StopBadware Blog

Web chat: Applications’ role in protecting users from badware

Posted on August 19, 2010 by Maxim Weinstein

Badware often installs itself by taking advantage of bugs or exploits in software on the user's computer. While some of these exploits are in the operating system or default web browser, badware increasingly is targeting other applications and browser plug-ins.

What role can and should these applications—and their developers—play in protecting users from badware? Join Brad Arkin, Adobe's director of privacy and security, and Johnathan Nightingale, Mozilla's head of Firefox development, for a free moderated web chat next Thursday.

Title: Applications' role in protecting users from badware
Date/time: Thursday, August 26, 1-2 pm EDT
URL: http://www.stopbadware.org/events/apps-web-chat
Cost: Free! No preregistration required.

We hope you'll join us on the 26th for what promises to be an informative and interesting discussion!

Tagged adobe, events, mozilla, stopbadware | Comments Off

The continuing evolution of StopBadware

Posted on August 13, 2010 by Maxim Weinstein

As StopBadware and the environment in which we operate evolve, we continually evaluate where to focus our resources and attention. Over the next couple of months, we'll be making a few changes that reflect our current priorities. Hiring a "raconteur," or communication specialist, is one such change. This will allow us to work more closely with the community, our industry partners, and our other constituents to ensure that effective techniques for protecting users from badware reach the greatest possible audience.

Another change is that we'll reduce—for now—our emphasis on technical research and "deep-dive" analysis of badware sites. In place of a dedicated research function, we'll create a new, broader role that includes a bit of data sifting, along with hands-on systems work, testing, documentation, and more. (Job posting coming soon.)

Finally, we'll be introducing more events, like our upcoming web chat, that bring people together to discuss and share ideas about how best to protect users from badware.

With these changes, along with our continued work assisting webmasters and our data providers, we believe that StopBadware will be in a great position to expand our impact and make the Internet safer for all of us.

Tagged stopbadware | 2 Comments

Save the date: Upcoming web chat

Posted on August 12, 2010 by Maxim Weinstein

Save the date! On Thursday, August 26, from 1-2 pm EDT, StopBadware will host a web chat on the topic "The role of third-party applications in protecting users from badware." The featured "speakers" will be Brad Arkin, director of privacy and security at Adobe, and Johnathan Nightingale, head of Firefox development at Mozilla.

More information will follow soon. Meanwhile, if your company is interested in sponsoring this event, please let us know!

Tagged events, stopbadware | Comments Off

Now hiring a professional raconteur!

Posted on August 11, 2010 by Maxim Weinstein

StopBadware is hiring! If you know someone looking for a full-time communications job here in Harvard Square, be sure to refer him/her to the job description.

Tagged jobs, stopbadware | Comments Off

Americans want security, don’t know how to get it

Posted on August 10, 2010 by Maxim Weinstein

A study released today by the National Cyber Security Alliance (NCSA) and the Anti-Phishing Working Group (APWG) indicates that most Americans are genuinely concerned about online safety and security. Furthermore, according to the study, they recognize their responsibility to contribute to the Internet's overall security and are willing to take steps in that direction.

The biggest obstacle, perhaps unsurprisingly, is the lack of clear, concise instructions on what users should do to protect themselves. This is an area in which we, as an industry, have to improve. When you combine the complexity and diversity of available technologies with a lack of consistency around messaging, terminology, and visual symbols, it's no wonder that consumers are feeling confused.

The upcoming National Cybersecurity Awareness Campaign, which the NCSA and APWG are spearheading, should be a step in the right direction. It promises a unified messaging campaign to increase awareness nationwide, and perhaps even internationally. Of course, if this survey is any indication, this will be a challenge, as the issue isn't so much awareness of the problem, but rather awareness of the solution.

Over the coming months, StopBadware will be working with industry partners to help them do their part to protect consumers from badware. Part of this, undoubtedly, will be consumer education. Just as we (and, by extension, our partners like Google and Firefox) now offer webmasters specific tips on finding, removing, and preventing badware on their websites, we need to work together to present clear guidance for users on how to protect their computers, their handheld devices, and their online information.

Tagged apwg, consumers, ncsa, stopbadware, surveys | 2 Comments

Hijacked subdomains still serving malware

Posted on July 26, 2010 by Oliver Day

Last month the Unmask Parasites blog wrote about attacks using hijacked sudomains of legitimate websites to serve badware. At the time of that articles publication the attacks had been going on for a month already. We are still seeing a lot of infected websites pointing back to solk.seamscreative.info (on port 8080) and other sites like it.

The standard attack used in Driveby Downloads required the injection of iframes into normally benign sites however the landing or intermediary sites those iframes pointed to weren't normally registered to benign users. This represents an interesting evolution of tactics by creating another layer of innocent victim into the network of infections. The attack has been fairly successful if in the last two months the infected subdomains haven't been taken down yet.

Considering our own methods of alerting the public to infections it is easy to see why. The subdomains aren't something the owners will be on the look out for and the DNS registrar likely has no idea that attacks are occurring on their customer base. According to the blog post at Unmask Parasites the most affected DNS registrar seems to be GoDaddy. I don't know if this means there is some flaw in their DNS management panel or if legit customers have had their credentials stolen. Either way this trend warrants more investigation.

UPDATE 7/28: The GoDaddy abuse team has been notified.

Tagged godaddy, infections, subdomains, trends | Comments Off

NSFOCUS, our newest data provider

Posted on July 23, 2010 by Maxim Weinstein

We are pleased to welcome Chinese security firm NSFOCUS as a new data provider! NSFOCUS joins Google and Sunbelt Software in feeding our Badware Website Clearinghouse with updated information about URLs they have discovered to be bad. Like all of our data providers, NSFOCUS will participate in our independent review process.

