In addition to the updated list of "infected network blocks":http://blogs.stopbadware.org/articles/2008/08/25/top-infected-network-blocks-for-mid-august that we just posted, we also offer this list of the top 10 infected IP addresses:
|_.# of badware sites |_.IP address |_.AS block name |
|2778|72.14.207.191| GOOGLE – Google Inc.|
|1292|89.149.253.24| NETDIRECT AS NETDIRECT Frankfurt, DE|
|537|209.63.57.10| INTEGRATELECOM – Integra Telecom, Inc.|
|526|210.51.165.96| CNCNET-CN China Netcom Corp.|
|513|38.113.1.116| BIZLAND-SD – Endurance International Group, Inc.|
|502|221.195.42.71| CHINA169-BACKBONE CNCGROUP China169 Backbone|
|482|203.22.204.187| MZIMA – Mzima Networks, Inc.|
|383|213.193.4.11| LYCOS-EUROPE Lycos Europe GmbH|
|370|89.149.226.207| NETDIRECT AS NETDIRECT Frankfurt, DE|
|345|72.14.221.191| GOOGLE – Google Inc.|
Note: The AS block name does not always indicate the owner or operator of the infected servers on the listed IP address, and our publication of these data is intended to inform and educate, not to assign blame.
We see that most of the infections that show up in Google’s network block are from a single IP address that is associated with their Blogger network. As previously mentioned, this may indicate aggressive scanning and badware removal efforts more than it represents a threat to the public.
One positive story to come out of this latest round of stats is the response from Mzima Networks & Globat.com. Mzima forwarded our notification about the number of infections we’d observed on one of their IP addresses to the hosting provider, Globat, that leases the IP. The folks at Globat quickly called us up to ask what they could do to increase the security of their hosted sites. Globat had recently been the victim of a sophisticated hacking attack, and was already working hard to better secure their network. Our internal numbers from the past week indicate a marked drop in infections on the Mzima/Globat IP address.