Broadband connectivity and the great variety of services offered over the Internet have made it an important source of information and entertainment and a major means of communication. In 2008, users are more connected than ever.

With connectivity to the Internet, however, come security threats. Because the Internet is a global network, an attack can be delivered anonymously from any location in the world.

As part of work commissioned by InternetNZ, Victoria University of Wellington has gathered intelligence on the threat from malicious servers across the .nz domain. In this study, all index pages of publicly accessible web servers were inspected for malicious content that launches drive-by-download attacks.

Results of this study show malicious URLs in the .nz domain. Of the 247,198 URLs inspected, 52 were identified as malicious. Assuming 1173 web pages per web server on average and a consistent percentage of malicious web pages across all web pages, approximately 61,000 malicious web pages are estimated to exist in the .nz domain.

The physical hosts of these URLs were primarily located in New Zealand and the United States of America. However, the actual exploits were often imported from centralized exploit servers that were located in countries with more lenient cyber laws, such as China and Russia.

Blacklisting and patching were evaluated as defenses against these malicious URLs. Several blacklisting providers did not know about these malicious URLs and would therefore inadequately protect end users from them. However, the Haute Secure browser plug-in, which checks not only the main URL against its blacklist but also all contained references, has a higher detection rate of 77%. Patching, on the other hand, was a mechanism that provided effective protection. None of the 52 malicious web pages was able to successfully attack a patched system.

The malicious URLs seem to be highly dynamic. Shortly after the data collection was completed, none of the .nz URLs identified in stage 1 still exhibited malicious behavior, and several URLs identified in this stage of the study had also stopped doing so. Malicious content seems to appear and disappear within days. In the next stage of this work, periodic assessment of the .nz domain will be undertaken. Repeated inspection will increase the understanding of the dynamic nature of the malicious content.

In addition, periodic monitoring of the malicious sites with a fully patched system will be undertaken as part of stage 3 of this study. While patching seems very successful in protecting against malicious web sites, there is a residual risk of a successful attack by zero-day exploits. We assume that these exploits will be deployed by existing malicious web servers first, so periodic monitoring of these servers might reveal these zero-day exploits as they appear.
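
The difference between checking only the main URL and also checking all contained references, as described above for blacklisting, can be shown with a short added example (not code from the study or from Haute Secure). The blacklist entry, page URL and HTML are constructed placeholders, and the choice of tags treated as references is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blacklist of exploit-server hosts (placeholder name).
BLACKLIST = {"exploit-server.example"}

# Assumed set of tag/attribute pairs that make a browser fetch a resource.
REF_ATTRS = {("script", "src"), ("iframe", "src"), ("frame", "src"),
             ("embed", "src"), ("object", "data"), ("link", "href")}


class RefCollector(HTMLParser):
    """Collects absolute URLs of the resources a page pulls in."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in REF_ATTRS:
                # Resolve relative references against the page URL.
                self.refs.append(urljoin(self.base_url, value))


def is_blacklisted(url, blacklist=BLACKLIST):
    host = (urlsplit(url).hostname or "").lower()
    # Match a listed host itself and any subdomain of it.
    return any(host == b or host.endswith("." + b) for b in blacklist)


def check_main_url_only(page_url, html):
    return [page_url] if is_blacklisted(page_url) else []


def check_with_references(page_url, html):
    collector = RefCollector(page_url)
    collector.feed(html)
    return [u for u in [page_url] + collector.refs if is_blacklisted(u)]


# Constructed sample: a legitimate page that imports content from a listed host.
SAMPLE_URL = "http://shop.example.nz/index.html"
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<script src="/js/menu.js"></script>
<iframe src="http://cdn.exploit-server.example/in.php"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("main URL only:  ", check_main_url_only(SAMPLE_URL, SAMPLE_HTML))
    print("with references:", check_with_references(SAMPLE_URL, SAMPLE_HTML))
```

The hosting page itself is not on the list, so a main-URL lookup passes it, while the reference check flags the imported resource.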