Posted by Erica George
Wed, 23 Jul 2008 18:50:00 GMT
After two and a half years in operation, we’ve decided to give our website a bit of a facelift. Our new design features improved navigation, making it easier to find what you’re looking for – from our software alerts to website reports to tips for keeping your computer safe. The companies and organizations we partner with are more visible, too.
Take a look around and let us know what you think!
Posted in all | Tags redesign, stopbadware
Posted by Maxim Weinstein
Mon, 21 Jul 2008 12:51:00 GMT
The folks at KnujOn teamed up with watchdog site LegitScript to put together a report about websites selling anabolic steroids illegally. They found that, although the site owners themselves may be outside the U.S., they are using U.S.-based domain registrars, many of which don’t enforce their own terms of use prohibiting illegal use of registered domain names:
All 156 websites are registered with eight domain name registrars located in the United States. The website operators often use anonymous registration services offered by the registrars, or are located outside of the United States.
...
Three weeks prior to the report’s release, LegitScript and KnujOn requested that the US-based domain name registrars terminate, or “take down,” the steroid websites identified in the report. However, most of the websites were still accessible at the time of the report’s release.
“So far, most of the websites are still active,” said Garth Bruen, President of KnujOn. “This is a big problem, and it’s important that the domain name registrars terminate access to these websites.”
More details can be found in the full report.
Posted in all | Tags knujon, registrars, stopbadware
Posted by Maxim Weinstein
Wed, 16 Jul 2008 16:57:00 GMT
Ars Technica covers a recent report by security vendor Finjan, describing how criminal malware groups are getting more organized, much like the Mafia in The Godfather or the drug gangs in The Wire:
Finjan describes the employee structure that these cybercrime companies employ as being similar to the Mafia. In both cases, there is a “boss” who operates as a business entrepreneur and doesn’t commit the (cyber)crimes himself, with an “underboss” who manages the operation, sometimes providing the tools needed for attacks. In the Mafia, several “capos” operate beneath the underboss as lieutenants leading their own section of the operation with their own soldiers, and in cybercrime, “campaign managers” lead their own attacks to steal data with their “affiliation networks.” The stolen data are sold by “resellers,” similar to the Mafia’s “associates.” Since these individuals did not partake in the actual cybercrime, they know nothing about the original attacks. They do, however, know about “replacement rules” (for example, stolen credit cards that have been reported) and other company-specific policies, just like the sales representatives you talk to in your average store.
The more organized the criminals, the more industry players need to work together, share data, and organize ourselves against the badware threat. This is especially true if we want to thwart badware while still maintaining integrity and openness, as I described in my recent guest blog post at ZDNet.
Posted in all | Tags malware, stopbadware
Posted by Maxim Weinstein
Fri, 11 Jul 2008 17:01:00 GMT
A new report [pdf] from Commtouch, an e-mail security vendor, indicates that “zombies” (PCs infected with bots that send spam and malware) are geographically much more dispersed than we found infected websites to be. Turkey led the world by a small margin, with 11% of the ten million zombie IP addresses analyzed, while the U.S. was in 9th place with 4.3%.
Not mentioned in the report is that some of the countries near the top of the list, including Turkey, Germany, and Poland, must have very high “zombies per Internet user” rates, as these countries have far fewer users, yet more total zombies, than the U.S. Perhaps all the work that has been done here at home in the last few years to educate users about PC security is having some effect. Still a long way to go, though, if we have 4+ million zombies in the country.
Posted in all | Tags commtouch, stats, stopbadware
Posted by Maxim Weinstein
Thu, 10 Jul 2008 13:01:00 GMT
They say that imitation is the sincerest form of flattery. Consider us flattered, then, that a rogue anti-malware distributor set up shop at stopbadware2008.com. Microsoft should be flattered, too, as the home page is designed to imitate an Internet Explorer malware warning screen:

It should go without saying, but I’ll say it anyway, that this site is in no way affiliated with StopBadware.org, and we do not recommend installing their deceptively advertised product.
Thanks to Donna for her post at Dozleng.com that brought this to our attention.
Posted in all | Tags rogue, stopbadware
Posted by Erica George
Wed, 09 Jul 2008 20:51:00 GMT
StopBadware’s manager, Maxim Weinstein, has a guest editorial today in ZDNet’s Zero Day security blog. The editorial urges more transparency in malware filtering by anti-virus companies, search engines, and web browsers.
Maxim argues that a good filtering system should have:
- A low false-positive rate
- Clear, publicly-available criteria for determining which sites are listed
- Information about why a particular site is listed
- A transparent, responsive process for requesting removal of incorrect or outdated listings
- Support and education for owners of compromised sites
Helping to foster these kinds of fair and open systems for user protection is, of course, one of StopBadware’s missions. Have thoughts on ways to make malware filtering better? Share them in the comments to Maxim’s post.
Posted in all | Tags filtering, stopbadware, transparency
Posted by Maxim Weinstein
Tue, 08 Jul 2008 15:31:00 GMT
Last month, Google found badware on www.webchat.pm.gov.uk. Yes, that would be an official web chat server provided by the UK Prime Minister’s office for use by government officials to hold chats with citizens. (Kudos to the Brits, by the way, for engaging in this way with their constituents.)
While I’m sure there are some conspiracy theorists who would disagree, I’m fairly certain that the UK government didn’t set out to infect its citizens. Rather, this was a classic case of a legitimate website being compromised via a SQL injection due to some old, insecure code in the server application. Iain Ballard, application support manager for Twofour Digital, the company that provides the web chat site for the PM’s office, explains:
This department has grown from one developer two years ago, to several teams totalling nearly 30 full-time development staff. Part of this growth has been due to the absorption of two other companies: Makeni and HMC.
As tends to be the way, the older software is implemented in a range of old technologies and not in best practice.
...
With over 100 old products to be managed and limited resources, turn around times can be long. Some of the products to be maintained are large and complex systems used by clients such as the BBC, UK Parliament recording, Europarl TV, several local government agencies, Volkswagen, Audi and a host of content and media suppliers.
To the credit of Mr. Ballard and his team, they not only removed the infection, but they fixed the vulnerability that allowed the SQL injection in the first place. (Specifically, a parameter was being passed directly from the web page into a SQL query with no validation, a big no-no in secure development.)
It’s easy to think that only small websites run by individuals are vulnerable, but as this example shows, even top sites managed by professionals need ongoing, careful attention paid to security.
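The flaw described in this post, a page parameter placed directly into a SQL query with no validation, shown next to a corrected form. This is an added example, not Twofour Digital's code or part of the original post; the `chats` table, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: a hypothetical table of chat sessions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE chats (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    db.executemany("INSERT INTO chats VALUES (?, ?, ?)",
                   [(1, "Transport Q&A", 1), (2, "Health Q&A", 1), (3, "Unpublished draft", 0)])
    return db

def lookup_vulnerable(db, chat_id):
    # The flaw: the request parameter is pasted into the SQL text,
    # so anything in it is parsed as part of the query.
    sql = "SELECT title FROM chats WHERE public = 1 AND id = " + chat_id
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, chat_id):
    # Validate first: the parameter must be a short, plain decimal id.
    if not (chat_id.isascii() and chat_id.isdigit() and len(chat_id) <= 9):
        raise ValueError("chat id must be a short decimal number")
    # Then bind it as data; the driver never parses it as SQL.
    rows = db.execute("SELECT title FROM chats WHERE public = 1 AND id = ?",
                      (int(chat_id),))
    return [row[0] for row in rows]

def demo():
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input that rewrites the WHERE clause
    results = {
        "vulnerable_normal": lookup_vulnerable(db, "1"),
        "vulnerable_crafted": lookup_vulnerable(db, crafted),
        "hardened_normal": lookup_hardened(db, "1"),
    }
    try:
        lookup_hardened(db, crafted)
        results["hardened_crafted"] = "accepted"
    except ValueError:
        results["hardened_crafted"] = "rejected"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

In the vulnerable lookup the crafted value returns every row, including the one marked non-public; the hardened lookup rejects it before any query runs.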
Posted in all | Tags stopbadware, uk
Posted by Laureli Mallek
Mon, 07 Jul 2008 21:02:00 GMT
The German state of Bavaria has approved laws that allow the police to plant spyware on the computers of suspected terrorists. While German federal laws restrict the government to infecting computers via email, Bavarian laws allow police to enter a suspect’s home to physically infect the machine. According to The Register, Bavarian interior minister Joachim Herrmann “gave short shrift to [privacy] objections, stating that Bavaria is leading the field in ‘internal security’ in becoming the first German state to approve the plan.”
This step taken by the Bavarian government counters a ruling earlier this year by Judge Hans-Juergen Papier in North Rhine-Westphalia. He opined that under regular circumstances spying on individuals was unconstitutional, and that permission of a judge would be required prior to implementing this type of surveillance during extreme situations.
In 2007, the internet was talking, though not over VOIP, about the Bavarian government looking to monitor and record Skype phone calls. Documents leaked through Wikileaks showed the thrifty Bavarian government haggling to get a better price on the products needed to invade their citizens’ computers.
Posted in all | Tags enforcement, law, privacy, security, spyware, trojan
Posted by Maxim Weinstein
Mon, 07 Jul 2008 13:24:00 GMT
Friday the 13th (of June) was an unlucky day for the folks at AVG, an anti-virus vendor known for its free Windows scanner. On that day, tech site The Register reported that a component of the paid version of AVG’s security suite was generating large amounts of “fake traffic” to websites in its effort to proactively protect users:
Early last month, webmasters here at The Reg noticed an unexpected spike in our site traffic. Suddenly, we had far more readers than ever before, and they were reading at a record clip. Visits actually doubled on certain landing pages, and more than a few ho-hum stories attracted an audience worthy of a Pulitzer Prize winner. Or so it seemed.
As it turns out, much of this traffic was driven by the new malware scanner from AVG Technologies.
Six months ago, AVG acquired Exploit Prevention Labs and its LinkScanner, a tool that automatically scans search engine results before you click on them. If you search Google, for instance, and ten results turn up, it visits all ten links to ensure they’re malware free.
After protests from webmasters, perhaps fanned in part by Nathan McFeters’s blog post last Friday, The Register reports that AVG is modifying its product to no longer pre-scan pages that a user hasn’t clicked on yet.
Note that Nathan went as far as to call AVG’s LinkScanner “badware” in Friday’s blog post on ZDNet. Here at StopBadware.org, we did not evaluate the product against our Badware Guidelines, nor do we intend to now that the product is being modified.
Posted in all | Tags avg, stopbadware
Posted by Maxim Weinstein
Tue, 01 Jul 2008 16:12:00 GMT
Brian Krebs at the Washington Post reports on a study that found that 40% of Google users do not have all the latest security updates for their web browser. This means they’re susceptible to a broader range of drive-by download and other web-based attacks.
Google users may not be globally representative of the Internet-using population, as we know that 60% of users in China use a search engine other than Google. However, it certainly represents a large portion of the Internet-using public.
Another finding was that Firefox users are the most likely, and IE users the least likely, to have an updated browser:
The report concluded that Firefox users were more likely to be using the latest version because Mozilla’s patch process is the quickest and most painless (no arguments there). Firefox downloads updates automatically and prompts the user to install them immediately.
Posted in all | Tags browsers, security, stopbadware