Services Are Tapping People Power to Spot Malware

Companies and turning to the wisdom of crowds to fight increasingly sophisticated phishing, spam and nefarious sites.
Illustration: John Hendrix
People-driven security, an approach that pools the judgments of individual participants to identify new threats, is gathering momentum, with uses popping up in everything from antimalware and spam blocking to site filtering.

OpenDNS's Domain Tagging, introduced in February, is the latest example of this kind of strength in numbers. The free Web-filtering service allows subscribers to block sites in their choice of categories. But instead of one company deciding whether a site is malicious, pornographic, or otherwise unsavory, anyone who volunteers can help do the filtering.

Illustrating the trend's extent, Google created a page last fall where anyone can submit a site that they believe to be malicious. Once Google verifies a submission, it adds the tainted site to a shared blacklist. Other free and paid services for tracking attacks, identifying malware, and blocking spam are also tapping such people power.

Us Versus Them

The movement is achieving critical mass just in time, potentially overcoming one problem with such free exchange of information: At sites such as VirusTotal (where people can scan files believed to be malicious and share new finds), wrongdoers can use the information too.

"The good guys need to out-share the bad guys to help counter them," says Johannes Ullrich, chief research officer at the Internet Storm Center (ISC). The center's free D-Shield service analyzes data from people's firewalls to track breach attempts. With a thousand firewalls being tracked, the center can then identify an at-risk machine and alert its owner.

By allowing people to tag Web domains, as well as to vote on submissions, OpenDNS can categorize and filter the sites.
By allowing people to tag Web domains, as well as to vote on submissions, OpenDNS can categorize and filter the sites.
OpenDNS's PhishTank, launched in 2006, identifies phishing sites based on user submissions and community analysis. As a result, flagged sites are blocked for people who use OpenDNS for domain-name lookups. The Domain Tagging service, which expands on the idea behind PhishTank, permits any person who signs up to submit a site to a category, such as social networking. Other users then vote on that submission, and if enough people okay it, the site joins the domain-tagging lists. To help prevent incorrect categorizations or attempts by crooks to game the system, votes from trusted users have more weight than do those from people whose submissions have been voted down.

"Using a community costs less, is more thorough, and is more in real time," says David Ulevitch, chief executive of OpenDNS.

User Involvement Is Key

Submitting a suspicious site to Google allows any Web surfer to act as an Internet watchdog, but doing so is a somewhat altruistic act, since you don't see an immediate benefit. Mozilla's upcoming Firefox 3 browser, however, will use the Google blacklist to block known malicious sites.

McAfee employs VirusTotal's shared information. The company receives more than 200,000 samples per month from the site, says Dave Marcus, security research and communications manager for McAfee Avert labs. He says that antivirus companies share with one another the thousands of samples they receive directly from users, too.

Marcus notes that the increase in user involvement is coming at a crucial juncture, as targeted threats are on the rise: "User submissions are more important than ever," he says.

When you submit a virus sample, the antivirus engines and labs analyze it to decide whether it is malicious. But with spam, your eyes are often the best analytical tool available.

Though automatic filters in e-mail clients and servers can stop some junk mail, spammers typically test their trash to make sure it can bypass automatic filters before they send it out. To combat that tactic, several successful tools, such as those typically used by Web-based mail providers and companies such as Cloudmark, harness the collective power of millions of human eyes.

"Spam will always get through," says Jamie de Guerre, chief technology officer of Cloudmark. "So it's a matter of how quickly can antispam respond."

Cloudmark's system lets people click a 'This is spam' button when they get an obnoxious e-mail. When anyone does so, that person's judgment joins those of other users, based on a fingerprinting system that can track a message even if a few words or image pixels change.

As in OpenDNS's filtering system, each Cloudmark user has his or her own reputation. If the rest of the community agrees with your assessments, you gain a high reputation. If other users often disagree with your verdicts (suggesting that you might be a spammer trying to mess with the ratings), your reputation declines.

Together, people-powered tools and sites work to build genuine security that benefits the entire online community. "They are a very strong part of Internet security," de Guerre says.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon