StopBadware blogs

Highlights from five years of StopBadware work

ccondon — Wed, 16 Sep 2015 15:31:24 +0000

The Cambridge-based StopBadware team is signing off this week after more than five years of community building and collaboration with some of the best people in the security business. As we turn full operations over to Dr. Tyler Moore and his excellent team at the University of Tulsa, take a look at some of the highlights of our work these past five-plus years.

Tags:

stopbadware

What's next for StopBadware in Tulsa

ccondon — Thu, 20 Aug 2015 20:27:13 +0000

We asked Tyler Moore, StopBadware's research advisor and the boffin who's taking over our core operations, to expand on his plans for the organization in Tulsa and to throw in some 90s references. He obliged.

Dr. Tyler Moore on the new version of StopBadware

Recently we announced that StopBadware is transferring operations to the University of Tulsa. In today's blog post I will fill in some more details on this exciting new chapter of the organization. Some things will change as a result, but our non-profit mission to make the web safer will remain.

First, let me tell you a bit about myself and my history with StopBadware, which I hope will go a long way to help solve the mystery of how StopBadware has ended up in Tulsa. (Hint: it's not because of Hanson. And I promise the circumstances are happier than when Chandler was transferred there after sleeping in a meeting on Friends.)

I first began interacting with StopBadware in 2008 while I was a postdoctoral fellow at Harvard's Center for Research on Computation and Society. I wanted to engage with StopBadware due to my research interests in cybercrime measurement. We collaborated on several projects, one of which culminated in a 2012 paper describing an experiment that demonstrated the impact of transmitting detailed notices in cleaning up websites distributing malware. The paper was co-authored by Marie Vasek, who is now my Ph.D student and Research Scientist at StopBadware.

Since 2013, StopBadware has been closely collaborating with my research team under Marie's supervision. The website testing intern has regularly been an undergraduate student I have recruited from my courses. Last year, I became StopBadware's research advisor, further formalizing my long-term involvement with the organization.

When StopBadware's board of directors decided earlier this year to move away from being a stand-alone 501c3 non-profit organization, I volunteered to bring StopBadware back to its roots in academia. StopBadware will become a program operating within the Security Economics Laboratory at the Tandy School of Computer Science at the University of Tulsa, where I cut my teeth as an undergraduate security researcher and where I recently joined the faculty.

This change in organization will bring several benefits. One is that it should greatly reduce operating costs, as I will be serving as Director pro bono, and we can share other overheads with an existing institution. Another is that we will be able to continue to serve as a true non-profit—something that in the eyes of staff and community is both unique and essential in this space.

The new StopBadware will concentrate on the core competencies that we offer. First, we will continue the testing and review program, in which anyone can request independent review of URLs blacklisted for malware by StopBadware's data providers. Second, we will continue the Data Sharing Program (DSP), in which StopBadware serves as a trusted broker for community-contributed feeds of security datasets. Third, StopBadware's research mission will be expanded. We plan to more extensively mine the data contributed to the DSP and other sources. Finally, we intend to greatly expand the publication of data related to web-based badware. Our aim is to provide even greater transparency into the fight against web-based malware, so that we might more accurately track progress, highlight accomplishments and encourage improvements on part of the community.

We still need your help, in terms of contributing data, services and financial assistance. Donations will still be required in order for StopBadware to continue thriving in the years ahead. If you are interested in supporting StopBadware as we move onto the next chapter, please get in touch by emailing me at tyler@stopbadware.org.

- Tyler

Tags:

stopbadware, stopbadware news

Visualizing eight years of independent reviews

ccondon — Fri, 14 Aug 2015 16:24:40 +0000

StopBadware has been performing independent reviews of websites blacklisted by our data providers for more than eight years. As we've explained in the past, a manual review done by our staff is not always necessary: if a webmaster requests a StopBadware review of a site on Google's Safe Browsing blacklist, the first step in our review process is an automated request for Google to rescan the site in search of malicious code. If Google's automated systems don't find anything suspicious, that site will come off Google's blacklist without our ever having to touch it. When Google still finds malware, or when one of our other data providers is the blacklisting party, one of our website testing team uses a variety of tools to scour the site for malicious code and other bad behavior.

As our home page proclaims in red, we've helped de-blacklist more than 171,000 websites since 2007. Before we shutter operations as an independent nonprofit next month, we want to give our community a better idea of what goes into that number.

Since we started collaborating with Google, and later ThreatTrack Security and NSFocus, we've performed 53,167 manual reviews. We've also processed an additional 188,149 review requests that were resolved automatically thanks to our automated integration with Google. Those aren't all unique requests, so combining them doesn't yield an accurate number. Here's what all those review requests look like over time:

Why the decline?

