Posted by Maxim Weinstein
Mon, 25 Aug 2008 14:30:03 GMT
In June we released a report with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. In July, we released an update. Here is another update from mid-August:
| # of badware sites | AS block name |
| --- | --- |
| 28520 | CHINANET-BACKBONE No.31,Jin-rong Street |
| 8743 | BIZLAND-SD – Endurance International Group, Inc. |
| 8043 | CHINA169-BACKBONE CNCGROUP China169 Backbone |
| 5452 | CHINANET-SH-AP China Telecom (Group) |
| 3961 | CNCNET-CN China Netcom Corp. |
| 3464 | THEPLANET-AS – ThePlanet.com Internet Services, Inc. |
| 3182 | GOOGLE – Google Inc. |
| 2219 | NETDIRECT AS NETDIRECT Frankfurt, DE |
| 1896 | CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation |
| 1685 | SOFTLAYER – SoftLayer Technologies Inc. |
Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.
Not too many changes from last month. AOL is no longer on the list, apparently following through on their commitment to address the issue that landed them on last month’s list. Google reappears with a few thousand infected sites from their Blogger network, which, as previously mentioned, may be more indicative of aggressive scanning and badware removal than it is of a threat to the public. Endurance is still high up on the list, though with several thousand fewer infected sites than our last update.
See also our updated list of top infected IP addresses.
Posted in all | Tags aol, asn, endurance, Google, stats, stopbadware
Posted by Maxim Weinstein
Wed, 30 Jul 2008 19:20:12 GMT
In June we released a report with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. Here are updated numbers from early July:
| # of badware sites | AS block name |
| --- | --- |
| 26792 | CHINANET-BACKBONE No.31,Jin-rong Street |
| 13250 | BIZLAND-SD – Endurance International Group, Inc. |
| 8582 | CHINA169-BACKBONE CNCGROUP China169 Backbone |
| 5311 | CHINANET-SH-AP China Telecom (Group) |
| 5203 | AOL-ATDN – AOL Transit Data Network |
| 3845 | CNCNET-CN China Netcom Corp. |
| 2544 | CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation |
| 2525 | THEPLANET-AS – ThePlanet.com Internet Services, Inc. |
| 1865 | SOFTLAYER – SoftLayer Technologies Inc. |
| 1348 | CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation |
Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.
Overall, the numbers have decreased significantly as a result of Google more aggressively scanning previously-flagged sites and removing stale entries. A few other notable changes:
- Google is no longer on the top 10 list, probably as a result of more aggressive rescanning of their own sites after they have been cleaned.
- Also dropping from the top 10 are European web hosting company iEurop and Chinese network provider Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
- New on the list is AOL, a StopBadware.org partner. Most or all of the infected sites are from their Hometown service, which offers free blogging and web hosting. (Like Google’s Blogspot, free accounts on Hometown are targeted by spammers and other bad actors as a means to create bogus websites containing or linking to badware.) AOL tells us that they are taking quick action against the sites and the user accounts involved.
- Also new on the list is Endurance International Group. (Endurance is now the parent company of iPowerWeb, which led our list over a year ago.) Endurance told us that as soon as they received notice from us about these infections, they identified thousands of malware redirects on their customers’ sites and took action, including removing the redirects, notifying the customers, and forcing the users to reset their passwords. They also took steps to look for and respond proactively to similar malware in the future.
Posted in all | Tags aol, endurance, Google, stats, stopbadware
Posted by Maxim Weinstein
Mon, 09 Jun 2008 12:14:56 GMT
About a month ago, I blogged about a hosting company called Byet Internet Services:
A few days ago, the team at Byet Internet Services contacted us. It seems they came across our list of the top 10 infected IP addresses from March and saw one of their addresses listed. It turns out this is an IP address they use for offering free web hosting, so it is not unusual for bad players to set up accounts for hosting malware. Byet says that they have a variety of technologies that they have developed to try to detect and block these malicious sites, so they asked us for the list of the URLs found on that IP address so they can investigate and update their systems to prevent these problems from continuing and recurring.
I’m happy to report that, a month later, when Byet asked us for updated data, there was only a single bad site in the Clearinghouse associated with that IP address. Furthermore, Byet tells me that the one bad site had already been automatically detected and disabled. This is a great example of how multiple organizations (Google, StopBadware, Byet) worked together, each using their respective strengths, to protect users from badware.
Posted in all | Tags byet, Google, stopbadware
Posted by Erica George
Wed, 21 May 2008 19:07:18 GMT
Google has rolled out a new resource for owners of compromised websites that it flags as potentially dangerous in its search results.
Google Diagnostics shows information about malware and malware-distributing behaviors that Google has observed on the site within the past 90 days.
We’re already hearing from website owners and the volunteers in our discussion group that the new diagnostics pages are helpful in discovering problems with a site. We’d like to applaud Google for taking this step in greater transparency. This new resource should help website owners in cleaning and securing their sites faster, which will help protect even more internet users.
You can see an example diagnostics page here.
Posted in all | Tags Google, hacking, resources, webmasters, websites
Posted by Maxim Weinstein
Wed, 07 May 2008 13:17:21 GMT
A few days ago, the team at Byet Internet Services contacted us. It seems they came across our list of the top 10 infected IP addresses from March and saw one of their addresses listed. It turns out this is an IP address they use for offering free web hosting, so it is not unusual for bad players to set up accounts for hosting malware. Byet says that they have a variety of technologies that they have developed to try to detect and block these malicious sites, so they asked us for the list of the URLs found on that IP address so they can investigate and update their systems to prevent these problems from continuing and recurring.
I know very little about Byet, other than that Craig, who contacted me, seemed very pleasant and had an enviable British accent. But the fact that they saw an indication of a security lapse and took action to gather more data and try to do something about it is a positive sign. They also asked if they can receive updated data next month, to ensure that their new measures are working. It would be great to see all web hosting companies giving this type of attention to preventing drive-by downloads.
I also want to acknowledge the Safe Browsing folks at Google, who allow us to share a bit of their data in situations like this to enable hosting providers to secure their systems, thereby protecting Internet users.
[Update 5/8] About 24 hours after we sent them the requested data, I received a follow-up from Byet indicating that they suspended all of the infected accounts and updated their security measures to make it more difficult for similar attacks to be launched from their system.
Posted in all | Tags byet, Google, stopbadware