StopBadware Cites Malware's China Syndrome

By Matthew Hines  |  Posted 2008-06-26

The smaht folks at StopBadware--the anti-malware/adware team backed by Harvard Law School's Berkman Center for Internet & Society--published some interesting stats earlier this week that highlight the growing use of Chinese Net infrastructure in the proliferation of unwanted software over the Web.

The use of Chinese servers and ISPs in the distribution of badware (defined by the Hahvahd gang as any program transferred onto users' computers either illicitly or under false pretenses) has been a growing problem for the last few years, but apparently it has really taken off over the last year.

It's worth noting that just because the servers hosting the infected sites are based in China, that doesn't mean that the badware programs being distributed were created there. The big problem would appear to be a lack of sufficient regulation of Chinese ISPs (which is kind of funny when you consider how effectively the Chinese Government appears to clamp down on a lot of activities it sees as unlawful ... including unfettered Internet access for its citizens).

Using data garnered via its partnership with Google, StopBadware said it analyzed over 200,000 Web sites dropping infections or adware over the last 12 months. The researchers subsequently found that over 50 percent of the sites they examined were based on "Chinese network blocks," with a relatively small range of hosts accounting for most of the infected sites.

By comparison, U.S. networks accounted for 21 percent of the infected sites and were spread across a wide range of networks.

Compared with the group's 2007 estimates, the sheer volume of badware-spreading sites was much higher in 2008, a result the researchers said was likely due "both to increased scanning efforts by Google and to increased use of websites as a vector of malware infection."

Kudos to the StopBadware gang for highlighting Google's role in the whole ecosystem effect (not that it's really Google's fault) despite its support from the search giant; that's pretty dang objective and non-self-serving. But again, Google is just a tool in this case, not necessarily a direct contributor to the problem, though some believe the search giant could do more to cleanse its results and hosted pages.

StopBadware reported that at least one of the U.S.-based networks that was hosting a lot of infected URLs in 2007, iPowerWeb--which was actually the leading center of such activity in the year-ago report--has responded to pleas to better police its customers and significantly reduced its role in the distribution of unwanted programs. Credit due to iPowerWeb as well.

Other U.S. hosts have also upped their efforts to reduce the numbers of infected sites they support, StopBadware said.

With help from Team Cymru--another neato gang of anti-malware researchers, whose logo is also present on one of the most badass racecars you will ever see--StopBadware said that it specifically scanned some 213,575 dirty sites in generating its results.

With 52 percent of the identified badware sites, China accounted for far more of the sites than any other country. Other than the United States, no other country hosted more than 4 percent of the world's badware sites, though a total of 106 countries hosted at least one infected site and 38 countries hosted at least 100, the group reported.

Russia does, however, average 307 badware sites per million Net users, placing it between China (689) and the United States (212).

In addition to being used as a tool by badware distributors, the researchers also identified Google as the owner of the fifth largest number of network blocks hosting infected URLs, behind only four Chinese providers.

The network blocks and their owners play different roles in the Internet ecosystem. Google uses its network to provide hosted blogs, indicating that the company has direct control over the infected servers, the researchers said.

However, unlike its Chinese counterparts, "Google reportedly disables infected blog sites as its systems detect badware behavior," the report contends. "Google tells StopBadware that when a blogger site is identified as badware by their Safe Browsing initiative, the site is immediately reported to Google's blogger group and the site is disabled. However, the URL for the site remains listed as badware until the Safe Browsing systems rescan the site, which means that there is a lag from the time the site is rendered harmless to the time at which it no longer appears in the data used by for analysis."

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog.
