Gadu-Gadu spam

Posted by Maxim Weinstein Thu, 09 Apr 2009 13:32:04 GMT

We were surprised this morning when we learned that StopBadware.org received over 50,000 visits from users across Poland yesterday, an increase of 69,000% from the previous day. The mystery increased as we learned that the visits were all "direct," meaning they didn’t come from web searches or referrals from other sites. Most of the visitors looked at the home page and left, while a couple thousand clicked over to BadwareBusters.org before leaving.

The mystery was at least partially explained by an e-mail we received from a man in Poland who noted that he received a spam message via Gadu-Gadu, an instant message system popular in Poland. This spam contained a TinyURL link to StopBadware.org.

We don’t know why someone included our website in a spam message, though our best theory is that they used it to build trust before luring the user to click a malicious link. If anyone has a sample of this spam, please let us know at contact@stopbadware.org.

[Update Apr. 15] We have learned that the spam included only a link to us, offered as an "Easter Egg – Surprise." (Original text: Świąteczne jajeczko niespodzianka! Dla Ciebie, ode mnie http://tighturl.com/d24) We don’t know whether this was sent in an attempt to cause a denial of service against us (it didn’t), to discredit us (we didn’t have much traction in Poland anyway), or to "help" us (we appreciate the thought, but really please don’t use spam to "help" us).
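The traffic signal described above (a one-day jump in visits with no referrer, concentrated on the home page) is easy to pull out of ordinary web server logs. The following is an added example, not StopBadware's own tooling: it parses lines in the common "combined" log format, counts direct versus referred visits per day, and flags a day whose direct-visit count jumps past a threshold relative to the previous day. The log lines are constructed samples; the IP ranges are documentation addresses and the threshold value is an assumption, not a figure from the post.

```python
"""Flag a sudden surge of referrer-less ("direct") visits in web server logs.

Added example, not code from StopBadware.org. Sample log lines below are
constructed; IPs are from the documentation ranges (RFC 5737).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx combined log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # A missing referer is logged as "-" (or empty); analytics tools call
    # such hits "direct" because no search engine or site sent the visitor.
    rec["direct"] = rec["referer"] in ("", "-")
    return rec


def daily_direct_counts(lines):
    """Map day -> Counter({'direct': n, 'referred': m}), skipping unparsable lines."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["day"]]["direct" if rec["direct"] else "referred"] += 1
    return counts


def direct_spikes(counts, threshold_pct=500.0):
    """Return (day, previous_direct, current_direct, pct_increase) for each day
    whose direct-visit count rose by more than threshold_pct over the day before.
    The 500% default is an assumed value for the example, not a figure from the post."""
    days = sorted(counts, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    spikes = []
    for prev_day, cur_day in zip(days, days[1:]):
        prev = counts[prev_day]["direct"]
        cur = counts[cur_day]["direct"]
        # Any rise from zero is treated as an unbounded increase.
        pct = float("inf") if prev == 0 else (cur - prev) / prev * 100.0
        if pct > threshold_pct:
            spikes.append((cur_day, prev, cur, pct))
    return spikes


def make_line(ip, day, path, referer):
    """Build a constructed combined-format log line for the sample below."""
    return (f'{ip} - - [{day}:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 '
            f'"{referer}" "Mozilla/5.0 (sample)"')


# Constructed sample: a quiet day followed by a day of referrer-less hits on "/".
SAMPLE_LOG = (
    [make_line("192.0.2.1", "07/Apr/2009", "/", "http://www.google.com/search?q=badware"),
     make_line("192.0.2.2", "07/Apr/2009", "/", "-"),
     make_line("192.0.2.3", "07/Apr/2009", "/alerts", "http://example.org/")]
    + [make_line(f"198.51.100.{i}", "08/Apr/2009", "/", "-") for i in range(1, 21)]
    + [make_line("203.0.113.5", "08/Apr/2009", "/", "http://example.net/")]
)

if __name__ == "__main__":
    for day, prev, cur, pct in direct_spikes(daily_direct_counts(SAMPLE_LOG)):
        print(f"{day}: direct visits {prev} -> {cur} (+{pct:.0f}%)")
```

On the sample, 8 April is reported with direct visits rising from 1 to 20 (+1900%). In practice the same aggregation is worth repeating per source country (after a GeoIP step this example omits), since a spike that is both referrer-less and geographically concentrated is exactly the pattern a chat or IM spam run produces.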

[Update Apr. 15] Translations updated. Thanks to Artur Wawrowski.

This morning we were really surprised when we discovered that yesterday StopBadware.org had over 50,000 visits from users from all over Poland, an increase of 69,000% compared to the previous day. We were even more surprised when it turned out that all of the visits were "direct," meaning they did not come from search engines or referrals. Most visitors only looked around the home page and left the site; several thousand also clicked through to BadwareBusters.org before leaving.

The mystery was partly solved by an e-mail from a user in Poland who complained about spam on Gadu-Gadu (a popular instant messenger used in Poland) containing a link to StopBadware.org shortened with the TinyURL service.

We don't know why someone put a link to our site in a spam message, though our best theory is that it was meant to build trust before enticing users to click a dangerous link. If anyone has a sample of this spam, please send it to contact@stopbadware.org


Beware fake stopbadware domains

Posted by Maxim Weinstein Wed, 08 Apr 2009 20:40:51 GMT

Two fake StopBadware domains, stopbadwareorg.com and livestopbadware.org, have popped up recently. We haven’t observed malware, though both sites show an attempt at copying our badware alert layout. The only reference I’ve found to the network they’re on is at this security blog, which doesn’t paint a pretty picture of the network in question.
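Spotting domains like the two above before they are reported is a routine brand-monitoring check. The following is an added example, not StopBadware's own code: given a brand token and the list of official domains, it flags candidate domains whose registrable label either contains the brand or sits within a small edit distance of it. The two fake domains are from the post; the other candidates, the official-domain list, and the edit-distance cutoff are constructed assumptions for the example.

```python
"""Flag look-alike domains for a brand. Added example, not StopBadware code.

Official domains and the edit-distance cutoff are assumptions for the example.
"""

# Assumed for the example: the domains the organisation actually operates.
OFFICIAL_DOMAINS = {"stopbadware.org", "badwarebusters.org"}
BRAND = "stopbadware"


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between strings a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Label directly left of the last dot, e.g. 'stopbadwareorg' for
    'stopbadwareorg.com'. Simplified: no public-suffix list, so 'x.co.uk'
    would yield 'co'; enough for the sample used here."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brand=BRAND, official=OFFICIAL_DOMAINS, max_distance=2):
    """Return a reason string if domain looks like an imitation of brand, else None."""
    d = domain.lower().strip(".")
    if d in official:
        return None
    label = registrable_label(d)
    if brand in label:
        return "contains brand name"
    dist = levenshtein(label, brand)
    if dist <= max_distance:
        return f"within {dist} edit(s) of brand name"
    return None


def find_lookalikes(candidates, **kwargs):
    """Map each flagged candidate to the reason it was flagged."""
    hits = {}
    for dom in candidates:
        reason = classify(dom, **kwargs)
        if reason:
            hits[dom] = reason
    return hits


# Constructed candidate list: the two domains named in the post plus
# invented neighbours and an unrelated control domain.
CANDIDATES = [
    "stopbadwareorg.com",   # named in the post
    "livestopbadware.org",  # named in the post
    "stopbadware.org",      # official, must not be flagged
    "stopbadvvare.org",     # constructed: 'w' written as 'vv'
    "stop-badware.org",     # constructed: hyphen inserted
    "example.com",          # constructed control
]

if __name__ == "__main__":
    for dom, reason in find_lookalikes(CANDIDATES).items():
        print(f"{dom}: {reason}")
```

A feed of newly registered domains (or certificate-transparency log entries) is the usual input; the substring test catches the "brand plus extra words" pattern seen in both domains from the post, while the edit-distance test catches character swaps and inserted punctuation that the substring test misses.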


Microsoft releases security report

Posted by Maxim Weinstein Wed, 08 Apr 2009 19:35:56 GMT

Microsoft released their fairly comprehensive Security Intelligence Report today. Among the interesting badware-related findings:

  • Rogue security products, such as XP Antivirus 2008 and its many similarly-named variants, have increased significantly in recent months
  • Attackers are increasingly focusing on exploiting applications (e.g., MS Office, Adobe Reader, etc.) in addition to or instead of the OS and browser
  • The types of badware targeted at particular populations vary significantly by country. For example, password stealers for game and other account information are much more prevalent in China and Brazil, while other types of Trojans are more prevalent in the U.S.
  • Malware hosting is most concentrated in China, Russia, the Balkan nations, the U.S., and Spain. This is a bit different than our findings, which makes sense, as Microsoft is looking more at where the actual executables are hosted, while Google (which supplies us with data) looks at where the drive-by exploits are found.
  • Microsoft detects one drive-by download in every 1,500 web pages indexed.

Far more information can be found in the report, which can be downloaded here.


RealPlayer redeemed

Posted by Maxim Weinstein Fri, 03 Apr 2009 17:25:24 GMT

The folks at Real Networks, creators of RealPlayer, recently brought to our attention a new version of the software that addresses the badware concerns we raised last year. We have therefore archived our alert about RealPlayer and updated it to reflect the presence of the new version. It’s always good to see software companies respond in a positive way to the concerns of the community.


No fooling: Conficker, GhostNet in the news

Posted by Maxim Weinstein Wed, 01 Apr 2009 17:23:30 GMT

There have been two high-profile malware stories in the news this week. The first is a report from our friends and colleagues at the University of Toronto’s Munk Center for International Studies. As reported by the New York Times:

A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.

The interesting thing about this spy operation is that, according to the report, it uses pretty standard and widely available malware, combined with spear phishing (i.e., targeted communications), to spy on a specific set of targets.

The second story centers around the Conficker worm, which has been around and multiplying rapidly for the past few months. The reason it has suddenly gotten press this week is that it contained a mechanism to automatically update itself on April 1. As Brian Krebs notes on his Washington Post blog:

Computers already infected by the worm are supposed to be automatically updated with some unknown software component on April Fools Day. That’s more or less the sum of what computer experts know about the rhyme or reason behind this worm, but it hasn’t stopped pundits and the press alike from issuing ominous warnings.

Krebs isn’t alone in thinking the warnings may be exaggerated. Halfway through April 1, PC World notes that not much has happened so far, nor is much expected:

Among security experts, the consensus seems to be that very little will happen today. This may be in part because of the high amount of publicity Conficker has received, but then again April 1 is not the first time Conficker has been programmed to change the way it operates. Similar trigger dates have already passed with little change, including January 1, according to Phil Porras, a program director with SRI International. Security experts at Symantec, the maker of Norton Antivirus, also believe the threat is overblown and say Conficker today will "start taking more steps to protect itself" and "use a communications system that is more difficult for security researchers to interrupt."

This doesn’t take away from the fact that Conficker is a widespread, potentially dangerous piece of malware. The industry is concerned enough about it that many organizations have banded together to create the Conficker Working Group to share information about its prevention and removal. The fact that Conficker continues to evolve to make the security world’s job more difficult highlights the severity of this particular malware. I think the working group is a great sign, as this is exactly the kind of cooperation and information sharing necessary for the good guys to effectively fight back against the bad guys.
