Detecting and Stopping Malware Threats Within Your Content Delivery Networks

CDN providers and SaaS companies with content-sharing components (such as DropBox, WeTransfer, SharePoint,etc) are increasingly targeted by cyber criminals for malware. The ease with which users can upload and share content is obviously key, but unfortunately, it is equally appealing for malicious actors to attach malware contents.

With thousands of new malware variants discovered every day, it can be difficult for CDNs and content-sharing SaaS businesses to detect threats in real time. Furthermore, any undetected infection suddenly turns their businesses into unwilling malware distributors, with potential effects on their reputation when later discovered. Viruses and malware can be active for months or even years without being flagged, giving cyber criminals ample time to infiltrate target computers and networks.

In this article, we discuss the prevalence of malware among CDN providers and content-sharing SaaS companies. We also talk about how companies and internet users can protect themselves from malware, and which features they should look for when choosing a cyber-security solution.

CDN malware and their targets

One particularly vicious form of malware is known as the downAndExec standard, which uses JS scripts and enables the download and execution of malware. In Brazil, thousands of unsuspecting internet users fell victim in 2017 to this attack, which was geared towards stealing baking information. The malicious application, hidden in a JS snippet hosted on the infrastructure of a CDN provider, provided high bandwidth for payload delivery and C&C operations.

Another difficulty in the downAndExec attack (which is similar to many other malware attacks targeting CDNs) is that it’s resistant to sandboxing. The malicious script is capable of performing a series of tests to see if the host computer they have infected is worth running the malware on.

For the Brazilian victims of this attack, for example, the malware scanned to ensure that the computer they had compromised was from a Brazilian IP address, and confirmed whether the computer had access to banking systems. That means the malware lay dormant in many computers that did not meet these two qualifications, enabling it to escape being sandboxed and flagged as a malicious script.

The most troubling thing about malware attacks based within a CDN is that takedown attempts can’t be immediately executed. Accessibility is a prime function of CDNs, so even if vicious malware is detected, it would be difficult to prohibit paying users from accessing their content to address the threat.

This is a difficult hurdle for cybersecurity experts to overcome, especially when you consider that indicators of compromise are hard to pinpoint as affected environments usually have multiple access records made by reputable software. The nightmare this scenario presents for CDN and SaaS providers and their customers is enough to persuade most businesses to invest in cybersecurity solutions that will prevent this from occurring in the first place.

Google user content CDN used for malware hosting

Even tech giant Google is not immune to hosting malware on their CDN. Hackers have been found hiding malicious code inside the metadata field of images hosted on Google’s official CDN. This platform is frequently used for those involved in running websites or blogs.

The ease with which malicious actors can upload dangerous files into even the most popular CDNs is startling. With the pandemic prompting companies to rely more heavily on remote work, a record 59% of businesses report that they are allowing employees to access work from their personal devices.

A remote worker who has accidentally installed malware on a personal device can pose a serious threat to the entire company. Hackers don’t only target businesses, however. A recent report by the FBI indicates that K-12 schools are increasingly falling victim to malware as well.

The malware that affected many users was difficult to report to Google, which has methods to contact their team for issues like copyright infringement but few avenues for reporting malware. The source of the malware was also difficult to locate, since the malware was embedded in widely shared images with an anonymized, identical URL.

This type of persistent malware is especially dangerous for businesses with remote workers, as malware has the potential to affect the entire company’s network once established within a remote worker’s device.

Most web hosts come with protective security features for their CDN, but the ability for anyone to upload a file into a CDN makes it inherently vulnerable. A truly secure web host will provide SSL security free of charge and a high-quality server. While many cheap or free web hosts are available, they are unlikely to provide the cybersecurity needed for individuals and businesses operating in the modern world.

Protecting your network from malware

With new threats and vulnerabilities discovered every day, it’s important that CDNs scan for malware and viruses automatically so potential threats can be flagged for further investigation. That would require implementing a multi-layered security solution that can identify incoming threats in the network as well as on the users’ machines.

For example, DownAndExec attacks rely on two components to be present on two different devices: the downloadable content on the CDN and an executable/script on the victim’s host. Because of this, it is almost impossible to determine if a file has been altered via steganography to contain a malicious payload. It is, however, possible to correlate different components of a single attack from the available pieces: user reported content and files stored on the CDN network.

Bitdefender Antimalware SDK (software development kit) lets software developers build applications that can detect a wide range of malware.The Antimalware SDK is the core detection technology in Bitdefender products, representing the state of the art in threat mitigation, which is confirmed by the impressive number of awards received.

Besides its detection capabilities, the Antimalware SDK can leverage Bitdefender’s cloud services for grater efficacy. This feature allows it to tie in multi-component attacks. Bitdefender’s cloud-based security services supply an extensive set of antimalware detection methods and routines. A CDN-based security solution using the Antimalware SDK would thus leverage this vast knowledge base for improved prevention against cyber-attacks. We can equate deployment of the Antimalware SDK to being part of a huge virtual security solution with complete visibility across users’ devices and the CDN files and its systems.

From a technical standpoint, the Antimalware SDK scans any file or buffer supplied by the higher software levels. It has a modular architecture, allowing maximum customization for various environments and needs. Individual modules handle specific file formats such as binary executables, scripts, image files, archives, etc. Some modules work together and share information to build-up a scan context that allows it to tackle complex threats.The Antimalware SDK deployments come in multiple forms such as standalone, client-server or working together with other host or cloud-based security services.


Whether we like it or not, businesses and internet users must accept that navigating an online landscape of malware is an indisputable fact of the future. With more people than ever working online, some of them remotely with their personal devices and on public connections, it’s clear that proactive cybersecurity solutions are a must.

Unfortunately, most companies realize the high cost of dealing with malware only after experiencing a devastating attack. In an increasingly digital world, it’s essential that businesses and internet users alike take a proactive stance to protecting their business and their digital assets.