Shedding some light on malware on Blogger

Recently SophosLabs published its Security Threat Report examining the first six months of 2008. The report is quite sizeable, covering topics as wide-ranging as backscatter spam, cybercrime arrests, Apple Mac malicious code, state-sponsored espionage and – of course – web-based malware.

Publishing a report like this inevitably attracts the attention of the technology media, and some of the coverage has focused on a tiny part of it: our statistic showing that 2% of the malware is found on domains that are part of the Blogger network. If you think about it, Blogger’s position is probably not surprising – it’s a phenomenally popular platform for people to create their own webpages (blogs), and gives internet users the ability to comment on other people’s blogs. Criminals can try to abuse a great service like Blogger by planting malware and malicious links on blogs.

As we all know though, there are lies, damned lies, and statistics. Well, the 2% isn’t a lie, but it doesn’t perhaps tell the whole story. After all, it doesn’t consider how popular a malware-infected webpage is. If the website of a major international company gets infected by malicious code then it’s more likely to be a problem for more people than if your Great Aunt’s blog about her pet poodle is struck.

Furthermore, the 2% doesn’t take into account the lifespan of an infected malicious webpage. We have seen cases where infected webpages belonging to multinational organizations are still infected days or weeks after the initial discovery. An infected webpage on Blogspot is much more rapidly shut down by Google, the company that owns Blogger, which takes security seriously and works hard to shut down webpages serving up malware.

So, although a statistic like the one about Blogger can be striking, don’t jump to the conclusion that it is necessarily significant. The fact is that your users are most at risk of contracting web-based malware if they are not properly protected and the website they are visiting is infected at the moment they visit it.