Sunday, May 27, 2007

90,000 Malware Sites, Zero Regulation

Brian Krebs over at the Washington Post recently asked this question: should there be a law that requires web hosting companies to take down malicious sites, and protect law-abiding sites from malware?

You *bet* there should.

Cynics would say that I'm saying that so I can make a few bucks off hosting companies by providing them antivirus or antispyware scanners.

Rubbish. I'm saying it because I'm deeply worried about what I see going on in server-land. With more than 90,000 infected sites dishing up malware (source: Krebs, Google), how will life improve for consumers until these servers are forced into compliance?

The DHS needs to bring hosting companies into line. Banks currently are mandated to "know their customer" - why should information transactions be treated any differently? How hard would it be for governments to mandate that hosting companies know their customer?

How much would it cost to install malware detection and alert owners if the code changes on their site? Peanuts, relative to the multi-billion dollar hosting industry - and its evil twin, the multi-billion dollar online fraud industry.

As Brian does a terrific job of pointing out, the biggest problem that all of us face in this industry is that it doesn't matter how much client software we track down, put a ring around, neuter, or quarantine - there is always a hosting company standing ready to take a dollar off a phishing gang or similar criminal organization.

It is time for the government to pass a law, and empower an agency to step in and put a stop to hosting companies that willy-nilly take money from terrorists and criminals.

Yes, it will take a few years to clean out all the transgressors, but we need to start: servers, not clients, are the issue - and with the current level of escalation up the value chain we're seeing in the phishing world (nice "Rock Phish" article also, Brian), it won't take too many intrusions at the client level to add up to significant value for a criminal.

Time to clean house.
