Google Transparency Report – Malware Distribution

Google just released their Malware Distribution Transparency Report, sharing the number of sites compromised or distributing malware detected by their systems (Safe Browsing program).

Google’s Safe Browsing program started in 2006 and has since become one of the most useful blacklists to detect and report on compromised sites. They flag around 10,000 different sites per day, and the list is used for over 1 billion browser users (Chrome, Firefox and Safari).

What is really scary from their report is the number of legitimate compromised sites hosting malware compared to sites developed by the bad guys for malicious purposes. For example, in the first week of June 2013, 37,000 legitimate sites were compromised to host malware. At the same time, they only identified around 4,000 sites that were developed for the sole purpose of infecting people.

Hiding from Google

Another interesting point is that Google’s system is not 100% correct. Far from it, in fact: it often does not detect hidden spam or defaced sites accurately. For example, on our own SiteCheck we often detect malware on sites that are not yet blacklisted.

Further, we are seeing a big growth in malware that actively tries to hide from Google’s systems. Attackers are changing their behaviour based on the user agent and even based on Google’s IP address. What this leads us to believe is the number of compromised sites in the wild is probably a lot larger than what is reported, since it is based only on what Google’s found.
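A defender can check a site for this kind of conditional behaviour by requesting the same page under several client profiles and comparing which external hosts each response loads. The sketch below is an added example, not code from Sucuri or Google; the profile names, the `cloaking_diff` helper and the two HTML bodies are constructed for illustration and embedded so it runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect the hosts that <script> and <iframe> tags load from."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        try:
            host = urlparse(src).netloc.lower()
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            return
        if host:  # relative URLs have no host and stay on the site itself
            self.hosts.add(host)


def external_hosts(html):
    parser = _SrcCollector()
    parser.feed(html)
    parser.close()
    return parser.hosts


def cloaking_diff(responses, site_host):
    """responses maps a profile name to the HTML served to that profile.
    Returns, per profile, the external hosts that not every profile received."""
    per_profile = {name: external_hosts(body) - {site_host.lower()}
                   for name, body in responses.items()}
    if not per_profile:
        return {}
    common = set.intersection(*per_profile.values())
    return {name: hosts - common
            for name, hosts in per_profile.items() if hosts - common}


# Constructed sample bodies: the same page as served to two client profiles.
CLEAN = ('<html><head><script src="/js/app.js"></script>'
         '<script src="//cdn.example/lib.js"></script></head><body>Shop')
SAMPLES = {
    "crawler": CLEAN + "</body></html>",
    "browser": CLEAN + '<iframe src="http://injected.invalid/in.php" '
                       'width="1" height="1"></iframe></body></html>',
}

if __name__ == "__main__":
    print(cloaking_diff(SAMPLES, "shop.example"))
```

Comparing user agents from a single network location only exercises the user-agent condition; behaviour keyed on the requester's IP address will not show up in this comparison.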

Google Safe Browsing Scale

Despite these typical shortfalls, Google still does a very good job and their scale is insane. Just to get an idea of their scale, in this last week of June, more than 11 million users per day got a warning on their browser when visiting a compromised website. From their graphs, we can clearly see how much that is growing:

[Figure: Google Safe Browsing scale]

This is their graph on the total number of sites in their database (360k in the last week):

[Figure: Google Safe Browsing size]

Good Move by Google

This is definitely a very good move by Google and we will be going through their reports to try to find more interesting gems (they provide stats per ASN/hosts as well).

As always, you can check if your site is blacklisted by Google on our SiteCheck Website Scanner.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • Cathy Coloff

    Very interesting and troubling at the same time!

  • http://www.minecraftgames.co/ Minecraft Games

    This information will make users more comfortable.

  • http://www.mediatech.co.id/ Mediatech

    Yup.. it is definitely a very good move by Google. Thank you for sharing Daniel Cid