Save the date: Upcoming web chat

Save the date! On Thursday, August 26, from 1-2 pm EDT, StopBadware will host a web chat on the topic "The role of third-party applications in protecting users from badware." The featured "speakers" will be Brad Arkin, director of privacy and security at Adobe, and Johnathan Nightingale, head of Firefox development at Mozilla.

More information will follow soon. Meanwhile, if your company is interested in sponsoring this event, please let us know!


Now hiring a professional raconteur!

StopBadware is hiring! If you know someone looking for a full-time communications job here in Harvard Square, be sure to refer him/her to the job description.


Americans want security, don’t know how to get it

A study released today by the National Cyber Security Alliance (NCSA) and the Anti-Phishing Working Group (APWG) indicates that most Americans are genuinely concerned about online safety and security. Furthermore, according to the study, they recognize their responsibility to contribute to the Internet's overall security and are willing to take steps in that direction.

The biggest obstacle, perhaps unsurprisingly, is the lack of clear, concise instructions on what users should do to protect themselves. This is an area in which we, as an industry, have to improve. When you combine the complexity and diversity of available technologies with a lack of consistency around messaging, terminology, and visual symbols, it's no wonder that consumers are feeling confused.

The upcoming National Cybersecurity Awareness Campaign, which the NCSA and APWG are spearheading, should be a step in the right direction. It promises a unified messaging campaign to increase awareness nationwide, and perhaps even internationally. Of course, if this survey is any indication, this will be a challenge, as the issue isn't so much awareness of the problem, but rather awareness of the solution.

Over the coming months, StopBadware will be working with industry partners to help them do their part to protect consumers from badware. Part of this, undoubtedly, will be consumer education. Just as we (and, by extension, our partners like Google and Firefox) now offer webmasters specific tips on finding, removing, and preventing badware on their websites, we need to work together to present clear guidance for users on how to protect their computers, their handheld devices, and their online information.


Hijacked subdomains still serving malware

Last month the Unmask Parasites blog wrote about attacks that use hijacked subdomains of legitimate websites to serve badware. At the time of that article's publication the attacks had already been going on for a month. We are still seeing a lot of infected websites pointing back to solk.seamscreative.info (on port 8080) and other sites like it.

The standard drive-by download attack required injecting iframes into normally benign sites; the landing or intermediary sites those iframes pointed to, however, were not normally registered to benign users. This represents an interesting evolution of tactics: it adds another layer of innocent victims to the network of infections. The attack has been fairly successful, given that after two months the infected subdomains still haven't been taken down.

Considering our own methods of alerting the public to infections, it is easy to see why. Subdomains aren't something owners will be on the lookout for, and the DNS registrar likely has no idea that attacks are occurring within its customer base. According to the Unmask Parasites post, the most affected DNS registrar seems to be GoDaddy. I don't know whether this means there is a flaw in their DNS management panel or whether legitimate customers have had their credentials stolen. Either way, this trend warrants more investigation.

UPDATE 7/28: The GoDaddy abuse team has been notified.
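Since site owners are not normally watching for subdomains they never created, a periodic review of the zone is the practical check. The following is an added example, not code from the Unmask Parasites post or from StopBadware: it reads a BIND-style zone export and prints every A, AAAA or CNAME record whose target is not on the owner's list of known hosts. The zone content, the expected-host list and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example: flag zone records that point somewhere the site owner does
# not recognise. Both the zone and the expected-target list are constructed.

# Constructed zone export in BIND presentation format (name ttl class type target).
ZONE='example-site.test.       3600 IN A     203.0.113.10
www.example-site.test.   3600 IN A     203.0.113.10
mail.example-site.test.  3600 IN A     203.0.113.20
x7q2.example-site.test.  3600 IN A     198.51.100.77
k91a.example-site.test.  3600 IN CNAME off-site-host.test.
example-site.test.       3600 IN MX 10 mail.example-site.test.'

# Addresses and CNAME targets the owner knows about, one per line.
EXPECTED='203.0.113.10
203.0.113.20
mail.example-site.test.'

# unexpected_records ZONE EXPECTED
# Prints "name type target" for each A/AAAA/CNAME record whose target is not
# in the expected list. Both inputs are tagged with a prefix so a single awk
# pass can load the allow-list first and then scan the zone.
unexpected_records() {
  { printf '%s\n' "$2" | sed 's/^/EXPECT /'; printf '%s\n' "$1" | sed 's/^/ZONE /'; } |
  awk '$1 == "EXPECT" { ok[$2] = 1; next }
       $1 == "ZONE" && ($5 == "A" || $5 == "AAAA" || $5 == "CNAME") && !($6 in ok) {
         print $2, $5, $6
       }'
}

# Convenience wrapper: how many records in the sample zone look unexpected.
count_unexpected() {
  unexpected_records "$ZONE" "$EXPECTED" | wc -l | tr -d ' '
}

unexpected_records "$ZONE" "$EXPECTED"
```

Run against a real export the same way (`unexpected_records "$(cat zone.txt)" "$(cat known-hosts.txt)"`); any line it prints is a record to explain, and a subdomain the owner never created is exactly the pattern described above.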


NSFOCUS, our newest data provider

We are pleased to welcome Chinese security firm NSFOCUS as a new data provider! NSFOCUS joins Google and Sunbelt Software in feeding our Badware Website Clearinghouse with updated information about URLs they have discovered to be bad. Like all of our data providers, NSFOCUS will participate in our independent review process.

We are particularly excited to work with NSFOCUS because their team's extensive knowledge will give us insight into the often opaque world of Chinese networks and hosting providers.

NSFOCUS's press release about the data provider arrangement can be found here.


StopBadware welcomes new developer

StopBadware is pleased to welcome Matthew Shanley, our new lead developer! As we mentioned previously, our current lead developer, Brandon, will be heading off soon to torture himself for three years as a law student.

Matt joins us from Constant Contact, where he worked on their web development team. He holds a Master of Fine Arts in Interrelated Media from Massachusetts College of Art and Design and a Bachelor of Science in Electronic Media, Art, and Communication from Rensselaer Polytechnic Institute, and also attended Cornell University. He's also an all-around cool guy, and we're glad to have him on the team!


Establishing expectations for AV vendors

At StopBadware, we're currently revising our guidelines for badware applications. The goal of these guidelines is to distinguish between applications that are badware (defined as "software that fundamentally disregards a user's choice about how his or her computer or network connection is used") and those that aren't. One major reason for distinguishing badware from non-badware applications is to help people make informed choices before installing software that may compromise their privacy or security.

It is in this context that we ask a question that has been troubling us: if a "legitimate" anti-virus or security product has to send data about your computer use (e.g., your web search or browsing history) back to the vendor's servers to protect you as promised, how clearly should that data usage be disclosed?

Historically, we have thought of surreptitious collection of this type of data as a badware behavior. But what if the data isn't really being collected or used in any nefarious way, and the transmission of the data is necessary to make the product work as intended?

Consider a product like McAfee SiteAdvisor, a free browser plug-in that informs you of the safety of websites as you visit them or while browsing through search results. SiteAdvisor has to query a McAfee server with the URL (or the hash of the URL) of every site you visit or find during a search.  This means that, if McAfee wanted to (or if a rogue employee gained access), a profile of your browsing history could be compiled and tied back to your IP address. Yet this is never disclosed in any visible way prior to or during installation. In fact, it's not even in the Privacy Policy. (It could be considered covered by a vague provision in the EULA about the collection of personal information from your computer necessary to the function of McAfee's security products.)

This is not unique to SiteAdvisor. Many AV products now query a centralized database about URLs and/or executables to ensure users are protected. In our experience, most of these products fail to disclose this potential threat to a user's privacy in any meaningful way.
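The privacy point above applies even when the plug-in sends a hash of the URL rather than the URL itself. The following is an added example, not McAfee's or StopBadware's code: a client sends only sha256(URL), and a vendor that already holds a catalogue of crawled URLs recovers the visited page by hashing its own catalogue and matching. The catalogue, the URLs and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: hashing a URL before sending it to a reputation service does
# not hide the URL from a vendor that already knows the URL space.

# Hex SHA-256 of a string (coreutils sha256sum, with a shasum fallback).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# Client side: what leaves the user's machine for each page visited.
client_report() { sha256_hex "$1"; }

# Vendor side: URLs the vendor has already crawled (constructed list).
VENDOR_CATALOGUE='http://example-news.test/story/1
http://example-shop.test/cart
http://example-bank.test/login
http://example-forum.test/thread/42'

# vendor_resolve DIGEST
# Finds the catalogue URL whose hash equals DIGEST, or prints "unknown".
vendor_resolve() {
  digest="$1"
  match=$(printf '%s\n' "$VENDOR_CATALOGUE" | while IFS= read -r url; do
    if [ "$(sha256_hex "$url")" = "$digest" ]; then
      printf '%s\n' "$url"
    fi
  done)
  if [ -n "$match" ]; then printf '%s\n' "$match"; else printf 'unknown\n'; fi
}

# Rebuild a browsing profile from a list of received digests.
profile_from_digests() {
  for d in "$@"; do vendor_resolve "$d"; done
}

# Constructed session: three digests leave the machine; two are recoverable.
demo() {
  d1=$(client_report 'http://example-bank.test/login')
  d2=$(client_report 'http://example-forum.test/thread/42')
  d3=$(client_report 'http://not-in-catalogue.test/')
  profile_from_digests "$d1" "$d2" "$d3"
}
demo
```

The only URLs the vendor cannot resolve are those it has never seen; for a security product whose whole purpose is to have seen most of the web, that is a small set, which is why the disclosure question in the post does not go away by hashing.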

So, back to the question. Is this a badware behavior, one that in this case is being perpetuated by several well-respected software companies? Or is it reasonable to expect that users either know or wouldn't care that their security comes at the price of a company having access to some private data? Is it dependent on the trustworthiness of the vendor or the stated use of the data once it's been received? What should we expect as a minimum bar from AV vendors whose products behave in this way?

Please let us know your thoughts in the comments!


What We Learned at ThePlanet (AS21844)

After months of looking into the infections of AS21844 (ThePlanet) we've decided to wrap up our investigations for now.  We have learned quite a bit from our communications with customers at ThePlanet.  While no one from ThePlanet has spoken with us officially we have learned that they possess a direct feed of infected URLs from Google.  This means that large customers of ThePlanet, such as HostGator, should have the ability to learn of infections directly from their provider.  Also partners such as Skenzo should be able to use the same list to purge previously infected, and now abandoned, domains from their monetization framework.  

For those of you that look at our Top 50 Infected Networks you'll notice that ThePlanet is still at the top.  There really should be an asterisk up there since some of those infections shouldn't be counted.  In particular the Skenzo related infections aren't actually a threat but are still listed due to a policy decision by the Safe Browsing team (which you can read about in a previous blog post).  The best solution for now is to get this list to Skenzo so they can remove it from their framework.  I am preparing this list for Skenzo right now but eventually, I hope, ThePlanet will provide it for them.  To add some transparency to our research I'll paste the top infected org names as reported by ThePlanet's RWhois server:


org name                               count
WebsiteWelcome                          7909
Skenzo FZE                              2838
Unidentified                             683
Site5 LLC                                430
Bahram Boutorabi                         192
SiteGround.com Inc.                      171
webserver-a-rackshack.directi.com        166
Mochanin Corp                            136
maktoob.com                              119
server sea                               115
Payam Torkian                            115
Our Internet_ Inc                        112


Don't forget that some of the 7,909 infections listed as HostGator (WebsiteWelcome is the org name used by HostGator) are duplicates. Our hosting providers tend to include multiple pages (and/or directories) per website host, so these numbers require additional explanation. If one were to sort the infections by unique domains alone, the count would be noticeably lower. Applying some command line fu to one of the data files shows us that the repetition is not nearly as high as it used to be: only four domains are repeated more than 10 times.


count domain
10 vadakarapally.org
12 attorney2traffic.org
16 e-sense.tv
17 niftysensex.com


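As an added example of the sort of command-line processing described above (not StopBadware's own script; the URL list and the function names are constructed here), this POSIX shell snippet collapses a list of infected URLs to unique domains and reports the domains that repeat more than a chosen number of times, which is the computation behind the counts quoted in this post:

```shell
#!/bin/sh
# Added example: reduce a one-URL-per-line data file to unique domains and
# list the domains that recur more than a threshold. Input is constructed.

# Host part of each URL on stdin: strip the scheme, then everything from the
# first slash, then any port; lower-case so mixed-case hosts collapse together.
url_to_domain() {
  sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#/.*$##' -e 's#:[0-9]*$##' |
  tr 'A-Z' 'a-z'
}

# Number of distinct domains in the URL list read from stdin.
unique_domain_count() {
  url_to_domain | sort -u | wc -l | tr -d ' '
}

# repeated_domains N: domains that occur more than N times, as "count domain",
# ascending by count (the same shape as the table in the post).
repeated_domains() {
  threshold="$1"
  url_to_domain | sort | uniq -c |
  awk -v t="$threshold" '$1 > t { print $1, $2 }' | sort -n
}

# Constructed sample: 8 URLs across 3 domains; one domain appears 5 times
# (once with different case and once with a port, which should not matter).
SAMPLE_URLS='http://example-host-a.org/index.php
http://example-host-a.org/wp-content/x.js
http://example-host-a.org/blog/
http://EXAMPLE-HOST-A.org/blog/page2
http://example-host-a.org:8080/img/
http://example-host-b.tv/
http://example-host-b.tv/dir/
https://example-host-c.com/'

# Wrappers that run the two reports over the sample.
sample_unique_count() { printf '%s\n' "$SAMPLE_URLS" | unique_domain_count; }
sample_repeated() { printf '%s\n' "$SAMPLE_URLS" | repeated_domains 2; }

sample_unique_count
sample_repeated
```

On a real data file the equivalent is `unique_domain_count < urls.txt` and `repeated_domains 10 < urls.txt`; the unique count is the figure to compare between networks, since the raw line count inflates hosts that were crawled page by page.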
HostGator has roughly 7,563 unique infected domains according to our last count and ThePlanet has 20,298 unique infected domains with their true number likely around 17,000 (adjusting for Skenzo).  Where does that put ThePlanet in the context of our top 50 infected networks?  Exactly where they are now actually. The next closest network is GoDaddy's AS26496 with 11,576 infections.


AV vendors say most badware sites are compromised

A recent report from Symantec reinforces the idea that most web-based malware is distributed via compromised, legitimate sites:

In 2010 so far, using the same approach, the proportion of malicious domains that are legitimate [i.e., set up for reasons other than distributing malware] has increased dramatically compared to last year – it’s now about 90%.

On a related note, Avast reports that, despite popular belief, adult sites are not carrying the load of malicious content:

…the statistics are clear – for every infected adult domain we identify there are 99 others with perfectly legitimate content that are also infected.

Everyday Internet users who are hearing this for the first time should take this as a wake-up call. Protect your computer. Protect your website. And recognize that, while making smart decisions about your Internet use is always a critical part of security, deciding which type of website you visit isn't as important as it once was.

Hat tip: H-Online via UnmaskParasites (Twitter)


WEIS Recap: Review of “Might Governments Clean Up Malware?”

Richard Clayton wrote one of the more interesting papers presented at WEIS. In his paper "Might Governments Clean Up Malware?" [pdf] he suggests some possible government interventions to aid consumers in cleaning up their computers. His paper explains the reasons as follows.
1) ISPs do not have an incentive to act
2) The problem has public dimensions very similar to public health issues
3) The math behind this issue requires someone (the government) to seed the funding for experts to act
I agree with the contention that ISPs do not have incentives to act. Of the web hosts I have communicated with, not a single one has found it financially rewarding to deal with the problems I highlight. This really isn't how it is supposed to work, either. As Clayton points out, "in principle the market should deal with ISPs who skimp on abuse activity." Put another way, those ISPs that do actively clean up infections in their customer base should have a better image and thus more business. The market should reward those ISPs that go out of their way to make sure their customers remain protected. But as pointed out in many of the papers that grace WEIS and conferences like it, the margins are extremely slim.
Clayton's paper even references another paper which claims that a single interaction with a customer by an ISP will eat up all of the profit generated by that customer for the entire year. (In a footnote he mentions that this may be exaggerated, but not greatly so.)
The one issue I have with this paper is that it doesn't quite cover the issue I'm most concerned about. Obviously that isn't a valid criticism of the paper so much as a want on my side. The paper deals with helping out web "surfers" instead of webmasters. Often the problem I'm studying involves both levels: websites are infected because the webmaster's personal computer was infected and the attacker gathered the login details from there. So fixing one may in fact help fix the other. But there is a major difference worth noting. The paper made a good point about the hesitation of an ISP to engage with its customers this way. When margins are thin, profit is only acceptable through volume, so any action that drives customers away in any number is dangerous. Accusing customers of infections isn't always rewarded with gratitude; customers can feel angry, ashamed, alienated, or all three at once. For many people it is difficult to find alternative options for bandwidth. In Cambridge I have my choice between one cable company and two DSL providers (one of which just resells the other's service at a markup), and the change from cable to DSL (or vice versa) comes with considerable costs as well. But for web hosting there isn't that much switching cost and there are a lot of choices. So the danger of customer alienation for web hosting firms is very, very high.
