The challenges of counting badware sites

Posted on November 5, 2010 by Maxim Weinstein

Like many folks who are trying to fight badware, we often find ourselves trying to quantify the problem. How many badware websites are there? How many are hosted by a particular IP address, or a specific AS, or a given hosting provider? And, knowing these numbers, how do we understand how big a problem these numbers represent?

Something as simple as counting may sound easy, but there are many challenges:

  • It's hard to know which units to count. Individual URLs? Fully qualified domain names? Base domain names? None of these consistently correlate to what a human would consider "a website." And counting any one of these results in skewed data.
  • What's the denominator? Suppose hosting provider A has more infected sites than hosting provider B. Is this a result of negligence on the part of A, or is A simply much larger than B? It's difficult to impossible to find accurate data about tne numbers of unique domain names or websites hosted by a particular provider.
  • How do you count a URL or domain name over time if its IP address changes? Suppose you're reporting weekly stats; if a URL moves from hosting provider A to B within that week, how do you account for that in reporting the numbers? What if the site was "bad" when it was provider A but is now clean when it's at B? Do you still report A as hosting a bad site for the week?
  • How do you count a URL that resolves to more than one IP address? Do you double count it?

These are questions with no easy answers. Yet, as Brian Krebs and various government officials have pointed out, it's difficult to know what action to take, and against whom, if you don't have a good way of measuring the problem. At StopBadware, we're gradually trying to work on answers to these questions. We've learned a few lessons from our successes and our mistakes, but we can also use more input. If you have ideas, or would like to talk with us further about the measurement challenge, please let us know in the comments or at contact <at> stopbadware <dot> org.

Tagged , , | 1 Comment

StopBadware’s public comments to the FCC and U.S. Dept. of Commerce

Posted on October 19, 2010 by ccondon

The evolution of public policy as it pertains to cybersecurity is of significant interest to us at StopBadware. Our extensive experience with badware websites puts us in the position to illuminate pressing issues and possible solutions with regard to security, and we continue to focus on influencing public policy in sensible ways. Our Executive Director, Maxim Weinstein, recently submitted public comments in response to inquiries from the FCC and the U.S. Department of Commerce. StopBadware’s response to the FCC’s request for comments regarding a Cybersecurity Roadmap discusses the role of ISPs in protecting users from badware. Our comments to the U.S. Department of Commerce Internet Policy Task Force identify challenges and potential solutions to collecting and analyzing data, and influencing market change. These comments are available in full at http://www.stopbadware.org/home/research.

As always, we welcome thoughtful discussion on these topics. Policy change with regard to cybersecurity can effect widespread change that greatly increases online security; we take every opportunity to inform policymakers as to practical ways they can better protect individuals and organizations. 

Tagged , , , , , | 1 Comment

Prevx’s ill-conceived idea

Posted on October 18, 2010 by Maxim Weinstein

Last week, BBC News reported that security firm Prevx will release a "small program" that will gather data about the effectiveness of anti-virus software:

In the face of the tidal wave of malware, said Mr Bolin, PC users need a better way to find out how well they are being protected and how long they have been at risk.

Mr Bolin believes the way to get a better sense of the performance of security companies is via a small program that sits on a PC and logs when files are installed.

The program would lie dormant most of the time but would alert a user if it noticed that a fix had been created for a particular virus or trojan it had spotted on a PC.

The idea seems to be that measuring the lag time between when a file is installed until a definitions file addresses it will "bring about change in an industry that is not changing."

My comments here are based on the BBC story, as I couldn't find any additional information about the plan at Prevx's website or blog.

The first problem with the plan is that Prevx is itself an anti-virus company. Therefore, it's hard to believe the real goal isn't to make its competitors look bad. Even if this isn't the case, the company's decision to release this software on its own, rather than working through a trade association or an independent third party, makes it appear to be the case. Only with independent scrutiny and a design that is intended to objectively measure effectiveness should a tool like this be considered reputable.

Another problem is that security software is changing. Most major AV products now use a combination of techniques to prevent and detect malware. They don't rely only on file signatures, but instead use various techniques for identifying suspicious behaviors, blocking the exploits that deliver the malware, and leveraging cloud-based data. Based on the BBC article's description of the Prevx software, it seems that the software would measure only those files that got past all of these defenses. This would measure not the products' effectiveness at protecting users, but only their response time to files that slipped through an extensive set of defenses.

