In June we released "a report":http://www.stopbadware.org/home/badwebs with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. We released updated in "July":http://blogs.stopbadware.org/articles/2008/07/30/updated-infection-stats and "August":http://blog.stopbadware.org/2008/08/25/top-infected-network-blocks-for-mid-august. Here is another update from early October:

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Compared to August, we see that Bizland/Endurance has dropped its number of infected sites by nearly 50%, though it still has several thousand, and Google and NetDirect are no longer on the list. GoDaddy is a newcomer to the list. I just got off the phone with the chief information security officer at GoDaddy, who let me know that they are using the list of infected URLs we provided them to notify customers, offer support in cleaning up the sites, identify the root cause of the infections, and develop proactive strategies for preventing and monitoring site compromises in the future.

In addition to the updated list of infected network blocks that we just posted, we also offer this list of the top 10 infected IP addresses:

Note: The AS block name does not always indicate the owner or operator of the infected servers on the listed IP address, and our publication of these data is intended to inform and educate, not to assign blame.

We see that most of the infections that show up in Google’s network block are from a single IP address that is associated with their Blogger network. As previously mentioned, this may indicate aggressive scanning and badware removal efforts more than it represents a threat to the public.

One positive story to come out of this latest round of stats is the response from Mzima Networks & Globat.com. Mzima forwarded our notification about the number of infections we’d observed on one of their IP addresses to the hosting provider, Globat, that leases the IP. The folks at Globat quickly called us up to ask what they could do to increase the security of their hosted sites. Globat had recently been the victim of a sophisticated hacking attack, and was already working hard to better secure their network. Our internal numbers from the past week indicate a marked drop in infections on the Mzima/Globat IP address.

In June we released a report with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. In July, we released an udpate. Here is another update from mid-August:

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Not too many changes from last month. AOL is no longer on the list, apparently following through on their commitment to address the issue that landed them on last month’s list. Google reappears with a few thousand infected sites from their Blogger network, which, as previously mentioned, may be more indicative of aggressive scanning and badware removal than it is of threat to the public. Endurance is still high up on the list, though with several thousand fewer infected sites than our last update.

See also our updated list of top infected IP addresses.

In June we released a report with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. Here are updated numbers from early July:

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Overall, the numbers have decreased significantly as a result of Google more aggressively scanning previously-flagged sites and removing stale entries. A few other notable changes:

• Google is no longer on the top 10 list, probably as a result of more aggressive rescanning of their own sites after they have been cleaned.
• Also dropping from the top 10 are European web hosting company iEurop and Chinese network provider Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
• New on the list is AOL, a StopBadware.org partner. Most or all of the infected sites are from their Hometown service, which offers free blogging and web hosting. (Like Google’s Blogspot, free accounts on Hometown are targeted by spammers and other bad actors as a means to create bogus websites containing or linking to badware.) AOL tells us that they are taking quick action against the sites and the user accounts involved.
• Also new on the list is Endurance International Group. (Endurance is now the parent company of iPowerWeb, which led our list over a year ago.) Endurance told us that as soon as they received notice from us about these infections, they identified thousands of malware redirects on their customers’ sites and took action, including removing the redirects, notifying the customers, and forcing the users to reset their passwords. They also took steps to look for and respond proactively to similar malware in the future.

A new report [pdf] from Commtouch, an e-mail security vendor, indicates that “zombies” (PCs infected with bots that send spam and malware) are geographically much more dispersed than we found infected websites to be. Turkey led the world by a small margin, with 11% of the ten million zombie IP addresses analyzed, while the U.S. was in 9th place with 4.3%.

Not mentioned in the report is that some of the countries near the top of the list, including Turkey, Germany, and Poland, must have very high “zombies per Internet user” rates, as these countries have far fewer users, yet more total zombies, than the U.S. Perhaps all the work that has been done here at home in the last few years to educate users about PC security is having some effect. Still a long way to go, though, if we have 4+ million zombies in the country.