Posted by Maxim Weinstein
Wed, 16 Jul 2008 16:57:00 GMT
Ars Technica reports on a recent report by security vendor Finjan, describing how criminal malware groups are getting more organized, much like the Mafia in The Godfather or the drug gangs in The Wire:
Finjan describes the employee structure that these cybercrime companies employ as being similar to the Mafia. In both cases, there is a “boss” who operates as a business entrepreneur and doesn’t commit the (cyber)crimes himself, with an “underboss” who manages the operation, sometimes providing the tools needed for attacks. In the Mafia, several “capos” operate beneath the underboss as lieutenants leading their own section of the operation with their own soldiers, and in cybercrime, “campaign managers” lead their own attacks to steal data with their “affiliation networks.” The stolen data are sold by “resellers,” similar to the Mafia’s “associates.” Since these individuals did not partake in the actual cybercrime, they know nothing about the original attacks. They do, however, know about “replacement rules” (for example, stolen credit cards that have been reported) and other company-specific policies, just like the sales representatives you talk to in your average store.
The more organized the criminals, the more industry players need to work together, share data, and organize ourselves against the badware threat. This is especially true if we want to thwart badware while still maintaining integrity and openness, as I described in my recent guest blog post at ZDNet.
Posted in all | Tags malware, stopbadware
Posted by Maxim Weinstein
Fri, 11 Jul 2008 17:01:00 GMT
A new report [pdf] from Commtouch, an e-mail security vendor, indicates that “zombies” (PCs infected with bots that send spam and malware) are geographically much more dispersed than we found infected websites to be. Turkey led the world by a small margin, with 11% of the ten million zombie IP addresses analyzed, while the U.S. was in 9th place with 4.3%.
Not mentioned in the report is that some of the countries near the top of the list, including Turkey, Germany, and Poland, must have very high “zombies per Internet user” rates, as these countries have far fewer users, yet more total zombies, than the U.S. Perhaps all the work that has been done here at home in the last few years to educate users about PC security is having some effect. Still a long way to go, though, if we have 4+ million zombies in the country.
Posted in all | Tags commtouch, stats, stopbadware
Posted by Maxim Weinstein
Thu, 10 Jul 2008 13:01:00 GMT
They say that imitation is the sincerest form of flattery. Consider us flattered, then, that a rogue anti-malware distributor set up shop at stopbadware2008.com. Microsoft should be flattered, too, as the home page is designed to imitate an Internet Explorer malware warning screen:

It should go without saying, but I’ll say it anyway, that this site is in no way affiliated with StopBadware.org, and we do not recommend installing their deceptively advertised product.
Thanks to Donna for her post at Dozleng.com that brought this to our attention.
Posted in all | Tags rogue, stopbadware
Posted by Erica George
Wed, 09 Jul 2008 20:51:00 GMT
StopBadware’s manager, Maxim Weinstein, has a guest editorial today in ZDNet’s Zero Day security blog. The editorial urges more transparency in malware filtering by anti-virus companies, search engines, and web browsers.
Maxim argues that a good filtering system should have:
- A low false-positive rate
- Clear, publicly-available criteria for determining which sites are listed
- Information about why a particular site is listed
- A transparent, responsive process for requesting removal of incorrect or outdated listings
- Support and education for owners of compromised sites
Helping to foster these kinds of fair and open systems for user protection is, of course, one of StopBadware’s missions. Have thoughts on ways to make malware filtering better? Share them in the comments to Maxim’s post.
Posted in all | Tags filtering, stopbadware, transparency
Posted by Maxim Weinstein
Tue, 08 Jul 2008 15:31:00 GMT
Last month, Google found badware on www.webchat.pm.gov.uk. Yes, that would be an official web chat server provided by the UK Prime Minister’s office for use by government officials to hold chats with citizens. (Kudos to the Brits, by the way, for engaging in this way with their constituents.)
While I’m sure there are some conspiracy theorists who would disagree, I’m fairly certain that the UK government didn’t set out to infect its citizens. Rather, this was a classic case of a legitimate website being compromised via a SQL injection due to some old, insecure code in the server application. Iain Ballard, application support manager for Twofour Digital, the company that provides the web chat site for the PM’s office, explains:
This department has grown from one developer two years ago, to several teams totalling nearly 30 full-time development staff. Part of this growth has been due to the absorption of two other companies: Makeni and HMC.
As tends to be the way, the older software is implemented in a range of old technologies and not in best practice.
...
With over 100 old products to be managed and limited resources, turn around times can be long. Some of the products to be maintained are large and complex systems used by clients such as the BBC, UK Parliament recording, Europarl TV, several local government agencies, Volkswagen, Audi and a host of content and media suppliers.
To the credit of Mr. Ballard and his team, they not only removed the infection, but they fixed the vulnerability that allowed the SQL injection in the first place. (Specifically, a parameter was being passed directly from the web page into a SQL query with no validation, a big no-no in secure development.)
It’s easy to think that only small websites run by individuals are vulnerable, but as this example shows, even top sites managed by professionals need ongoing, careful attention paid to security.
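The defect described above (a request parameter pasted straight into the query text) and its standard fix are shown side by side below. This is an added illustration, not code from Twofour Digital's web chat application; the table, the column names, the chat titles and the `lookup_*` function names are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the chat server's database.
# The schema is an assumption for illustration, not the real application's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE chats (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO chats (title, public) VALUES (?, ?)",
        [("Budget Q&A", 1), ("Health policy", 1), ("Internal rehearsal", 0)],
    )
    return conn

def lookup_vulnerable(conn, chat_id):
    # The pattern the post describes: the parameter from the web page is
    # concatenated into the SQL text, so whatever it contains becomes part of
    # the query's logic rather than a value the query compares against.
    sql = "SELECT title FROM chats WHERE public = 1 AND id = " + chat_id
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, chat_id):
    # Hardened form: validate the parameter's type first, then bind it as a
    # value. The SQL text is fixed; the database engine never parses user input.
    try:
        chat_id = int(chat_id)
    except (TypeError, ValueError):
        raise ValueError("chat id must be an integer")
    sql = "SELECT title FROM chats WHERE public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (chat_id,))]

def is_rejected(conn, value):
    # True if the hardened lookup refuses the input instead of querying with it.
    try:
        lookup_parameterized(conn, value)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = build_db()
    print("expected input:", lookup_vulnerable(db, "1"), lookup_parameterized(db, "1"))
    # A tampered parameter turns the WHERE clause into "... AND id = 1 OR 1=1",
    # which (AND binds tighter than OR) matches every row, public or not.
    print("tampered, vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))
    print("tampered, hardened rejects:", is_rejected(db, "1 OR 1=1"))
```

The point of the comparison is that the non-public row leaks only through the concatenated query; the parameterized version returns the same result for well-formed input and refuses malformed input outright, which is the "validation" the post refers to.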
Posted in all | Tags stopbadware, uk
Posted by Maxim Weinstein
Mon, 07 Jul 2008 13:24:00 GMT
Friday the 13th (of June) was an unlucky day for the folks at AVG, an anti-virus vendor known for its free Windows scanner. On that day, tech site The Register reported that a component of the paid version of AVG’s security suite was generating large amounts of “fake traffic” to websites in its effort to proactively protect users:
Early last month, webmasters here at The Reg noticed an unexpected spike in our site traffic. Suddenly, we had far more readers than ever before, and they were reading at a record clip. Visits actually doubled on certain landing pages, and more than a few ho-hum stories attracted an audience worthy of a Pulitzer Prize winner. Or so it seemed.
As it turns out, much of this traffic was driven by the new malware scanner from AVG Technologies.
Six months ago, AVG acquired Exploit Prevention Labs and its LinkScanner, a tool that automatically scans search engine results before you click on them. If you search Google, for instance, and ten results turn up, it visits all ten links to ensure they’re malware free.
After protests from webmasters, perhaps fanned in part by Nathan McFeters’s blog post last Friday, The Register reports that AVG is modifying its product to no longer pre-scan pages that a user hasn’t clicked on yet.
Note that Nathan went as far as to call AVG’s LinkScanner “badware” in Friday’s blog post on ZDNet. Here at StopBadware.org, we did not evaluate the product against our Badware Guidelines, nor do we intend to now that the product is being modified.
Posted in all | Tags avg, stopbadware
Posted by Maxim Weinstein
Tue, 01 Jul 2008 16:12:00 GMT
Brian Krebs at the Washington Post reports on a study that found that 40% of Google users do not have all the latest security updates for their web browser. This means they’re susceptible to a broader range of drive-by download and other web-based attacks.
Google users may not be globally representative of the Internet using population, as we know that 60% of users in China use a search engine other than Google. However, it certainly represents a large portion of the Internet-using public.
Another finding was that Firefox users are the most likely, and IE users the least likely, to have an updated browser:
The report concluded that Firefox users were more likely to be using the latest version because Mozilla’s patch process is the quickest and most painless (no arguments there). Firefox downloads updates automatically and prompts the user to install them immediately.
Posted in all | Tags browsers, security, stopbadware
Posted by Maxim Weinstein
Fri, 27 Jun 2008 18:05:00 GMT
A researcher from security firm Kaspersky reportedly claims that he told Microsoft of a vulnerability in Internet Explorer “a long time ago,” but Microsoft didn’t consider it a security issue. Now, he claims he has found an example of an exploit in the wild that takes advantage of the vulnerability.
The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.
...
Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks)....
If the researcher’s findings are true (we haven’t confirmed them), then Microsoft should be embarrassed for missing an opportunity to protect its users and should immediately reconsider its position and treat this as the security issue that it is.
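A site operator who accepts image uploads can at least detect the kind of file described above: bytes that begin with a GIF header but carry HTML markup in the body. The following check is an added example, not code from Kaspersky, Microsoft or the compromised site; the two sample files are constructed inline (the second is a stand-in for a GIF with an `<iframe>` embedded in it, and the URL in it is a placeholder).

```python
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Markup that has no business inside image data. Matched case-insensitively
# because IE's content sniffing does not care about case either.
HTML_MARKERS = re.compile(rb"<\s*(iframe|script|html|object|embed)\b", re.IGNORECASE)

def looks_like_gif(data: bytes) -> bool:
    """True if the file carries a GIF signature."""
    return data[:6] in GIF_MAGIC

def embedded_markup(data: bytes):
    """Return the distinct HTML-like tag names found anywhere in the file, sorted."""
    return sorted({m.group(1).lower().decode("ascii") for m in HTML_MARKERS.finditer(data)})

def classify_upload(data: bytes) -> str:
    """Label an uploaded file: not-gif, clean, or suspicious:<tags>."""
    if not looks_like_gif(data):
        return "not-gif"
    tags = embedded_markup(data)
    return "suspicious:" + ",".join(tags) if tags else "clean"

# Constructed samples. CLEAN_GIF is a tiny 1x1 GIF; POLYGLOT_GIF is a GIF
# header followed by HTML markup, the shape of file the post describes.
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)
POLYGLOT_GIF = (
    b"GIF89a\x01\x00\x01\x00"
    b'<IFRAME src="http://placeholder.invalid/" width=0 height=0></IFRAME>;'
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF), ("text", b"hello")):
        print(name, "->", classify_upload(blob))
```

This scan only catches markup that appears literally in the file, so it is a detection aid rather than a fix. The durable mitigations are on the serving side: send images with the correct `Content-Type`, send `X-Content-Type-Options: nosniff` so browsers that honour it do not reinterpret image bytes as HTML, and re-encode uploaded images so that trailing payload does not survive.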
Posted in all | Tags ie, microsoft, stopbadware, vulnerability
Posted by Maxim Weinstein
Thu, 26 Jun 2008 19:57:00 GMT
Today, StopBadware.org staff Oliver Day and Brandon Palmen, along with affiliated Harvard researcher Rachel Greenstadt, presented research at the Workshop on the Economics of Information Security, held at the Tuck School of Business at Dartmouth College. A final version of their paper will be available in the proceedings from the conference. For now, here’s an abstract:
Internet end-users increasingly face threats of compromise by visiting seemingly innocuous websites that are themselves compromised by malicious actors. These compromised machines are then incorporated into bot networks that perpetuate further attacks on the Internet. Google attempts to protect users of its search products from these hidden threats by publicly disclosing these infections in interstitial warning pages behind the results. This paper seeks to explore the effects of this policy on the economic ecosystem of webmasters, web hosts, and attackers by analyzing the experiences and data of the StopBadware project. The StopBadware project manages the appeals process whereby websites whose infections have been disclosed by Google get fixed and unquarantined. Our results show that, in the absence of disclosure and quarantine, certain classes of webmasters and hosting providers are not incentivized to secure their platforms and websites and that the malware industry is sophisticated and adapts to this reality. A delayed disclosure policy may be appropriate for traditional software products. However, in the web infection space, silence during this period leads to further infection since the attack is already in progress. We relate specific examples where disclosure has had beneficial effects and further support this conclusion by comparing infection rates in the U.S. where Google has high penetration to China where its market penetration rate is much lower.
Posted in all | Tags research, stopbadware
Posted by Maxim Weinstein
Thu, 26 Jun 2008 19:28:00 GMT
Over on my own Harvard blog, I’ve started a series of posts about my foray into the field of public health and how it relates to the malware world. If you’re interested, please read along and post your thoughts in the comments.
Posted in all | Tags publichealth, stopbadware