My hope is that Prevx will reconsider this ill-conceived idea. Graham Cluley, from rival AV vendor Sophos, has his own critique of the Prevx plan here.

Tagged | 1 Comment

Sowing the Seeds – What Next?

Posted on October 13, 2010 by Maxim Weinstein

In "Sowing the Seeds for a Safer Internet," a piece for InfoWorld, Roger Grimes calls on the tech industry to work together to create a unified malware warning system:

…I think we all need a warning service built in to the backbone of the Internet. Most antimalware companies and interested parties get lists of all the rogue origination points each day, updated several times a minute. The antimalware companies know where the majority of the bad stuff is coming from far faster than the average consumer or regular business. My idea is that reported rogue information should be shared with the world, immediately, and not just posted in the circle of the few. As I said, more information is usually better.

He concludes with the million-dollar question:

All we need is a few servers and a few groups to agree on how to implement it. After 20 years of waiting for computer security solutions to actually put a dent in computer crime, we stand on the cusp of real solutions. I just wonder: What it will take to make it happen?

When StopBadware started the Badware Website Clearinghouse a few years ago, we envisioned creating a system much like Grimes describes: a shared pool of known badware URLs, updated frequently. We even took it a step further, establishing clear guidelines for badware, and building in mechanisms for transparency (you can search on our website to find out if a URL has been reported as bad, and by whom) and "due process" (our independent review process allows site owners to request manual investigation if they believe a URL is reported in error).

So, what happened? While the Clearinghouse and the work of our data providers (Google, Sunbelt Software, NSFOCUS, and soon Nominum) have been valuable in many ways, the collaborative sharing we've dreamed of has yet to come together. It turns out, companies like Google, the big AV companies, and Grimes's employer, Microsoft, are reluctant to share their data freely. Why? Lots of reasons, many of which are understandable from a business viewpoint:

  • The R&D and operations to detect malware are expensive, and it's hard to justify the investment if the data will then be given away to other industry players for free. (Essentially, this is a tragedy of the commons problem.)
  • Having better data than your competitor may translate to better protecting your customers, which can help differentiate your product/service in the market.
  • Data can be sold/licensed for revenue or shared/traded in exchange for something else of value (other data, public recognition, services that will help the organization).
  • Proprietary data can be used as a basis for academic or commercial research that elevates the researcher or serves as a PR/marketing function for the business.

Note: Google (one of our partners) is better than many companies, in that it offers a free API to query its own URL data. This is not the same as sharing the data into a common pool, but it's a step in the right direction.

Now, to the question "What will it take to make it happen?" Here's what I believe it will take:

  • A shared pool of data, fed by at least three large companies or research organizations (ideally, it would be fed by a much broader set of sources, but a few big ones are needed to start it)
  • A common set of guidelines for what does and doesn't qualify as bad
  • A shared set of protocols, APIs, etc., for feeding data in and pulling data out of the pool
  • A rapid process for updating those URLs/addresses/etc. that have demonstrably cleaned up after being identified as bad
  • A responsive and transparent process for reviewing reports of false positives and quickly removing any that are confirmed
  • A means of educating and supporting the victims whose computers or websites have been infected without their knowledge and have ended up in the "bad" pool
  • An independent, trusted entity to manage all of the above
  • Public and/or private funding to support that entity

Achieving all of this may seem like a tall order, but it's not out of reach. As Grimes pointed out, some of the technical pieces are already in place. StopBadware has implemented, or laid the groundwork for, several of the others. The biggest missing ingredient is the shared pool of data.

The question, then, is simple, if not easily answered: who is going to be the first to break down (or circumvent) the barriers to sharing data via a common pool?

Tagged , , , , | Comments Off

StopBadware welcomes Nominum as new partner

Posted on October 4, 2010 by ccondon

In the fight against badware, StopBadware is always looking for new ways to make the Internet safer and for more people to help us do it. Today, StopBadware is excited to announce its new partnership with Nominum, a leading provider of Intelligent DNS (Domain Name System) solutions to service providers, enterprises, and government agencies.

Nominum’s Intelligent DNS System protects users from online threats in real time, and Nominum has always been committed to ensuring that people have a safe, secure, and enjoyable Internet experience. Since Nominum’s software powers the majority of the Internet’s DNS lookups, Nominum is in a unique position to prevent large numbers of users from accessing badware domains. In return, StopBadware’s independent review process will provide a way of making sure that the domains listed as bad really belong on the list of threats.

