I wanted to circle back and close the loop from my original post on this. First- not surprisingly I’m not the only one to have taken note at malicious sites landing in Alexa (reference sucuri.net blog).
I wrote some scripts to check a number of the domains listed in the Alexa top 1 million against Google SafeBrowsing (GSB), SURBL, and to cross-reference with MalwareDomainsList (MDL). In the previous post, I mentioned a few of my findings related to GSB and SURBL lookups - particularly FakeAV. Additionally, a number of the sites listed included porn sites that were listed in SURBL due to their advertisements within spam links. Snippet of some of the results.
While the GSB and SURBL lookups for 1 million sites aren't very quick repeatable processes, it is a fairly quick process to do the cross-reference with the MDL (MDL list here). The results from today's Alexa and MDL intersection include 87 sites. However, several of the listed sites are overly aggressive listings on MDL's part- for example: hotfile.com, rapidshare.com, and stashbox.org are free file hosting services that are listed. Free file hosting services are frequently abused to store malware- however, the sites themselves are legitimate and should not be blocked at the domain level.
Some of the more interesting sites listed, include:
- bulletproof-web.com - as the name suggests, it's a bullet-proof hosting provider
- bloggoogle.info, domaingoogle.info, hostinggoogle.info, datagoogle.info, businessgoogle.info - NeoSploit exploit kit (reference example)
- gdfgdfgdgdfgdfg.in.ua - FakeAV drive-by redirect related to Twitter spam campaign (reference example)
- protect-pc-2011.co.cc, multy-protect.co.cc, fastperot.co.cc - TDSS rootkit / FakeAV
Seeing these Alexa results further illustrates the threat of FakeAV and the recent come-back of NeoSploit in 2011 that others have highlighted with the release of its version 4 .