Monday, May 14, 2012

A look at the top websites blacklisted

Google Safe Browsing is the most popular security blacklist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blacklisted by Google is a big deal - users of these three browsers are warned not to visit the sites and Google puts warnings in their search results.

I've run Google Safe Browsing against the top 1 million (based on number of visits) websites according to Alexa. 621 of them are blacklisted by Google Safe Browsing. I've looked at the most popular to understand why they are considered malicious. Here is what I found for the most popular blacklisted sites:


Rank Domain Threat Comment
6,239 subtitleseeker.com Malicious JavaScript Hijacked
18,784 financereports.co Scam Work from home scam
35,610 tryteens.com PDF malware Porn
41,560 iranact.co Malicious JavaScript Hijacked
47,016 creativebookmark.com Fake AV Hijacked
52,409 ffupdate.org Adware download  
52,431 vegweb.com Malicious JavaScript Hijacked
53,902 delgets.com Malicious JavaScript Hijacked
78,202 totalpad.com Fake AV Hijacked
81,403 kvfan.net Malicious JavaScript Hijacked
82,344 hgk.biz Malicious JavaScript Hijacked
83,858 youngthroats.com Malicious IFRAME Porn
125,305 metro-ads.co.in Malicious JavaScript Hijacked
133,455 salescript.info Malicious JavaScript Hijacked

http://financereports.co
creativebookmark.com
Most of the top-ranked websites that have been blacklisted are not malicious by nature, but they have been hijacked. Malicious JavaScript, similar to the code we found on a French government website, or a malicious IFRAME is generally the culprit. It is interesting to notice that Google decided to blacklist the infected site, rather than just blocking the external domain hosting the malicious content.

I have also checked to see which country the blacklisted domain is hosted in. Here is the breakdown:


Most of the blacklisted sites are hosted in the US. Western Europe (especially Germany, France and the Netherlands) is number two, followed by China (8%).

There is a government website in this list: mdjjj.gov.cn. It contains malicious JavaScript for a third domain. The code is much more sophisticated that on the other sites on this list. The JavaScript is obfuscated, broken down in several files with a .jpeg extension. There is also a Flash exploit with a heap spray targeting Mac OS X, not unlike a Flash exploit we found on another Chinese site a few years ago. Windows users with Internet Explorer 6 and 7 users get the old "iepeers.dll" exploit (a different version for each browser).


No site is safe from hijacking. Personal websites and top-10,000 sites are all likely to be infected at some point.

No comments: