StopBadware.org RSS
Regaining Control of Our Computers
 

McAfee, Yahoo Team Up To Protect Users

Posted by Maxim Weinstein Thu, 08 May 2008 19:50:00 GMT

It was reported on Tuesday that McAfee and Yahoo will be working together to protect users of Yahoo search:

Powered by the SiteAdvisor technology that McAfee acquired in 2006, SearchScan will offer “always-on” alerts for sites that may pose a security risk. Specifically, it will warn about sites hosting exploits and other hacking risks, sites offering malware downloads and sites that spam visitors.

It was widely mis-reported (including originally in the PC Magazine story linked above, until we contacted the author to correct it) that Yahoo’s competitor, Google, receives its data from StopBadware.org and/or that StopBadware.org is owned or operated by Google. Neither of these is true.

StopBadware.org does not run malware detection for Google. Google has a team that takes advantage of Google’s vast index of the web to identify malware sites and warn users. StopBadware.org plays a complementary role, providing support to site owners whose sites have been exploited, education to end users about malware, and a transparent review process for site owners who wish to question Google’s findings. These services from StopBadware.org are available to future partners of ours, as well, and are not exclusive to Google. Indeed, we hope that Yahoo and McAfee will consider partnering with us in the future to offer their customers a similar level of support and transparency.

StopBadware.org is also not part of nor controlled by Google. It is a partnership among academic institutions, leading technology companies (including Google), and volunteers. We are always looking to welcome additional partners with a demonstrated commitment to stopping badware.

To be clear, we think it’s great that Yahoo’s users will be protected through this new service. Our hope is that Yahoo and McAfee will be diligent in keeping the system fair and open, in accordance with the principles of StopBadware.org.


Day Trading For Hackers

Posted by Maxim Weinstein Thu, 08 May 2008 17:39:00 GMT

Brian Krebs at the Washington Post has this nifty piece about a website that appears to be set up to allow malicious hackers to buy and sell traffic to/from particular websites. As the post explains:

Set up a free account at Robotraff and you’re ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer.

Or maybe you’re just getting started and you can’t be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need.

This is why the “good guys” need to work together to innovate and share information to protect users. Because the bad guys are already taking advantage of everything the ‘net has to offer.


Me.dium Responds to StopBadware Recommendations

Posted by Maxim Weinstein Thu, 08 May 2008 14:59:00 GMT

Another badware alert release was averted this week, as Me.dium, “a social browsing software company,” worked quickly to improve the disclosure provided to users of their browser plug-in after StopBadware.org sent them a draft of the alert we intended to release. (Sending a draft of the alert to the software producer a couple business days ahead of time is our standard policy.)

The primary concern that we raised was that the plug-in is advertised as a way to share websites and messages with friends, but it was not clear that the plug-in also shared your browsing history with Me.dium. To address our recommendation to make this clear and conspicuous to the user, they added the following text to the installation pop-up:

This plug-in shares your browsing history with Me.dium. Get the facts here!

This text links to their privacy policy, which they also updated to use plain, user-understandable language. The policy includes this paragraph “above the fold” (i.e., on the first screen of text without scrolling):

The first and MOST IMPORTANT thing to know about Me.dium is that when you use Me.dium, you are sharing your web activity with us. If we phrase that in a way that most other people have had to in the past, it translates as, “We monitor your web browsing behavior.” There, that is as blunt and straightforward as we can make it. If you are uncomfortable AT ALL with sharing this type of information with Me.dium, then please don’t install Me.dium. And, if you’ve already installed and want out, please click here for clear uninstall instructions. If you still have trouble, please email us at Support and we’ll do whatever we can to help you uninstall Me.dium.

Me.dium also reportedly asked its distribution partners to add the “This plug-in shares…” text to their descriptions of the plug-in.

David, our contact at Me.dium, was not only professional and pleasant to work with, but he immediately got it, with “it” being the need for clear, conspicuous disclosure to users about a software behavior that, while not inherently bad, could be unwanted and unexpected. The changes that Me.dium made reflect this understanding.

We hope to continue seeing our alerts averted or quickly deactivated by companies that are responsive to the needs of users. Even better, of course, will be to see less need for the alerts to be drafted in the first place.

Disclosure: Me.dium sponsored the Cookie Crumbles Contest, an event sponsored by StopBadware.org and the Berkman Center last year.


Zango vs Kaspersky Gains Broad Range of Interest

Posted by Laureli Mallek Wed, 07 May 2008 18:49:00 GMT

Brian Krebs blogged yesterday about a broad coalition of technology groups supporting Kaspersky, an internet security company, during its legal fight with Zango. Krebs writes that in May 2007 Zango sued Kaspersky “charging that the company interfered with its business” by removing Zango’s software, which has been classified as adware by multiple groups.

Kaspersky does not deny that its program removes Zango-based software from computers. In August of 2007 the initial case was dismissed by a judge because the court believed that the Communications Decency Act (CDA) allows companies to remove software in order to protect users from material which may be considered objectionable.

Zango had previously faced off against the FTC in 2006. The settlement that resulted from that investigation required the company to pay $3 million. Caroline McCarthy wrote at CNet that the agreement also stipulated that “the company must adhere to FTC regulations that bar it from loading programs onto customers’ computers and monitoring them without their consent.” FTC spokesperson Lydia Barnes was quoted as saying: “It violates federal law to secretly install software that forces consumers to get pop-ups that disrupt their computer use.”

The current case has drawn significant interest within both the security and business fields. A previous amicus brief was filed in favor of Zango by the National Business Coalition on E-Commerce and Privacy, an organization representing powerful corporate interests according to Krebs. Behavioral advertising and many other profitable marketing strategies depend on installing tracking cookies or web beacons on user computers, so they are actions businesses would like to protect. Thomas M. Boyd, attorney for the organization, represents company concerns that “a security software company has unreviewable power to decide that any content is objectionable and to deny user access to that content without any accountability for any damages that action may cause.”

The amicus brief filed this week represents the other side of the issue in a broad coalition including the Electronic Frontier Foundation, the Business Software Alliance, and the Anti-Spyware Coalition. Ari Schwartz of the Anti-Spyware Coalition stated: “This is an extremely important case for consumers as to how security software protects them going forward, and whether the onus is put on the security company or [the adware vendor].” It is relevant to all the companies that classify Zango software as “adware” such as Microsoft (which removed 7.1 million instances of Zango software from customer computers) and Symantec (which has a description of Zango’s adware attributes here).

This case remains one to watch, as business and technology duke it out over consumers and rights.

Note: This blog post was updated on May 8, 2008 to make corrections regarding Zango’s 2006 involvement with the FTC.


Taking a Byet Out of Badware

Posted by Maxim Weinstein Wed, 07 May 2008 12:58:00 GMT

A few days ago, the team at Byet Internet Services contacted us. It seems they came across our list of the top 10 infected IP addresses from March and saw one of their addresses listed. It turns out this is an IP address they use for offering free web hosting, so it is not unusual for bad players to set up accounts for hosting malware. Byet says that they have a variety of technologies that they have developed to try to detect and block these malicious sites, so they asked us for the list of the URLs found on that IP address so they can investigate and update their systems to prevent these problems from continuing and recurring.

I know very little about Byet, other than that Craig, who contacted me, seemed very pleasant and had an enviable British accent. But the fact that they saw an indication of a security lapse and took action to gather more data and try to do something about it is a positive sign. They also asked if they can receive updated data next month, to ensure that their new measures are working. It would be great to see all web hosting companies giving this type of attention to preventing drive-by downloads.

I also want to acknowledge the Safe Browsing folks at Google, who allow us to share a bit of their data in situations like this to enable hosting providers to secure their systems, thereby protecting Internet users.

[Update 5/8] About 24 hours after we sent them the requested data, I received a follow-up from Byet indicating that they suspended all of the infected accounts and updated their security measures to make it more difficult for similar attacks to be launched from their system.


Badware Alert: PerformanceOptimizer

Posted by Maxim Weinstein Thu, 01 May 2008 20:28:00 GMT

StopBadware.org today released a badware alert about PerformanceOptimizer:

We find that PerformanceOptimizer (Trial Version) is badware because it installs deceptively, makes deceptive claims of system vulnerabilities in order to induce users to purchase the full version of the software, interferes with normal computer use by repeatedly prompting users to take previously declined actions, fails to inform users that the software will function as adware by prompting users to install additional software (including known badware), and fails to identify itself as the source of these advertisements.

The company responsible for PerformanceOptimizer, SellMoSoft, appears to specialize in “rebranding” software products for consumer distribution. SellMoSoft directly distributes through PerformanceOptimizer several additional applications that we or others have described as badware or adware.

We attempted to contact SellMoSoft and PerformanceOptimizer through the support e-mail addresses on their websites. We received no response from SellMoSoft and only an automated response from PerformanceOptimizer.

We currently recommend that users do not install PerformanceOptimizer, unless the user is comfortable with the behaviors we have identified or until the application is updated to be consistent with the recommendations in our alert.


Whose side is your hardware on?

Posted by Laureli Mallek Thu, 01 May 2008 20:09:00 GMT

In a paper titled Designing and implementing malicious hardware, a team from the University of Illinois Urbana (Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou) delved into the possibility of malicious circuits being used to circumvent current anti-virus protocols:

Hidden malicious circuits provide an attacker with a stealthy attack vector. As they occupy a layer below the entire software stack, malicious circuits can bypass traditional defensive techniques.

King and his team designed and implemented malicious circuitry using a processor called a field programmable gate array (FPGA). Connecting the FPGA to an external computer enabled the team to steal data from machines without software vulnerabilities. At the Large-Scale Exploits and Emergent Threats conference in San Francisco last month, King said this is not a threat that can be executed on the weekends, as it requires contact with hardware during the manufacturing phase, yet the reward is immense.

Symantec raised concerns over the manufacturing process in a report issued earlier this year. “The longer the manufacturing supply chain during this process, the greater the opportunity for malicious code to be embedded in the devices directly.” Similar exploits have occurred already: virus-infected digital picture frames, thumb drives, and counterfeit hardware.

New Scientist quotes Simha Sethumadhavan who believes the increasing complexity of both chips and their design processes increase opportunities for hackers to infiltrate undetected.


Advertising Practices Endanger Internet Users

Posted by Laureli Mallek Tue, 29 Apr 2008 17:14:00 GMT

Several major ISPs are substituting ad pages for the error messages normally displayed when users navigate to non-existing subdomains. Ryan Singel writes in Wired that:

“The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn’t exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it’s the official Google site.”

Within this system, when a user tries to locate a nonexistent subdomain of a real website the title of the browser page changes to correspond with the searched-for site. By signaling that the user has reached a subdomain of the target website, ISPs create a potentially dangerous situation. It is possible that nefarious actors could combine fake subdomains with active spamming campaigns to draw users to links and badware camouflaged by a legitimate website’s branding.

Dan Kaminsky, a security researcher at IOActive, initially reported the problem. He says that even after the vulnerabilities with advertisers were patched, the loophole remains dangerous, as it allows ISPs (Kaminsky cites Earthlink, Verizon, Time Warner, Comcast and Qwest) to subvert the DNS system map to monetize those nonexistent subdomains. Since 2006, Earthlink has intercepted the non-existent domain response, sent it to its advertising partner (Barefruit), and then served a page of suggestions and ads. While the company claims this action enhances the user experience, it exposes users to third-party content which may not be held to a high level of security scrutiny.
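The substitution described above can be checked from the client side. The following script is an added example, not part of the original post or of any tool mentioned in it: it queries random, almost certainly nonexistent subdomains and flags a resolver that still hands back an address instead of a name-not-found error. The `example.test` names, the IP addresses and the two stand-in resolvers (one honest, one that rewrites every miss to an ad server) are constructed for the demonstration; `system_resolver` is the hook for running it against a real resolver. The cross-domain check separates resolver rewriting from a domain's own legitimate wildcard record, a false positive the single-domain check alone cannot rule out.

```python
"""Detect NXDOMAIN rewriting (error-page substitution) by a DNS resolver.

Added illustration; not code from StopBadware.org or any company named in
the post. All hostnames and addresses below are constructed sample data.
"""
import secrets
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 address, or None for NXDOMAIN/failure.
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Use the operating system's resolver (i.e. the ISP's DNS by default)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None  # genuine "no such name" (or lookup failure)


def random_labels(base_domain: str, count: int = 3) -> List[str]:
    """Build subdomains of base_domain that nobody could have registered."""
    return [f"{secrets.token_hex(8)}.{base_domain}" for _ in range(count)]


def check_nxdomain_rewriting(base_domain: str,
                             resolver: Resolver = system_resolver,
                             probes: Optional[List[str]] = None) -> Dict[str, object]:
    """Resolve nonexistent subdomains of base_domain and report any answers.

    An honest resolver returns no address for these names. One that returns
    an address is substituting its own (or an ad partner's) server for the
    error response, which is exactly what lets an ad page appear under the
    real domain's name in the browser's title bar.
    """
    probes = probes or random_labels(base_domain)
    answers = {name: resolver(name) for name in probes}
    bogus = {ip for ip in answers.values() if ip is not None}
    return {
        "probes": answers,
        "rewriting": bool(bogus),
        "substitute_addresses": sorted(bogus),
    }


def shared_substitute(domains: List[str], resolver: Resolver = system_resolver,
                      probes_per_domain: int = 2) -> List[str]:
    """Addresses returned for random names under *every* listed domain.

    A domain may legitimately publish a wildcard record, so one domain's
    answers prove little. The same address showing up for random names under
    unrelated domains can only come from the resolver itself.
    """
    per_domain = []
    for domain in domains:
        result = check_nxdomain_rewriting(
            domain, resolver, random_labels(domain, probes_per_domain))
        per_domain.append(set(result["substitute_addresses"]))
    common = set.intersection(*per_domain) if per_domain else set()
    return sorted(common)


# --- constructed resolvers for an offline demonstration -------------------
_REAL_RECORDS = {"mail.example.test": "192.0.2.10"}   # constructed


def honest_resolver(hostname: str) -> Optional[str]:
    """Constructed: answers only for names that actually exist."""
    return _REAL_RECORDS.get(hostname)


def rewriting_resolver(hostname: str) -> Optional[str]:
    """Constructed: mimics an ISP resolver that sends every miss to an ad server."""
    return _REAL_RECORDS.get(hostname, "198.51.100.77")


if __name__ == "__main__":
    for label, res in (("honest", honest_resolver), ("rewriting", rewriting_resolver)):
        single = check_nxdomain_rewriting("example.test", res)
        cross = shared_substitute(["example.test", "other.test"], res)
        print(f"{label}: rewriting={single['rewriting']}, "
              f"addresses={single['substitute_addresses']}, "
              f"shared across domains={cross}")
    # To test a live resolver, call check_nxdomain_rewriting("<your-domain>")
    # with the default system_resolver.
```

Run as-is, the honest resolver reports no rewriting and the rewriting one reports `198.51.100.77` for every probe and across both unrelated domains. Against a live resolver, an address that is shared across several unrelated base domains is the signature of the ISP-level substitution the post describes.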

Katherine Noyes at TechNewsWorld writes that Kaminsky does not see a technical way to fix this problem until ISPs, and others, are forced to stop spoofing subdomains through legal means: “It’s someone else’s domain, someone else’s property.”

Paul Vixie, president of the nonprofit Internet Systems Consortium, believes the problem correlates to ISPs’ desire for increasing monetization of their users’ browsing without necessary regard for security. Speaking with TechNewsWorld he said, “The only reason this one wasn’t dangerous is that the discoverer was a good person.”

Additional Coverage

Brian Krebs posted a new piece with additional information on his Washington Post blog, Security Fix, on March 30th.

Happy hunting!


Outrageous EULA - from a botnet vendor

Posted by Erica George Tue, 29 Apr 2008 16:54:00 GMT

The Symantec Security Response blog today features a bizarre end user license agreement (EULA) – not for a legitimate piece of software, but for a bot builder sold in the criminal black market.

Many of the restrictions the bot vendor places on its customers are straightforward enough, but without the ability to resort to actual laws to enforce their EULA, the botmakers take a more direct approach. Symantec translates the threat for noncompliance with the EULA from Russian:

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

As Symantec notes, none of this has stopped the software from being traded in underground markets. No word on whether security companies have been flooded with bot binary code reports from mysterious sources recently.


Important WordPress security update

Posted by Erica George Mon, 28 Apr 2008 15:49:00 GMT

From the official WordPress.org blog:

Version 2.5.1 of WordPress is now available. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

If you run a WordPress site, and haven’t already implemented this new security update, doing so now is your best bet to prevent your site from being victimized. Once hackers can reverse engineer the vulnerability, there will probably be attacks on sites running earlier versions of WordPress.

Badware distributors have attacked WordPress sites before, most notably with the recent wp-stats iframe. At StopBadware, we’re still hearing from website owners whose sites are running older versions of WordPress and are being compromised with wp-stats, which exploits a vulnerability that’s now several months old.

Our advice for owners of WordPress sites? As StopBadware volunteer Steven Whitney wrote during the previous wave of attacks:

New versions of WordPress should always be installed promptly because the popular blogging software is heavily targeted by hackers using automated crawlers. You can register at http://wordpress.org/ to receive email notifications when new versions are announced.



Consumer Reports WebWatch is not receiving any corporate support for its participation in this program.

Copyright © 2006 - All content for this site is under a Creative Commons license