Oliver guest blogs at SecurityFocus

Posted by Maxim Weinstein Fri, 14 Nov 2008 17:04:41 GMT

StopBadware.org staff security researcher Oliver Day has a guest blog post at SecurityFocus that explores the relationship between Microsoft’s anti-piracy measures and the number of vulnerable Windows machines around the world. His conclusion:

The simple answer is that the current WGA policies from Microsoft significantly extend the lifetimes of vulnerabilities, sometimes indefinitely.

Follow the link above to read his full, thoughtful post.


Apparent spam host taken offline

Posted by Maxim Weinstein Thu, 13 Nov 2008 14:53:18 GMT

McColo, a web hosting company, was taken offline by its network peer, Hosting Electric, after reports by Jart Armin of HostExploit and Brian Krebs of the Washington Post implicated McColo as a major host of spam.

As you can see, there has been a significant drop in spam reported to SpamCop since McColo was taken down. While likely temporary, it does indicate that the reports were accurate in their assessment.

Even as I applaud the efforts of journalists and security researchers to cut off spammers and malware purveyors at the source, I wonder about who else is negatively affected by these takedowns. Surely McColo and previously-taken-down Intercage had legitimate customers, owners of websites and/or domain names that they used for their personal blogs, their small businesses, their family photo albums, and so on. What happened to those users when their providers and their sites suddenly became unavailable? This doesn’t necessarily make it wrong to shut down the providers, as the disease (spam, malware, etc., affecting potentially millions of people) is almost certainly worse than the cure. But it does raise the question of whether we can find ways to hit the bad guys where it hurts, without also hurting innocent bystanders.

If you have thoughts on this, please let us know in the comments.

 


EstDomains no more

Posted by Maxim Weinstein Thu, 30 Oct 2008 14:57:57 GMT

Domain registrar EstDomains, which has been targeted by security researchers as being complicit in various malware, phishing, and illegal pharmaceutical schemes, has been deaccredited by ICANN, the organization that oversees Internet domain names.

According to a letter sent by ICANN to EstDomains President Vladimir Tsastsin, "this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction." The letter goes on to quote a section of ICANN’s Registrar Accreditation Agreement, which allows ICANN to deaccredit a registrar that retains as a corporate officer any individual convicted of fraud or other financial-related crimes.

This comes after reports released by, and pressure applied to ICANN by, Jart Armin and KnujOn, among others.


Microsoft to release emergency Windows patch

Posted by Maxim Weinstein Thu, 23 Oct 2008 20:02:39 GMT

Microsoft will release an emergency security patch for Windows tonight. This is unusual, as Microsoft typically releases security patches only once per month on what has become known as "Patch Tuesday." The rushed release may indicate that the security hole puts users at greater than usual risk.

A little more information can be found here and here. If you are a Windows user and you do not use Automatic Updates (which you probably should), or if you are a Windows sysadmin, you may want to go out of your way tomorrow morning to download and install the new patch. Home and small office users can do so via Windows Update, which can be found in the Start menu and/or in the Tools menu of Internet Explorer.


October infected network stats

Posted by Maxim Weinstein Thu, 09 Oct 2008 18:51:27 GMT

In June we released a report (http://www.stopbadware.org/home/badwebs) with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. We released updates in July (http://blogs.stopbadware.org/articles/2008/07/30/updated-infection-stats) and August (http://blog.stopbadware.org/2008/08/25/top-infected-network-blocks-for-mid-august). Here is another update from early October:

# of badware sites   AS block name
35147                CHINANET-BACKBONE No.31,Jin-rong Street
9504                 CHINA169-BACKBONE CNCGROUP China169 Backbone
6222                 CHINANET-SH-AP China Telecom (Group)
4671                 BIZLAND-SD – Endurance International Group, Inc.
4654                 CNCNET-CN China Netcom Corp.
3302                 THEPLANET-AS – ThePlanet.com Internet Services, Inc.
2460                 CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
1632                 SOFTLAYER – SoftLayer Technologies Inc.
1597                 PAH-INC – GoDaddy.com, Inc.

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Compared to August, we see that Bizland/Endurance has dropped its number of infected sites by nearly 50%, though it still has several thousand, and Google and NetDirect are no longer on the list. GoDaddy is a newcomer to the list. I just got off the phone with the chief information security officer at GoDaddy, who let me know that they are using the list of infected URLs we provided them to notify customers, offer support in cleaning up the sites, identify the root cause of the infections, and develop proactive strategies for preventing and monitoring site compromises in the future.

