Human networks used to spot malware

People-driven security, an approach that pools the judgments of individual participants to identify new threats, is gathering momentum, with uses popping up in everything from anti-malware and spam blocking to site filtering.

OpenDNS' Domain Tagging, introduced in February, is the latest example of this kind of strength in numbers. The free web filtering service allows subscribers to block sites in their choice of categories. But instead of one company deciding whether a site is malicious, pornographic, or otherwise unsavoury, anyone who volunteers can help do the filtering.

Illustrating the trend's extent, Google created a page last fall where anyone can submit a site that they believe to be malicious. Once Google verifies a submission, it adds the tainted site to a shared blacklist. Other free and paid services for tracking attacks, identifying malware, and blocking spam are also tapping such people power.

The movement is achieving critical mass just in time, potentially overcoming but one problem with such free exchange of information: At sites such as VirusTotal (where people can scan files believed to be malicious and share new finds), wrongdoers can use the information too.

"The good guys need to out-share the bad guys to help counter them," says Johannes Ullrich, chief research officer at the Internet Storm Center (ISC). The centre’s free D-Shield service analyses data from people's firewalls to track breach attempts. With a thousand firewalls being tracked, the centre can then identify an at-risk machine and alert its owner.

OpenDNS's PhishTank, launched in 2006, identifies phishing sites based on user submissions and community analysis. As a result, flagged sites are blocked for people who use OpenDNS for domain-name lookups. The Domain Tagging service, which expands on the idea behind PhishTank, permits any person who signs up to submit a site to a category, such as social networking. Other users then vote on that submission, and if enough people okay it, the site joins the domain-tagging lists. To help prevent incorrect categorisations or attempts by crooks to game the system, votes from trusted users have more weight than do those from people whose submissions have been voted down.

"Using a community costs less, is more thorough, and is more in real time," says David Ulevitch, chief executive of OpenDNS.

Submitting a suspicious site to Google allows any Web surfer to act as an Internet watchdog, but doing so is a somewhat altruistic act, since you don't see an immediate benefit. Mozilla's upcoming Firefox 3 browser, however, will use the Google blacklist to block known malicious sites.

McAfee employs VirusTotal's shared information. The company receives more than 200,000 samples per month from the site, says Dave Marcus, security research and communications manager for McAfee Avert labs. He says that anti-virus companies share with one another the thousands of samples they receive directly from users, too.

Marcus notes that the increase in user involvement is coming at a crucial juncture, as targeted threats are on the rise: "User submissions are more important than ever," he says.

When you submit a virus sample, the anti-virus engines and labs analyse it to decide whether it is malicious. But with spam, your eyes are often the best analytical tool available.

Though automatic filters in email clients and servers can stop some junk mail, spammers typically test their trash to make sure it can bypass automatic filters before they send it out. To combat that tactic, several successful tools, such as those typically used by Web-based mail providers and companies such as Cloudmark, harness the collective power of millions of human eyes.

This story, "Human networks used to spot malware" was originally published by


Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon