Architecture, Network security, Threats, Malware

Group outlines web host’s role in fighting malware

March 16, 2011
Web hosting providers can limit the spread of malware by quickly responding to reports of compromised sites, informing customers and, in some cases, mitigating and resolving the issues, according to a new set of best practices released by StopBadware, a nonprofit aimed at fighting faulty software on the internet.

The document, developed in collaboration with security researchers and major web hosting companies, aims to set expectations to help reduce the scourge of malware.

Cybercriminals regularly set up malicious websites or compromise legitimate sites to host exploits, StopBadware's Executive Director Maxim Weinstein told SCMagazineUS.com on Wednesday.

When researchers notice, they often send reports to hosting providers, but there is a lack of industry consensus as to how to respond to such notifications, Weinstein said.

Some providers don't consider it their problem when malware makes its way onto a customer's site, often waiting weeks to pass along infection reports, he said. Others take a more active role by removing malicious content and notifying customers.

According to the StopBadware document, web hosting providers should acknowledge the receipt of abuse reports within one business day. Within two business days, they should evaluate whether the malicious URL in the report is within their control and determine if the infection can be quickly mitigated.

Immediately after analyzing the report, they should notify the site owner (or downstream providers) and provide tips for resolving the issue, the recommendations state.

Scott Gerlach, IT security operations manager at Go Daddy, the world's top web hosting provider, told SCMagazineUS.com on Wednesday that his company provides malware investigation and remediation services to customers for free.

Many hosting providers, however, simply don't have the resources to investigate and remove malware from customer sites, he added.

"Go Daddy has a staff of 25 security people working on this all the time," Gerlach said. "Not a whole lot of firms have a staff that large."

Website owners share the responsibility for keeping their sites clean but, in some cases, hosting firms should correct the problem by blocking affected content, removing malware and fixing any underlying vulnerabilities, according to StopBadware.

“If the malware occurs because the web hosting provider didn't adequately patch the server, they should probably help with addressing it,” Weinstein said. “If it happened because a customer left a vulnerability in an app they installed and the customer is in a good position to simply delete the malware file, patch the software and move on, it might not be as critical that the hosting provider help out.”

Regardless, communication is paramount, according to the document. Providers should also ensure they follow up with the individual who reported the infection.

“The more [security researchers and hosting providers] are talking and working together and acknowledging each other's presence and ensuring the lines of communication are open, the more quickly and effectively the whole ecosystem can respond to malware,” Weinstein said.

And finally, hosting firms should periodically review abuse reports to identify trends and patterns. If a number of customer websites are infected in a similar way around the same time, it may signal a deeper trend, Weinstein said.

“Attackers are using web hosters to spread malware, so it is the responsibility of web hosts to try to mitigate that activity,” Gerlach said.
prestitial ad