200,000 sites spreading web malware, China's hosting the most

200,000 sites spreading web malware, China's hosting the most

Summary: Yesterday, the Stopbadware.org initiative released a report entitled "May 2008 Badware Websites Report" summarizing the findings out of analyzing over 200,000 sites spreading malware.

TOPICS: Malware, Security

Yesterday, the Stopbadware.org initiative released a report entitled "May 2008 Badware Websites Report" summarizingBadware sites May 2008 the findings out of analyzing over 200,000 sites spreading malware. With recent data for malicious sites provided by Google's Safe Browsing diagnostic, Stopbadware.org also received responses from affected parties such as Google itself, The Planet, SoftLayer and iEurop. Here are more details on the methodology used, and who's who in hosting the most badware sites for May, 2008 :

Using data from Google’s Safe Browsing initiative, StopBadware.org analyzed over 200,000 websites found to engage in badware behavior. The analysis found that over half of the sites were based on Chinese network blocks, with a small number of blocks accounting for most of the infected sites in that country. The U.S. accounted for 21% of infected sites, and these were spread across a wide range of networks. Compared to last year, the total number of sites was much higher, likely due both to increased scanning efforts by Google and to increased use of websites as a vector of malware infection. Several U.S.-based network blocks that were heavily infected last year, including that of web hosting company iPowerWeb, whose network block topped last year’s list, no longer host large numbers of infected sites.

What's important to take into consideration when going through these stats, is that a great deal of networks hosting domain portfolios engaging in a countless number of malicious activities, would remain underreported due to the efforts them put into evading common detection approaches, the result of which is their current placement in the "Unknown" and "Other" categories. I was pleasantly surprised to see SoftLayer mentioned, in fact SoftLayer's response to the research at the first place, as if we are to play a game of associations the first things that come to my mind when I see SoftLayer are The Russian Business Network, InterCage, Inc., Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh, ISPs providing infrastructure to malware command and control interfaces and malicious domains used in the majority of malware embedded attacks during the entire 2007, and early 2008.

The report makes an important point, namely, that compared to the previous year the total number of sites found to engage in badware activities was much bigger, mostly because of the increasing use of sites as infection vectors, but also because of Google's increased scanning efforts.

Don't forget that these are only the detected sites spreading malware, and with the ongoing efforts by malicious parties to implement evasive tactics in order to fool client side honeypots crawling their malicious sites, the number of malware spreading sites is much higher. For instance, for the past couple of weeks I've been analyzing malicious doorways which when properly analyzed redirect to over 10 to 20 different malware serving domains, and given most of them are also used as redirectors, analyzing a single malicious doorway ends up with a portfolio of over a 100 malicious domains. So what? Basically, the ongoing collaboration between blackhat search engine optimizers and malware authors, results in the malware authors getting empowered with know-how on cloaking their malicious doorways from search engine crawlers, and it's these search engine crawlers who make it possible for client side honeypots to verify whether or not a site is malicious or not. The doorway would serve legitimate content to a potentially identified search engine's crawler or even a client side honeypot, but would reveal it's real ugliness to the average Internet user.

Anyway, what's more disturbing at the bottom line - the fact that legitimate sites are starting to host most of the web malware these days, ruining the stereotype of "don't visit unknown sites or you risk getting infected with something", or the fact that we are not emphasizing on the average time it takes to shut down such a site at the first place, but are always curious where are they hosted geographically?

Consider going through the report, it's well worth it.

Topics: Malware, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I say we just cut China's segment off...

    Until the Chinese government seems to give a damn about poision food, poison web sites and rampant piracy, I say we just cut them off at the knee's.

    We don't need this crap.
    • I agree, China has NOTHING I need or want.

      I see no reason to allow China to even be connected to the internet myself. My bet is that if you cut them off they would suddenly start policing things much more.
      • yes, but...

        Yes, but the internet helps move countries towards democratic reform. So be sure to factor that into the equation.

        • yes, but...is that a joke or what?

          Couldn't tell whether 'gary' was pulling our collective leg or not. Would love to see any real stats that prove that nonsense. There's even an argument to be made that it hasn't moved the US that way!
          • RE: yes, but...is that a joke or what?

            You're absolutely right. It's a difficult assertion to prove. But clearly the Chinese are going online in a BIG way. And they are more informed about the world than ever before, despite the censorship. And an informed public is generally the bain of dictatorships. But of course only time will tell.

            As for the US, people tend to be more informed about the next top model or idol than they do politics. As a citizen I find that very frustrating. But I don't think the internet is moving us in the wrong direction. To the contrary it's giving us new ways to be informed. And again, only time will tell.

            But I'm sticking with my gut on this one...the internet is good for democracy.

      • If you think China has nothing you want . . .

        Try going 60 days without buying anything made in China. I agree with your greater point. By the way, I bought some lead from China the other day and found a toy in it. ;-)
    • Firewall China Network Blocks

      While I can't go without Chinese products in my daily life, on the web, at work, we're about to Firewall out all Chinese IP addresses.

      If someone has a link/list to all of the IP's for China, please post it.

      Of nearly 30 major attacks an hour we monitor, 1 in 3 are from China, with ChinaNET and CNCGroup being the main sources.

