VeriSign’s Bad Advice on Protecting Websites from Malware

If you do a Google search related to website malware right now you might right run across the following ad from VeriSign:

VeriSign Malware Scan
What you need to know about malware & how to protect your site

Someone interested in how to protect their website from malware might click on the ad hoping to learn about doing that. From the page the ad takes you to you could visit a page titled FAQ: Web Site Malware Scanning. One of the questions in the FAQ is “How can I protect my site from malware?”. This looks like the information their advertising was promoting.  Here is what they say:

Like most thieves, malware hackers look for easy targets—such as a Web site where malware will go undetected for as long as possible. Posting the VeriSign Trust Seal on your Web site is like posting an alarm security sign in your front window. It shows hackers that your site is scanned daily to detect malware.

There are probably many variations on what would be a good answer to this question. Verisigns answer is certainly not one of them. Not only have they given really bad advice for protecting websites, but the answer suggests a scenario that is almost never going to happen.

The scenario in the answer suggests that hackers are going to view the website before they attempt to hack it. In almost all instances that is not the case. Not only is someone not likely to view the website before attempting to hack it, but there probably will not be a person directly controlling the attempted hack. Instead, the hacking attempt is likely to be automated.

For example, someone might setup a program to go through every domain name attempting to exploit a vulnerability in an outdated version of WordPress. Because no one is viewing the website before attempting to hack it the VeriSign Trust Seal will have no impact on whether the website is hacked or not. The best that malware scanning could do in this case would be to quickly warn that the website is infected. The worst case would be the scanner not detecting the infection until it has potentially infected many visitors. What is hopefully obvious is that if you are not running an outdated version of WordPress you would not get infected in the first place.

The right way to protect your website against these types of hacks, which are done in this automated fashion, is by taking the measures we have written about here. If your website is properly secured you are very unlikely to get infected so malware scanning is of little use. If you wanted make sure that you are warned quickly if your website is ever infected you set it up so that Google will send email to an address of your choice if they ever detect malware on your website.

So would the seal have any deterring effect on someone who has decided to target your website? It is hard to say for sure, but it seems unlikely it would have any effect. If someone were looking for easy targets they wouldn’t be trying target specific websites at all. It is much more efficient for them to use untargeted methods to find easy targets. What would be more likely to happen if they were targeting you is that they would test their malware to make sure it is not detected by the scanning done by Verisign before infecting your website. In that situation letting them know it was going on would not be helpful.

Verisign is owned by a major security company, Symantec, so they should be aware of all of this, especially since they decided to run advertising promoting that they would tell “What you need to know about malware & how to protect your site”. Either they don’t know about website malware, but are offering the service any way, or they know about it and they appear to be intentionally misleading potential customers.

Increased PHP Requirement for WordPress 3.2 Not a Major Issue

With the release of WordPress 3.2 coming up shortly (we are running the release client of it on our other blog without issue) the issue of its higher version requirements for PHP and MySQL have been coming up as a possible issue. One comment that we noticed was from a self-proclaimed security researcher was making the point this would lead to more outdated WordPress installations because servers are still running versions PHP below 5.2.4, which is the new required version, will not be able to be upgraded. On that point we have actual data on what version of PHP is running on servers and, more importantly, information on why an actual security researcher would see a much bigger issue with people still running a version of PHP below 5.2.4 than not being able to upgrade WordPress.

For every client that we need access to their website’s filesystem during our work we check the PHP version as well as other software running on the server (you can check your host using a tool we have created). For hosts having particularly outdated versions of software we alert the client to the issue and we also document some cases on our page detailing hosts with security issues. Our clients host websites around the world and with host provider of all sizes so the data should be a good representation of what is exists overall. We reviewed our data for this year and we found that none of our clients had been running a version of PHP 5 below 5.2.4, the lowest we found was 5.2.6. We did have some clients that were still running PHP 4, in all those cases we were able to switch them to PHP 5, above version 5.2.4, through the host’s control panel without issue. If you are still running PHP 4 you should make the switch as soon as possible as support for PHP 4 ended on December 31, 2007 and updates for critical security issues ended on August 8, 2008.

If there are still people on hosts that are only running a version of PHP less than 5.2.4 they probably have much bigger security issue than not being able to upgrade WordPress. PHP 5.2.4 was released on August 31, 2007 and last version PHP 4 was released on August 7, 2008. So that means their host has not bothered to upgrade one of the core pieces of software on their servers for nearly three or four years. While PHP itself is not a common target of hackers other server software is. Keep software running on the servers is the most basic security measures a host should be taking, if the host is not doing that then there is good chance that are not taking care of other security measures. There are many hosts that do take the basic security measures of keeping the server software up to date, so no one should be using a host that isn’t.

