Tag Archives: Phoenix

The Source of the Malware Scourge

Despite appearances, the U.S. is still the most popular place for the bad guys to place their malware code.

StopBadware.org has listed those Internet Service Providers that wittingly or unwittingly host “badware” — an umbrella term for any kind of software that insidiously installs itself on your computer. What’s interesting is that while there is one China company on the list, by far the biggest culprit is one iPowerWeb Inc, based in Phoenix, Arizona, which has more than 10,000 infected sites on their servers. (By comparison, the next biggest culprit has a quarter of that.)

Badware is usually installed on a site without the owner’s knowledge, either by exploiting holes in the software that delivers content to the site, or by hacking into the site by guessing the owner’s password or making use of a hole in the server software. Victims unwittingly download the badware either by visiting the website in question or by being directed there from other websites which have been infected. Here’s a case of a fake MySpace page which lures victims to an iPowerWeb-hosted site where users give up their MySpace password. Interesting detail on how these work is here.

iPowerWeb appear to have a long history of attracting accusations that it doesn’t take this kind of thing seriously. Examples are here, here and here (from two years ago). So far there’s no press statement from iPowerWeb on its website; I’ve requested comment.

The sad thing here is that when Google and organisations like StopBadware find these hacked sites the sites are flagged and removed from Google searches, or else prefaced by a warning page. While this makes sense, it causes mayhem for the owners of these sites who are either not technically savvy enough to resolve the problem, or find themselves in limbo while their site is removed from the list after they’ve cleaned it up. A recent discussion of the problem on the stopbadware Google Group is here. (StopBadware says it will respond to appeals within 10 days and says the time is closer to two.)

One can only imagine the scale of the mess caused by all this. Hosting companies need to be smarter about monitoring this problem, or they’ll face declining custom or lawsuits.

Now, The MyDoom Backslapping

Cue trumpets. The security software folk have started congratulating themselves for saving us from MyDoom.

Here’s DeepNines Technologies, “the only company to offer a security platform that includes firewall, intrusion prevention and gateway anti-virus functionality in front of the router”, which says: “Companies that have Sleuth9 deployed in front of the router, are finding that approximately 1.5 out of every 10 emails are infected and they are successfully blocking those emails at the perimeter, thus preventing MyDoom from impacting the network.”

Here’s CrystalTech Web Hosting Inc, “a Microsoft Windows-based web host located in Phoenix, Arizona”, which says it “has effectively eliminated the threat of the MyDoom virus for over 1.2 million mail accounts and over 38,000 domains that are hosted on their network”. Customers, the company is not shy in pointing out, were impressed: “The speed and efficiency with which CrystalTech acted did not go unnoticed by their customers. Several noted on the CrystalTech message board that they were seeing few, if any, infected messages in their inboxes. The majority stated that they were seeing more in their outside accounts, with one customer stating that their free email account was full with infected messages within a day, whereas his CrystalTech account had a single infected message.”

In fact, reading this stuff you’d think the virus had only hit folk in outer space. BorderWare Technologies Inc., “The Security Appliances Company(TM)”, says “no MXtreme Mail Firewall customers have been affected by the MyDoom outbreak or any of its variants and mutations”.

And, then of course, there’s the intoxicating smell of free publicity: 0Spam.Net, “the most accurate Anti-Spam solution in the world for eliminating Spam, Pornography, Phishing (Identity Theft Fraud) and Viruses from email”, is offering “free protection against email delivery of the MyDoom virus and any variants that might appear over the next 30 days” to ISPs, companies, governmental or non-profit organizations, and extends to individuals and families as well. It’s not clear whether this offer was already in place before MyDoom hit. Now that really would have helped.

Then there’s the individual heroics. My favourite is from San Diego, where, hours before the world realized what was happening, a certified Juvio computer technician, assisting a customer with a troubled computer, detected the MyDoom virus. “With no known protection codes available, the Juvio technician immediately set about to write script to defeat this destructive new virus. In a matter of minutes, the victimized customer ceased to be attacked by this malicious virus thanks to the expertise and quick skill of the attending Juvio technician. The technician immediately alerted fellow Juvio technicians to the situation and provided them with a repair solution, effectively assisting several global customers who found themselves to be in need of emergency help.” I’m not complaining, by the way: this is an uplifting tale and much more fun to read than most press releases.

The serious point in all this, I guess, is that the flood of press releases that tracked MyDoom’s progress (including interactive maps and charts), and now this self-congratulatory fluff, brings home how much money is to be made from selling stuff to protect people.