China's Green Dam is badware and so much more

Posted by Maxim Weinstein Sat, 13 Jun 2009 11:55:04 GMT

StopBadware assisted the Open Net Initiative in evaluating China’s Green Dam filtering software, which the Chinese government recently mandated be installed on every new PC in the country.

The software violates our guidelines due to a lack of disclosure about some significant unexpected behavior. While the software advertises itself as protecting children from harmful content such as pornography and violence, it also filters political speech without notice. Also not mentioned is the fact that, if such political speech appears in an application window, whether Internet Explorer or Notepad, the window completely shuts down without advance notice and without saving the user’s work.

Based on our and ONI’s research, as well as other research posted online, the software has additional flaws, ranging from poorly implemented features to security vulnerabilities. The biggest flaw of all, though, appears to be China’s policy of mandating such a product. As ONI’s report, released yesterday, concludes:

The mandate requiring the installation of a specific product serves no useful purpose apart from extending the reach of government authorities. Given the resulting poor quality of the product, the large negative security and stability effects on the Chinese computing infrastructure and the intense backlash against the product mandate, the mandate may result in less government control.

Those interested should read the full report, which explains both the software’s behavior and the national reaction to the software, in detail.

Badware Alert: Aldi Photo Manager

Posted by Brandon Palmen Fri, 05 Dec 2008 15:33:26 GMT

StopBadware.org released a badware alert about Aldi Photo Manager today:

We find that the ALDI Photo Manager application is badware because it fails to disclose that it bundles the ‘ALDI Photo Service’ application, the ‘ALDI Print Service’ application, and Firebird SQL Server software. Firebird SQL Server is not identified as being related to the ALDI applications, and it runs automatically at system startup. None of these bundled applications are uninstalled when ALDI Photo Manager is uninstalled.

We attempted to contact Aldi Photo Service through the contact options provided on their website, but we received only an automated response acknowledging our communications.

We currently recommend that users do not install ALDI Photo Manager, unless users are comfortable with the behaviors we have identified or until the application is updated to be consistent with the recommendations made in this alert.

When friends can be your worst enemies

Posted by Erica George Wed, 27 Aug 2008 19:26:12 GMT

Think a friend’s latest post on your Facebook wall is a little odd? Trust your instincts. Social engineering scams are on the rise.

The latest round of attacks on Facebook includes messages and comments on users’ walls that appear to come from friends. The fake messages include seemingly irresistible bait – a claim that a video of you in a compromising position has been posted is one of the currently popular lures. If you follow the link in the message, the page you’re taken to could infect your computer with "drive-by" malware that downloads without your permission. In other cases, the page might claim that you need to download an additional plug-in to view the video. You guessed it: that plug-in turns out to be malware.

It’s hard to protect yourself against this kind of attack, when our assumption is that messages from our friends are trustworthy. But think back to the early days of email viruses. Remember being warned not to open an unexpected attachment, even from a friend, without checking that your friend really sent it? If you receive a message that just seems odd – maybe it doesn’t sound like your friend’s normal writing style, or your friend isn’t usually the type to be snapping videos at drunken parties – check it out with the friend before clicking the link. If their account has been compromised, you’ll be protecting your friend and their entire network, as well as yourself, by letting them know there’s a problem.

Want to read up on the latest social network scams? Kaspersky Lab has a post about the current Koobface worm on Facebook and Myspace, and Trend Micro blogs about a similar social engineering trick targeting users of MSN Live Messenger.

Top infected IP addresses for mid-August

Posted by Maxim Weinstein Mon, 25 Aug 2008 15:41:11 GMT

In addition to the updated list of infected network blocks that we just posted, we also offer this list of the top 10 infected IP addresses:

# of badware sites  IP address       AS block name
2778                72.14.207.191    GOOGLE – Google Inc.
1292                89.149.253.24    NETDIRECT AS NETDIRECT Frankfurt, DE
537                 209.63.57.10     INTEGRATELECOM – Integra Telecom, Inc.
526                 210.51.165.96    CNCNET-CN China Netcom Corp.
513                 38.113.1.116     BIZLAND-SD – Endurance International Group, Inc.
502                 221.195.42.71    CHINA169-BACKBONE CNCGROUP China169 Backbone
482                 203.22.204.187   MZIMA – Mzima Networks, Inc.
383                 213.193.4.11     LYCOS-EUROPE Lycos Europe GmbH
370                 89.149.226.207   NETDIRECT AS NETDIRECT Frankfurt, DE
345                 72.14.221.191    GOOGLE – Google Inc.

Note: The AS block name does not always indicate the owner or operator of the infected servers on the listed IP address, and our publication of these data is intended to inform and educate, not to assign blame.

We see that most of the infections that show up in Google’s network block are from a single IP address that is associated with their Blogger network. As previously mentioned, this may indicate aggressive scanning and badware removal efforts more than it represents a threat to the public.

One positive story to come out of this latest round of stats is the response from Mzima Networks & Globat.com. Mzima forwarded our notification about the number of infections we’d observed on one of their IP addresses to the hosting provider, Globat, that leases the IP. The folks at Globat quickly called us up to ask what they could do to increase the security of their hosted sites. Globat had recently been the victim of a sophisticated hacking attack, and was already working hard to better secure their network. Our internal numbers from the past week indicate a marked drop in infections on the Mzima/Globat IP address.

Top infected network blocks for mid-August

Posted by Maxim Weinstein Mon, 25 Aug 2008 14:30:03 GMT

In June we released a report with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. In July, we released an update. Here is another update from mid-August:

# of badware sites  AS block name
28520               CHINANET-BACKBONE No.31,Jin-rong Street
8743                BIZLAND-SD – Endurance International Group, Inc.
8043                CHINA169-BACKBONE CNCGROUP China169 Backbone
5452                CHINANET-SH-AP China Telecom (Group)
3961                CNCNET-CN China Netcom Corp.
3464                THEPLANET-AS – ThePlanet.com Internet Services, Inc.
3182                GOOGLE – Google Inc.
2219                NETDIRECT AS NETDIRECT Frankfurt, DE
1896                CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
1685                SOFTLAYER – SoftLayer Technologies Inc.

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Not too many changes from last month. AOL is no longer on the list, apparently following through on their commitment to address the issue that landed them on last month’s list. Google reappears with a few thousand infected sites from their Blogger network, which, as previously mentioned, may be more indicative of aggressive scanning and badware removal than it is of threat to the public. Endurance is still high up on the list, though with several thousand fewer infected sites than our last update.

See also our updated list of top infected IP addresses.
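As an added example (not code from the StopBadware posts), rolling the per-IP list above up to its AS blocks and comparing with the per-block totals shows how much of a block's figure can sit on a handful of hosts, which is the point made about Google's Blogger address. The two lists are embedded verbatim as constructed input; function names are the example's own.

```python
from collections import defaultdict

# Constructed input: the rows of the two mid-August 2008 lists on this page.
TOP_IPS = """\
2778 72.14.207.191 GOOGLE – Google Inc.
1292 89.149.253.24 NETDIRECT AS NETDIRECT Frankfurt, DE
537 209.63.57.10 INTEGRATELECOM – Integra Telecom, Inc.
526 210.51.165.96 CNCNET-CN China Netcom Corp.
513 38.113.1.116 BIZLAND-SD – Endurance International Group, Inc.
502 221.195.42.71 CHINA169-BACKBONE CNCGROUP China169 Backbone
482 203.22.204.187 MZIMA – Mzima Networks, Inc.
383 213.193.4.11 LYCOS-EUROPE Lycos Europe GmbH
370 89.149.226.207 NETDIRECT AS NETDIRECT Frankfurt, DE
345 72.14.221.191 GOOGLE – Google Inc.
"""
TOP_BLOCKS = """\
28520 CHINANET-BACKBONE No.31,Jin-rong Street
8743 BIZLAND-SD – Endurance International Group, Inc.
8043 CHINA169-BACKBONE CNCGROUP China169 Backbone
5452 CHINANET-SH-AP China Telecom (Group)
3961 CNCNET-CN China Netcom Corp.
3464 THEPLANET-AS – ThePlanet.com Internet Services, Inc.
3182 GOOGLE – Google Inc.
2219 NETDIRECT AS NETDIRECT Frankfurt, DE
1896 CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
1685 SOFTLAYER – SoftLayer Technologies Inc.
"""

def parse_rows(text, fixed):
    # AS names contain spaces: split off only the leading tokens, keep the rest.
    return [(int(p[0]), *p[1:]) for p in
            (line.split(None, fixed) for line in text.splitlines() if line.strip())]

def per_as_from_ips(ip_text=TOP_IPS):
    # Roll the per-IP counts up to their AS block.
    totals = defaultdict(int)
    for count, _ip, as_name in parse_rows(ip_text, 2):
        totals[as_name] += count
    return dict(totals)

def listed_ip_share(ip_text=TOP_IPS, block_text=TOP_BLOCKS):
    # Share of each block's total sitting on the top-10 IPs (0.0 if none listed).
    from_ips = per_as_from_ips(ip_text)
    return {as_name: from_ips.get(as_name, 0) / total
            for total, as_name in parse_rows(block_text, 1)}

def concentrated_blocks(threshold=0.9):
    # Blocks whose count is almost entirely a few hosts (Google/Blogger here).
    return [a for a, s in listed_ip_share().items() if s >= threshold]
```

A block whose count is concentrated on one or two addresses is a different abuse-handling problem from one spread across thousands of hosts, so this ratio is worth computing before reading a block total as a measure of threat.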

Draft guidelines for public comment

Posted by Maxim Weinstein Fri, 22 Aug 2008 18:52:58 GMT

Periodically, we update our Badware Guidelines to reflect what we have learned from the community and from our work. We have recently put together a draft of our new guidelines for software, and we’d like your feedback. Please let us know what you think in our discussion group or via e-mail to contact@stopbadware.org.

In addition to any observations, corrections, or suggestions you have, we’re interested in a couple specific questions:

  1. Do we adequately cover the issue of behavior that is/isn’t appropriate with automatic update features?
  2. Is the “deceptive behavior” section overly broad, or does it accurately capture an element of badware that we were missing?

Thanks for your input!

Badware panel at IT Security World

Posted by Maxim Weinstein Thu, 21 Aug 2008 18:30:20 GMT

Oliver Day, our lead security researcher, will be facilitating a panel at the IT Security World Conference & Expo in San Francisco on September 14.

Moderated by StopBadware.org’s Oliver Day, four of today’s greatest information security visionaries will gather for a panel discussion and audience Q&A to reveal and debate the latest trends in “badware” that IT security officers need to monitor as we head into 2009. Learn how the trends unveiled at this panel will impact your enterprise in the months to come – and how a community-based approach is among the best hopes for combating dangerous software.

At a time when 90 percent of Americans say they feel safe online, according to a recent Zogby poll for StopBadware.org, the panel participants – including PayPal’s Chief Information Security Officer, Michael Barrett, and Mozilla Corporation’s Chief Security Something-Or-Other, Window Snyder – will bring to light the latest threats in phishing, whaling, spyware, drive-by downloads and other types of badware. They will explore why the public shouldn’t be that confident and what we as security professionals should be doing about it.

Oliver will also be participating in the “Rock Star” keynote panel on the 15th. Check it out if you’re in the Bay area in September!

Mac attack

Posted by Maxim Weinstein Fri, 15 Aug 2008 14:06:30 GMT

Sandi over at the Spyware Sucks blog pointed to this thread on Apple’s Mac forums, indicating that some Mac users have been victims of a web-based malware attack:

This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:

[potentially dangerous URL removed]

And once it’s in the clipboard, I can’t copy anything else over it until I’ve restarted the machine.

Several other users reported similar attacks, whether they were using Safari or Firefox as their browser.

[Update 8/19: There are also reports of this issue from users of Ubuntu, a popular distribution of Linux.]

This is a good reminder that users of operating systems other than Windows are not immune to malware or social engineering.

Serious Internet Explorer vulnerability

Posted by Maxim Weinstein Tue, 12 Aug 2008 19:25:50 GMT

Symantec describes a vulnerability in Internet Explorer that allows a website with malicious content to install a Microsoft-signed ActiveX control and then exploit a known vulnerability in that control:

Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.

It does not appear that there is a known fix for this right now, so it’s just one more reason to keep your security software up to date if you’re using Internet Explorer.

Apple keeps mum

Posted by Maxim Weinstein Mon, 11 Aug 2008 13:51:28 GMT

The other day, Rob Pegoraro at the Washington Post wrote a column about Apple’s tendency to keep its mouth shut rather than communicating with customers:

The Cupertino, Calif., corporation provides some of the best tech support in the business — no other major computer vendor makes it easier to sit down with a live employee and get help. But if you’re not at the Genius Bar at one of its stores, Apple can be one of the least communicative companies around.

And when Apple’s MobileMe online service melted down after its launch last month, subscribers might as well have been yelling at their monitors.

Here at StopBadware.org, we’ve found Apple to be equally uncommunicative. A couple of months ago, when we notified them that we were preparing a badware alert about Apple Software Update, they quietly changed the product at the 11th hour but never contacted us about it. More recently, we’ve tried to contact several senior executives there to initiate an informal, low-pressure conversation about their disclosure practices, but our invitation has gone unanswered.

No one is questioning Apple’s ability to design a neat product or generate enthusiasm about a product launch. Failing to engage with the security and user communities, however, is a different thing entirely, and one in which Apple is coming up short. It’s time for the folks in Cupertino to change their (i)tune and start loosening their lips.
