Seeking comments on best practices for reporting

As we worked on our Best Practices for Web Hosting Providers, a common refrain we heard was, “What about best practices for reporting badware URLs?” So, we pulled together another great working group and started figuring out what elements make a report of a badware URL most likely to get the URL cleaned up or taken down. After several virtual meetings, we have a draft to share with you for your feedback.

Download the draft as a Word doc (.docx) or as a PDF.

We welcome any feedback you have on this draft. In particular, we’re interested in thoughts on the following:

  1. Are there better ways to identify the proper targets of the reports than those outlined in Practice 2?
  2. Are there other critical pieces of information that could be included in the list in Practice 3?
  3. Do you have suggestions for other escalation parties and/or guidance in Practice 5?
  4. Are the sample notifications in the appendix easy enough to follow? Is there anything you would change about the format?
  5. Should we also recommend an XML data format for reporting? If so, should it be based on an existing standard like IODEF, the Malware Metadata Exchange Format, the Mail Abuse Reporting Format, or something similar? Which one, and how would you recommend simplifying otherwise complex formats for the relatively simple job of reporting malware URLs for takedown/cleanup?

We would appreciate your feedback here in the comments or via email to contact\at\stopbadware\dot\org by Friday, September 16.


StopBadware introduces We Stop Badware™ program for web hosting providers

For some time now, StopBadware has advocated for increased focus on web hosting providers’ role in protecting customers, Internet users, and the Web as a whole from badware. Last week at HostingCon, StopBadware launched the We Stop Badware™ Web Host program for web hosting providers who pledge to follow policies and procedures consistent with our Best Practices for Web Hosting Providers.

The mechanics of the program are simple. To participate, web hosting providers should:

  • Compare their policies and procedures with the guidelines set out by the Practices to ensure compliance.
  • Sign up.
  • Display the We Stop Badware™ Web Host seal to demonstrate commitment to protecting customers and strengthening the Web’s resistance to badware.

One of our goals in creating the program was to give web hosting providers a way to advertise to customers and Internet users their commitment to security and their support for a stronger, safer Internet. At StopBadware, we believe that hosting providers’ unique position in the architecture of the Web carries with it a responsibility to proactively protect users and create a more secure online experience for everyone. The We Stop Badware™ Web Host program offers security-conscious web hosting providers a chance to fulfill this responsibility and actively participate in the badware solution.

To assist web hosting providers who are in compliance with the best practices, StopBadware also recently released a legal white paper titled Web Hosting Provider Liability for Malicious Content. Developed in conjunction with the Cyberlaw Clinic at Harvard’s Berkman Center for Internet & Society, the white paper is available as an additional resource for web hosting providers seeking information about badware liability. Finally, to complement the Best Practices for Web Hosting Providers, StopBadware is currently in the final stages of developing an inaugural set of Best Practices for Badware Reporting. A public draft of these new best practices is expected later this month.


Summer reading

For those looking for some quality summer reading about badware, I recommend the following recent articles:


New insights on hosting provider badware liability

When we at StopBadware released our best practices for web hosting providers back in March, we wanted to lay out a framework that helps providers address badware reports responsively and comprehensively while retaining the flexibility they need to function as businesses in a competitive market. Legal liability is a major concern for any business, and since addressing badware issues is often a tense and trying process, we wanted to determine the state of the law governing providers’ liability for hosting malicious content on their networks. How would adopting the Best Practices affect a provider’s legal risk? We consulted the Cyberlaw Clinic at the Berkman Center for Internet & Society for guidance.

We’re pleased to shed some light on the issue in our new white paper, Web Hosting Provider Liability for Malicious Content, which we are releasing today as a complement to our Best Practices. The paper confronts three major issues:

  • Are providers generally liable for hosting badware?
  • Do providers become liable for hosting badware when they receive a badware report?
  • Can providers become liable when responding to a badware report?

The white paper is based on general principles of U.S. federal case law and is, of course, offered as an informational resource only. You can read the paper here (PDF).


Upcoming StopBadware events: HostingCon, Online Trust Forum 2011

Happy middle-of-July, everyone: we hope the season is treating you kindly. The next few months are going to be pretty eventful for us, literally. We have several events coming up in various cities (all stateside for now), and we’d love to see some of you there. StopBadware will be at HostingCon in San Diego, CA, August 8-10; we’ll be exhibiting at the conference and promoting our Best Practices for Web Hosting Providers, so if you’re a rock star in the web hosting industry, be sure to stop by, say hello, and learn how you can demonstrate your commitment to protecting the online ecosystem!

After our summer conference debut, join us at the Online Trust Forum 2011 in Washington DC, October 17-19. Hosted by the Online Trust Alliance, the Forum will address marketing, technical and regulatory challenges impacting trust and confidence in online services and communications. Now in its 7th year, the Forum brings together an international audience of business, industry, marketing, security, and government leaders to learn and collaborate on best practices to protect consumers and develop trust.

If you need another reason to come witness the all-star lineup at the 2011 Online Trust Forum, we’ll give you one: our intrepid leader, Executive Director Maxim Weinstein, will be participating in a panel called Evolving Cybercrime – How to keep from being a statistic along with leaders from the APWG, InfraGard, and Internet Identity. 

Early bird registration (register by August 12): https://otalliance.org/dc.html. You can save $100 by using the code PTRORG.

In addition, the Forum will include the 2011 Online Trust Leadership Awards. If your company promotes online trust and protects online safety and identity, let everyone know by nominating yourself for an Online Trust Leadership award. (And of course, if you’re so inclined, feel free to nominate StopBadware for the NGO award!)

To learn about other events around the world geared toward protecting the Internet and stopping badware, check out StopBadware’s Badware Events Calendar. If you know of a great badware-busting event that should be included on our calendar, let us know at calendar<at>stopbadware<dot>org.


Graphic design wanted!

In preparation for a new StopBadware initiative that we'll be launching in August, we're looking to get a professional-looking seal/logo designed within the next couple of weeks. If you're a designer and want to put in a proposal for the job, take a look at the RFP. Note that the proposal deadline is this Thursday, and the design will have to be finished by July 15, so get those proposals in quickly!


A new form of script injection

The good people at Armorize recently discovered and analyzed a new form of script injection, which they have dubbed "Mass Meshing Injection." The unique characteristic of this new attack is that each compromised site loads a malicious script from a different compromised site, thus the "mesh" effect. According to Armorize, many of the compromised sites had not yet been picked up by major blacklists, including Google's, as of the date of the blog post.

According to Armorize, the telltale signs that a site has been compromised are the presence of a <script> tag pointing to somedomain/sidename.js within the website's contents, and two files injected in the site's root folder: sidename.js and wpcomplate.php.

Based on what we've read, it seems that sites that remove the above-mentioned files and tags often find themselves reinfected shortly thereafter, and there may be a backdoor in play.
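The two indicators Armorize reported (a script tag loading sidename.js, typically from a different compromised domain, and the files sidename.js and wpcomplate.php dropped in the site root) are concrete enough to check for mechanically. The following is an added example, not code from Armorize or StopBadware: it parses a page for script tags whose src ends in sidename.js, notes whether the host differs from the site's own (the "mesh" pattern), and checks a web root for the two dropped files. The sample HTML, the hostnames and the temporary web root are constructed for the demonstration.

```python
"""Indicator check for the "Mass Meshing Injection" pattern described above.

Added example, not Armorize's or StopBadware's code. It looks for the two
indicators the post lists: a <script> tag whose src points at
<somedomain>/sidename.js, and the files sidename.js and wpcomplate.php in the
site's root folder. The sample page and web root below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import os
import tempfile

# File names the post reports being injected into the site root.
INJECTED_FILES = ("sidename.js", "wpcomplate.php")
INJECTED_SCRIPT = "sidename.js"


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _remote_host(src):
    """Hostname of an absolute or protocol-relative src, or None if relative."""
    if src.startswith("//"):
        src = "http:" + src
    parsed = urlparse(src)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def find_mesh_script_tags(html, own_host):
    """Return (src, is_external) for every script tag that loads sidename.js.

    is_external is True when the script is fetched from a host other than
    own_host, which is the cross-site loading the post calls the "mesh".
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        basename = urlparse(src).path.rsplit("/", 1)[-1].lower()
        if basename != INJECTED_SCRIPT:
            continue
        host = _remote_host(src)
        hits.append((src, host is not None and host != own_host.lower()))
    return hits


def find_injected_files(webroot):
    """Return which of the reported dropped files exist in the web root."""
    return [name for name in INJECTED_FILES
            if os.path.isfile(os.path.join(webroot, name))]


def assess(html, own_host, webroot):
    """Combine both checks. A hit means the site needs a full review, since the
    post notes that removing only these files often leads to reinfection."""
    scripts = find_mesh_script_tags(html, own_host)
    files = find_injected_files(webroot)
    return {"script_hits": scripts, "dropped_files": files,
            "likely_compromised": bool(scripts) or bool(files)}


# Constructed sample page: one legitimate script plus the injected loader.
SAMPLE_HTML = """<html><head><title>Example</title>
<script src="/js/app.js"></script>
<script type="text/javascript" src="http://other-site.example/sidename.js"></script>
</head><body>Hello</body></html>"""


def demo():
    """Build a constructed web root containing both dropped files and assess it."""
    with tempfile.TemporaryDirectory() as root:
        for name in INJECTED_FILES:
            with open(os.path.join(root, name), "w") as fh:
                fh.write("// constructed placeholder, not real injected content\n")
        return assess(SAMPLE_HTML, "www.example.test", root)


if __name__ == "__main__":
    print(demo())
```

Run against a real site, the HTML would come from the served page and webroot from the hosting account; a same-site reference (`/sidename.js`) is still reported, with is_external set to False, since the dropped file is served from the compromised site's own root.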

We're asking the StopBadware community to help us become a resource for tracking this attack and helping site owners clean their sites of it. If you know more about this attack or new variations of it, please share them with the community. You can do so by posting to BadwareBusters.org or adding a comment here. If you have a lot to say, you may propose a guest blog post by emailing us at contact<at>stopbadware<dot>org. (Note: no guest blog posts containing product or service promotions will be accepted.)


Innocent sites caught in a dragnet

A New York Times blog reported last night that entire racks full of web hosting servers were seized by the FBI in an effort, presumably, to get at some evidence living on one of the servers:

The F.B.I. seized Web servers in a raid on a data center early Tuesday, causing several Web sites, including those run by the New York publisher Curbed Network, to go offline.

The raid happened at 1:15 a.m. at a hosting facility in Reston, Va., used by DigitalOne, which is based in Switzerland, the company said. The F.B.I. did not immediately respond to a request for comment on the raid.

[snip]

DigitalOne provided all necessary information to pinpoint the servers for a specific I.P. address, Mr. Ostroumow said. However, the agents took entire server racks, perhaps because they mistakenly thought that “one enclosure is = to one server,” he said in an e-mail.

Other sites that were using those servers reportedly include popular services Pinboard and Instapaper.

If the reported information is accurate, it appears the FBI really messed up here, harming several legitimate sites that didn't have to be harmed, and potentially damaging the reputation of the web hosting provider (presumably an innocent intermediary).

This also raises questions about how to apply the concept of property seizures to the cyber world. If I'm suspected of a crime, law enforcement can—with a court's permission—seize my computer and search it for evidence. In this case, though, it seems the servers seized didn't belong to the party under investigation. Rather, that party was renting space on a shared server, which in turn was part of a server farm. The FBI's actions seem equivalent to seizing an entire lot full of rental cars because one of the rental agency's customers was suspected to have committed a crime using one specific car on the lot.

Courts and law enforcement organizations are going to have to put some effort into figuring out a better way to execute seizures against shared digital resources. This might, for example, mean temporarily taking the server in question (and only that server) offline to create a forensically-valid clone of the contents, rather than seizing the physical equipment.

In any case, I hope that we won't see many repeats of this apparent over-reaching.


Adobe Reader further automates updates

Last year, we noted that Adobe took the important step of enabling automatic updates by default for new installations of its free, widely used Reader product. Existing installations, however, maintained their existing settings. Because previous versions of Reader defaulted to downloading, but not installing, updates, many computers are still running outdated versions that are prone to drive-by downloads and other malicious threats.

It therefore comes as good news that Adobe will now prompt users to switch to the more automatic setting:

While the Computerworld article describing this change compares the behavior to the Chrome browser's silent update feature, Adobe is making a clear effort to respect users' choices more explicitly than Chrome does. Not only are users prompted to opt into this feature in Adobe Reader, but there are other options available for those users who wish to opt out. Chrome, in contrast, makes this a default with no notification to the user, and there is no setting within the user interface to disable or change it.

As we discuss in our recent State of Badware report [PDF], Adobe deserves credit for taking several steps over the past year or so to make it easier for customers to keep their products patched.


Announcing the newest StopBadware report: The State of Badware

Today, StopBadware is proud to announce the public release of our first State of Badware report. The State of Badware offers insight into recent badware trends and responses and examines the factors that contribute to badware’s persistence. 

Badware is a significant challenge for all members of the Internet ecosystem, from individual computer users to big businesses and world governments. Cybercrime has evolved into a complex, profitable economy, and badware is the tool of choice for cybercriminals who perpetuate this economy. Despite the considerable resources poured into attempts to eliminate it, badware is, by all accounts, still on the rise. We believe that to truly understand the badware threat, it’s necessary to look at the interconnected systems that are tasked with defending against badware: The State of Badware explores four major areas of vulnerability (technical, behavioral, economic, and legal) in the Internet ecosystem’s overall structure that contribute to badware’s perseverance.

It’s clear that today’s approaches to security aren’t enough to repel or eradicate increasingly dynamic and hard-to-measure badware; we must create new and more centralized methods of measuring and responding to this threat. The State of Badware highlights key opportunities for improvement: it is intended as a resource to help individuals, business leaders, and policymakers understand how both badware and the industry’s response to it are evolving, and what steps we can take to defend against it.

You can read the full press release here. We at StopBadware are excited about this report–both its release and its potential as a tool for those who want to take action. As always, we welcome thoughtful discussion. You can download the full State of Badware at http://stopbadware.org/pdfs/state-of-badware-june-2011.pdf.