We are particularly excited to work with NSFOCUS because their team's extensive knowledge will give us insight into the often opaque world of Chinese networks and hosting providers.

NSFOCUS's press release about the data provider arrangement can be found here.

Tagged china, nsfocus, stopbadware | Comments Off

StopBadware welcomes new developer

Posted on July 14, 2010 by Maxim Weinstein

StopBadware is pleased to welcome Matthew Shanley, our new lead developer! As we mentioned previously, our current lead developer, Brandon, will be heading off soon to tortue himself for three years as a law student.

Matt joins us from Constant Contact, where he worked on their web development team. He holds a Master’s of Fine Arts in Interrelated Media from Massachusetts College of Art and Design, a Bachelor’s of Science in Electronic Media, Art, and Communication from Rensselaer Polytechnic Institute, and also attended Cornell University. He's also an all-around cool guy, and we're glad to have him on the team!

Tagged stopbadware | 2 Comments

Establishing expectations for AV vendors

Posted on July 7, 2010 by Maxim Weinstein

At StopBadware, we're currently revising our guidelines for badware applications. The goal of these guidelines is to distinguish between applications that are badware (defined as "software that fundamentally disregards a user's choice about how his or her computer or network connection is used") and those that aren't. One major reason for distinguishing badware from non-badware applications is to help people make informed choices before installing software that may compromise their privacy or security.

It is in this context that we ask a question that has been troubling us: if a "legitimate" anti-virus or security product has to send data about your computer use (e.g., your web search or browsing history) back to the vendor's servers to protect you as promised, how clearly should that data usage be disclosed?

Historically, we have thought of surreptitious collection of this type of data as a badware behavior. But what if the data isn't really being collected or used in any nefarious way, and the transmission of the data is necessary to make the product work as intended?

Consider a product like McAfee SiteAdvisor, a free browser plug-in that informs you of the safety of websites as you visit them or while browsing through search results. SiteAdvisor has to query a McAfee server with the URL (or the hash of the URL) of every site you visit or find during a search. This means that, if McAfee wanted to (or if a rogue employee gained access), a profile of your browsing history could be compiled and tied back to your IP address. Yet this is never disclosed in any visible way prior to or during installation. In fact, it's not even in the Privacy Policy. (It could be considered covered by a vague provision in the EULA about the collection of personal information from your computer necessary to the function of McAfee's security products.)

This is not unique to SiteAdvisor. Many AV products now query a centralized database about URLs and/or executables to ensure users are protected. In our experience, most of these products fail to disclose this potential threat to a user's privacy in any meaningful way.

So, back to the question. Is this a badware behavior, one that in this case is being perpetuated by several well-respected software companies? Or is it reasonable to expect that users either know or wouldn't care that their security comes at the price of a company having access to some private data? Is it dependent on the trustworthiness of the vendor or the stated use of the data once it's been received? What should we expect as a minimum bar from AV vendors whose products behave in this way?

Please let us know your thoughts in the comments!

Tagged antivirus, guidelines, policy | 4 Comments

What We Learned at ThePlanet (AS21844)

Posted on July 6, 2010 by Oliver Day

After months of looking into the infections of AS21844 (ThePlanet) we've decided to wrap up our investigations for now. We have learned quite a bit from our communications with customers at ThePlanet. While no one from ThePlanet has spoken with us officially we have learned that they possess a direct feed of infected URLs from Google. This means that large customers of ThePlanet, such as HostGator, should have the ability to learn of infections directly from their provider. Also partners such as Skenzo should be able to use the same list to purge previously infected, and now abandoned, domains from their monetization framework.

For those of you that look at our Top 50 Infected Networks you'll notice that ThePlanet is still at the top. There really should be an asterisk up there since some of those infections shouldn't be counted. In particular the Skenzo related infections aren't actually a threat but are still listed due to a policy decision by the Safe Browsing team (which you can read about in a previous blog post). The best solution for now is to get this list to Skenzo so they can remove it from their framework. I am preparing this list for Skenzo right now but eventually, I hope, ThePlanet will provide it for them. To add some transparency to our research I'll paste the top infected org names as reported by ThePlanet's RWhois server:

WebsiteWelcome	7909
Skenzo FZE	2838
Unidentified	683
Site5 LLC	430
Bahram Boutorabi	192
SiteGround.com Inc.	171
webserver-a-rackshack.directi.com	166
Mochanin Corp	136
maktoob.com	119
server sea	115
Payam Torkian	115
Our Internet_ Inc	112

Don't forget that some of the 7,909 infections listed as HostGator (WebsiteWelcome is the org name used by HostGator) are duplicates. Our hosting providers tend to include multiple pages (and/or directories) per website host so these numbers require additional explanation. If one were to sort the infections by unique domains alone the count would be noticeably less. Applying some command line fu to one of the data files shows us the repetition is not nearly as high as it used to be. Only four domains are repeated more than 10 times.

count	domain
10	vadakarapally.org
12	attorney2traffic.org
16	e-sense.tv
17	niftysensex.com

HostGator has roughly 7,563 unique infected domains according to our last count and ThePlanet has 20,298 unique infected domains with their true number likely around 17,000 (adjusting for Skenzo). Where does that put ThePlanet in the context of our top 50 infected networks? Exactly where they are now actually. The next closest network is GoDaddy's AS26496 with 11,576 infections.

Tagged as21844, research, theplanet, webidemiology | Comments Off