Today marked another large spike in activity in our compressed binary download filters: an increase of 420.3% for Filter 4111, which detects UPX compressed binary downloads over HTTP. For those who enabled these filters after my previous post (you did, right?), you may have been surprised by the amount of activity on your particular network over the past few days. In response to this increase, I decided to do some research to further substantiate my claim that these filters have a place as a first line of defense against malware and other Internet nasties.
We began our search by correlating IP addresses that are serving up both packed executables and known malware. One of the targets that I looked at today is pchome.net, a popular Chinese portal. Alexa gives the site a traffic rank of 231 and shows that 2,796 other sites link to pchome.net. More details from Alexa can be found here.
The first page of hits from a Google search for "pchome.net" included at least one anti-virus vendor that has marked this website as safe. However, this website is anything but safe. The filters in TippingPoint's Spyware category that have fired on this website in the past 30 days include:
Filter 4952 (Spyware: Freeze.com/YourScreen Program Download)
Filter 3864 (Spyware: Alexa Program Download)
Filter 3303 (Spyware: Perfect KeyLogger Program Download)
Filter 6289 (Spyware: Malicious Anti-Spyware Program Download)
Filter 3418 (Spyware: WildTangent Program Download)
Filter 3415 (Spyware: MessengerPlus Program Download)
The interesting thing, however, is that the above filters account for less than one percent (0.66% to be exact) of the 312,212 (!) filter hits that we have seen in the past 30 days for this website. The rest of the hits came from the compressed binary download filters mentioned in my previous blog post.
Well, you might ask, "Perhaps the binaries served up from pchome.net are innocuous?" Very good question. So I decided to write a simple web crawler script that scans links hosted on the pchome.net website and follows them in order to find executables. I then submitted these executables to an online virus checker. Guess what? Over 97% of the executables scanned tested positive for some sort of malware, trojan, or other undesirable. BDSearch was at the top of the list. Kind of interesting, huh?
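To make the two pieces of this post concrete, the UPX download detection behind Filter 4111 and the link-following crawler described above, here is an added example (my own illustration, not the TippingPoint filter logic and not the crawler script from this post). It walks a constructed in-memory site (the SITE table below is made up for the example; the hostnames are placeholders), fetches anything that looks like a Windows executable, parses the PE section table, and flags files whose sections carry the names stock UPX leaves behind (UPX0/UPX1) or that contain the "UPX!" marker. The online virus check is not reproduced; what the crawler returns is the list of binaries you would then submit.

```python
"""Added example: crawl for executables and flag UPX-packed PE files.
Runs offline against a constructed in-memory site (SITE); replace
fetch_from_site() with a real HTTP client to point it at a live host."""
import struct
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EXE_EXTENSIONS = (".exe", ".dll", ".scr")


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(base_url, html):
    parser = LinkExtractor()
    parser.feed(html)
    return [urljoin(base_url, href) for href in parser.links]


def looks_like_executable(url):
    return urlparse(url).path.lower().endswith(EXE_EXTENSIONS)


def pe_section_names(data):
    """Return the section names of a PE image, or None if data is not a PE.
    The section table sits right after the COFF and optional headers, so
    an inline filter can reach this decision on the first bytes of a download."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40           # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def is_upx_packed(data):
    """Stock UPX names its sections UPX0/UPX1 and writes a 'UPX!' header.
    Either is a strong indicator; a packer that renames sections evades it."""
    names = pe_section_names(data)
    if names is None:
        return False
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def build_pe(section_names):
    """Constructed sample: a minimal PE32 with the given section names."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222           # 224-byte optional header
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + optional + sections


# Constructed site for the example: (content type, body) per URL.
SITE = {
    "http://dl.example.test/": ("text/html",
        b'<a href="/soft/index.html">Software</a> <a href="mailto:x@y">mail</a>'),
    "http://dl.example.test/soft/index.html": ("text/html",
        b'<a href="setup.exe">Setup</a> <a href="/soft/tool.EXE?id=7">Tool</a>'
        b'<a href="http://other.example.test/x.exe">Mirror</a>'),
    "http://dl.example.test/soft/setup.exe": ("application/octet-stream",
        build_pe(["UPX0", "UPX1", ".rsrc"])),
    "http://dl.example.test/soft/tool.EXE?id=7": ("application/octet-stream",
        build_pe([".text", ".data"])),
    "http://other.example.test/x.exe": ("application/octet-stream", b"<html>404</html>"),
}


def fetch_from_site(url):
    return SITE.get(url)


def crawl(start_url, fetch, max_pages=50):
    """BFS over HTML pages on the start host; return {url: verdict} for executables."""
    host = urlparse(start_url).netloc
    seen, queue, verdicts = {start_url}, deque([start_url]), {}
    while queue and len(seen) <= max_pages:
        url = queue.popleft()
        result = fetch(url)
        if result is None:
            continue
        content_type, body = result
        if looks_like_executable(url) or body[:2] == b"MZ":
            names = pe_section_names(body)
            if names is None:
                verdicts[url] = "not a PE file"
            elif is_upx_packed(body):
                verdicts[url] = "UPX-packed PE"
            else:
                verdicts[url] = "PE, sections " + ",".join(names)
            continue
        if content_type.startswith("text/html"):
            for link in extract_links(url, body.decode("utf-8", "replace")):
                if link in seen or urlparse(link).scheme not in ("http", "https"):
                    continue
                # follow pages on the same host only; fetch executables from anywhere
                if urlparse(link).netloc == host or looks_like_executable(link):
                    seen.add(link)
                    queue.append(link)
    return verdicts


if __name__ == "__main__":
    for url, verdict in sorted(crawl("http://dl.example.test/", fetch_from_site).items()):
        print(verdict, url)
```

Two caveats a practitioner should keep in mind. First, the check keys on what stock UPX leaves in the file; a sample with renamed sections or a modified UPX build will pass it, which is one reason the filter hits in this post are worth correlating with AV verdicts rather than acted on alone. Second, a URL ending in .exe can serve something that is not a PE at all (the "Mirror" link above), so the verdict is taken from the bytes, not the link.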
Thanks for reading and if you have any questions or comments, please don't hesitate to post a comment to this blog entry.
ThreatLinQ: Spyware and Executable Packers Revisited
- By Marc Eisenbarth
- Fri 03 Oct 2008 16:12pm
Tags: upx,spyware,packers
