It’s estimated that 86% of all websites had at least one serious vulnerability during 2012. Attackers, either manually or automatically (via botnets), deploy C&C servers and malware droppers within exploited websites to infect clients. When such an intrusion is not detected by the owner, the website can deliver malware for long periods, until somebody notices it, either privately or publicly, and maybe an investigation starts.
To tackle this, we have developed a web monitoring tool called WebDetector, which can be scheduled to run periodically over a list of domain names and produces a score that indicates how malicious a page is.
We have tested the efficacy of WebDetector by deliberately adding common malicious behaviour to a controlled WordPress installation. More sophisticated malware strategies need refined detection heuristics, which will be addressed in the future.