Protecting users from malware hosted on bulk subdomain services

Posted by Oliver Fisher, Google Anti-Malware Team

Over the past few months, Google’s systems have detected a number of bulk subdomain providers becoming targets of abuse by malware distributors. Bulk subdomain providers register a domain name, like example.com, and then sell subdomains of this domain name, like subdomain.example.com. Subdomains are often registered by the thousands at one time and are used to distribute malware and fake anti-virus products on the web. In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider.

Google’s automated malware scanning systems detect sites that distribute malware. To help protect users we recently modified those systems to identify bulk subdomain services which are being abused. In some severe cases our systems may now flag the whole bulk domain.

We offer many services to webmasters to help them fight abuse, such as:

• Webmaster Tools lets webmasters find examples of URLs under their domains that may be distributing malware.
• Google Safe Browsing Alerts for Network Administrators allows owners of Autonomous Systems to get notifications for hosts that are involved in malware delivery.

If you are the owner of a website that is hosted in a bulk subdomain service, please consider contacting your bulk subdomain provider if Google SafeBrowsing shows a warning for your site. The top-level bulk subdomain may be a target of abuse. Bulk subdomain service providers may use Google’s tools to help identify and disable abusive subdomains and accounts.