We would expect that a security researcher would know that you need to keep server software up to date and that PHP 5.2.4 itself is very outdated before making the statement they did. The fact that somebody claiming to be a security researcher doesn’t know this is a great example of why website security is in such a bad place. There are many people that are involved in website security that don’t’ know even the basics, but that doesn’t seem to stop them from telling others what they should be doing. If an actual security researcher were to complain about this, you would expect them to be suggesting that WordPress and other web software raise the required PHP version even higher. There have been numerous security fixes included in versions of PHP since version 5.2.4 was released and support for PHP 5.2 ended in December of last year. PHP 5.3 includes major changes that can cause software to break so many host are holding back switching to until more software is available with a version that supports PHP 5.3, but there is no reason they could not be running the last version of 5.2, 5.2.17. 5.2.17 was released over six months ago.

WordPress 3.2 also requires at least MySQL 5. None of our clients were running something below that this year. Support for the version below that, 4.1, ended on December 31, 2009.

Responses to Cybercrime in Japan and France

This week the Sorbonne University and the French Department of Justice hosted a meeting, the World and Development Institute (IMODEV) International Cybercrime, CyberThreat and CyberFraud Seminar. The audience heard eminent speakers including Pierre Joxe, a Member of the French Constitutional Council and former socialist Minister of the Interior, and Jacques Godfrain, the writer of the so-called French Godfrain Act (Loi Godfrain) of 5 January 1988, which updated the French penal code by introducing a section regarding the intrusion in information systems.

The seminar took an in-depth look at French and European penal and civil aspects of the fight against cybercrime. I’ll recap a couple of other topics.

Let’s start with the talk by Yoshiyuki Tsutsumi, attorney and First Secretary in charge of judicial affairs at the Japanese embassy in Paris. After reminding us that the Japanese parliament has just enacted legislation criminalizing the creation or distribution of computer viruses (punishable by up to three years in prison or 500,000 yen in fines) and the acquisition or storage of viruses (punishable by up to two years in prison or 300,000 yen in fines), he showed us the very latest unpublished statistics regarding cybercrime cases in his country in 2010.

In another track, Eric Edelstein from Orange/France Télécom discussed mobile security and the lack of awareness of mobile users. Among other things, he pointed out the mobile-spam average conversion rate compared with the rate seen in a traditional email-based spam campaign.

In 2008, a security analysis made by U.C. San Diego and U.C. Berkeley researchers showed that the average conversion rate for an email-based spam campaign was just 0.000008 percent

  • 35 million pharmaceutical spam emails sent
  • 28 individuals bought products for a total US$500 total profit for the crooks. In one year this would lead to $3 million in profits

In another study from 2010, a typical SMS-based spamming scheme can reach a conversion rate higher than 1 percent.

  • 10 million SMS sent
  • 288,000 recipients called a number, for a $780,000 profit
  • 217,000 recipients replied to SMS or signed up for a service, for a $224,000 profit
  • During the three-day active phase of attack, the crooks earned around $1 million

Another talk that grabbed my attention was made by Adeline Champagnat, assistant head of OCLCTIC (French National Unit for Countering Cybercrime). She presented the French responses to cybercrime, including the Pharos reporting platform, which allows the public to report suspicious websites or messages they encounter during their Internet surfing. The public reports about 1,500 alerts per day; this will result in more than 100,000 potential offenses for the whole of 2011. One of her graphs showed the public commitment as time goes by:

In 2010, Pharos gathered 77,646 reports, compared with 52,353 in 2009. Last year, this collection resulted in investigations of thousands of incidents (between 6,000 and 8,000). More than 700 required direct action by French authorities; another 1,941 were forwarded to Interpol. 57 percent of reports related to fraud. Nearly 22 percent were classified as an “offense against underage children.” The rest of the complaints were broken down into “xenophobia” (10 percent) and “others” (8 percent). Only 3 percent were classified as unfounded.

Combating Fake Alerts

The fake-alert families (bogus or rogue anti-virus software) are one of the most prevalent threats we face, and we see lots of new variants everyday. The threat is expanding constantly. For example, a couple of weeks ago, we observed MacDefender/MacProtector, which targeted Mac users, in addition to the usual attacks against Windows users.

Today, I’m really excited to see the news that the U.S. Department of Justice and the FBI announced they have taken action against two international cybercrime rings that have been spreading fake-alert malware. This operation hopefully will have a big impact on cybercrime rings and will discourage them from selling fake-alert products. I hope this will neutralize the fake-alert threat someday. 

For the time being, however, we need to protect ourselves from getting infected by fake-alert malware. McAfee Labs has prepared advisories for combating fake-alert families. One recent prevalent family is SystemDefender.

These advisories show how fake-alert malware deceives users and provides mitigation steps to avoid an infection. Please have a read and protect yourselves from such fraud!