You'll undoubtedly notice that we received many more review requests early on than we do today. Better security awareness, wide availability of relatively low-cost security tools, and default use of things like Webmaster Tools all contribute to the decline we've experienced in review requests. We also have better ways of detecting and weeding out abusive requests than we used to.

Unfortunately, something else that's contributed to the decline in review requests is malware distributors' widescale use of stealthier, more targeted methods like malvertising. When a resource is compromised only very briefly (e.g., through an infected ad network), even when blacklist operators are able to detect the infection and warn users away, the compromise is often resolved too quickly for StopBadware's Clearinghouse to reflect that the resource was ever blacklisted. Generally speaking, if something is blacklisted for fewer than six hours, we won't have a record of it in our Clearinghouse. On the one hand, this is good news, in that we want blacklists to operate as narrowly as possible to maximize user protection while minimizing penalty to site owners; on the other hand, this is bad news, in that malicious actors are able to effectively utilize powerful technologies to spread malware in ways that are difficult to detect and counter.

What's not included in this data?

What you don't see in this chart is the tens of thousands of URLs we've reviewed in bulk for web hosting providers, AS operators, and other network providers over the years. We've worked with everyone from dynamic DNS companies and bulk subdomain providers to small resellers and abuse departments at big companies to clean up malicious resources on their networks and help remove them from blacklists. The majority of this process is manual, and because it's initiated based on trust and human communication instead of by clicking a button, bulk review data isn't reflected in our public review data.

StopBadware's review process will continue to operate normally during and after our operations transfer to our research team at the University of Tulsa. Thanks to our research scientist, Marie Vasek, for putting this data together!

Tags:

stopbadware, malware, security, review data

StopBadware transferring operations to University of Tulsa

ccondon — Thu, 25 Jun 2015 14:01:36 +0000

In 2006, Harvard’s Berkman Center introduced a new project: StopBadware.org, a collective effort to protect consumers from bad software and expose the people who profited from it. StopBadware was to be a collaboration between the academic community and leading technology companies, a force for transparency and openness in an increasingly siloed online environment, and a haven for users seeking information about bad software and malicious websites. The project was backed by Internet pioneers in both business and academia: founders Jonathan Zittrain and John Palfrey, advisers Vint Cerf and Esther Dyson, supporting companies including Google and Lenovo. From its first day, StopBadware was a collaboration intended to demonstrate the full promise of the Internet by protecting and expanding user choice.

After almost a decade of collaborative work and more than five years as a standalone nonprofit, StopBadware is shutting down operations as an independent organization and transferring core programs to the University of Tulsa, where they’ll be run by our longtime research adviser, Dr. Tyler Moore. This decision rested upon two pillars: the unpredictability of long-term funding prospects and the strength of our ties to the research community. Ultimately, StopBadware’s board and staff agreed that our mission is better served by re-establishing roots in academia under the capable guidance of Dr. Moore and his team.

The programs we expect to transfer to Tulsa include our independent review process, the StopBadware Data Sharing Program, and maintenance of informational resources and searchable Clearinghouse.

What does this mean in practical terms?

Users and webmasters will still be able to look up URLs, IPs, and ASNs in our Clearinghouse and report malicious URLs to our community feed.
Website owners whose resources are blacklisted by one or more of our data providers will still be able to request an independent review from StopBadware.
Technology companies, independent security researchers, and academic institutions will still be able to contribute malware data feeds to StopBadware’s data sharing program.
StopBadware’s shared and proprietary data will still be used to facilitate research on cybercrime and the security ecosystem.
Users who encounter browser or search warnings about malware websites will still be able to reach StopBadware information about badware and how to protect their computers.

StopBadware’s Boston-based office and staff will cease operation by September, as will our current board of directors. Over the next few months, we’ll also be shutting down the StopBadware Partner program and the We Stop Badware™ Web Host program in order to let the incoming team in Tulsa focus on the review process, data sharing program, and research projects. The StopBadware Board and outgoing staff have known Tyler Moore since our early days as a Berkman Center project; we have the utmost confidence in his vision and unflagging dedication to StopBadware’s mission.

Over the next two months, we’ll be painting a bigger picture for our community to illustrate StopBadware’s accomplishments, both as an independent nonprofit and as a decade-old project in collaborative security. We’ll also turn our blog over to Dr. Moore part-time so he can expound upon his plans for the new iteration of StopBadware. Like many other good Internet citizens, we welcome the future!

