Research on Malware Distribution


Among their conclusions are that the majority of malware distribution sites are hosted in China, and that 1.3% of Google searches return at least one link to a malicious site. The lead author, Niels Provos, wrote, ‘It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed.’

Draft paper, and some data.

Posted on February 26, 2008 at 6:23 AM • 5 Comments


beads February 26, 2008 12:19 PM

The easy answer is to simply null route much if not all traffic where you have no potential customers or clients. Mainly countries or ISPs who do not recognize their own abuse policies, etc.

If countries and ISPs are simply allowed to play the role of bad actors they should be shunned from the ‘Net in general. Don’t play nice? Don’t need to receive that traffic. Simple as that. I do not accept traffic from China and a number of “secured” European and South American countries and ISPs. It’s got to be a two way street.

Infosponge February 26, 2008 4:16 PM

Online security would be greatly increased if there was some organized way to shun organizations that refuse to play by the rules. A blacklist–along the lines of SORBS and company in the anti-spam world–of IP blocks used to host malware would be a very good first step.

Cutting off entire countries or areas without clients or customers, however, is a little extreme. Breaking routes on a geographic basis would amount to a balkanization of the internet and be a cure far worse than the disease.
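The two proposals in the comments above, a CIDR blocklist of malware-hosting ranges in the SORBS style and null-routing whole ranges, are simple to mechanise. The following is an added example written for this page, not code from the post or from either commenter: it parses a constructed blocklist, matches source addresses against it, builds the reversed-address query name a DNSBL lookup would use (without sending any DNS query), and emits the Linux blackhole routes that null-routing the listed ranges amounts to. The blocklist contents, sample addresses and the DNSBL zone name `malware.dnsbl.example` are all constructed placeholders, not real lists or hosts.

```python
"""Added example (not from the original post or the commenters): matching
source IPs against a CIDR blocklist of malware-hosting ranges and emitting
the corresponding null routes. The blocklist and sample addresses are
constructed (RFC 5737 / RFC 3849 documentation ranges); the DNSBL zone
name is a hypothetical placeholder, not a real list."""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample blocklist in a SORBS-like text format:
# one CIDR per line, optional "# reason" trailer, blank lines ignored.
SAMPLE_BLOCKLIST = """\
# constructed example list; documentation ranges, not real hosts
192.0.2.0/24      # malware distribution site cluster
198.51.100.128/25 # exploit kit landing pages
2001:db8:bad::/48 # IPv6 example range
"""

HYPOTHETICAL_DNSBL_ZONE = "malware.dnsbl.example"  # placeholder, assumption


def parse_blocklist(text: str) -> List[Network]:
    """Parse CIDR lines into network objects, skipping comments and blanks.
    A malformed line is skipped rather than aborting the whole load, so one
    bad entry in a shared list cannot silently disable all blocking."""
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set in the prefix (e.g. 10.1.2.3/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def lookup(ip: str, nets: List[Network]) -> Optional[str]:
    """Return the listed CIDR containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def dnsbl_query_name(ip: str, zone: str = HYPOTHETICAL_DNSBL_ZONE) -> str:
    """Build the name a DNSBL client would resolve: reversed IPv4 octets
    (or reversed IPv6 nibbles) followed by the zone. Only the name is
    built here; no DNS query is sent."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def null_route_commands(nets: List[Network]) -> List[str]:
    """iproute2 blackhole routes for each listed range, i.e. what null
    routing the traffic amounts to on a Linux router."""
    cmds = []
    for net in nets:
        family = "-6" if net.version == 6 else "-4"
        cmds.append(f"ip {family} route add blackhole {net}")
    return cmds


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    for sample in ("192.0.2.10", "198.51.100.5", "2001:db8:bad::1"):
        print(sample, "->", lookup(sample, blocked), dnsbl_query_name(sample))
    print("\n".join(null_route_commands(blocked)))
```

The blackhole routes drop packets to the listed ranges rather than from them, which is the direction a reverse lookup against a hosting blocklist protects; blocking inbound traffic from the same ranges is a firewall rule, not a route, and is the part the next comment argues should not be done by geography.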

Peter E Retep February 26, 2008 9:09 PM

Don’t worry.
Accidental identity mis-allocation is alive and well.
Pakistan’s Interior Ministry took YouTube off air for 2 hours World Wide [Webwise].

Joe Kakowski February 28, 2008 5:42 AM

“however, is a little extreme.” @No.2!

Extreme! What is so Extreme cutting off entire countries from your network? You know, I’m just some sideline guy who is not in the IT industry but common sense tells me the MORE work you need to do the more MONEY it costs. Blocking an entire NON CUSTOMER base leads me to believe I could focus my COSTLY time on other things instead of the billion people in China trying to hack my machine. For me, by blocking China, Russia, and the Ukraine, I have eliminated 99 percent of my problems.

Nicholas Jordan March 6, 2008 7:21 AM


There are tools already that use this approach, they get taken down by the money involved. I signed up for a workgroup on the matter ~ the only traffic I got from them was that the group had done no work and was therefore being archived.

If you go up against them, you will be rolling Cold-Rolled Cadavers at Cold Slab Bank.
