A recent surge in compromised web servers has generated many interesting discussions in online forums and blogs. We thought we would join the conversation by sharing what we found to be the most popular malware sites in the last two months.
As we've discussed previously, we constantly scan our index for potentially dangerous sites. Our automated systems found more than 4,000 different sites that appeared to be set up for distributing malware by massively compromising popular web sites. Of these domains more than 1,400 were hosted in the .cn TLD. Several contained plays on the name of Google such as goooogleadsence.biz, etc.
The graph shows the top-10 malware sites as counted by the number of compromised web sites that referenced it. All domains on the top-10 list are suspected to have compromised more than 10,000 web sites on the Internet. The graph also contains arrows indicating when these domains where first listed via the Safe Browsing API and flagged in our search results as potentially dangerous.
Other malware researchers reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which made it on our top-10 list. For gumblar, we saw about 60,000 compromised sites; Martuz peaked at slightly over 35,000 sites. Beladen.net was also reported to be part of a mass compromise, but made it only to position 124 on the list with about 3,500 compromised sites.
To help make the Internet a safer place, our Safe Browsing API is freely available and is being used by browsers such as Firefox and Chrome to protect users on the web.
Looks like many are from China.
ReplyDeleteAnd also, one of them look to have tried to use Google Analytics (phishing).
hongjun
Gumblar.cn was added to the Google Safe Browsing list on 4/27?
ReplyDeleteWould this also handle the obfuscated code?
A lot of not-so-net-savvy kids are searching for Friv to play games (http://www.google.com/trends?q=friv) but as Friv.com isn't indexed by Google (it is by Bing, Yahoo...?) they get links to malware. I quickly found these two links - the first on page 1, the second on page 2. Just first "-" in URL to check them. Please look into this Google!
ReplyDeletem-ops.optus.nu/cheatscoce/guthef.html
i-bigpak.altervista.org/tyson-da46/ocrezderr.html
This comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteThe Beladen mass compromise which we've been tracking at Websense is the final landing page after legit sites have been infected. The injected code first redirects users to googleanalytlcs.net (on the top 10) and then to a final landing page such as Beladen.
ReplyDeleteWe expect beladen.net to be one of many sites to be used in this attack.
Attackers have already switched from sending users from googleanlytlcs.net to beladen.net to googleanalytlcs.net to shkarkimi.net
http://securitylabs.websense.com/content/Alerts/3412.aspx
Thank you for this very interesting information! A pity that the Internet also has the negative side! Many greetings, heinka
ReplyDeleteIf you were to publish a regularly updated service for top X Malware destinations, I would be most happy :)
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDeleteWhy bother blocking just 10 sites? Block them all or maybe the top 100 or so. At least by blocking 100 you are blocking a bigger majority of malware out there than just 10.
ReplyDeleteIf you want a long list, just download the free blacklist at http://urlblacklist.com/?sec=download
ReplyDeleteUnfortunately, you cause software to block an entire root domain when just one subdomain, such as www.*.com has been hacked. This is unacceptable and unecessary because it can lead to loss of millions of dollars for just one server being hacked (which shouldn't happen, but does on occasion). Furthermore, your review process takes too long. It should be instantaneous. You should be more targeted in your reporting of malicious sites, and have an instantaneous review process.
ReplyDelete@Brian: If having your site flagged as unsafe by Google can lead to you losing "millions of dollars", you're in the wrong business and crying on the wrong shoulder. No site in the world makes millions of dollars a day from search traffic, not even the almighty Google.
ReplyDeleteOne would also argue that if you had that sort of income stream, security would be a bigger responsibility for you, and ideally you'd find out about the breach before Google does. Or are you the type of businessman who cries to the government when the reality of your ineptitude tampers with your bottom line ?
New on the list: http://x9p.ru:8080/ts/in.cgi?pepsi118
ReplyDeleteMy host provider give me a solution, then a link to Slashdot article.
Te article Head Title is: R.I.P FTP.
Crazy as a Life!
What about pepsi in the url.
Crazy
How ca anyone do this? Its wrong and a disgrace.
ReplyDeletewhat a nice and the best kinds of the games platforms that’s why the most of the gamer are there to play and also to enjoy it the biggest kinds of the Friv games.
ReplyDeleteThank you for share this is such a very nice post i really like it your blog.
ReplyDeleteSecurity Audit