Last month the Unmask Parasites blog wrote about attacks using hijacked sudomains of legitimate websites to serve badware.  At the time of that articles publication the attacks had been going on for a month already.  We are still seeing a lot of infected websites pointing back to solk.seamscreative.info (on port 8080) and other sites like it.

The standard attack used in Driveby Downloads required the injection of iframes into normally benign sites however the landing or intermediary sites those iframes pointed to weren't normally registered to benign users.  This represents an interesting evolution of tactics by creating another layer of innocent victim into the network of infections.  The attack has been fairly successful if in the last two months the infected subdomains haven't been taken down yet.  

Considering our own methods of alerting the public to infections it is easy to see why.  The subdomains aren't something the owners will be on the look out for and the DNS registrar likely has no idea that attacks are occurring on their customer base.  According to the blog post at Unmask Parasites the most affected DNS registrar seems to be GoDaddy.  I don't know if this means there is some flaw in their DNS management panel or if legit customers have had their credentials stolen.  Either way this trend warrants more investigation.

UPDATE 7/28: The GoDaddy abuse team has been notified.

We are pleased to welcome Chinese security firm NSFOCUS as a new data provider! NSFOCUS joins Google and Sunbelt Software in feeding our Badware Website Clearinghouse with updated information about URLs they have discovered to be bad. Like all of our data providers, NSFOCUS will participate in our independent review process.

We are particularly excited to work with NSFOCUS because their team's extensive knowledge will give us insight into the often opaque world of Chinese networks and hosting providers.

NSFOCUS's press release about the data provider arrangement can be found here.

StopBadware is pleased to welcome Matthew Shanley, our new lead developer! As we mentioned previously, our current lead developer, Brandon, will be heading off soon to tortue himself for three years as a law student.

Matt joins us from Constant Contact, where he worked on their web development team. He holds a Master’s of Fine Arts in Interrelated Media from Massachusetts College of Art and Design, a Bachelor’s of Science in Electronic Media, Art, and Communication from Rensselaer Polytechnic Institute, and also attended Cornell University. He's also an all-around cool guy, and we're glad to have him on the team!

At StopBadware, we're currently revising our guidelines for badware applications. The goal of these guidelines is to distinguish between applications that are badware (defined as "software that fundamentally disregards a user's choice about how his or her computer or network connection is used") and those that aren't. One major reason for distinguishing badware from non-badware applications is to help people make informed choices before installing software that may compromise their privacy or security.

It is in this context that we ask a question that has been troubling us: if a "legitimate" anti-virus or security product has to send data about your computer use (e.g., your web search or browsing history) back to the vendor's servers to protect you as promised, how clearly should that data usage be disclosed?

Historically, we have thought of surreptitious collection of this type of data as a badware behavior. But what if the data isn't really being collected or used in any nefarious way, and the transmission of the data is necessary to make the product work as intended?

Consider a product like McAfee SiteAdvisor, a free browser plug-in that informs you of the safety of websites as you visit them or while browsing through search results. SiteAdvisor has to query a McAfee server with the URL (or the hash of the URL) of every site you visit or find during a search.  This means that, if McAfee wanted to (or if a rogue employee gained access), a profile of your browsing history could be compiled and tied back to your IP address. Yet this is never disclosed in any visible way prior to or during installation. In fact, it's not even in the Privacy Policy. (It could be considered covered by a vague provision in the EULA about the collection of personal information from your computer necessary to the function of McAfee's security products.)

This is not unique to SiteAdvisor. Many AV products now query a centralized database about URLs and/or executables to ensure users are protected. In our experience, most of these products fail to disclose this potential threat to a user's privacy in any meaningful way.

So, back to the question. Is this a badware behavior, one that in this case is being perpetuated by several well-respected software companies? Or is it reasonable to expect that users either know or wouldn't care that their security comes at the price of a company having access to some private data? Is it dependent on the trustworthiness of the vendor or the stated use of the data once it's been received? What should we expect as a minimum bar from AV vendors whose products behave in this way?

Please let us know your thoughts in the comments!

After months of looking into the infections of AS21844 (ThePlanet) we've decided to wrap up our investigations for now.  We have learned quite a bit from our communications with customers at ThePlanet.  While no one from ThePlanet has spoken with us officially we have learned that they possess a direct feed of infected URLs from Google.  This means that large customers of ThePlanet, such as HostGator, should have the ability to learn of infections directly from their provider.  Also partners such as Skenzo should be able to use the same list to purge previously infected, and now abandoned, domains from their monetization framework.  

HostGator has roughly 7,563 unique infected domains according to our last count and ThePlanet has 20,298 unique infected domains with their true number likely around 17,000 (adjusting for Skenzo).  Where does that put ThePlanet in the context of our top 50 infected networks?  Exactly where they are now actually. The next closest network is GoDaddy's AS26496 with 11,576 infections.