stats

New badware stats page

Fairly often, a reporter, a partner, or another contact asks us for statistics about badware: how many bad websites exist, how many computers get infected each day, what users understand about the threat, etc. These are complex questions to answer, and StopBadware does not always have the information or time to answer them. We do, however, frequently come across useful and interesting stats in third-party reports. I've been cataloging these for quite a while, and I've even shared some highlights on occasion. Since our new website, unlike the old one, allows us to update content without employing a map, a flashlight, and a team of Sherpas, we figured we'd go ahead and make our catalog of interesting stats a regular feature of the site.

We continue working to collect, publish, and analyze data that we believe will illuminate the problem of badware on the Web. Meanwhile, we hope that our aggregation of third-party stats will be a useful resource for the community.

If you come across stats that you think would make a good addition to the page (criteria include relevance, quality of source, and a public link to the citation), please email or tweet them to us.

Where's the badware?

Over at social shopping site StyleFeeder, Philip Jacob posted some stats about the geographic origins of spammy accounts. It turns out that the majority of the spam accounts created on StyleFeeder come from IP addresses in India.
This reminded me that we hadn't posted a breakdown of badware websites by country in quite some time. So, without further ado, here's the updated pie chart:

Probably the most remarkable thing about the update is how similar it is to the one we included in our report last summer (PDF). China's share has come down just a bit, from 52% to 48% of the world's share of badware sites, but otherwise the top countries are holding pretty steady. It will be interesting to watch over time to see if China's adjustment is the start of a trend or just a statistical blip.
It's interesting to note that, while StyleFeeder's spam seems to come from client PCs in India, there are relatively few badware-delivering websites in that country. This could be a reflection of security-savvy web hosting providers in India or perhaps a relatively low rate of new sites being created by individuals and small businesses in that country.
Also interesting is the commentary that follows Mr. Jacob's stats, in which he muses on the challenge of how to address the spam problem effectively without overblocking. I encourage you to read his entire post.

October infected network stats

In June we released a report (http://www.stopbadware.org/home/badwebs) with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. We released updates in July (http://blogs.stopbadware.org/articles/2008/07/30/updated-infection-stats) and August (http://blog.stopbadware.org/2008/08/25/top-infected-network-blocks-for-m...). Here is another update from early October:

|# of badware sites|AS block name|
|35147|CHINANET-BACKBONE No.31,Jin-rong Street|
|9504|CHINA169-BACKBONE CNCGROUP China169 Backbone|
|6222|CHINANET-SH-AP China Telecom (Group)|
|4671|BIZLAND-SD - Endurance International Group, Inc.|
|4654|CNCNET-CN China Netcom Corp.|
|3302|THEPLANET-AS - ThePlanet.com Internet Services, Inc.|
|2460|CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation|
|1632|SOFTLAYER - SoftLayer Technologies Inc.|
|1597|PAH-INC - GoDaddy.com, Inc.|

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.
Compared to August, we see that Bizland/Endurance has dropped its number of infected sites by nearly 50%, though it still has several thousand, and Google and NetDirect are no longer on the list. GoDaddy is a newcomer to the list. I just got off the phone with the chief information security officer at GoDaddy, who let me know that they are using the list of infected URLs we provided them to notify customers, offer support in cleaning up the sites, identify the root cause of the infections, and develop proactive strategies for preventing and monitoring site compromises in the future.