Update on Sustained Infections at ThePlanet (Skenzo and Host Gator)

I’ve been working on my investigation of ThePlanet and have some new and interesting results.

Skenzo has some valid concerns. They monetize abandoned domain names and apparently inherited a bunch of abandoned badware URLs. When Google rescans a site on its badware list and finds that the contents have disappeared or changed dramatically, Google does not necessarily assume that the site is clean. In other words, someone who simply deletes the page and doesn’t request a review might stay on the list for a prolonged time. The logic, I guess, is that this prevents someone from simply deleting the page until they are cleared and then reinstating the previous content.

Skenzo did some investigating of their own with a list of URLs I provided them. They found the following:
* 635 URLs had not been visited by Google in the last 90 days
* 108 URLs Google had visited but did not find a suspicious page in the last 90 days
* 473 URLs marked as suspect in the last 90 days. These would have been flagged at the previous network, not on Skenzo’s infrastructure.

There are obvious issues with Skenzo’s situation. Skenzo doesn’t want the badware URLs in their monetization network anyway so I introduced Skenzo to the Google team in the hopes that Google will just send them updated lists for removal. So that may have a happy ending.

WebsiteWelcome is a whole other headache. Earlier I only ran the top 50 IP addresses from the infections in AS21844. This means I excluded the “tail” of the distribution. Usually the tail is made up of small websites with 1-5 infections on their IP address. However, what I didn’t realize at the time was that WebsiteWelcome is, quite literally, HostGator. I had assumed they were just a reseller, but they seem to be the private label name used by all HostGator resellers. So when I reran the entire list of infections in AS21844 through the RWhois server I got this result:

| Organization (per RWhois) | Infections |
| --- | --- |
| WebsiteWelcome | 8317 |
| Skenzo FZE | 2592 |
| No Orgname | 474 |
| Site5 LLC | 389 |
| SiteGround.com | 205 |

This means that of ThePlanet’s 20,000 infections, HostGator (under the WebsiteWelcome name alone) accounts for ~40% of them. Those infections are spread out across 2,800 IP addresses. That is a really large percentage considering many of the top malware network lists have ThePlanet at the top. Worse, I don’t have any way of making the list more granular. HostGator and I have been in touch via email, but they refuse to go on record. I continue to send them URLs, and as far as I can tell they are working on cleaning up these hosts.
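To show why cutting the analysis at the top N IP addresses hides a reseller label like WebsiteWelcome, here is an added example of the attribution step described above: infected URLs are counted per hosting IP, each IP is mapped to an organization, and the per-organization totals are compared with and without the tail. This is my own illustration, not the post’s data or tooling. The infection list and the RWhois answers are constructed in-line (documentation IP ranges, hypothetical organization names); a real run would replace `org_for` with an actual RWhois/WHOIS query.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for RWhois: network block -> organization name.
# Hypothetical blocks and names, chosen only so the example runs offline.
RWHOIS_BLOCKS = {
    "198.51.100.0/24": "Example Host A",          # a few busy IPs (the "head")
    "203.0.113.0/24": "Example Reseller Label",   # many small sites (the "tail")
}


def org_for(ip: str) -> str:
    """Map an IP to the organization that RWhois would report.

    'No Orgname' mirrors the label in the post for IPs with no usable record.
    """
    addr = ip_address(ip)
    for block, org in RWHOIS_BLOCKS.items():
        if addr in ip_network(block):
            return org
    return "No Orgname"


def build_sample() -> list[tuple[str, str]]:
    """Constructed (url, ip) infection records, not real badware data."""
    infections = []
    # Head: two IPs carrying ten infected URLs each.
    for ip in ("198.51.100.10", "198.51.100.11"):
        for n in range(10):
            infections.append((f"http://head-{ip}.example/bad{n}.html", ip))
    # Tail: fifteen IPs carrying one or two infected URLs each (22 in total).
    for i in range(15):
        ip = f"203.0.113.{i + 1}"
        for n in range(1 + i % 2):
            infections.append((f"http://tail{i}.example/x{n}.html", ip))
    # One IP with no RWhois record at all.
    infections.append(("http://orphan.example/y.html", "192.0.2.5"))
    return infections


def attribute(infections, top_n=None):
    """Count infections per organization.

    top_n=None uses every IP; top_n=K keeps only the K IPs with the most
    infections, which is the cut that silently drops the tail.
    Returns (infections per org, distinct IPs per org).
    """
    per_ip = Counter(ip for _, ip in infections)
    counts: Counter = Counter()
    ip_sets: dict[str, set] = defaultdict(set)
    for ip, n in per_ip.most_common(top_n):   # most_common(None) -> all IPs
        org = org_for(ip)
        counts[org] += n
        ip_sets[org].add(ip)
    return counts, {org: len(ips) for org, ips in ip_sets.items()}


def share(counts: Counter, org: str) -> float:
    """Fraction of all attributed infections belonging to one organization."""
    total = sum(counts.values())
    return counts[org] / total if total else 0.0


if __name__ == "__main__":
    data = build_sample()
    for label, top_n in (("top 2 IPs only", 2), ("all IPs", None)):
        counts, ip_counts = attribute(data, top_n)
        print(f"--- {label} ---")
        for org, n in counts.most_common():
            print(f"{org:24} {n:4} infections on {ip_counts[org]:3} IPs "
                  f"({share(counts, org):.0%})")
```

With the head-only cut the reseller label does not appear at all; over the full list it holds the majority of infections, spread across many more IPs than the head organization, which is exactly the pattern the post describes for WebsiteWelcome.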

[Update 4/27: Edited the part about Google's policy for improved accuracy.]
