Google Blogspot Infections

Posted by Oliver Day Tue, 02 Mar 2010 20:26:55 GMT

It is unusual to see Google’s AS block listed on our Top Infected Networks page for so long. Generally the infections are not the result of blogs being attacked and successfully infected, but rather of fake accounts being set up en masse on the free blogging service and filled with links to malware. The cycle we are used to seeing is a surge of attacks followed by some tweak of the registration system to prevent attackers from setting up fake accounts.
It is also worth noting that the detection of infected blogs on the Google-owned service is particularly high since the scanning takes place at a higher frequency. I started to dig into these infections a little deeper and started comparing lists of URLs from different dates going back to December of last year. In each case the intersection (or overlap) was nearly zero. That is to say, the lists of infected URLs are almost entirely new URLs for each sample. This would suggest that attackers have figured out how to continue to bypass the registration system and are registering new blogs as fast as Google can take them down. Maybe a little faster.
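The overlap comparison described above can be sketched as follows. This is an added example, not code from the original post: the snapshot dates, the `.example` hostnames and the choice to compare at blog-hostname level rather than full URL are all assumptions made for illustration.

```python
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample data: snapshot date -> URLs flagged on that date.
SNAPSHOTS = {
    "2009-12-01": [
        "http://blog-a.hosting.example/2009/11/post.html",
        "http://blog-b.hosting.example/",
        "http://blog-c.hosting.example/p/links.html",
    ],
    "2010-01-15": [
        "http://BLOG-B.hosting.example/2010/01/new.html",
        "http://blog-d.hosting.example/",
        "http://blog-e.hosting.example/",
    ],
    "2010-03-01": [
        "http://blog-f.hosting.example/",
        "http://blog-g.hosting.example/a.html",
        "http://blog-h.hosting.example/",
    ],
}

def blog_key(url):
    """Reduce a URL to its lowercase hostname so each blog counts once."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    return (host or "").rstrip(".")

def overlap(a, b):
    """Return (shared blogs, Jaccard index) for two URL lists."""
    sa = {blog_key(u) for u in a} - {""}
    sb = {blog_key(u) for u in b} - {""}
    shared, union = sa & sb, sa | sb
    return shared, (len(shared) / len(union) if union else 0.0)

def churn_report(snapshots):
    """Pairwise overlap between every two snapshot dates."""
    report = {}
    for d1, d2 in combinations(sorted(snapshots), 2):
        shared, jaccard = overlap(snapshots[d1], snapshots[d2])
        report[(d1, d2)] = (sorted(shared), round(jaccard, 3))
    return report

if __name__ == "__main__":
    for pair, (shared, j) in churn_report(SNAPSHOTS).items():
        print(pair, "shared:", shared, "jaccard:", j)
```

A Jaccard index near zero across every pair of dates is the pattern the post describes: almost no flagged blog survives from one sample to the next.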
If you look at the curve of the infections it is pretty obvious the attackers have been gaining a lot of ground: from only 1,000 infections in November 2009 to nearly 8,500 by year's end. There was a short reprieve followed by a sudden and nonstop surge since the start of 2010. I hope to do some content analysis in the future and determine what the attackers are uploading to these blogs. This is a developing story so stay tuned.

[DISCLAIMER: Google is a data partner and generous sponsor of StopBadware. I am doing my best not to sugarcoat this story and to treat Google the same as I would any other victim of attackers on the Internet.]
