NSFOCUS, our newest data provider

Posted by Maxim Weinstein Fri, 23 Jul 2010 19:36:51 GMT

We are pleased to welcome Chinese security firm NSFOCUS as a new data provider! NSFOCUS joins Google and Sunbelt Software in feeding our Badware Website Clearinghouse with updated information about URLs they have discovered to be bad. Like all of our data providers, NSFOCUS will participate in our independent review process.

We are particularly excited to work with NSFOCUS because their team's extensive knowledge will give us insight into the often opaque world of Chinese networks and hosting providers.

NSFOCUS's press release about the data provider arrangement can be found here.


Google's new stance on China raises interesting badware questions

Posted by Oliver Day Wed, 13 Jan 2010 20:53:11 GMT

Everyone is talking about Google’s latest move with regard to China, and there is a possibility that Google will pull out of the country. If that were to occur, there is the possibility that China will begin blocking Google from within the country. This raises some interesting questions for us here. Google provides the badware URL feed to Firefox browsers that prevents web surfers from viewing pages laden with infections. Will this tool continue to work for those in China?

We also receive appeals from Chinese webmasters whose sites have been infected and that, as a result, produce warnings in Google’s search results. Will we see a drop-off in appeals? Will those webmasters have the ability to use Google’s webmaster tools to manage the process of delisting themselves once they’ve cleaned their infection?


China restricts registration of .cn names

Posted by Maxim Weinstein Thu, 17 Dec 2009 21:24:35 GMT

The China Internet Network Information Center (CNNIC) announced new rules a few days ago that are intended to "enhance the authenticity, accuracy, and integrality [sic] of the domain name registration information."

These rules require applicants for .cn domain names to submit copies of their business license and personal ID for review by the registrar within five days of registering the name. There are two big questions that aren’t clear from the announcement:

First, does the requirement to submit a business license apply only to registrations on behalf of businesses, or does this mean that individuals are no longer allowed to register .cn domain names? The latter would be a substantial restriction on the Internet privileges of individuals in the country.

Second, what happens between the time an online registration occurs and the end of the five-day period? Is the domain active during this time, or does the domain not become active until after the paperwork is reviewed? The exact language is "From the day of the submission of online application, if CNNIC does not receive the formal paper based application material within 5 days or the application material auditing is not qualified, the domain name to be applied will be deleted." This implies that someone can sign up for a domain name with fake information, use it for five days, and then have the name revoked. I suppose that’s better than being able to use a fake domain indefinitely (sort of – it may make tracking down the perpetrator more difficult), but we’ve seen with domain tasting that short-lived registrations like this can be abused for creating ephemeral phishing and malware sites.

Underlying all of this, of course, is a long-running battle between privacy advocates who argue that being able to anonymously register a domain name extends the free speech opportunities, especially for dissidents in repressive regimes, and the security and law enforcement communities, which fret about the lack of accountability if the operator of a domain name cannot be tracked down. I’m not sure whether ICANN’s requirement for registrars to disable domains with false registrant information applies to country-level TLDs, but the CNNIC policy for .cn domains would certainly be consistent with that requirement, if more heavy-handed than we’ve seen from most registrars.

[Update 12/18: Berkman Center Fellow Donnie (Hao Dong) posted this piece explaining even more aggressive measures being taken by the Chinese government to crack down on malicious use of domain registrations. This will almost certainly reduce the number of misused Chinese domain names, but as indicated above, we may see some additional consequences.]


Prominent Chinese site flagged for badware

Posted by Maxim Weinstein Tue, 27 Oct 2009 21:14:36 GMT

It was reported today that a website of the official newspaper of the Chinese government, The People’s Daily, was flagged for malware by Google. The paper apparently complained that Google was maliciously flagging the site due to the paper’s criticism of Google Library. Google China denied the allegation, pointing out that the site was flagged by automated anti-malware systems, not based on content. As reported, the Google statement makes a small mistake in indicating that StopBadware.org provided the software for this automated system. In fact, Google’s Safe Browsing team developed the system themselves. For more information, see the relevant section of our FAQ.

The important lesson of this incident is that legitimate websites, whether operated by individuals or by large government-sponsored organizations, can fall victim to badware. Indeed, in China, where infection rates have historically been high, we hope this will serve as a wake-up call to website owners, hosting companies, and other parties about the need to secure their sites and platforms.


