It must be a mistake, these domains cannot be hosting malware

Since 2005, Malware Patrol has maintained a database of malicious URLs and indicators of compromise. It did not take us long to discover a widespread assumption that domains owned by trusted brands cannot host malicious files. We frequently receive e-mails pointing out that such domains appear in our block lists and data feeds, and that this must be a mistake.

Unfortunately, there is no mistake: malware can be found on the most diverse domain names, including those of brands like Amazon, Dropbox and Google, among others.

The intention here is not to shame anybody, so we will not disclose numbers for specific companies. We want to draw attention to the fact that malware infections are more prevalent than people believe, and that you certainly need threat intelligence and a layered security strategy to properly protect your customers, employees and systems.

Taking big IT names like Amazon AWS, Dropbox and Google, there are currently 1,601 known active malicious files hosted on their infrastructure. This is not to say these companies don't care about malware. Each of them employs strict controls to prevent the upload of malicious artifacts, but validating millions of files every day is an enormous task. Put in perspective, they actually do a pretty good job: the malicious artifacts are certainly a very small fraction of all files hosted by these services. Still, it only takes one malware infection to damage your company, encrypt your files for a ransom or secretly steal financial and proprietary information.

What about malware hosted in government web sites? That doesn't exist, right?

Wrong. Our database has records of 127 malicious files actively hosted on government systems in Bosnia and Herzegovina, Brazil, China, Italy, Jamaica, the USA, Taiwan and Vietnam.

Not even universities are free from malicious files. There are educational institutions hosting malware in Brazil, China, Hong Kong, Poland, Portugal, Russia, Taiwan, the United States and Vietnam.

And there is also the threat posed by companies offering dynamic DNS and URL shortening services. They have no control over the content served by their customers and are commonly used as redirects or to host malicious content.

That is why threat intelligence and malware protection mechanisms are so important today. Recent studies show that 99% of surveyed companies employ some type of anti-spam system. Certainly most, if not all, of them have firewalls in place and anti-virus software installed and updated on endpoints. But all that is not enough: malicious e-mail messages continue to reach victims' mailboxes, infecting them with malware and ransomware.

Although blocking access to well-known brands outright may be an issue, it is important to acknowledge the dangers that hide on their servers. Companies like Malware Patrol that provide threat intelligence and block lists must track this situation very carefully.
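As an added illustration (not Malware Patrol's code or feed format), here is a small URL-level block list matcher in Python that blocks the exact malicious file on a shared host while leaving the rest of that host reachable, and blocks a whole domain only when the indicator is a bare hostname. The feed entries and hostnames below are constructed samples, not real indicators.

```python
from urllib.parse import urlsplit

# Constructed sample indicators, NOT Malware Patrol's feed or real IoCs:
# full URLs for files on shared/trusted hosting, plus one bare hostname
# (no path) meaning "the whole domain is malicious".
SAMPLE_FEED = [
    "http://dl.dropboxusercontent.com/s/abc123/invoice.exe",
    "https://s3.amazonaws.com/public-bucket-example/update.zip",
    "malicious-example.test",
]


def normalize(url):
    """Return (host, path): lowercase host, scheme/port/query stripped, '/' default path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or ""), (parts.path or "/")


def load_feed(entries):
    """Split indicators into exact-URL entries and whole-domain entries."""
    urls, domains = set(), set()
    for entry in (e.strip() for e in entries):
        if "/" not in entry:            # bare hostname => block the whole domain
            domains.add(entry.lower())
        else:
            urls.add(normalize(entry))
    return urls, domains


def classify(url, urls, domains):
    """'block-url' for an exact hit, 'block-domain' for a listed host or any
    subdomain of it, otherwise 'allow' (clean files on a shared host pass)."""
    host, path = normalize(url)
    if (host, path) in urls:
        return "block-url"
    labels = host.split(".")
    if any(".".join(labels[i:]) in domains for i in range(len(labels))):
        return "block-domain"
    return "allow"


def overblocks_if_domain_level(url, urls):
    """True when blocking the *host* of every feed URL would also block this
    clean URL: the collateral damage of domain-level blocking on shared hosting."""
    host, path = normalize(url)
    return (host, path) not in urls and any(h == host for h, _ in urls)
```

Running `classify` on a clean file from the same Dropbox host returns `allow`, while `overblocks_if_domain_level` returns `True` for it, which is exactly the over-blocking that URL-level indicators avoid.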

Andre Correa - Malware Patrol Co-founder
Information Security and Threat Intelligence professional whose qualifications include in-depth knowledge of Internet technologies, the current cyber security landscape, incident response, security mechanisms and best practices.
He founded the Malware Patrol project in 2005. The company helps enterprises around the world protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.