Prevalence in web infections

Posted by Oliver Day Tue, 02 Feb 2010 04:42:21 GMT

I’ve been very interested in applying epidemiology to the world of malware lately. Prevalence is quite simply the number of infected in a given population at a specific time. More specifically, it is the ratio of the infected to the number of those susceptible. When you look at the data we provide publicly, we show you the number of infections per IP address and per AS block. What we don’t show you, however, is the size of the networks that are infected.
This is something that is likely to change soon. I’m proposing that we start displaying the size of the network by summing up the total number of IP addresses under control of the AS, derived from its CIDR blocks. This would be fairly trivial for us to do but has some drawbacks. Firstly, CIDR blocks show the size of the network only in terms of how many IP addresses are grouped together. They say nothing of how many web servers exist in that range, or even how many of the IP addresses are active. This would be similar to saying there are 100,000 houses in zip code 02138 but not saying how many people live in those houses (if any at all). However, I’m convinced that knowing the number of IP addresses under the control of an AS block is important.
For instance, our page reporting on the top 50 AS blocks currently shows ThePlanet and Chinanet-Backbone in the number 1 and 2 positions, with ~16,000 and ~15,000 infections respectively. However, AS4134 (Chinanet) controls 70M IP addresses compared to only 1.5M for ThePlanet. The difference in those two numbers is staggering, and it tells me that the number of infections sustained at ThePlanet is abnormally high.
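As an added example (not StopBadware's code), the prevalence calculation the post proposes: AS size is the sum of its CIDR blocks, and prevalence is infections per million addresses. The AS names, infection counts and prefix lists are constructed placeholders, not real announcements; AS_A deliberately contains an overlapping prefix to show why blocks must be collapsed before summing.

```python
"""Infection prevalence per AS, normalised by address-space size (added example;
not StopBadware's code). Prefix lists and counts below are constructed sample
data, not real AS announcements."""
from ipaddress import ip_network, collapse_addresses

# Constructed sample: raw infection counts per AS and the CIDR blocks attributed
# to each. AS_A deliberately includes 10.0.0.0/16 inside 10.0.0.0/12: a naive
# sum of block sizes would count those 65,536 addresses twice.
INFECTIONS = {"AS_A": 16_000, "AS_B": 15_000, "AS_C": 900}
CIDRS = {
    "AS_A": ["10.0.0.0/12", "10.0.0.0/16", "10.16.0.0/13"],  # 1,572,864 unique
    "AS_B": ["100.64.0.0/10", "172.16.0.0/12"],             # 5,242,880
    "AS_C": ["198.18.0.0/15"],                               # 131,072
}


def as_size(cidrs):
    """Number of IPv4 addresses an AS controls: the CIDR blocks are collapsed
    (overlaps merged, adjacent aligned blocks joined) before summing, so an
    address announced under two prefixes is counted once."""
    nets = collapse_addresses([ip_network(c, strict=False) for c in cidrs])
    return sum(n.num_addresses for n in nets)


def prevalence(infected, size, per=1_000_000):
    """Infected hosts per `per` addresses in the susceptible population."""
    if size <= 0:
        raise ValueError("address space must be non-empty")
    return infected * per / size


def rank(infections, cidrs, by="prevalence"):
    """Rows of (asn, infections, size, prevalence per 1M), highest first,
    ordered either by raw infection count or by prevalence."""
    rows = []
    for asn, n in infections.items():
        size = as_size(cidrs[asn])
        rows.append((asn, n, size, prevalence(n, size)))
    key = 3 if by == "prevalence" else 1
    return sorted(rows, key=lambda r: r[key], reverse=True)


if __name__ == "__main__":
    # The raw ranking is A, B, C; normalised by network size it becomes A, C, B.
    for by in ("infections", "prevalence"):
        print(f"ranked by {by}:")
        for asn, n, size, p in rank(INFECTIONS, CIDRS, by):
            print(f"  {asn}: {n:>6} infections / {size:>9,} addrs = {p:8.1f} per 1M")
```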


October infected network stats

Posted by Maxim Weinstein Thu, 09 Oct 2008 18:51:27 GMT

In June we released "a report":http://www.stopbadware.org/home/badwebs with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. We released updates in "July":http://blogs.stopbadware.org/articles/2008/07/30/updated-infection-stats and "August":http://blog.stopbadware.org/2008/08/25/top-infected-network-blocks-for-mid-august. Here is another update from early October:

# of badware sites AS block name
35147 CHINANET-BACKBONE No.31,Jin-rong Street
9504 CHINA169-BACKBONE CNCGROUP China169 Backbone
6222 CHINANET-SH-AP China Telecom (Group)
4671 BIZLAND-SD – Endurance International Group, Inc.
4654 CNCNET-CN China Netcom Corp.
3302 THEPLANET-AS – ThePlanet.com Internet Services, Inc.
2460 CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
1632 SOFTLAYER – SoftLayer Technologies Inc.
1597 PAH-INC – GoDaddy.com, Inc.

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Compared to August, we see that Bizland/Endurance has dropped its number of infected sites by nearly 50%, though it still has several thousand, and Google and NetDirect are no longer on the list. GoDaddy is a newcomer to the list. I just got off the phone with the chief information security officer at GoDaddy, who let me know that they are using the list of infected URLs we provided them to notify customers, offer support in cleaning up the sites, identify the root cause of the infections, and develop proactive strategies for preventing and monitoring site compromises in the future.


StopBadware identifies hosting providers of largest numbers of sites in Badware Website Clearinghouse

Posted by Erica George Fri, 04 May 2007 17:12:19 GMT

StopBadware recently analyzed 49,296 sites which were submitted by trusted third parties to our Badware Website Clearinghouse. We identified five web hosting companies with the largest number of infected sites residing on their servers:

• iPowerWeb, Inc. (10,834)
• Layered Technologies (2,513)*
• ThePlanet.com Internet Services, Inc. (2,056)
• Internap Network Services (1,437)
• CHINANET Guangdong province network (786)

Many of the sites listed in the Clearinghouse as distributors of badware are otherwise innocent sites that have been hacked into by third parties. If a provider hosts a large number of sites that distribute badware, it’s possible that the provider has unaddressed security vulnerabilities that increase the likelihood of the sites the provider hosts being hacked.

iPowerWeb, one of the world’s largest hosting providers, hosts a startlingly high number of sites in the Clearinghouse. iPowerWeb’s homepage claims that the provider hosts over 700,000 sites; at 10,834, more than 1.5 percent of those can infect internet users with badware.

StopBadware spoke with some owners of websites in our Clearinghouse that are hosted by iPowerWeb. To iPowerWeb’s credit, many of their customers report that iPowerWeb personnel quickly located and removed the badware or badware-distributing code from their sites. Some customers complained, however, that iPowerWeb support personnel were unable to provide details about how the websites were compromised.

StopBadware encourages all web hosting providers to work proactively to stem the spread of badware on the internet. StopBadware co-director John Palfrey says, “Web hackers and badware distributors are constantly finding new ways to work around the safeguards that are put in place to protect consumers. Web hosting providers must do their part to stay ahead of the curve and help keep the websites they host safe from malicious attacks.”

You can read our full press release here. If you’d like to comment on this information, or share a story about your own experience of working with a web hosting provider to address a compromised site, please visit our discussion group.

* NOTE: Layered Technologies has informed us that it provides a style of web hosting known as self-managed hosting, in which its customers have full control over and responsibility for server management.
