Google just released their Malware Distribution Transparency Report, sharing the amount of sites compromised or distributing malware detected by their systems (Safe Browsing program).
Google’s Safe Browsing program started in 2006 and since has become one of the most useful blacklists to detect and report on compromised sites. They flag around 10,000 different sites per day, which are being used for over 1 billion browser (Chrome, Firefox And Safari) users.
What is really scary from their report is the amount of legitimate compromised sites hosting malware compared to sites developed by the bad guys for malicious purposes. For example, in the first week of Jun/2013, 37,000 legitimate sites were compromised to host malware. At the same time, they only identified around 4,000 sites that were developed for the unique purpose of infecting people.
Hiding from Google
Another interesting point is that Google’s system is not 100% correct, far from it in fact often not detecting hidden spam or defaced sites accurately. For example, on our own SiteCheck we often detect malware on sites that are not yet blacklisted.
Further, we are seeing a big growth in malware that actively tries to hide from Google’s systems. Attackers are changing their behaviour based on the user agent and even based on Google’s IP address. What this leads us to believe is the number of compromised sites in the wild is probably a lot larger than what is reported, since it is based only on what Google’s found.
Google Safe Browsing Scale
Despite these typical shortfalls, Google still does a very good job and their scale is insane. Just to get an idea of their scale, in this last week of June, more than 11 million users per day got a warning on their browser when visiting a compromised website. From their graphs, we can clearly see how much that is growing:
This is their graph on the total number of sites in their database (360k in the last week):
Good Move by Google
This is definitely a very good move by Google and we will be going through their reports to try to find more interesting gems (they provide stats per ASN/hosts as well).
As always, you can check if your site is blacklisted by Google on our SiteCheck Website Scanner.