Posted July 22, 2010
If you don’t mow the lawn often enough, you may find unwelcome guests in your yard.
Image courtesy dnatheist.
Hosting companies are a major component of criminal resources online. Like all for-profit enterprises, cybercrime relies on solid, dependable infrastructure that will allow them to distribute viruses and other malware. While some hosting companies actively support cybercriminals by explicitly offer so-called “bullet proof hosting” environments to those looking for havens from law enforcement, many hosting companies simply turn a blind eye to cyber crime. After all, they are making profit and they are not getting in trouble for providing services to criminals, so why would they stop? A new report by HostExploit sheds light on hosting companies that likely are aware that criminals use their services to further their ends.
Of course, cybercriminals do not always pay for the services they use. A tried and true method used by online thieves is to borrow the resources of a server someone else is paying for.
How does one take over someone else’s server? The variety of techniques used are beyond the scope of this article but in the same manner a person’s home computer is likely to be infected by a virus if the software it uses is out of date, if a hosting environment is not keeping up with updates to software and applications it is running, it is more likely to be hijacked by cyber criminals because unpatched vulnerabilities exist. Just this week Google’s Matt Cutts discussed the growing threat of web server hacking in Google Webmaster Videos, saying:
I think web servers on the web are going to be exploited a lot more. The hackers are going to stop putting viruses and malware on individual people’s machines and they’re going to start attacking web servers across the entire world wide web.
So today we focus on those hosting companies that are negligent in updating their infrastructure, in essence opening the door for criminals to illicitly host their own content like illegal online pharmacies or to infect internet users’ computers. Once the users’ machines are infected, the criminals will steal banking passwords, use the computers to send spam or even participate in phishing attacks to steal money from victims’ bank accounts.
Profile of 100,000 Most Popular Websites
Cyveillance recently performed a scan of the 100,000 most popular websites on the entire internet, as defined by Alexa. (A daily listing of Alexa’s top 1 million websites can be downloaded from this page.) We simply requested the headers from each of the sites, which will return details about what systems the website’s hosting platform uses. This type of information is included virtually every time any web surfer visits any web page, so requesting it once from each site would not impose any burden on these 100,000 websites.
We then simply compared what versions of common hosting variables were used by these popular sites. We have used very conservative standards for what are acceptable, up to date versions. That being said, here’s what we learned…
Apache HTTP Server
Current Version: Version 2.2.15 is the current stable release, released four months ago according to Wikipedia.
What We Considered Out of Date and Why: Any version that was version 2.0.x is way out of date. Version 2.2 appears to have been released in the year 2007.
Internet Information Services (IIS)
Current Version: Version 7.5 was released in October 2009 and is the current stable release according to Wikipedia.
What We Considered Out of Date and Why: Anything using version 6.0 and older. Version 6.0 was released as part of Windows Server 2003.
Current Version: Version 5.3.2 was released in March 2010 and is the current stable release according to Wikipedia.
What We Considered Out of Date and Why: Anything using version 5.1 or older. Version 5.2.0 was released in November 2006. It’s hard to justify not upgrading in the last 3.5 years. Also note that PHP exploits are available through the software that is installed on a website (like forums, blogs, etc) and that PHP in and of itself is not a vector for attack. But PHP updates routinely include security fixes to prevent such abuse so running more recent versions is good hosting hygiene.
|Service||Apache HTTP Server 2.0.x or older||IIS 6.0 or older||PHP 5.1 or older|
|Percentage of top 100,000 sites||6%||12%||7%|
Perhaps it’s also useful to know how what percentage of the top 100,000 have upgraded to the newest version.
|Service||Apache HTTP Server
|IIS 7.5||PHP 5.3.2|
|Percentage of top 100,000 sites||4%||1%||1%|
So there is a very large percentage of sites not running up to date versions of these services. If your definition of safe is “must run the most recent version” then the web is very vulnerable indeed.
A few items are worth mentioning.
- Sometimes a website has a bad day and for whatever reason did not return any response to our request for its headers. Stuff happens. Perhaps the site was offline, perhaps the site has a policy of not answering requests just for headers. We did not screen these out of the results because we wanted to preserve the integrity of the top 100,000 dataset. It would have been rather arbitrary to keep going deeper past the 100,000 site mark just to make up for some absentees.
- Some webmasters will modify their sites so that the headers do not reveal very much information about what systems they run. This is very clever because in the same way we scanned the sites to do a health check up on the most popular 100,000 sites, criminals will scan the web looking for out of date software to attack. The sites that did not offer any such information were not removed from our dataset.
- Also, there are certainly situations where the same “hosting environment” was found multiple times in the top 100,000 sites we polled. For instance, a good number of sites from blogspot.com, wordpress.com, etc were present. But again, we didn’t pull those out because we wanted to maintain the notion of the top 100,000 sites on the web.
As can be seen, a noteworthy percentage of hosting environments out there do not run very recent versions of important system components. And to reiterate, we have used generous allowances for what we considered unarguably out of date in general terms. This is especially surprising given the commercial value of sites in the 100,000 most popular sites on the entire internet. With the stiff competition to become highly-trafficked, we were surprised to see that so many of these sites have not kept up with such fundamental components to their software.
Of course, this certainly doesn’t mean that by going to these sites you will be infected with malware, or that you will visit a compromised server. What it does mean is that a significant portion of highly valuable sites are not as well protected as they should be, and that less popular sites even farther down the food chain may be even more risky because there is less monetary incentive for their owners to protect them.
We want to make clear that we are not calling out any individual site for not being up to date. There are many reasons a site may not be completely up to date with the most recent software out there. Maybe their web application was not future-proofed and would not run on newly updated versions, so they have not been able to bring things up to speed. That’s a business decision for the site owners. Maybe the site in question is a security researcher honeypot and is out of date on purpose! In any case, our aim is simply to paint a picture of the overall landscape.
What can be done?
Clearly, in the same way a computer owner regularly applies updates to the software running on his or her machine, hosting companies need to be very diligent about offering the most recent versions of the types of services we describe above. Webmasters should also only use hosting companies running up to date software. This will not only help keep the webmasters’ sites safe from hacks by cybercriminals, it promotes a healthier web for everyone if hosting companies know they lose business to more security-minded competitors.
Of course, in the same way that even a fully-patched, updated laptop can still be infected by malware, the most carefully maintained hosting environments can be compromised. Our intention is not to suggest that if a hosting company gets infected and is used to spread malware to internet users that it was negligent. Zero-day exploits are sadly not uncommon. We are suggesting that hosting environments which are not updated and get infected or compromised by cybercriminals are in fact making the internet a more dangerous place than it would be otherwise, and that action should be taken to correct the situation.
Let’s say you are travelling in your car and needed a place to eat. You come upon a town. If you knew that 10% of a town’s restaurants did not meet health code standards and that there was a nontrivial chance you could get food poisoning, would you want to eat in that town? No, we wouldn’t want to eat in that town either, and we hope for a time when the internet’s hosting environments are far safer than they are now.