- The StopBadware team

Tags:

stopbadware

Community news and analysis: May 2015

ccondon — Tue, 09 Jun 2015 16:54:31 +0000

Malware news + analysis

ESET: Whitepaper on CPL malware in Brazil
Sophos: “PolloCrypt” ransomware sounds as ridiculous as its mascots look—but it’s a real thing targeting Aussie users. Also from Sophos: Can Rombertik malware really destroy your computer? Nope.
Fortinet analyses of Rombertik malware and Tinba botnet malware
Sucuri: Hacked websites redirect to...Bitcoin?

Other security news

SiteLock: Who else is reading your email? A guide to PGP encryption
Fortinet: Should new WHO disease-naming guidelines also be applied to malware?

Tags:

stopbadware, StopBadware Partners, community news, malware, security

Community news and analysis: April 2015

ccondon — Fri, 08 May 2015 18:54:52 +0000

Malware news + analysis

ESET research on the Mumblehard Linux malware family, along with fascinating analysis of Operation Buhtrap aimed at Russian banks
Fortinet analysis of Dridex malware’s macro downloader, plus a writeup on hiding malicious traffic under the HTTP 404 error
Sophos on Dyreza malware’s discrimination and evasion techniques

Other security news

Internet Identity video: Putting the NIST cybersecurity framework to work
Mozilla statements on distrusting new CNNIC certificates and removing e-Guven CA certificate.
Advice from Automattic: “Please enable two-factor authentication for your WordPress.com account.”
A SiteLock primer on DoS vs DDoS attacks
Sophos: Five online privacy and security tips for travelers
Sucuri: How to create a website backup strategy; case study of a website blacklisted for distributing SEO spam

Community news and analysis: March 2015

ccondon — Mon, 13 Apr 2015 16:11:49 +0000

Featured news

Google cracks down on Chrome extensions that inject ads and degrade users’ browsing experiences (31 March). Google also added information about unwanted software to their Safe Browsing API last month (24 March).

Automattic: Five ways to secure WordPress plugins (27 March), preventing cross-site scripting in JavaScript (25 March), and a blind SQL injection vulnerability found in Yoast’s popular WordPress SEO plugin (13 March).

Three cheers for open information: Check out DreamHost’s first ever Transparency Report!

Malware news

ESET analyses “Casper” malware used against Syrian targets and likely developed by the same group behind the Babar and Bunny malware (5 March).

SiteLock demonstrates what it looks like to infect a website (19 March).

Sophos on the new TeslaCrypt ransomware targeting gamers running Windows (16 March) and developments in Microsoft Office malware (6 March).

A couple pieces of interesting Sucuri analysis: WordPress malware causes pseudo-DarkLeech infection (26 March); ‘inverted WordPress Trojan’ adds useful features along with malware (11 March).

Other security news

Mozilla on memory scanning for server security (12 March) and revoking trust in one CNNIC intermediate certificate (23 March).

Qualys: GHOST remote code execution exploit (17 March).

Fortinet: Cross-site scripting vulnerability discovered in WordPress Photo Gallery plugin with 12 million downloads (20 March).

Tags:

community news, StopBadware Partners, malware, security news

Community news and analysis: February 2015

ccondon — Tue, 03 Mar 2015 16:08:36 +0000

Featured news: Superfish, new malware warnings, universal SSL

Read Mozilla’s directions for getting Superfish out of Firefox (Feb. 27), Sophos on Superfish removal (Feb. 20), and a Fortinet Superfish FAQ. (Feb. 20) ESET also has a wise piece on unwarranted panic and false positives. (Feb. 20) Note: We hope we don’t ever have to write the word “Superfish” again.

Google Safe Browsing expands Chrome warnings: New warnings let users know when they’re about to visit a site known for encouraging downloads of unwanted or suspicious software. (Feb. 23)

Feedback and data-driven updates to Google’s Project Zero disclosure policy (Feb. 13)

Universal SSL: Public beta version of new CloudFlare service encrypts data from the browser to the origin for free. (Feb. 24)

Malware news + vulnerabilities

Google releases free, cloud-based web application security scanner that can help App Engine developers check for cross-site scripting and mixed content vulnerabilities. (Feb. 19)

Highlights from Internet Identity’s 2014 eCrime Trends Report (Feb. 25)

Fortinet: Decoy files used to spread CTB-Locker ransomware (Feb. 16)

Automattic (Feb. 6), Sucuri (Feb. 16), and SiteLock (Feb. 26) on a serious vulnerability affecting most versions of the Fancybox-for-WordPress plugin

SiteLock on a security flaw in the UpdraftPlus premium WordPress plugin (Feb. 17)

Sucuri: Vulnerabilities in Gravity Forms WP plugin (Feb. 26) and analytics plugin WP-Slimstat (Feb. 24)

Security news + perspectives

In case you missed it: After six years, StopBadware is shutting down its community forum. Details and recommended alternatives here.

