Investigation and analysis of malware on websites

Takeshi Yagi, N. Tanimoto, Takeo Hariu, M. Itoh
Published in: 2010 12th IEEE International Symposium on Web Systems Evolution (WSE), 2010-11-09
DOI: 10.1109/WSE.2010.5623567 (https://doi.org/10.1109/WSE.2010.5623567)
Citations: 12

Abstract

We investigated the distribution of malware on websites by constructing web honeypots carrying vulnerable web applications. With the diffusion of web services caused by the appearance of a new architecture known as cloud computing, a large number of websites have been used by attackers as hopping sites to attack other websites and user terminals. To construct hopping sites, many attackers force victims to download malware by using vulnerabilities in web applications. To protect websites from these attacks, conventional methods, such as using anti-virus software, filter files from attackers using pattern files, which are generated by analyzing conventional malware files collected by security vendors. However, it is difficult to define malware since software files become malicious depending on the situation. In addition, it is difficult to detect malware, which is different from known malware analyzed by security vendors. Recently, variations in malware continue to increase as new types of malware constantly appear. To reveal the actual situation and critical detection ratio of such conventional methods, we investigated the detection ratio of anti-virus software by using malware collected by web honeypots, which collect attacks on websites by using actual vulnerable web applications. Our investigation revealed that anti-virus software fails to detect many malware files, and that traffic patterns to web honeypots are useful for detecting malware files on websites.