Threatglass was built as a front-end for a large-scale, automated system that leverages heavyweight virtualization to detect web-based malware in a vulnerability and exploit-independent manner. The platform analyses millions of websites each week, sourced from multiple data feeds including the Alexa top 25,000 websites, social feeds and suspicious websites from Barracuda Labs' customer network, consisting of more than 150,000 organizations worldwide.
In addition to screen-captures of the infections, Threatglass displays various representations of network traffic including DNS, HTTP, and netflow in both graphical and textual formats. "Packet capture is something no-one else is going. This is a library of what attacks look like", Dr. Paul Judge, chief research officer and vice president of Barracuda, told Infosecurity."We developed the tool for ourselves, and then turned it into a tool for the information security community."
The system has cataloged approximately 10,000 live web-based malware attacks and adds new ones each day. Recently, Barracuda found that Cracked.com, Php.net and Hasbro.com were all compromised.
“All employees should be aware of how their behavior online can put their business at risk,” Baraccuda told Infosecurity. “IT and security professionals can use Threatglass as a part of their user cyber security training. Employees should be encouraged to check out anything that appears to be suspicious and share the results with their IT/security manager.” The forensics tool, Barracuda told Infosecurity, is a high-level tool for anyone with minimal technical knowledge."
The system has tools for simple visualization of the threat landscape, including the ability to casually browse website infections in a Pinterest-like graphical representation. Users can also view charting and trending data of historical malware volumes, and examine relationships between various components of an attacker ring through a visual graphic user interface.
Threatglass also has a community element, so users can share data among other researchers, review easily-parsed breakout data as well as source data, and submit websites for inspection and analysis.
Security managers can also use malware detection engines when updating the settings of their firewall – blocking any malicious sites identified by Threatglass.
“‘Good sites gone bad’ is a daily problem for popular websites targeted by attackers and used to serve malware to their unsuspecting visitors”, said Judge. “Threatglass was designed for both casual users and the research community to provide a way to document and better understand this ongoing problem.”