Automattic: WordPress 4.1.1 is out! This one’s a maintenance release. (Feb. 18)

ESET on exploits: What are they, and how do they work? (Feb. 27)

DreamHost’s Mika E. talks about the virtues of open source and his experience writing plugins for WordPress. (Feb. 10)

SiteLock: How you can tell if a website is secure (Feb. 24)

Sucuri: Why websites get hacked (Feb. 26)

Tags:

community news, stopbadware, StopBadware Partners, malware, security news

StopBadware shutting down community forum BadwareBusters.org

ccondon — Tue, 24 Feb 2015 18:43:39 +0000

It's been nearly six years to the day since StopBadware and its partners launched BadwareBusters.org, our community platform for those who wanted to learn about and prevent badware. Over the years, the forum has helped thousands of website owners clean up hacked websites. Dozens of security experts have volunteered their time and talent to examine compromised sites, offer advice, and guide users to the best security resources for their needs. BadwareBusters has been exactly what it was intended to be when it launched in 2009: a place for our community to define its own needs, share stories, and learn from each other's experiences.

At the end of this month, StopBadware will be shutting down the forum. We're terribly proud of all that our community has accomplished these past six years; we don't take lightly the decision to close up shop, but limited resources mean StopBadware is no longer able to maintain the forum in a way that's fair and productive for users.

We're confident those seeking help with hacked sites and malware cleanup can find what they're searching for in places such as Google's malware forum, Bleeping Computer's forums, or Stack Exchange's community Q&As. StopBadware's hacked sites resources section also has useful tools and tutorials on finding and removing website malware, and longtime BadwareBusters moderator RedLeg maintains a gem of a site on website cleanup.

Thanks for your participation and your wisdom. Keep learning.

Tags:

badwarebusters, stopbadware, malware, hacked sites

Community news and analysis: January 2015

ccondon — Fri, 06 Feb 2015 18:44:10 +0000

General security news

Google looks back on how its security rewards programs did in 2014 and details a new vulnerability research grant it will offer in 2015. (Google Online Security Blog Jan 31)

Mozilla on referers [sic]: “This HTTP header has become quite problematic and not very useful...What’s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that’s less privacy invasive.” Firefox 36 Beta supports a “meta referrer” feature that gives sites tighter control over their referrers. (Mozilla Security Jan. 21)

Mozilla is also progressing in its project to phase out certificates with 1024-bit RSA keys. See the post for a list of affected root certificates. (Mozilla Security Jan. 28)

A WordPress security Q&A with VaultPress Vaultkeeper and lead developer Mark George (Automattic Jan. 30)

Vulnerabilities

Qualys, SiteLock, and Sophos on what you need to know about the much-mentioned GHOST vulnerability in the Linux glibc library. Patches were available as of Jan. 27, 2015.

Qualys (Jan. 21 and Feb. 2) and Sophos (Jan. 23 and Jan. 24) have also offered excellent coverage of multiple recent Adobe zero-day vulnerabilities.

Webmaster warnings from Sucuri: Security vulnerabilities in Pagelines and Platform themes for WordPress (Jan. 21), remote code execution vulnerability in vBSEO (Jan. 13), and a fake “mobile-shortcuts” WordPress plugin that injects SEO spam into websites. (Jan. 30)

Malware

CTB-Locker: New campaigns spread malware that demands Bitcoin ransoms from victims; Poland, the Czech Republic, and Mexico have the highest infection rates. (ESET Jan. 21)

Apparently, it’s such an ordeal for Belarusians wanting Polish visas to get an appointment at the Consulate of Poland that someone created a botnet with the express purpose of filling out forms to secure an appointment slot. Yes, really. (ESET Jan. 29)

5 ways to protect your website from malware (SiteLock Jan. 20)

Fortinet malware analysis: Cracked version of an old Andromeda botnet malware variant spreads Bitcoin miner (Jan. 7), analysis of recent VBA macros (Jan. 6)

After a multinational takedown operation in December 2013, the ZeroAccess click fraud botnet has reappeared. At the end of January 2015, around 50K computers were compromised by the resurgent botnet, although researchers noted it doesn’t appear to be growing. (Sophos Jan. 31)

A mid-January malvertising campaign abused AdSense to redirect users to fake health websites. (Sucuri Jan. 14)

Tags:

community news, partners, stopbadware, malware