Wednesday, February 28, 2007

Blog Attack Prediction Comes True

Last week, in a series of blog entries and interviews, Ray Dickenson and I called attention to the possibility that blogs and RSS feed aggregators would soon become a new and powerful vector for malware.

Unfortunately, this week, that prediction came true - in the form of a new variant of the Storm Worm.

No one - not even the CEO of a security software company - likes to be right when predicting doom, but blogs, forums and RSS feeds were a disaster waiting to happen. Now the cleanup must begin, and it will not be pretty. Not enough people will get the message in the short term, and because the damage lands on end users rather than on the sites that relay the content, many blog operators will likely leave those open channels open. The result could be a new form of malware syndication on an unprecedented scale.

Why is it important to act? As several people have recently commented, blogs are extremely important tools: they enable free speech and political freedom, and the sharing of opinions from all over the world and from all sides of the political spectrum. The fourth-largest blogging population by language is Persian-speaking, largely Iranian, and much of what is discussed there involves the creation of a state that represents its young, progressive thinkers. We cannot allow blogging to become untrusted - it is too valuable.

So what are the next steps? At this moment it is unclear what best practices exist for blogging and forum sites and for RSS aggregation ("gator") sites (I'd love to hear your opinions on which sites you think are good examples). Many of the sites I visit allow comments by default and load those comments straight into their feeds. That is one of the main vectors by which aggregating and redistributing sites get attacked: anything a visitor can post in a comment - markup, scripts, links to hostile sites - is handed, unfiltered, to every site that re-syndicates the feed.

One approach we have been working on is being moved up the product roadmap for earlier release. Right now we have an RSS aggregator and blog creation widget in beta that has been hardened against this form of attack. It is code-named (and trademarked) SpinStream, and it filters all streams into and out of the widget for malware.

This approach covers delivery of RSS feeds and blogs to and from the desktop. Sorry for the commercial pitch (it isn't really that commercial, because we plan to make this app completely free), but we have been thinking about this for some time, and it might just be useful to someone.

In the absence of endpoint solutions and up-to-date malware protection (and kick-ass heuristics-based analysis, which is the only thing you can really rely on in these situations), owners of web-based forums and blogs should consider putting heuristics-based anti-malware engines on their servers, in line with their feeds, so that comment content is scrubbed before it is published and before it reaches any aggregator.

Bottom line: we need to protect our blogs. Community isn't just a buzzword, folks - for some populations (the Iranian student population, for example), the blog *is* the community.
