Monday, June 1, 2009

Beladen.net Q&A

A couple of folks have been asking about Beladen.net. Here's an attempt to answer some of those questions.

What is beladen.net?

According to Robtex, "beladen.net is delegated to three nameservers, however all three delegated nameservers are missing in the zone and three extra nameservers are listed". The reverse lookup for Beladen.net points to localhost (127.0.0.1). First registered in June 2008 and registered through an anonymizing proxy service, Beladen.net hosts a fair number of trojans, but its direct involvement in website compromises is relatively small.

To put this into perspective, during the first two weeks of May 2009, Gumblar attacks accounted for 37% of all ScanSafe Web malware blocks. Conversely, Beladen accounted for only 0.02% during that same period and only 0.03% for the entire month.
 
Here's another way to judge the impact of Beladen compromises. A representative 15,000 seat customer experienced an average of 500 Web malware exposures per week through the month of May. During the first two weeks, that customer experienced an average of 250 Web malware encounters per week with Gumblar compromised domains. Yet at no time during the entire month did that 15,000 seat customer encounter a single Beladen compromised site. (All of the exposures were blocked by ScanSafe at the time of encounter.)

How are the beladen.net compromises carried out?

The most recent Beladen compromises are thought to result from stolen FTP credentials. This is a common initial vector for many website compromises, particularly as password-stealing and data-theft trojans continue to proliferate: a trojan on a webmaster's PC harvests saved FTP logins, and the attacker then uses those credentials to upload modified pages. David Wenzel of uptime.cz (PDF) has put together a detailed play-by-play of how the Beladen compromise is carried out on a website running under Apache on a Linux server. Mileage may vary, of course, depending on the platform used by individual sites.

How many sites have been compromised by the Beladen attacks?

There have been blog and media reports of tens of thousands of sites compromised by beladen.net, but as noted above these claims can't be substantiated by our own traffic logs. Google Safe Browsing Diagnostics, as of June 1st, has only seen Beladen.net compromises on a few thousand websites, which agrees with our own findings.

What malware is delivered via the Beladen compromises?

At this point, it appears the malware being delivered is rogue scanners (aka scareware). Also known as fake AV, these rogue scanners typically make up only a small share of Web malware threats, less than 5% of all ScanSafe Web malware blocks in the first quarter of 2009. Rogue scanners are often associated with domains affiliated with RBN, the Russian Business Network.

Is there a link to Google analytics typo-squatting domains?

Google analytics typo-squatting domains are fairly common. While a few do sometimes act as malware hosts, in many cases they appear to be actual traffic trackers. Quite often, these typo-squatting domains are found in use on sites that have been compromised. There is not enough information available to determine whether it is anything beyond coincidence that some Beladen.net compromised sites also contain scripts pointing to typo-squatting analytics pages.
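Both the FTP-credential vector described above and the typo-squatting question come down to the same practical check for a site owner: after a suspected credential theft, which external hosts do your pages now load scripts from, and do any of them merely resemble a legitimate analytics host? The following is an added example, not code from the original post or from ScanSafe, that audits the script tags in a page against a hypothetical per-site allowlist and flags hostnames within a small edit distance of google-analytics.com as look-alikes. The allowlist, the distance threshold of 3, and the sample page (including the attacker.example host) are all constructed assumptions for illustration; it generalizes beyond the single case in the text by scoring any imitated host you add to IMITATED_DOMAINS.

```python
import re
from urllib.parse import urlparse

# Assumption: registrable domains this particular site legitimately loads
# scripts from. A real site owner would maintain this list themselves.
ALLOWED_DOMAINS = {"google-analytics.com", "googleapis.com"}

# Well-known domains that typo-squatters imitate. A hostname that is close
# to one of these, but not equal to it, is reported as a look-alike.
IMITATED_DOMAINS = {"google-analytics.com"}
LOOKALIKE_MAX_DISTANCE = 3  # assumption: tune for your own false-positive tolerance

# Matches the src attribute of <script> tags, in either quote style.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE
)


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude reduction to the last two labels: www.foo.com -> foo.com."""
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host):
    """Return 'allowed', 'lookalike' or 'external' for a script host."""
    base = registrable(host)
    if base in ALLOWED_DOMAINS:
        return "allowed"
    for known in IMITATED_DOMAINS:
        if base != known and levenshtein(base, known) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike"
    return "external"


def audit_html(html):
    """List (src, verdict) for every script the page loads from a non-allowed host."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if not host:
            continue  # relative URL: served by the site itself, not an external host
        verdict = classify_host(host)
        if verdict != "allowed":
            findings.append((src, verdict))
    return findings


# Constructed sample page: one local script, one genuine analytics script,
# one typo-squatted analytics host, and one injected script on a made-up host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="http://www.google-analitycs.com/ga.js"></script>
<script type="text/javascript" src="http://attacker.example/x.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for src, verdict in audit_html(SAMPLE_PAGE):
        print(f"{verdict:10s} {src}")
```

Run it over the HTML files in a web root (for example by feeding each file's contents to `audit_html`) right after a credential-theft scare; anything reported as "external" is a host the site did not knowingly add, and "lookalike" entries deserve a closer look before being dismissed as a harmless tracker.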
