Services tap people power to spot malware

PC World - People-driven security, an approach that pools the judgments of individual participants to identify new threats, is gathering momentum, with uses popping up in everything from antimalware and spam blocking to site filtering.

OpenDNS's Domain Tagging, introduced in February, is the latest example of this kind of strength in numbers. The free Web-filtering service allows subscribers to block sites in their choice of categories. But instead of one company deciding whether a site is malicious, pornographic, or otherwise unsavory, anyone who volunteers can help do the filtering.

Illustrating the trend's extent, Google created a page last fall where anyone can submit a site that they believe to be malicious. Once Google verifies a submission, it adds the tainted site to a shared blacklist. Other free and paid services for tracking attacks, identifying malware, and blocking spam are also tapping such people power.

Us Versus Them

"The good guys need to out-share the bad guys to help counter them," says Johannes Ullrich, chief research officer at the Internet Storm Center (ISC). The center's free D-Shield service analyzes data from people's firewalls to track breach attempts. With a thousand firewalls being tracked, the center can then identify an at-risk machine and alert its owner.

OpenDNS's PhishTank, launched in 2006, identifies phishing sites based on user submissions and community analysis. As a result, flagged sites are blocked for people who use OpenDNS for domain-name lookups. The Domain Tagging service, which expands on the idea behind PhishTank, permits any person who signs up to submit a site to a category, such as social networking. Other users then vote on that submission, and if enough people okay it, the site joins the domain-tagging lists. To help prevent incorrect categorizations or attempts by crooks to game the system, votes from trusted users have more weight than do those from people whose submissions have been voted down.

"Using a community costs less, is more thorough, and is more in real time," says David Ulevitch, chief executive of OpenDNS.

User involvement is key

McAfee employs VirusTotal's shared information. The company receives more than 200,000 samples per month from the site, says Dave Marcus, security research and communications manager for McAfee Avert labs. He says that antivirus companies share with one another the thousands of samples they receive directly from users, too.