Top 10 Malware Sites

Wednesday, June 3, 2009 12:56 PM


A recent surge in compromised web servers has generated many interesting discussions in online forums and blogs. We thought we would join the conversation by sharing what we found to be the most popular malware sites in the last two months.

As we've discussed previously, we constantly scan our index for potentially dangerous sites. Our automated systems found more than 4,000 different sites that appeared to be set up for distributing malware by massively compromising popular web sites. Of these domains, more than 1,400 were hosted in the .cn TLD. Several contained plays on the name of Google, such as goooogleadsence.biz.

[Graph: top-10 malware sites, ranked by the number of compromised web sites referencing each, with arrows marking when each domain was first listed via the Safe Browsing API]
The graph shows the top-10 malware sites as counted by the number of compromised web sites that referenced them. All domains on the top-10 list are suspected to have compromised more than 10,000 web sites on the Internet. The graph also contains arrows indicating when these domains were first listed via the Safe Browsing API and flagged in our search results as potentially dangerous.

Other malware researchers reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which made it onto our top-10 list. For gumblar, we saw about 60,000 compromised sites; martuz peaked at slightly over 35,000 sites. Beladen.net was also reported to be part of a mass compromise, but made it only to position 124 on the list, with about 3,500 compromised sites.
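One way to reproduce the ranking described above (distinct compromised sites per referenced domain) and to flag the Google-lookalike names the post mentions, as an added example that is not code from this post or from Google's systems; the referrer records, the allowlist and the homoglyph folding rules are constructed assumptions:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (compromised_site, injected_script_url) pairs as a crawler
# might record them. Domain names mirror the post's examples; the counts are made up.
SAMPLE_REFERENCES = [
    ("shop-a.example", "http://gumblar.cn/rss/?id=1"),
    ("shop-b.example", "http://gumblar.cn/rss/?id=2"),
    ("blog-c.example", "http://gumblar.cn/rss/?id=3"),
    ("blog-d.example", "http://martuz.cn/vid/?id=4"),
    ("blog-d.example", "http://martuz.cn/vid/?id=5"),   # same site twice: counted once
    ("news-e.example", "http://martuz.cn/vid/?id=6"),
    ("forum-f.example", "http://goooogleadsence.biz/ad.js"),
    ("forum-g.example", "http://googleanalytlcs.net/ga.js"),
    ("wiki-h.example", "http://www.google-analytics.com/ga.js"),  # legitimate
]

BRAND_WORDS = ("google", "analytics")
ALLOWLIST = {"google.com", "google-analytics.com"}  # assumed known-good domains

def registrable_domain(hostname):
    """Last two labels of a hostname, e.g. 'google-analytics.com' (no public-suffix list here)."""
    return ".".join(hostname.lower().split(".")[-2:])

def normalize(text):
    """Fold common homoglyphs (l/1 -> i, 0 -> o) and collapse repeated letters,
    so 'goooogle' and 'googie' both reduce to the same form as 'google'."""
    folded = text.lower().translate(str.maketrans({"l": "i", "1": "i", "0": "o"}))
    return re.sub(r"(.)\1+", r"\1", folded)

def looks_like_brand(hostname):
    """True when the registrable label imitates a brand word after normalization."""
    domain = registrable_domain(hostname)
    if domain in ALLOWLIST:
        return False
    label = normalize(domain.split(".")[0])
    return any(normalize(word) in label for word in BRAND_WORDS)

def rank_referenced_domains(references):
    """Count, per referenced domain, how many distinct compromised sites point at it."""
    sites_by_domain = defaultdict(set)
    for site, url in references:
        sites_by_domain[registrable_domain(urlsplit(url).hostname)].add(site)
    return sorted(((d, len(s)) for d, s in sites_by_domain.items()),
                  key=lambda item: (-item[1], item[0]))

def top_malware_domains(references, n=10):
    """Top-n referenced domains, each annotated with whether it imitates a brand name."""
    return [(d, c, looks_like_brand(d)) for d, c in rank_referenced_domains(references)[:n]]

if __name__ == "__main__":
    for domain, count, lookalike in top_malware_domains(SAMPLE_REFERENCES):
        print(f"{count:>3}  {domain}{'  (brand lookalike)' if lookalike else ''}")
```

The allowlist stands in for the review process a real system would need, since a lookalike heuristic alone also matches the genuine google-analytics.com.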

To help make the Internet a safer place, our Safe Browsing API is freely available and is being used by browsers such as Firefox and Chrome to protect users on the web.

17 comments:

Loh Hon Chun said...

Looks like many are from China.
And also, one of them looks to have tried to use Google Analytics (phishing).

hongjun

Declare.James said...

Gumblar.cn was added to the Google Safe Browsing list on 4/27?
Would this also handle the obfuscated code?

Tips Experts For You said...

It's a really helpful blog and has good content.

James said...

A lot of not-so-net-savvy kids are searching for Friv to play games (http://www.google.com/trends?q=friv) but as Friv.com isn't indexed by Google (it is by Bing, Yahoo...?) they get links to malware. I quickly found these two links - the first on page 1, the second on page 2. Just first "-" in URL to check them. Please look into this Google!


m-ops.optus.nu/cheatscoce/guthef.html

i-bigpak.altervista.org/tyson-da46/ocrezderr.html

Alexis de Tocqueville said...

This comment has been removed by a blog administrator.

stephan said...

This comment has been removed by the author.

stephan said...

The Beladen mass compromise which we've been tracking at Websense is the final landing page after legit sites have been infected. The injected code first redirects users to googleanalytlcs.net (on the top 10) and then to a final landing page such as Beladen.

We expect beladen.net to be one of many sites to be used in this attack.

Attackers have already switched from sending users from googleanlytlcs.net to beladen.net to googleanalytlcs.net to shkarkimi.net.

http://securitylabs.websense.com/content/Alerts/3412.aspx

heinka said...

Thank you for this very interesting information! A pity that the Internet also has the negative side! Many greetings, heinka

GroundHogDog said...

If you were to publish a regularly updated service for top X Malware destinations, I would be most happy :)

Bilal said...

This comment has been removed by a blog administrator.

Ed said...

Why bother blocking just 10 sites? Block them all or maybe the top 100 or so. At least by blocking 100 you are blocking a bigger majority of malware out there than just 10.

Jan said...

If you want a long list, just download the free blacklist at http://urlblacklist.com/?sec=download

AK said...

There are plenty of tools available to block and report phishing sites. I am using the Netcraft toolbar http://toolbar.netcraft.com. It easily integrates into FF and IE.

Brian said...

Unfortunately, you cause software to block an entire root domain when just one subdomain, such as www.*.com, has been hacked. This is unacceptable and unnecessary because it can lead to a loss of millions of dollars for just one server being hacked (which shouldn't happen, but does on occasion). Furthermore, your review process takes too long. It should be instantaneous. You should be more targeted in your reporting of malicious sites, and have an instantaneous review process.

Billco said...

@Brian: If having your site flagged as unsafe by Google can lead to you losing "millions of dollars", you're in the wrong business and crying on the wrong shoulder. No site in the world makes millions of dollars a day from search traffic, not even the almighty Google.

One would also argue that if you had that sort of income stream, security would be a bigger responsibility for you, and ideally you'd find out about the breach before Google does. Or are you the type of businessman who cries to the government when the reality of your ineptitude tampers with your bottom line?

Andrés said...

New on the list: http://x9p.ru:8080/ts/in.cgi?pepsi118

My host provider gave me a solution, then a link to a Slashdot article.

The article's headline is: R.I.P FTP.

Crazy as a Life!

What about pepsi in the url.

Crazy

Jeremy said...

How can anyone do this? It's wrong and a disgrace.