Internet Map: Here There Be Malware

If you want to avoid being a victim of information highwaymen on the Web, you may want to pay attention to the domain names of the sites you surf to.

According to a study released Monday by security software maker McAfee, the Web is no different from the physical world when it comes to safety: there are safe neighborhoods and safe Web domains, and then there are places no one should ever visit.

In its study, McAfee analyzed and ranked 265 top-level domains (TLDs), such as Japan (".jp"), France (".fr") and Commercial (".com"). Rankings are based on Web safety tests developed by McAfee.

Color Ratings

Those tests are used by McAfee's free browser plug-in, SiteAdvisor, which has evaluated more than 8.5 million Web sites representing 95 percent of the traffic on the Net. Based on those tests, SiteAdvisor gives a Webpost a red, yellow or green ranking.

Red ratings are given to risky sites that fail one or more of the tests for adware, spyware, viruses, exploits, spam, excessive pop-ups or strong affiliations with other red-rated sites.

Yellow ratings are given to sites which pass the safety tests but still have nuisances warranting a user advisory.

Green ratings are awarded sites that clear all the tests.

"The vast majority of the Internet is relatively safe," McAfee Consumer and Small Business Senior Product Manager Mark Maxwell told TechNewsWorld. "Roughly 93 to 94 percent of the Web sites that we do have ratings for qualify for a green rating."

The Naughty Net

It was the remaining 6 to 7 percent of the Web sites that piqued the researchers' curiosity.

"We thought it would be an interesting exercise to go through and map those risky areas against top-level domains," Maxwell explained. "We saw some anecdotal trends so we thought we'd take a more scientific look at things.

"With this report, we were able to quantify some things we were already thinking, so there weren't too many surprises in it for us," he continued. "But the important thing we hope we are exposing to users is that the neighborhoods in which Web sites are hosted can dramatically impact their safety."

Among the findings in the study were:

• The incidence of red and yellow sites varies dramatically across top-level domains, from 0.1 percent for Finland (".fl") to 10.1 percent for the island of Tokelau (".tk").
• Web activities, like registering at a site or downloading a file, are significantly more risky when done at certain domains. For example, giving an e-mail address to a random ".info" domain results in a 73.2 percent chance of receiving spam.
• The most risky country domains are Romania (".ro"), with 5.6 percent of its sites labeled risky, and Russia (".ru"), with 4.5 percent of its sites rated risky. Those countries, the study said, are also the most likely to host exploit or "drive-by-download" sites.
• ".info" is the least safest generic domain, with 7.5 percent of its sites rated as risky. ".com" comes in second with 5.5 percent of its sites tagged as risky.
• The top five least risky country domains are Finland, Norway, Sweden, Iceland and Ireland.
• ".gov" is the only frequently tested domain for which SiteAdvisor found no risky sites.
• 86.6 percent of all clicks to red and yellow sites originate from the ".com" domain.
• Domains for the Netherlands, Germany and the United Kingdom each account for 2 million clicks to red and yellow sites every month.

China's Rising Star

While Web sites in Romania, Russia and the Ukraine remain fertile nesting areas for malicious Websters, China is rapidly ascending in the danger zone hierarchy, contends Roger Thompson, chief technology officer for Exploit Prevention Labs, which makes a safe surfing program called LinkScanner.

"We're finding an increasing number of exploit servers in China," he told TechNewsWorld. "If you asked me six months ago, I would have said the Russians or East Europeans are No. 1, but now I'm not so sure."

The last year and a half has been a period of experimentation for online scammers, according to Rod Rasmussen, cofounder and director of operations for Internet Identity, an anti-phishing firm.

"They've been trying out different top-level domains and country codes," he told TechNewsWorld. "Not only that, they've been testing the providers themselves, the registrars. The bad guys are pretty good at sniffing out where the weakest ones are and using them to their advantage."