Report: China Hosts Most Malware-Infected Sites

StopBadware.org report shines new light on where the world's malware-ridden sites reside

Dark Reading logo in a gray background | Dark Reading

More than half of the infected Websites on the Internet today are located on servers in China, according to a newly released report by nonprofit StopBadware.org. And six of the top ten network blocks hosting malware-ridden sites reside in China as well, the report says.

StopBadware.org, an organization made up of academia and technology and backed by Google, PayPal, Lenovo, AOL, Trend Micro, and VeriSign to protect users from malware threats, found that 52 percent of the over 200,000 infected Websites it analyzed in late May were hosted by Chinese networks. Another 21 percent were U.S.-based.

China also has an infection rate of more than three times the world average, according to Stopbadware.org.

“We’ve been seeing this trend over the last six to nine months: China has really been emerging as a popular place to host infected sites,” says Maxim Weinstein, manager of StopBadware.org. “What’s less clear is why that’s the case.”

The data was gathered by Google’s Safe Browsing team, and included sites that were detected by Google as containing malware. “There were a lot of drive by downloads and other malware hosted or directly linked from the [infected] site,” Weinstein says. “Another popular payload was information-stealing Trojans” on sites.

StopBadware’s new report is a major departure from its report a year ago, when the U.S. was the main culprit for hosting malware-infested Websites. “At the time, China was not nearly as large a factor. Of the top five network blocks [in 2007], four were U.S.-based,” Weinstein says. The main offender back then was U.S. firm iPower, which had 10,000 infected sites -- versus this year, where China’s No. 1 network offender CHINANET-BACKBONE has nearly 50,000 infected sites in its network block.

Google was No. 5 in the top 10 most infected network blocks (4,261), a dubious distinction the search engine giant attributes mainly to its blog hosting services. “On a daily basis, malware blogs are created by bad guys, and subsequently detected and deleted by Google. The 4,261 figure represents some of the malware blogs we delete over a 30 day period,” Google officials said in a response to Stopbadware.org. “Given that there are millions of active blogs in our network, 4,261 is just a very small percentage of the total blogs.”

U.S.-based Web hosting service provider SoftLayer Technologies has 3,507 infected sites, and ThePlanet.com Internet Services, also in the U.S., has 3,507 malicious sites.

Weinstein expects the report to help the providers clean up their acts. But it’s tough to say whether it will have any impact on the main offenders in China: Only one of the listed Chinese firms responded to StopBadware.org when it reached out to the organizations it found in the study, and the email from the firm contained garbled characters that were unreadable. “One of our big goals is to try to reach folks at these companies as well as at companies doing business in China that may be able to help,” Weinstein says. “Our M.O. is trying to open the dialog with various parties, because the more we talk and share information, the more people will move forward.”

StopBadware.org also noted in its report that the data from Google’s scans is probably not comprehensive since Google focuses on specific malware traits in its scans, and because some sites are scanned “more aggressively.” Even so, it maintains that it’s confident that the data is “representative of the overall web ecosystem.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights