Insights from StopBadware research

Posted on February 3, 2014 - 14:51 by ccondon

StopBadware’s data sharing program has been up and running since the end of September 2013. Last month, the program passed 1 million event reports. One of our goals for the program is to be able to facilitate high-quality academic research on malware. Marie Vasek, a doctoral student at SMU and StopBadware’s own operations technologist, started analyzing DSP data shortly before the new year. Below are some big-picture insights from our data sharing program data, as well as data from seven public malware lists (see acknowledgments). We’ll be sharing more in-depth analysis with the DSP contributing companies and our partners throughout the year.

Most abused TLDs

Phishing comparison data comes from the Anti-Phishing Working Group.

Malware attacks by TLDPhishing attacks by TLD - APWG

Types of webservers

We used W3Techs market share data for comparison.

Software on infected serversServer software breakdown - W3Techs

CMS distribution

Since StopBadware’s historical focus was websites, we were quite interested to see which content management systems (CMS) were running on infected websites. Again, we used W3Techs market share data as a general comparison baseline.

Infected CMS distributionCMS market share - W3Techs


All data sharing program (DSP) data comes from ESET, Fortinet, Internet Identity, and Sophos. We used data from the following public malware lists in addition to data from StopBadware’s DSP: CleanMx, Malc0de, Malware Domain List, Malware Domains, Malware Blacklist, Malware Patrol, and ZeusTracker.


StopBadware's 2011 Checklist

Posted on December 29, 2011 - 10:16 by ccondon

Last year, we posted a checklist of key accomplishments in our first year as a standalone organization. Our 2010 checklist included a lot of numbers—like the millions of users and webmasters who learned about badware via our educational pages or read our Tips for Cleaning & Securing Your Website—and while those numbers are still important to us, 2011 has been much more about engaging collaboratively with the security ecosystem to define new ways of thinking about the badware problem—and its solutions.

StopBadware's 2011 Checklist

  • By the numbers: Nearly 5 million people searching for information on preventing, identifying, and getting rid of badware found that information on our website. Those millions of people came from 211 countries and territories and spoke 204 different languages. Over 900 webmasters on our community forum,, asked for and received help getting rid of bad code that had compromised their websites. Our blog flourished, and our social media following grew by an average of 55%. And if that weren't enough, we also processed over 16,000 independent review requests from webmasters whose sites ended up on our data providers' blacklists.
  • We gained eight new partner companies this year, and all of them are fantastic, responsible, forward-thinking organizations dedicated to making the Web more open and secure: thanks for the great year, Verizon, Qualys, SoftLayer, Sophos, and Tucows! The other three we can't yet tell you about yet (though you're welcome to guess!), but look for announcements very soon. We also completely revamped our Partner Program so as to better engage and recognize our Partners. Have a look.
  • We published our inaugural State of Badware report, which analyzed badware trends, identified systemic weaknesses in the security ecosystem, and discussed key ways industry and policymakers could evolve to make the Internet more resilient to badware. It also leapt tall buildings in a single bound.
  • With advice from our cross-industry working groups, we developed and released two sets of industry best practices. Yep, count 'em. Two: Best Practices for Web Hosting Providers: Responding to Badware Reports, and Best Practices for Reporting Badware URLs. These best practices were a big first step for us in creating a collaborative, realistic industry standard that helps both reporters and report recipients streamline the badware reporting process, from detection to cleanup.
  • We commissioned a legal white paper on web hosting provider liability for malicious content from Harvard's Berkman Center for Internet & Society; this helps allay hosting provider concerns about taking good faith steps to address badware on their networks.
  • We launched the We Stop Badware™ Web Host program to recognize web hosting providers who are committed to security and to drive adoption of our web hosting best practices among the responsible hosts of the world. The program now has 28 participating providers from 13 countries across five continents. It's a big step, both for us and for the hosting industry.
  • We started a pilot reporting project, in which we reported URLs from our community feed in accordance with our Best Practices for Reporting Badware URLs. A research publication on the statistical results of this project will be forthcoming in 2012, but even preliminary results indicated that our initial foray into reporting was yielding a positive outcome.
  • We made appearances! Our executive director graced multiple panels and conferences with his badware-busting wisdom, a few of us rocked out and raised badware-awareness (badwareness?!) at HostingCon in San Diego, and we hosted our first-ever dinner in the Bay Area to get an in-depth discussion going on the badware threat and what industry players can do to combat it.
  • We got an award! Thanks to the ever-obliging Online Trust Alliance for bestowing us with the Online Trust Leadership Award for excellence in collaboration. We're digitally blushing.

We also physically moved this year: we left our beloved shared office in Harvard Square and hustled on over to the Cambridge Innovation Center, where espresso flows freely and start-ups of all stages huddle in iPad-controlled conference rooms. Staff Technologist Isaac regularly abuses snack privileges and our raconteur Caitlin still can't figure out how to use the office phones, but we have an office of our very own and two white boards on which we've already reinvented the Follow Friday Twitter hashtag. It's from here that we'll continue to build StopBadware and expand our badware karate chopping capabilities; with our amazing StopBadware Partners, hard working staff and intern, and lofty Board of Directors, the future is looking bright! 2011 has clearly been a big year for us (yeah yeah, we know—we said that last year, too). We're feeling like 2012 will be even better.

We're entering the New Year with our strongest group of StopBadware Partners yet. There's still much to be done; if you're interested in joining the discussion and the action in our partner community, let us know. We also welcome individual donations to help us continue and expand our existing programs.

Announcing the newest StopBadware report: The State of Badware

Posted on June 8, 2011 - 09:15 by ccondon

Today, StopBadware is proud to announce the public release of our first State of Badware report. The State of Badware offers insight into recent badware trends and responses and examines the factors that contribute to badware’s persistence. 

Badware is a significant challenge for all members of the Internet ecosystem, from individual computer users to big businesses and world governments. Cybercrime has evolved into a complex, profitable economy, and badware is the tool of choice for cybercriminals who perpetuate this economy. Despite the considerable resources poured into attempts to eliminate it, badware is, by all accounts, still on the rise. We believe that to truly understand the badware threat, it’s necessary to look at the interconnected systems that are tasked with defending against badware: The State of Badware explores four major areas of vulnerability—technical, behavioral, economic, and legal—in the Internet ecosystem’s overall structure that contribute to badware’s perseverance. 

It’s clear that the today’s approaches to security aren’t enough to repel or eradicate increasingly dynamic and hard-to-measure badware; we must create new and more centralized methods of measuring and responding to this threat. The State of Badware highlights key opportunities for improvement: it is intended as a resource to help individuals, business leaders, and policymakers understand how both badware and the industry’s response to it are evolving—and what steps we can take to defend against it.

You can read the full press release here. We at StopBadware are excited about this report--both its release and its potential as a tool for those who want to take action. As always, we welcome thoughtful discussion. You can download the full State of Badware at