      The only upside is that the Chinese based attacks so far have lacked sophistication - brute force Ping Sweeps and Port Scans.

      20% of our attacks originate from Russia, often by way of a Netherlands based paid hosting site. These are the worst of the malware, with a rising trend in malware running in RAM that on reboot, or AV update can't be detected, but ceases it's activity.

      I don't get warm and fuzzies when I can't find and block the root cuase.
      • RE: Firewall....

        Want to block parts of the internet??

        Try this site:


        It lists the IP addresses assigned to each country.
        • List of IP addys for each country interesting

          An interesting read, indeed. U. S. A. filesize is 549.77 Kb. China's file is a mere 16.49 Kb. Even Canada's file is larger than China's, at 89.52 Kb.

          What does this mean? I would say that, at first blush, no one can rationally make the claim that keeping China connected to the internet is having much of an effect one way or another. Further consideration, with comparison to the report on where the Chinese malware is coming from indicates that most IP's in China are permitting this behavior. In fact, it appears to me (not that I had time to go into much depth) that many of the IPs are directly related to the government, and they may well be the source of many attacks.

          Cut them off. Their connection to the internet is counterproductive.
          • What attacks from China? People need to learn to read

            Malware sites are not attacks, but on the contrary, they are the sites attacked by malware. If those sites are government sites, that just means their government sites are attacked by malwares most (not a surprise)

            Also I don't understand all those "cut China off" and "I don't need anything from China" rubbish. They are sites infected by malware, which means, if you really don't need anything from China, then you won't visit any sites in China, then you are safe from those malware sites in China.

            If someone is so stupid to go visit a bad malware site in China to get himself infected, then it's this idiot guy that's need to be cut off from the Internet, not the sites in China.

            The only counterproductive thing is some stupid guy browsing for porn sites hosted in China and getting infected by malware, not China's connection to the internet. Actually since China currently is the country with most active internet users in the world, its connection to the internet is VERY productive to those companies making profit from online ads, for example Google.
  • Just a guess

    I would suspect that most of the china sites are owned by American spammers,malware owners.
  • I am seeing a rampant uptick in spyware this week...

    Users coming from everywhere with zlob infections. Many are new strains and even SmitFraudFix isn't working.
  • Like roaches...

    For every one you see, there are a hundred you don't. Let's be ultra-conservative and assume it's only a 10-1 ratio of seen versus unseen boxes serving up malware. That puts the number at around 2 million. All this is good information, but not really useful since nobody is talking about what to do about it. Identifying problems is a critical step in solving problems, but it is only a step. It's pretty clear that nobody is genuinely serious about solving this particular problem. The technology companies seem to always have the same point of view as our government...never look back in any sort of meaningful way. Looking back continues to be the sole domain of vilifiers and excuse makers. Looking backwards to learn from mistakes or to figure out how to fix problems is truly a lost art.
  • a solution

    If all the efforts of Microsoft, security vendors, and the like have us going in the OPPOSITE direction, perhaps it's time to rethink the situation. Give up the notion that you can fight software with software. Use hardware to protect the system. I can safely say that I have NO INTENTION of installing any software today, so I will leave the "allow installations" switch in the OFF position. That's how it needs to work.

  • China also ranks #1 in software piracy

    You know which country has the highest adoption rate of Microsoft software? China, b/c they can download everything illegally, use it WITHOUT SPENDING A DIME. You want Windows, Office, Adobe, anti-virus, media playing / editing software or development env like Windows Server, Sql Server, Visual Studio etc? Just run a BitTorrent and get them all for free. No copy right protection, no legislation, no law enforcement, no nothing.
    • China is NOT #1 in software piracy

      I bet you never heard of any country with prevalent software piracy other than China. Thanks to the biased China-bashing Western media. Well, China is not clean, but just like other countries. Why is China always singled out? Here you go:
      "Piracy was most prevalent in Armenia, Bangladesh and Azerbaijan, where more than 90 percent of PCs had unlicensed software. "
      • 5% in China > 90% in Bangladesh?

        Maybe because 5% in China is larger than 90% in Bangladesh?
        • Only percentage or per capita is fair

          The larger the population, the more of a lot of things, good or bad. It is only fair to compare by percentage or per capita.
    • Sofware makers CREATE the piracy!

      People in China make $30-100 a month, students less than that if anything at all. However, software is MORE expensive in China than in the USA! (Same with other poor countries) What would you do? It is the same issue with the DVD movies - Will you spend a week's or a month's wages to buy a DVD while you are starving?

      McDonald's is smart enough to adjust their prices in each country to reflect the median income - the software vendors MUST do the same thing.

      I travel to Asia often and I can tell you that the Chinese people would PREFER to have the real thing in software, watches, shoes, etc. but simply cannot afford them. They have no choice but to buy pirate copies.

      Companies cry about how much they are losing - so why not sell their products at a reasonable price people and afford? Better to make $2 than nothing. However, they are just too greedy to back off their pricing and therefore they force the pirate market to flourish.

      I heard that Warner's has seen this light and is now selling DVDs in China at $5 - finally. When the rest go along with this, the piracy will vanish.
      • Entitlement

        If you cannot afford it, you don't get it. Why do people think they are entitled to DVDs, software and everything else? I cannot afford a BMW. That does not justify my stealing it.