In March of 2018 cybersecurity nonprofit abuse.ch launched a new project called URLhaus. Its goal: to search and destroy compromised web pages that were being used to distribute malware. Fast forward to today and URLhaus has helped cleanse the Web of more than 100,000 malicious pages.
URLhaus is a collaborative effort and some 265 cybersecurity researchers have contributed to the project so far. Abuse.ch reports having received more than 300 malicious page submissions every day.
That number jumped dramatically this month. On January 16 reports more than doubled to 701. Yesterday URLhaus broke the 1,000 submission mark for the first time. Expect those numbers to continue climbing as more members of the cybersec community get involved.
Two strains of malware make up a substantial percentage of the submissions so far. Heodo, a botnet that is commonly used to launch DDoS attacks and distribute additional malware, leads the way with more than 16,000 pages blacklisted. In second place is Gozi, a widely distributed spyware tool that has the ability to record keystrokes and steal login details from web browsers.
Abuse.ch shared some additional statistics about its work so far. Some of the most interesting dealt with the responsiveness of hosting providers around the globe.
Providers in the United States typically took swift action after receiving a notification from URLhaus. Digital Ocean, which saw the most submissions of any provider, averaged about 6 days. Household names GoDaddy and Google were slightly slower at 9 and 8 days, respectively.
Faster is better, naturally. The sooner a malware distribution point is removed from the Web the safer things are for everyone who uses it.
Unfortunately not all content distribution networks respond as quickly. Some providers allowed reported URLs to continue pushing malware for weeks. In one case nearly two months passed between the URLhaus alert and the link’s removal.
The longer these malicious pages remain online, the greater the harm the malware can do. Hopefully providers will start working more closely with URLhaus and bringing their response times down. Swift action on their part means a safer Internet for everyone.