We at StopBadware think this shared interest in keeping users safe has fantastic potential to make a big difference in fighting malware. Later this year, Nominum will become the first DNS vendor to act as a data provider for StopBadware; in addition to sponsoring us, Nominum will contribute malicious domain data gathered by its researchers over the Nominum global network to our Badware Website Clearinghouse. You can read the full press release here.  We’re extremely excited about the opportunities this partnership will offer to improve Internet security. Look for more updates from us over the coming months!

Tagged | Comments Off

Google offers automatic reporting for network operators

Posted on September 30, 2010 by Maxim Weinstein

Our partners in Google's security team are offering a great new tool for operators of "autonomous systems" (ASes). Now, large web hosting companies and other AS operators will be able to request Safe Browsing Alerts for badware URLs that Google has detected on their networks. This will allow these operators to quickly learn of badware and hopefully take prompt action to notify customers, clean servers, patch vulnerabilities, and otherwise keep their networks clean.

Companies that identify badware websites have a responsibility to share this information with the sites' owners and/or hosting providers, and this new tool is an important step forward by Google in meeting that responsibility.

You can read more about the Safe Browsing Alerts on the Google Online Security Blog.

Tagged , | 5 Comments

SBW welcomes our new Raconteur!

Posted on September 22, 2010 by Maxim Weinstein

Astute StopBadware blog readers may have noticed that yesterday's event announcement was posted by someone new: Caitlin Condon, our new Raconteur! Caitlin is a graduate of USC's Annenberg School for Communication & Jounalism. She previously worked in communications at Equipois, a California-based startup, and taught English in Korea.

We're thrilled to have her on the team, and you can expect to see much more from her over the coming months.

Tagged | Comments Off

StopBadware Bay Area Event October 4

Posted on September 21, 2010 by ccondon

 

Keeping the Net Healthy: A Conversation with Vinton Cerf, Paul Mockapetris and Esther Dyson

StopBadware is offering an exciting opportunity for anyone in the Bay Area interested in Internet security: Join StopBadware and The Commonwealth Club the evening of Monday, October 4 in Menlo Park, CA, for a discussion on how to keep the Net safe. Three Internet pioneers—all StopBadware Board members—will lead a conversation entitled Keeping the Net Healthy: How Can We Develop an Immune System for the Internet? with opening and closing remarks by StopBadware's Executive Director, Maxim Weinstein.

Featuring:
Vinton Cerf, VP and Chief Internet Evangelist, Google; one of the "fathers of the Internet"
Paul Mockapetris, Chief Scientist and Chairman of the Board, Nominum; creator of the Domain Name System (DNS)
Esther Dyson, Chairman EDventure Holdings; angel investor, philanthropist, and recently trained cosmonaut

Viruses, spyware, spam, phishing, zombie machines. Several years ago, we might have thought of these as just a nuisance, and their perpetrators as mostly underemployed kids. Today, cybercrime is worth billions of dollars to loosely organized networks of criminals that prey on individuals, businesses and governments with malicious or profit-seeking intent. What are some of the current threats, and how is industry responding to them? What new threats might we expect in the coming years? Is the Internet's health partly a result of misaligned incentives, where those who cause the damage don't bear its costs? How can we change that? What more should industry, government and individuals be doing to protect the network and, ultimately, ourselves?

The event begins with a networking reception at 6:15, followed by the main program at 7:00. Tickets are $30 in advance and $50 at the door. Advance tickets are available here. We hope you'll join us for what promises to be a spirited and educational discussion.

Tagged , | Comments Off

Another job opportunity – SBW seeks a geek!

Posted on September 13, 2010 by Maxim Weinstein

Even as we finish the hiring process for our new raconteur, we are hiring again! We are looking for a team geek to help us with everything from setting up virtual machines to writing reports about badware trends. For more information, see the job description.

Tagged , | Comments Off

A successful web chat

Posted on August 27, 2010 by Maxim Weinstein

We'd like to express a heartfelt thanks to Adobe's Brad Arkin, Mozilla's Johnathan Nightingale, and the many people who observed and contributed to yesterday's web chat. The topic, applications' role in protecting users from badware, proved interesting and engaging. You can read the transcript of the chat here.

We hope to do more of these web chats in the future. What topics would you like to see covered?

Tagged , | Comments Off