In its Q1 2007 Web Security Trends Report, Finjan examined 10 million unique URLs and also investigated the server behind each domain. It found that over 80 percent of the URLs containing malicious code are hosted on servers in the United States, followed by the UK, with 10 percent of the code.
A recent survey by McAfee's SiteAdvisor found that South Pacific island nations were among the worst offenders when it came to hosting malware, but SiteAdvisor never dug into where a site was actually hosted, only its top-level domain.
Tokelau, a tiny nation of 1,200 people, was among the worst offenders, but its domain registration service is provided by a San Francisco company, and registering a .tk domain does not mean the server is actually hosted on the island.

What Finjan found is that while the code may originate in Russia or China, the attackers are using poorly maintained or poorly secured servers in the U.S. to host it, such as free hosting sites or abandoned sites that no one monitors.
Either way, it doesn't reflect well on the U.S., the dominant nation on the Internet, which often points the accusing finger at Russia. "That's the big surprise. You would expect in the U.S. that this would not happen," Yuval Ben-Itzhak, CTO for Finjan, told internetnews.com.
While it usually turns up in out-of-the-way locations or on cheap or free hosting sites, malware gets into high-profile places, too, such as Wikipedia. And during the Super Bowl this past January, the homepage for Dolphin Stadium in Miami was also infected.
It reflects a losing battle for the good guys, according to one analyst. "It's hard to secure your stuff. It takes constant effort," said Peter Firstbrook, research director with Gartner. "I'm a security expert and I don't know how to secure a server. A small business has no hope in hell. The stuff we're talking about is a case of the hackers knowing way more than the defenders."
In looking behind the URL at the site itself, Finjan found that most of the sites pushing malicious code did it through advertising links that are embedded in a page, frame or link. Ben-Itzhak said this makes tracing the malicious code difficult because there is such a lengthy chain of connections to all of these advertisers.
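As an added illustration, not code from the article or from Finjan, the following Python script enumerates the third-party frames, scripts and other remote content a page pulls in, which is the chain of advertiser connections Ben-Itzhak describes and the first thing a defender inventories when a site is found serving malicious ads. The page URL, HTML and domain names are constructed for the example; the registered-domain helper is a deliberate simplification (real tooling uses the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and attributes through which a page loads remote content, ad frames and ad scripts included.
EMBED_ATTRS = {"iframe": "src", "frame": "src", "script": "src",
               "embed": "src", "object": "data", "img": "src"}

# Constructed sample: a stadium homepage that loads two ad-network resources and a tracking pixel.
PAGE_URL = "https://www.stadium.test/"
SAMPLE_HTML = """<html><body>
<img src="/logo.png">
<script src="https://cdn.example-ads.test/tag.js"></script>
<iframe src="//ads.example-ads.test/frame?id=1"></iframe>
<iframe src="https://stats.tracker.test/pixel.gif"></iframe>
<script src="/js/site.js"></script>
</body></html>"""

class EmbedCollector(HTMLParser):
    """Collects (tag, absolute URL) for every element that loads remote content."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # urljoin resolves relative and scheme-relative ("//host/...") references.
                self.embeds.append((tag, urljoin(self.base_url, value)))

def registered_domain(host):
    """Simplified registered domain: the last two labels (assumption; not PSL-aware)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def third_party_embeds(html, page_url):
    """Return (tag, registered domain, URL) for content loaded from domains other than the page's own."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    own = registered_domain(urlparse(page_url).hostname or "")
    result = []
    for tag, url in collector.embeds:
        host = urlparse(url).hostname or ""
        if host and registered_domain(host) != own:
            result.append((tag, registered_domain(host), url))
    return result

def third_party_domains(html, page_url):
    """Sorted, de-duplicated list of external domains the page depends on."""
    return sorted({domain for _, domain, _ in third_party_embeds(html, page_url)})

if __name__ == "__main__":
    for tag, domain, url in third_party_embeds(SAMPLE_HTML, PAGE_URL):
        print(f"{tag:7} {domain:20} {url}")
```

Run against a live page's HTML, each listed domain is one more party whose content the site effectively serves, and the list is what you compare against the advertisers you actually contracted with.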