epidemic

Infections continue to plague ThePlanet

Posted on March 31, 2010 - 15:59 by zeroday

Earlier this month I started investigating the infections which continue to plague ThePlanet. As you can see in the chart I linked to they have sustained over 10,000 infections for several months now. In my research I found that many of these infections are not new and have been present on ThePlanet's network going back as far as September 2009.

I wrote some code that performs a simple intersection test on two lists. That is to say, if you have list A and list B, this program will tell you the number of items that exist in both lists. I used a list of infected URLs pulled from 3/1/2010 and compared it to lists of infected URLs going back to September 2009. Here are the results I found:
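The intersection test described above, written out as an added example (this is not the author's program and not StopBadware code). The URL lists and date labels below are constructed for illustration; the only thing the example adds beyond a raw set intersection is a normalization step, because two feeds frequently report the same page with different casing or a trailing slash, and without it the overlap is undercounted:

```python
from urllib.parse import urlsplit

# Constructed sample snapshots of "infected URL" lists, one per month.
# Hypothetical hosts under .test; no real infected sites are named here.
SNAPSHOT_2010_03 = [
    "http://example-a.test/index.php",
    "HTTP://EXAMPLE-B.test/",
    "http://example-c.test/login",
    "http://example-d.test/blog/",
]
SNAPSHOT_2010_02 = [
    "http://example-a.test/index.php",
    "http://example-b.test",          # same page as EXAMPLE-B.test/ above
    "http://example-e.test/x",
]
SNAPSHOT_2009_12 = [
    "http://example-a.test/index.php",
    "http://example-f.test/",
]


def normalize(url):
    """Canonical key for a reported URL: lower-cased host, path without a
    trailing slash, query string kept. Scheme and port are dropped because
    feeds disagree on them for the same page."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    key = host + path
    if parts.query:
        key += "?" + parts.query
    return key


def persistent_urls(list_a, list_b):
    """Sorted canonical URLs that appear in both lists (the list a hosting
    provider would actually need, not just the count)."""
    return sorted({normalize(u) for u in list_a} & {normalize(u) for u in list_b})


def intersection_count(list_a, list_b):
    """Number of distinct URLs present in both lists."""
    return len(persistent_urls(list_a, list_b))


def persistence_table(current, older_snapshots):
    """Compare the current list against each older snapshot.
    Returns {label: overlap count} so the decline over time reads directly."""
    return {
        label: intersection_count(current, older)
        for label, older in older_snapshots.items()
    }


def format_row(label_current, label_older, count):
    """Render one result line in the same form as the post's table."""
    return f"[{label_current} and {label_older}] = {count:,}"


if __name__ == "__main__":
    older = {"02/2010": SNAPSHOT_2010_02, "12/2009": SNAPSHOT_2009_12}
    for label, count in persistence_table(SNAPSHOT_2010_03, older).items():
        print(format_row("03/2010", label, count))
    print("still infected since 12/2009:",
          persistent_urls(SNAPSHOT_2010_03, SNAPSHOT_2009_12))
```

Without `normalize`, `HTTP://EXAMPLE-B.test/` and `http://example-b.test` would be counted as different sites and the 02/2010 overlap would come out one short; on lists of ten thousand entries that kind of drift is enough to hide a large share of the long-lived infections.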

[03/2010 and 02/2010] = 12,061
[03/2010 and 01/2010] = 10,417
[03/2010 and 12/2009] = 7,701
[03/2010 and 11/2009] = 6,129
[03/2010 and 10/2009] = 4,597
[03/2010 and 09/2009] = 4,506

This shows that roughly 12,000 infections that were reported on 2/1/2010 were still present a month later on 3/1/2010, that roughly 7,700 infections reported on 12/1/2009 were still present on 3/1/2010, and so on.

These are fairly disturbing statistics. What they seem to imply is that once these servers become infected they stay infected. I want to make clear that I am not implying that we have another "McColo situation". I do not believe that ThePlanet is a bulletproof host nor do I believe they are entirely aware of the duration of some of these infections.

I have tried to contact the abuse department staff of ThePlanet several times over email with these results. I went as far as emailing them directly and asking for their response on some private security mailing lists. If they are reading this now I hope they take us up on our offer to help. As with other infections of this magnitude StopBadware can help out by providing intelligence on where these infections are clustered. We can even provide the lists of hosts provided by our data partners directly to the hosting provider.