More than half the sites spreading malicious code are hosted on Chinese networks, an anti-malware group says.
Of the over 213,000 malware-hosting sites analysed last month by Stopbadware.org — a joint effort of researchers at Harvard, Oxford and several corporations, including Google and Sun Microsystems — 52% were hosted by servers running Chinese IP addresses. Of the top 10 networks serving malicious code, six are Chinese.
The US hosts 21% of the malware sites, giving it the dubious honour of second place.
Stopbadware.org, which uses data collected by Google's crawlers, wouldn't speculate on what proportion of the sites, Chinese or otherwise, were deliberately hosting malicious code and what fraction were actually legitimate sites that have been hacked. But the dramatic year-to-year growth in the number of sites serving up malware is likely due to a boom in site hacking.
"It's hard to tell how much of the increase is due to Google expanding its efforts [in scanning for malicious sites] but by other reports and researchers, it's reasonable to say that the growing number is in large part due to the growth in [SQL injection] attacks," says Maxim Weinstein, the manager of Stopbadware.org.
With Google fingering only 45,000 to 50,000 sites last year, May's number is up more than 300%. "There's just a much larger number of infected sites out there," said Weinstein.
The number of hacked sites, most compromised through SQL injection attacks, has soared in 2008, with some estimates of the total number of hijacked legitimate pages reaching as high as three million. The problem has become so acute, said Microsoft yesterday, that it and Hewlett-Packard joined forces to launch free tools that site developers and administrators can use to search for vulnerable code and block incoming attacks.
And while Stopbadware.org had some success last year in getting some US-based networks to clean out malware-hosting sites, Weinstein doesn't sound as confident that the group can make the same progress with Chinese operators.
"It's a bigger challenge, to be sure," he acknowledges. "We don't understand the landscape nearly as well. We have attempted to contact all the Chinese networks, but we haven't always been successful. It's tougher when you start crossing national and cultural lines."
But Stopbadware.org's is still trying to contact network owners and convince them to shut down deliberate hosts and help legitimate sites eradicate malware that's made it onto their servers, Weinstein says. "We want to get these conversations going," he says. "We've shown that when the parties are willing to talk, the approach works. We hope to see the same sort of approach working in China."
Ironically, the US network with the largest number of sites spreading malware is Google itself, one of Stopbadware.org's prime sponsors and the source of the site data.
On Stopbadware.org's most recent top 10 list, Google ranked fourth, primarily because of the company's Blogger service, and hacked and/or malicious blogs hosted there, says the group. In March, Google held first place, although the number of infected sites hosted by its network was actually about 13% less than in May.
"We take malware blogs very seriously," Google said in a statement it sent to Stopbadware.org when the anti-malware organisation contacted the top 10 networks. The group posted the replies it received on its own blog.
"On a daily basis, malware blogs are created by bad guys, and subsequently detected and deleted by Google," continued Google's response. "Given that there are millions of active blogs in our network, 4,261 is just a very small percentage of the total blogs."