China's Green Dam is badware and so much more

Posted by Maxim Weinstein Sat, 13 Jun 2009 11:55:04 GMT

StopBadware assisted the Open Net Initiative in evaluating China’s Green Dam filtering software, which the Chinese government recently mandated be installed on every new PC in the country.

The software violates our guidelines due to a lack of disclosure about some significant unexpected behavior. While the software advertises itself as protecting children from harmful content such as pornography and violence, it also filters political speech without notice. Also not mentioned is the fact that, if such political speech appears in an application window, whether Internet Explorer or Notepad, the window completely shuts down without advance notice and without saving the user’s work.

Based on our and ONI’s research, as well as other research posted online, the software has additional flaws, ranging from poorly implemented features to security vulnerabilities. The biggest flaw of all, though, appears to be China’s policy of mandating such a product. As ONI’s report, released yesterday, concludes:

The mandate requiring the installation of a specific product serves no useful purpose apart from extending the reach of government authorities. Given the resulting poor quality of the product, the large negative security and stability effects on the Chinese computing infrastructure and the intense backlash against the product mandate, the mandate may result in less government control.

Those interested should read the full report, which explains both the software’s behavior and the national reaction to the software, in detail.


China has a whole lot of Internet users

Posted by Maxim Weinstein Fri, 25 Jul 2008 14:34:38 GMT

According to a story at Wired.com, Internet use in China is soaring:

China’s booming Internet population has surpassed the United States to become the world’s biggest, with 253 million people online despite government controls on Web use, according to government data reported Friday.

The latest figure on Web use at the end of June is a 56 percent increase from a year ago, the China Internet Network Information Center said. It said the share of the Chinese public using the Internet is still just 19.1 percent, leaving more room for rapid growth.

Last month, we reported that China hosts over half of the infected websites reported to us by Google. Combine a whole lot of Chinese Internet users with a whole lot of infected Chinese websites, and you have the potential for one heckuva lot of bots and trojans on Chinese computers. I hope that groups in China will work together to educate the population (and software vendors, hosting companies, etc.) about the risks and how to stay safe.


China Hosts Majority of Badware Sites

Posted by Maxim Weinstein Tue, 24 Jun 2008 13:26:25 GMT

StopBadware.org today released a report analyzing over 200,000 sites reported by Google as exhibiting badware behavior.

See the press release and/or the report for more information.

We attempted to contact the owners of the top 10 infected network blocks identified in the report. Note that a network block owner may or may not have control over the content of sites hosted on that block. Here’s what we heard from the companies we reached:

Google:

We take malware blogs very seriously. On a daily basis, malware blogs are created by bad guys, and subsequently detected and deleted by Google. The 4,261 figure represents some of the malware blogs we delete over a 30 day period.

Because we’re very aggressive and very proactive in preventing and detecting harmful content placed on our services, the Blogger numbers are disproportionately higher than they would be on non-Google properties.

Given that there are millions of active blogs in our network, 4,261 is just a very small percentage of the total blogs.

With our aggressive approach, malware blogs, like spam blogs, tend to have short lifespans. WRT to the impact on users, if an existing popular site that gets millions of page views per day gets compromised for a few hours, that represents a huge number of infections compared to one of these blogs.

The Planet:

The Planet provides dedicated, self-managed hosting services to our 22,000 customers, which means they maintain full control of their servers. Many of our customers are resellers, and they lease space on their servers – sometimes to as many as 200 companies per box – to their clients.

Nonetheless, we have an Acceptable Use Policy (AUP) that precludes customers from distributing malware of any kind. Once we are aware of any inappropriate use of our servers, our Abuse Department initiates an investigation. If we identify issues, we proactively work with customers so they meet our AUP.

SoftLayer:

SoftLayer Technologies is a provider of data center services centered around the delivery of on-demand server infrastructure. We do not manage the content or applications hosted from our infrastructure as this is the direct responsibility of our customers, many of which are in fact hosting resellers. Having said that, we also have a very strict acceptable use policy which you can find here: http://www.softlayer.com/legal.html.

We try to be as proactive as possible in eliminating any and all content from our network that breaches the terms of this policy. But, as I am sure you are aware, this is not always an easy task.

I have forwarded your email to our abuse department so that they can start investigating the findings you have suggested below. We will take all necessary actions to remove any malicious material from our network so that we can better serve our customers and the entire Internet community.

iEurop:

Of course we’re interested in any tool that helps us protect internet users.

If you can send us any info regarding malware hosted on our machines we’ll be more than happy to remove those websites …
