Reminder: register now for Wednesday's web chat

Posted by Maxim Weinstein Mon, 08 Feb 2010 21:13:43 GMT

Don’t forget to register for Wednesday’s web chat about automatic update mechanisms and their effect on end user security and control. More information about the topic and how to register can be found in the original blog post.


Prevalence in web infections

Posted by Oliver Day Tue, 02 Feb 2010 04:42:21 GMT

I’ve been very interested in applying epidemiology to the world of malware lately. Prevalence is quite simply the number of infected in a given population at a specific time. More specifically, it is the ratio of the infected to the number of people susceptible. In the data we provide publicly, we show you the number of infections per IP address and per AS block. What we don’t show you, however, is the size of the networks that are infected.

This is something that is likely to change soon. I’m proposing that we start displaying the size of the network by summing up the total number of IP addresses under the control of the AS, derived from its CIDR blocks. This would be fairly trivial for us to do, but it has some drawbacks. Firstly, CIDR blocks show the size of the network only in terms of how many IP addresses are grouped together. They say nothing about how many web servers exist in that range, or even how many of the IP addresses are active. This would be similar to saying there are 100,000 houses in zip code 02138 without saying how many people live in those houses (if any at all). However, I’m convinced that knowing the number of IP addresses under the control of an AS block is important.

For instance, our page reporting on the top 50 AS blocks currently shows ThePlanet and Chinanet-Backbone in the number 1 and 2 positions, with ~16,000 and ~15,000 infections respectively. However, AS4134 (Chinanet) controls 70M IP addresses compared to only 1.5M for ThePlanet. The difference between those two numbers is staggering, and it tells me that the number of infections sustained at ThePlanet is abnormally high.
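The normalisation proposed above (infections divided by the address space an AS announces, derived from its CIDR blocks), as an added example in Python that is not StopBadware's own code. The AS names, infection counts and CIDR blocks are constructed; private address space is used so nothing points at a real network, and the overlapping block shows why announcements must be collapsed before summing.

```python
import ipaddress

# Constructed sample data (not StopBadware's real figures or announcements):
# infection counts per AS and the CIDR blocks each AS announces, using private
# address space so nothing here points at a real network. In practice the
# blocks would come from a routing-table dump or RIR data.
INFECTIONS_BY_AS = {"AS-A": 16000, "AS-B": 15000}
CIDR_BLOCKS_BY_AS = {
    "AS-A": ["10.0.0.0/9", "10.128.0.0/10"],
    # 172.24.0.0/16 lies inside 172.24.0.0/14: overlaps must not be double-counted
    "AS-B": ["172.16.0.0/13", "172.24.0.0/14", "172.24.0.0/16"],
}

def address_count(cidrs):
    """Number of IP addresses covered by a list of CIDR blocks.
    Overlapping or duplicate blocks are collapsed first so each address is
    counted once. This is address space, not live hosts or web servers."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    return sum(n.num_addresses for n in nets)

def prevalence(infections, cidr_map):
    """Per-AS network size and infections per 1,000 addresses."""
    result = {}
    for asn, count in infections.items():
        size = address_count(cidr_map.get(asn, []))
        result[asn] = {
            "infections": count,
            "addresses": size,
            # None when no blocks are known: avoid a misleading zero-size ratio
            "per_1000": count / size * 1000 if size else None,
        }
    return result

def ranking(prev, key):
    """AS names ordered from highest to lowest on the chosen metric."""
    return sorted(prev, key=lambda a: prev[a][key] or 0, reverse=True)

if __name__ == "__main__":
    prev = prevalence(INFECTIONS_BY_AS, CIDR_BLOCKS_BY_AS)
    print("by raw infections:", ranking(prev, "infections"))
    print("by infections per 1,000 addresses:", ranking(prev, "per_1000"))
    for asn, row in prev.items():
        print(asn, row)
```

With these figures the raw count ranks AS-A first, while the per-address rate ranks the much smaller AS-B first, which is the inversion the post describes for ThePlanet and Chinanet.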


Join us for a web chat about auto-update mechanisms

Posted by Maxim Weinstein Thu, 28 Jan 2010 15:50:17 GMT

In the past couple of years, auto-update mechanisms that allow software applications to check for and install patches or new versions have become far more prevalent. Some software vendors have looked to push auto-updaters beyond the traditional “an update is available, do you want to install it?” format. Last year, Apple began using its updater to push additional software applications. Google’s Chrome browser silently installs updates, including new major versions, with no user interaction or notice. A new updater for Adobe Reader appears to be a hybrid of Chrome’s silent installer and more traditional updaters.

On Wednesday, February 10, at 1pm EST, we will be hosting a public web chat to discuss auto-update mechanisms from the standpoint of balancing their security benefits with questions about appropriate disclosure and user control. Brad Arkin of Adobe will be participating, and the Google Chrome team has been invited to join as well. The chat will incorporate VoIP audio (requires a headset or microphone/speakers on your computer) as well as text, using dimdim’s Flash-based web conference system. Pre-registration is free and recommended. Just enter your e-mail address in the widget below. Feel free, as well, to help publicize this chat by clicking the “Share Widget” link.


New infection spike at ThePlanet

Posted by Oliver Day Tue, 26 Jan 2010 15:28:34 GMT

We noticed a large spike of activity on December 31, 2009 on ThePlanet’s network block 21844. The data can be viewed here:
http://stopbadware.org/reports/asn/21844
It is quite obvious that a large number of websites were infected at the same time, just as can be said of October 1, 2009. We created two lists of URLs, for December 30, 2009 and December 31, 2009. Comparing those two lists, we were able to determine which websites were newly infected on that day and resolved the IP address for each. Using a simple distribution analysis of infections per IP address, we can see that a majority of the infections (353) are spread out across the IP space. However, roughly 70 of the IP addresses have 25 infections each. The highest counts (between 32 and 84) occur on single IP addresses.

We have emailed the abuse team at ThePlanet with this information in the hope that they will focus their efforts on those particular machines.

IP address        Infections
174.120.120.151   84
174.132.194.9     84
67.19.140.10      77
67.18.123.220     44
69.93.161.54      32
70.85.61.66       26

It is important to note that this only represents the 2000 infections seen on December 31, 2009. It would be trivial to analyze the remaining 14,000 infections seen on just that network block alone. As soon as we hear back from the team at ThePlanet we will be sure to help them with this.

EDIT: The spike on Oct 1 was due to an issue with our resolver and exists across the board.
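The two-day list comparison and per-IP distribution analysis described in this post, as an added example in Python that is not StopBadware's own tooling. The URL lists, hostnames and the RESOLVED lookup table are constructed stand-ins (the table replaces live DNS so the example runs offline).

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data (not StopBadware's real lists): the URLs flagged on
# two consecutive days, and a hostname -> IP table standing in for DNS so the
# example runs offline (swap in socket.gethostbyname for real resolution).
FLAGGED_DAY1 = {"http://a.example/x", "http://b.example/", "http://c.example/p"}
FLAGGED_DAY2 = FLAGGED_DAY1 | {
    "http://d.example/", "http://e.example/q", "http://f.example/",
    "http://g.example/", "http://h.example/r", "http://i.example/",
    "http://unknown.example/",  # resolves to nothing: skipped, not counted
}
RESOLVED = {
    "d.example": "203.0.113.10", "e.example": "203.0.113.10", "f.example": "203.0.113.10",
    "g.example": "203.0.113.20", "h.example": "203.0.113.21", "i.example": "203.0.113.22",
}

def new_infections(yesterday, today):
    """URLs on today's list but not yesterday's: the infections first seen today."""
    return today - yesterday

def infections_per_ip(urls, resolver):
    """Resolve each newly flagged host and count flagged sites per IP address."""
    counts = Counter()
    for url in urls:
        ip = resolver.get(urlsplit(url).hostname)
        if ip is not None:
            counts[ip] += 1
    return counts

def distribution(per_ip):
    """Distribution analysis: how many IPs carry exactly N infections, by N."""
    return dict(sorted(Counter(per_ip.values()).items()))

def hotspots(per_ip, threshold):
    """IPs with at least `threshold` infections, busiest first, for the abuse team."""
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]

if __name__ == "__main__":
    new = new_infections(FLAGGED_DAY1, FLAGGED_DAY2)
    per_ip = infections_per_ip(new, RESOLVED)
    print("infections per IP:", dict(per_ip))
    print("IPs with N infections:", distribution(per_ip))
    for ip, n in hotspots(per_ip, 2):
        print(ip, n)
```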


StopBadware turns four, spins off from Berkman

Posted by Maxim Weinstein Mon, 25 Jan 2010 14:59:56 GMT

Four years ago today, StopBadware.org was announced as a Berkman Center project, with the ambitious goal of fighting badware by building and sharing knowledge through the collective efforts of the community. As the project has evolved, our activities have changed, but the goal has remained the same. So, too, have the tremendous spirit and support of the dedicated individuals and organizations that make our work possible.

Over the past year, our small team has worked with the Berkman Center leadership, our corporate partners, our advisory board and working group, and other key volunteers to figure out how we could make StopBadware even better and how we could lay a strong foundation to carry the organization forward as we enter our fifth year. During this process, we made the difficult decision to leave the Berkman nest and spread our wings as an independent organization.

After months of planning, fundraising, paperwork, and more planning, the time has come. This morning, we announced that the work of StopBadware.org has migrated to StopBadware, Inc., a new non-profit organization based here in Cambridge, Massachusetts. While we have dropped the .org for vanity’s sake—it becomes cumbersome to say “StopBadware dot org” all the time—the spirit (and finances) of a .org still apply. In fact, even with the generous backing of our corporate partners, Google, PayPal, and Mozilla, it will be more important than ever for individuals to contribute to our success. Some of our most important work is done by people who contribute their time, whether assisting website owners at BadwareBusters.org, coding for LittleVoice, or getting involved in some other way.

In celebration of this new stage of our existence, we’ve updated our logo and colors, as well as some of the content on our website. Over the next few months, watch for more changes, both aesthetic and substantive, as we embark on this new adventure. As always, we welcome your feedback and guidance.

Finally, we want to express our gratitude to our founders and principal investigators at the Berkman Center, Professor Jonathan Zittrain and Professor John Palfrey, to Berkman’s executive director, Urs Gasser, and to the Berkman Center staff for making the past four years—and the future—of StopBadware possible.

The press release can be found here.
