Tuesday, 9 April 2013

Top porn sites lead to malware

About a year and a half ago I wrote about a series of malware infections at xvideos.com that were potentially infecting visitors' PCs. This week I saw another spike in infections that also appeared to be caused by a popular porn site.

I decided to revisit the statistics that I compiled for those sites using a combination of Alexa and Google Safe Browsing diagnostics. Alexa gives an idea of how popular a site is and how many pages each user visits, Google gives the number of potentially infected pages out of the total indexed.

The results were quite surprising. Last time I calculated a 28% risk that the average visitor to xvideos.com would be exposed to malware. However, now that site has been cleaned up and appears risk free. But what was shocking was that now visitors to xhamster.com ran a 42% chance of malware contact, and pornhub.com users an atrocious 53% chance with a lower infection rate on tube8.com (14%) and youjizz.com (2%).

xvideos.com, livejasmin.com, redtube.com, xnxx.com, youporn.com and adultfriendfinder.com all appeared to be clean. Well.. you know what I mean.

Site               Alexa Rank   Infected pages / total pages   Infection rate   Average pages / user   Malware contact probability
(site link lost)           42   0/176191                       0.00%            12.9                   0%
xhamster.com               46   1067/20986                     5.08%            10.3                   42%
pornhub.com                63   1777/13955                     12.73%           5.5                    53%
(site link lost)           75   0/269                          0.00%            2.2                    0%
(site link lost)           82   0/10387                        0.00%            5.1                    0%
(site link lost)           98   0/84373                        0.00%            10                     0%
(site link lost)           99   1/3854                         0.03%            6                      0%
tube8.com                 129   837/22026                      3.80%            3.9                    14%
youjizz.com               242   14/3537                        0.40%            6.2                    2%
(site link lost)          344   0/593                          0.00%            6.4                    0%
Note: hyperlinks are safe for work and go to Google's Safe Browsing Diagnostics Page for the site

Now, I have no doubt that it is not the intention of the site operators to infect visitors' machines with malware; instead, third-party content and infected banner ads are causing the problem. For example, for xhamster.com Google says:

Safe Browsing
Diagnostic page for xhamster.com

What is the current listing status for xhamster.com?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 20986 pages we tested on the site over the past 90 days, 1067 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-04-06.

    Malicious software is hosted on 2 domain(s), including exposedcamz-live.com/, ceskeporno.tv/.

    3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including brandreachsys.com/, traffichaus.com/, crakmedia.com/.

    This site was hosted on 3 network(s) including AS39572 (ADVANCEDHOSTERS), AS16265 (LEASEWEB), AS36351 (SOFTLAYER).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, xhamster.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

For pornhub.com, Google says:

Safe Browsing
Diagnostic page for pornhub.com

What is the current listing status for pornhub.com?

    This site is not currently listed as suspicious.

What happened when Google visited this site?

    Of the 13955 pages we tested on the site over the past 90 days, 1777 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-01-28.

    Malicious software includes 5 exploit(s), 2 trojan(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

    Malicious software is hosted on 9 domain(s), including rodriguezwoca.com.ar/, crucerosinfantiles.com.ar/, ingenet.com.ar/.

    4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including trafficjunky.net/, gammae.com/, rockwork.ch/.

    This site was hosted on 4 network(s) including AS30361 (SWIFTWILL2), AS22822 (LLNW), AS29789 (REFLECTED).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, pornhub.com appeared to function as an intermediary for the infection of 34 site(s) including gaypornplanet.com/, xgaytube.com/, pornmd.com/.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

Finally, the report for tube8.com says:

Safe Browsing
Diagnostic page for tube8.com

What is the current listing status for tube8.com?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 63 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 22026 pages we tested on the site over the past 90 days, 837 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-04-06.

    Malicious software includes 63 exploit(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

    Malicious software is hosted on 22 domain(s), including btsinvestments.com/, nymphdate.com/, dirtymechanics.org/.

    10 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including crakmedia.com/, trafficjunky.net/, justanaffiliate.com/.

    This site was hosted on 4 network(s) including AS30361 (SWIFTWILL2), AS3356 (LEVEL3), AS29789 (REFLECTED).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, tube8.com appeared to function as an intermediary for the infection of 38 site(s) including pornmd.com/, largeporntube.com/, ro89.com/.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

So, we can see that the greatest risk comes from external sites such as crakmedia.com (report), trafficjunky.net (report) and traffichaus.com (report) [although see their statement below] plus several others. These too are intermediaries being abused by third parties.. but this is part of the problem with poorly regulated banner ads and traffic exchangers. Bad things slip into pages easily, and very few people want to kick up a fuss.

My advice from last time remains pretty much unchanged: If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched (you can use Secunia OSI to check), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential. In addition, Chrome is pretty good at picking up malicious sites.. the biggest problem tends to be Internet Explorer. Oh, if you have Java then you should probably uninstall that as it is one of the most popular vectors for infection.

Note: Google's figures stretch back over 90 days and do not necessarily mean that a site is serving malware right now. Interpret the "malware contact probability" in this way: a visitor viewing the reported average number of pages over the aggregate 90 day period would have this average probability of coming into contact with potential malware during a single browsing session, assuming that the infection rate figures are accurate.

Traffichaus's statement: It seems that it is actually OpenX that is the main source of all these malware issues. It is not our server nor Xhamster, nor Brandreach and other sites you have listed. The site Crakmedia.com in this recent incident was hacked via an ongoing flaw within OpenX. And OpenX is easily hacked on their free version, so this company was using the free version, had their servers completely locked down via IP, and apparently got their servers hacked via a bug update in OpenX.
I'd appreciate it if you could remove our domain and name from the story as it doesn't accurately paint the right picture. Also, the infection rate on Xhamster of 42% is not accurate: that infected advertiser was only on the site for maybe a day and only at a 10% rotation, and on minimal pages, so the infection rate was probably 5-7% and it was only for a 12 hour period before the ads were caught and removed.

FAQs

Q: What do you mean by "malware contact"?
A: This is an attempted malware or virus infection, whether or not it succeeded.

Q: Does this sort of malware impact just PCs or other devices too?
A: I haven't identified any individual malware strain here, but the bad guys are increasingly targeting mobile devices as well as PCs, especially Android. Other platforms are also potentially vulnerable.

Q: Who is behind it? Is it the site owners?
A: It is almost definitely not site owners or even the ad networks behind it. You could even say that they are victims of it as well. If I had to point a finger at geographical regions then I'd start with Russia and Florida.

Q: Porn is disgusting. Why should we care?
A: I try to be non-judgmental. The biggest of these sites pull in about 2% of all web users per day. Not talking about it is not going to help.

Q: Does this just impact porn sites?
A: No. Infected banner ads can be found (less often) on mainstream media sites too. It is good to take some of the precautions listed above even if you don't stray far from the Daily Mail or NBC.


13 comments:

mrbyte said...

Great work!

The tree climber said...

Please provide a worked example of the 'Malware contact probability' figure. Perhaps you could use the Pornhub.com row as an example?

Alex Matulich said...

Great work -- it looks like this post has been picked up by various news agencies. Unfortunately, none of them seem to provide a way to read this original report. I had to hunt for it.

Alex Matulich said...

This comment has been removed by the author.

Conrad Longmore said...

I'm using a formula of:
1 - (( 1 - Infection Rate) ^ Pageviews per User)

So, for Pornhub Google reports 12.73% of pages, Alexa reports 5.5 pageviews per user.

1 - ((1 - .1273) ^ 5.5) = 0.527

To explain the formula - I work out the probability of a visitor landing on a NON-infected page every time and then work backwards.
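The formula from this comment, applied to the note on "malware contact probability" in the post and to the figures in the table, as an added example (not code from the original post). The regular expression, the function names and the SITES dictionary are my own construction; the page counts are the ones quoted in the Google diagnostic pages above and the pages-per-user figures are the Alexa numbers from the table.

```python
import re
from typing import Dict, Tuple

# Matches the "What happened when Google visited this site?" sentence of the
# 2013-era Safe Browsing diagnostic page, in the wording quoted in the post.
_TESTED_RE = re.compile(
    r"Of the (?P<total>\d+) pages we tested on the site over the past 90 days, "
    r"(?P<infected>\d+) page\(s\) resulted in malicious software"
)

def parse_infection_counts(report_text: str) -> Tuple[int, int]:
    """Return (infected_pages, total_pages) from a diagnostic page excerpt."""
    m = _TESTED_RE.search(report_text)
    if m is None:
        raise ValueError("no page-test sentence found in report")
    return int(m.group("infected")), int(m.group("total"))

def contact_probability(infected: int, total: int, pages_per_user: float) -> float:
    """1 - (1 - rate)^pages: chance that a session of pages_per_user views hits at
    least one infected page, treating each view as an independent draw at the
    90-day site-wide rate (the simplification the post's note points out)."""
    if total <= 0 or not 0 <= infected <= total:
        raise ValueError("invalid page counts")
    rate = infected / total
    return 1.0 - (1.0 - rate) ** pages_per_user

# Constructed excerpts in the diagnostic-page wording, carrying the counts the
# post quotes, each paired with the Alexa pages-per-user figure from the table.
SITES: Dict[str, Tuple[str, float]] = {
    "xhamster.com": ("Of the 20986 pages we tested on the site over the past 90 days, "
                     "1067 page(s) resulted in malicious software being downloaded "
                     "and installed without user consent.", 10.3),
    "pornhub.com": ("Of the 13955 pages we tested on the site over the past 90 days, "
                    "1777 page(s) resulted in malicious software being downloaded "
                    "and installed without user consent.", 5.5),
    "tube8.com": ("Of the 22026 pages we tested on the site over the past 90 days, "
                  "837 page(s) resulted in malicious software being downloaded "
                  "and installed without user consent.", 3.9),
}

def contact_table() -> Dict[str, Tuple[float, int]]:
    """Per site: (infection rate in %, 2 dp; malware contact probability in %, rounded)."""
    out = {}
    for site, (excerpt, pages_per_user) in SITES.items():
        infected, total = parse_infection_counts(excerpt)
        rate_pct = round(100.0 * infected / total, 2)
        contact_pct = int(round(100.0 * contact_probability(infected, total, pages_per_user)))
        out[site] = (rate_pct, contact_pct)
    return out
```

Running contact_table() reproduces the 42%, 53% and 14% figures in the table; the Traffichaus objection above amounts to saying the 90-day average rate overstates what a visitor on any given day actually faced.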

RB said...

This has been grossly exaggerated by news agencies; for a counter-argument I would recommend reading: http://www.securityweek.com/easier-get-infected-malware-good-sites-shady-sites-cisco-says

Phil James said...

Hi Conrad

Would I be right in thinking that having a policy of NEVER clicking on any advertising on these sites would greatly reduce the risks of malware?

Thanks

Conrad Longmore said...

@Phil: no, it wouldn't help. The problem with these malicious advertisements ("malvertisements") is that you don't even need to click them: when they display, the JavaScript (or Flash) in the ad itself leads to malware with no manual intervention. An ad blocker can help a lot though, as can NoScript for Firefox or a similar browser extension.

-=Wendell=- said...

Is it safe to assume that Redtube can be browsed safely...?
Or am I better off just using Tumblr?

Conrad Longmore said...

@Wendell: Google reports no malware on Redtube, but URLquery reports some possible exploits. Make sure your Adobe Flash installation is up-to-date. I would also recommend using Firefox + NoScript or a similar solution to restrict third-party scripts.

salas...alto said...

We have created a list of the most popular and the safest porn sites on http://mypornbible.com We considered important the stats published by you in the creation of our blog list.

Tbean said...

Interesting, I always thought that the big porn sites like xhamster, http://theporndude.com/, pornhub, etc. were totally safe. :s

What's the best way to protect yourself, when you're visiting these sites? Is an antivirus on your PC enough and which one would be the best then?

Conrad Longmore said...

@Tbean: most of these things are delivered through ads. Using an ad blocker or script blocker in your browser is an effective way of protecting your computer. However it does deprive the site you are visiting of ad revenues, which they rely on.