avast! releases internet security forensics data from the web’s largest malware hunter community

(PRAGUE, April 15, 2010) Researchers at ALWIL Software, providers of the avast! Antivirus program, have released the first set of data from its Community, an opt-in sensor program for the 100 million avast! Antivirus users.

Community is the world’s first large-scale sampling of online threats. Sensors in the avast! Antivirus program identify malware and infected websites by analyzing suspicious behavior, use of malicious code, and past experience with other avast! users.

“The huge numbers of Community members create a “cloud” of sensors that gives us a real-time snapshot of the threats posed by websites across the internet,” said Vince Steckler, CEO of avast! maker ALWIL Software. “Our cloud gives a huge time-sensitive amount of data on the state of malware and viruses across the web.”

Globally, the 1Q’2010 set of data includes 252,000 infected domains which were visited and identified through 11.9 million visits by Community members.

For UK-based websites, the list includes over 3,000 infected domains. Many of the infected sites – all with the co.uk suffix – were small businesses or travel sites such as harrysbars.co.uk, glassbasins.co.uk and westminster-london-hotels.co.uk/.

“Harry’s bars wants to be a hot spot in Dorset, but not for malware infection, and they did have an iframe infection for 30 days. Most of the sites on our list are legitimate places that a normal user would never suspect could be infected – but they are,” said Steckler. “And we know Harry’s had an infection due to repeated visits by our Community members. Other infections have lasted much longer, such as the 153 days at mystainedglassart.co.uk. There are sites on our list – mostly adult-orientated – that have been designed to spread malware. But, these are the minority. If you look at the total number of user visits, it’s the ordinary sites that are the most dangerous.”

For French-based websites, Community members visited over 300 infected domains every day with the .fr (France) suffix, identifying over 3,000 separate domains during the quarter. Three of the most infected sites by number of visitors were ja6.free.fr, asso.fr, and maxio.fr. “Free” is a big attraction for malware targeting French consumers, with over a sixth of the sites pushing malware using the word free in the URL.

Every time a Community member visits a website, the avast! antivirus installed in their computer performs a rigorous scan and examines the behavior of the site for any infection, viruses, or suspicious activity. If this uncovers malware, avast! then shuts off the connection – protecting the user’s computer – and sends data off for analysis.

This anonymous packet of data includes information on the malware type, the visited website, and the computer applications running at the time of exposure. The data allows the discovery of known infections and, through behavioral analysis and cross-referencing of operating systems, service packs, and browser data, provides useful clues that let avast! researchers spot variants, new threats, and possible attack vectors.

By combining reports from individual Community members, avast! researchers are able to identify new malware and chart the spread and duration of the infection. Other Community data is processed automatically and forms the basis for the daily virus database updates.

“The data from the IQcommunity is invaluable as it is based on the real surfing experience of a large sample size,” explains Mr. Steckler. “Most community members are just average PC users that go online as part of their daily regime. This increases the potential to find and clarify new threats at close to or even at zero day.”

avast! will be releasing a detailed Community internet security barometer report later in the year which will have detailed statistics on the threat landscape broken down by country and domain as well as information on emerging threats captured by behavioral analyses.

“Our goal is to make information from the Community freely available to improve overall internet security,” adds Steckler. “We would also like to thank users within the Community for their support and wish them happy – and safe – surfing.”

Infectious Statistics

Infected sites identified in Q1’2010: 2,149,042 pages; 252,801 domains

Visits to infected sites by Community members: 11,876,357 – visits to non-blocked infected sites
(This does not include attempted visits to blocked sites. Blocked URL visits can reach 3 million daily.)

Infected sites by country (Domains / hits by Community members):
General (.COM): 102,721 / 5,186,345
Brazil: 6,356 / 344,888
China (.CN): 5,657 / 193,785
Czech Republic (.CZ): 7,306 / 141,349
France (.FR): 3,244 / 145,581
Great Britain (CO.UK): 3,264 / 38,259
Poland: 9,446 / 342,844
Russia (.RU): 20,639 / 1,230,077