The newest round of Storm Worm propagation emails has come out, and it is
again largely undetected malware.
The main URLs we are seeing at this point are:
uhavepostcard.com <== (majority use this one)
happycards2008.com <== (all of these dated today)
There are more than 100 samples using these two URLs so far. The first
was received December 24th at 12:10 PM. The most recent was received
just moments ago.
-------
Subjects include:
A fresh new year
A fresh new year...
As you embrace another new year
Blasting new year
Happy 2008 To You!
Happy 2008!
Happy New Year To (emailhere)
Happy New Year To You!
Happy New Year!
It's the new Year
Joyous new year
Lots of greetings on new year
Message for new year
New Hope and New Beginnings...
New Year Ecard
New Year Postcard
New Year wishes for you
Opportunities for the new year
Wishes for the new year
---------
A scan of the current malware on VirusTotal just now showed a 37.5%
detection rate. The version scanned was 142,337 bytes and had the MD5
checksum of:
44dc7307c81eb9fe0a0cf9147a9932ef
Notable non-detections include F-Prot, Kaspersky, McAfee, and Sophos.
Those that did detect it named the malware as follows:
AntiVir = TR/Rootkit.Gen
Avast = Win32:Zhelatin-ASX
BitDefender = DeepScan:Generic.Malware.FMH@mmign.55A134E9
ClamAV = Trojan.Zhelatin
DrWeb = Trojan.Spambot.2386
Fortinet = W32/Tibs.G@mm
Microsoft = Backdoor:WinNT/Nuwar.B!sys
NOD32v2 = probably a variant of Win32/Fuclip
Panda = suspicious file
Prevx1 = Stormy:Worm-All Variants
Symantec = Trojan.Peacomm
Webwasher = Trojan.Rootkit.Gen
PREVX.com says this version was first seen on December 26th and has been
reported by one user in Spain. (That's where VirusTotal is, so I guess
that's me and others using VirusTotal.)
A Christmas version of the Storm Worm propagation email may still be lurking in in-boxes as employees return from their holiday vacations. The Christmas version primarily used the malware domain:
merrychristmasdude.com
Visiting that site now actually downloads the same "happy-2008.exe" malware that the New Year propagation uses, since these are in reality the same infected computers acting as the web hosts.
The Christmas subject lines were:
Christmas Email
Cold Winter Nights
Feel the Holiday Spirit
Find Some Christmas Tail
Ho Ho Ho's
How's It Goin
I love this Carol!
Jingle Bells, Jingle Bells
Looking for something hot this Christmas
Merry Christmas From your Secret Santa
Merry Christmas To All
Mrs. Clause
Mrs. Clause Is Out Tonight!
Santa Said, HO HO HO
Seasons Greetings
The Perfect Christmas
The Twelve Girls of Christmas
Time for a little Christmas Cheer.
Warm Up this Christmas
Your Secret Santa
The domain names for all of these are set up in a "round robin". For instance, I use "nslookup" to query "merrychristmasdude.com" ten times in a row and get the following list of IP replies:
66.78.160.196
24.126.208.180
86.125.107.157
70.249.186.39
79.172.83.168
91.142.197.135
62.43.161.233
78.60.109.65
91.122.89.214
75.58.60.145
A much longer list of IP addresses which answer queries for all three of these domain names:
12.207.192.66
12.215.209.21
12.219.197.139
12.227.173.1
24.165.167.150
24.181.224.249
24.181.42.5
24.182.40.236
24.2.46.250
24.210.99.223
24.3.160.88
24.95.77.206
58.226.226.6
58.8.20.129
59.112.81.137
59.113.187.86
59.12.125.252
59.15.71.112
59.3.40.145
59.86.244.147
59.92.78.2
59.93.39.233
59.95.191.39
60.249.4.119
60.50.100.42
60.53.25.73
60.56.115.109
60.9.222.137
61.15.254.115
61.32.177.59
61.72.147.153
61.80.150.87
62.65.232.246
64.85.228.164
65.189.233.73
65.31.39.88
66.142.52.23
66.31.113.211
67.164.126.186
67.173.35.121
67.177.191.148
67.181.90.28
67.186.43.176
67.187.30.81
68.127.51.120
68.167.71.243
68.187.46.125
68.204.186.99
68.248.237.55
68.54.157.173
68.54.234.64
68.63.133.158
68.79.7.249
68.80.244.129
68.81.122.156
68.81.195.121
69.154.137.176
69.183.216.161
69.215.175.83
69.225.12.176
69.226.25.20
69.247.40.180
69.248.212.75
69.254.83.191
70.115.222.172
70.126.163.174
70.243.43.6
70.245.14.188
70.249.186.39
71.200.198.181
71.205.208.104
71.224.88.232
71.227.249.98
71.230.219.209
71.230.66.163
71.237.134.222
71.86.54.0
71.96.13.37
72.40.18.255
72.48.192.221
72.8.101.213
74.128.121.44
74.138.172.43
74.164.251.210
74.75.193.213
75.131.212.194
75.132.160.97
75.21.75.238
75.35.110.9
75.35.252.137
75.37.39.88
75.50.232.119
75.61.64.23
75.68.231.167
75.73.216.43
75.85.190.206
76.107.42.125
76.111.115.55
76.119.119.58
76.15.46.122
76.171.99.77
76.173.57.101
76.212.92.117
76.22.76.57
76.229.114.65
76.243.202.32
76.25.147.99
76.254.139.102
76.65.181.160
76.68.144.93
77.41.47.214
77.48.16.49
77.57.127.78
77.99.143.61
78.107.182.172
78.107.190.69
78.92.91.186
79.112.4.123
79.120.35.238
79.120.56.38
79.126.167.63
79.139.178.64
79.165.162.240
79.182.0.73
80.73.89.69
81.190.78.83
81.210.133.54
82.1.108.104
82.181.41.160
82.233.232.162
82.79.129.214
83.5.77.234
83.54.12.240
84.10.43.106
84.126.102.227
84.31.89.195
85.180.66.14
86.102.1.205
86.125.170.161
86.61.66.60
86.63.107.2
87.207.117.102
87.8.161.149
88.156.9.155
88.164.68.15
89.110.51.47
89.137.201.205
89.161.22.219
89.178.170.110
89.20.119.182
89.215.180.33
89.228.40.58
89.36.102.75
89.38.163.176
90.150.126.235
90.150.215.50
90.157.92.141
91.106.18.142
91.122.147.67
91.122.19.127
91.18.246.67
98.194.162.228
98.196.29.67
99.145.19.221
99.241.144.189
117.199.240.218
121.1.85.140
121.124.15.53
121.146.205.123
121.150.127.150
121.158.220.126
121.162.87.237
121.165.21.31
121.172.10.95
121.173.45.111
121.179.107.71
121.246.163.37
121.246.86.244
121.247.143.131
121.247.165.149
121.247.66.110
121.96.253.35
122.164.35.171
122.202.44.89
122.32.53.35
122.36.84.38
122.50.173.172
122.99.16.4
123.201.0.167
123.202.81.199
123.203.20.137
123.215.177.241
123.236.114.63
124.120.35.98
124.120.36.238
124.125.116.171
124.199.33.113
124.244.198.114
124.82.112.191
125.137.205.157
125.208.107.18
125.233.65.153
125.235.36.97
125.24.82.14
168.243.219.228
190.17.101.223
190.21.9.139
195.189.153.21
196.217.102.238
200.84.241.161
200.94.163.191
201.172.192.141
201.222.110.245
201.231.140.173
201.241.57.55
201.255.181.193
201.27.179.128
203.223.220.24
203.255.10.96
206.45.91.55
209.102.185.215
210.105.165.204
210.109.244.10
211.109.96.223
211.195.3.79
211.201.18.155
211.204.48.194
211.54.167.69
213.169.180.110
217.123.175.129
218.156.143.96
218.174.73.42
220.118.185.247
220.121.81.72
220.19.166.13
220.225.184.83
220.76.90.93
220.78.225.208
221.147.22.23
222.114.18.22
222.238.245.88
222.98.228.236
Good luck, and thanks for any help terminating the three domain names in question:
Merry Christmas and Happy New Year, CyberCrime Fighters . . .
_-_
gary warner
http://www.cis.uab.edu/forensics/
Wednesday, December 26, 2007
Thursday, December 13, 2007
"Google Referrer Only" malware sites
Here's a curious thing that I read in "Tacit's" LiveJournal post today. There is a new major infection on iPowerWeb.
This one has an interesting new twist. Based on Tacit's post, I decided to do some of the normal Google searches that I would do anyway, but add to them the requirement "inurl:/ad/har/", which was a string associated with what Tacit mentioned.
So, for example, I do Search Engine Optimization to keep some of the sites I host performing well. I'll do a search on "haiku books", where my haiku poetry website always is in the top 5, but with this additional requirement.
There are 142 webpages containing the words "haiku" and "books" that have the string "/ad/har/" in the URL. So, sites such as "joygabrieldentistry.com", "barkershotdogs.com", "wassermanandthomas.com", and "hawaiiyachts.com" have pages, ranging in topic from "geisha memoirs", "cybersex webcams", and "scrotum enlargement surgery", which respond to this.
I did another search on "warner genealogy", with the "/har/ad/" requirement and got 16 hits, but when I changed it to "smith genealogy" there were 3,010 with the link. All of them that I checked were hosted on iPowerWeb.
Being rather sure that "cabincraftskishop.com" was not actually a porn site, I continued with the experiment, after first making sure NoScript was running in my FireFox browser.
The sites were the traditional spam sites you've probably seen before, where whatever term you search on is randomly scattered through the content of a pornographic story. "Joan answered the door to her michael butch genealogy NY apartment. I couldn't help but notice her sizing up my centerville utah genealogy."
The links go all over the place when you click on them (with NoScript blocking like crazy...) The first took me to "3xpowered.com" which calls itself "PornTube" and is set up to look like YouTube only with porn movies. If it hadn't been for NoScript, my browser would have called a download.php file from "xyzsolution.com", which would pop a window saying "Would you like to continue?" and asking to install "setup.exe". (xyzsolution.com and 3xpowered.com are both hosted on URKTelecom in the Ukraine). 3xpowered.com is a "top 10,000 website" and is visited by over 330,000 American IP addresses per month.
3xpowered.com seems to be another venture from Nikolay Fedorov (not the philosopher) like his getxxxphotos.com. His getxxxphotos.com site forwards to "imgstorages.com", which currently tries to download malware to your computer through a link from "www.abcdperformance.com". abcdperformance.com is brand new. Not yet 48 hours old, but I bet it will gain in popularity!
The next link (compusupport.biz) tried to forward me to "xscanner.spyshredderscanner.com", which would warn me that I had malware on my computer and that I needed to install their software to protect myself. The file "Install1642.exe" would then have been run on my computer. SpyShredderScanner is hosted in Russia on the IP 77.91.229.106. According to statistics from a web monitoring company, 2.7 MILLION American IP addresses visited this website in the month of November, making it the 560th most popular website they monitor. Another webstat company gives it 2.5 Million unique visitors and calls it the 544th most popular site on the web. Anyone who goes there is at risk of infection, but the statistics clearly show that AT LEAST 100,000 AMERICAN COMPUTERS PER DAY visit the site.
Here's where things get very interesting though. Having just visited each of those sites, I then tried to visit them by typing the URL in my browser. Just as Tacit experienced, I received a "404 message" -- File Not Found.
Again, with my hat off to Tacit, we can duplicate this behavior using "wget", a text-based website fetcher.
C:\incoming\danger\ipower>\tools\wget http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html
--07:06:05-- http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html
=> `het.html'
Resolving homeautomationtech.us... 66.235.203.141
Connecting to homeautomationtech.us|66.235.203.141|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /404 [following]
--07:06:05-- http://homeautomationtech.us/404
=> `404'
Connecting to homeautomationtech.us|66.235.203.141|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
07:06:06 ERROR 404: Not Found.
C:\incoming\ipower>\tools\wget --referer=http://www.google.com/ http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html
--07:03:55-- http://homeautomationtech.us/images/xpxrs/har/ad/1/het.html
=> `het.html'
Resolving homeautomationtech.us... 66.235.203.141
Connecting to homeautomationtech.us|66.235.203.141|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://traffloader.info/go.php?s=homeautomationtech.us&ver=7 [following]
--07:03:55-- http://traffloader.info/go.php?s=homeautomationtech.us&ver=7
=> `go.php@s=homeautomationtech.us&ver=7'
Resolving traffloader.info... 87.248.180.67
Connecting to traffloader.info|87.248.180.67|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--07:03:56-- http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php@id=4161&n=teen&bgcolor=000000'
Resolving www.clipsfestival.com... 82.208.18.109
Connecting to www.clipsfestival.com|82.208.18.109|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--07:03:56-- http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php@id=4161&n=teen&bgcolor=000000'
Resolving powerof3x.com... 85.255.118.156
Connecting to powerof3x.com|85.255.118.156|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.3xpowered.com/m4/index.php?id=4161&n=&a=Gnark&v=1392601&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg [following]
--07:03:56-- http://www.3xpowered.com/m4/index.php?id=4161&n=&a=Gnark&v=1392601&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg
=> `index.php@id=4161&n=&a=Gnark&v=1392601&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg'
Resolving www.3xpowered.com... 85.255.115.180
Connecting to www.3xpowered.com|85.255.115.180|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 33,097 71.19K/s
07:03:57 (71.08 KB/s) - `index.php@id=4161&n=&a=Gnark&v=1392601&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F047%2F4521569111.jpg' saved [33097]
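The two wget runs above are the whole test: same URL, one request with no Referer and one claiming to come from Google, redirects not followed, and the first hop compared. The script below is an added example, not code from the original post. It wraps that check in a small Python client and includes a tiny in-process HTTP server that reproduces the behaviour in the transcript (302 to /404 for direct visits, 302 off-site for search-engine visitors) so it runs offline. That mimic server, its 127.0.0.1 URL and the verdict labels are constructed for this example; the request path and the traffloader.info redirect target are the ones in the transcript.

```python
"""Referrer-conditional ("Google referrer only") redirect check.

Added example, not from the original post. The mimic server and its
loopback URL are constructed; the path and redirect target are taken
from the wget transcript.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import urlparse

GOOGLE_REFERER = "http://www.google.com/"
Answer = Tuple[int, Optional[str]]  # (HTTP status, Location header or None)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, referer: Optional[str] = None, timeout: float = 5.0) -> Answer:
    """One request; the first hop is what distinguishes the two visitor types."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises for 3xx/4xx once redirects are off
        return err.code, err.headers.get("Location")


def classify(plain: Answer, from_google: Answer, origin_host: str) -> str:
    """'same' when both visitors get one answer; 'cloaked-offsite' when search
    visitors alone are bounced to another host; 'cloaked' for any other difference."""
    if plain == from_google:
        return "same"
    target_host = urlparse(from_google[1] or "").netloc
    if target_host and target_host.lower() != origin_host.lower():
        return "cloaked-offsite"
    return "cloaked"


class _CloakingHandler(BaseHTTPRequestHandler):
    """Mimics the hosted page in the transcript (constructed for this example)."""

    def do_GET(self):
        if self.path == "/404":
            self.send_response(404)
            self.end_headers()
            return
        if "google." in self.headers.get("Referer", ""):
            location = "http://traffloader.info/go.php?s=homeautomationtech.us&ver=7"
        else:
            location = "/404"
        self.send_response(302)
        self.send_header("Location", location)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_offline_demo() -> str:
    """Start the mimic server on a free loopback port, probe it both ways, classify."""
    server = HTTPServer(("127.0.0.1", 0), _CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host = f"127.0.0.1:{server.server_address[1]}"
        url = f"http://{host}/images/xpxrs/har/ad/1/het.html"
        return classify(probe(url), probe(url, GOOGLE_REFERER), host)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_offline_demo())
```

Against a real host, call `probe` on the suspect URL with and without `GOOGLE_REFERER` and pass the site's own hostname to `classify`; a verdict of `cloaked-offsite` is exactly the case in the transcript, where the hosting company's support staff, typing the URL by hand, will only ever see the 404.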
Can you imagine what happens if someone calls iPowerWeb tech support to report the problem.
"What's the URL? Yes sir, we've just looked. No, there is no such page, it must have been discovered and removed."
Why wonder. I'm going to call them and try to get a live person on the phone. l-888-511-HOST.
(They are still experiencing heavy call volumes and refer me to their website. Their "live chat" puts my wait time at 12 minutes. Waiting . . .
SUCCESS! I'm on the phone with iPowerWeb now! I'll update with their response.
Well, ALMOST success. Support could duplicate the above, but said I would need to email "abuse@", who wasn't in yet this morning. (sigh)
An update (14 DEC 2007)
iPowerWeb is working closely with some Federal Cybercrime folks to get their sites cleaned up.
In the meantime, I was thrilled by the response from Google Investigations, who says they are going to be taking immediate action, by adding a "This Link May Harm Your Computer" link on all of these sites. They also encouraged me to share this link with others:
http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html
which tells of their "report badware" program, and gives a link to allow reporting of malware-drive-by sites and to pass notes which will be included in the report sent to investigators.
Saturday, December 8, 2007
Off Topic: Browser and OS Trends
WARNING!! I'm going a bit off topic today.
This post started off to be about JavaScript-enabled browsing by end users. Security professionals have long recommended that JavaScript be disabled by default, and enabled only for those sites which require JavaScript and which the user trusts as a "Trusted Site".
In Internet Explorer this is done in a fashion that confuses most end users, by creating a "Trusted Zone" and setting different security properties in the Trusted Zone than in the Internet Zone. (Directions for using Trusted Zones are here)
In FireFox, the best way to accomplish this is by running the plug-in "NoScript", which disables scripting by default and lets the user click to enable scripts on trusted sites that appear broken when scripting is disabled. (The NoScript homepage is here)
Bottom Line: Unless a site requires JavaScript and you trust it, you should not be browsing with JavaScript enabled!
Unfortunately, as I reviewed three groups of web statistics - from visitors to this blog, from visitors to my haiku poetry website, and from visitors to my genealogy website - almost EVERYONE had JavaScript enabled. Between 97.7% and 98.5%!!
Then I laughed at myself as I realized that I was using Google Analytics to do that measurement, and Google Analytics doesn't record the visit unless JavaScript is enabled. Which now has me puzzling over how ANYONE was recorded who had no JavaScript.
But I still had some interesting, though slightly off-topic, results to share with you, Dear Reader . . .
If we watch the media in its various forms, we are being bombarded with a few basic messages:
- The Age of the Macintosh is upon us
- Linux Threatens Windows
- Windows Vista is the Path to Security
- Internet Explorer 7 is the Path to Security
I thought it would be interesting to look at some statistics to see if these messages reflect the reality of the Average Internet User.
After careful reflection, I realized I don't have the ability to measure The Average Internet User, so instead I looked at some Google Analytics for three websites that I have tagged. The three are of course English-language biased, but then so is most of the media I consume, so I think that's ok.
Sample One: People who read this blog.
This blog is about CyberCrime, and usually CyberCrime in the United States. One hopes that the readers are people who care about CyberCrime and perhaps by a bit of a stretch, protecting their computers.
For the sample period I looked at there were 3,400 unique visitors to this blog from 85 countries and all 50 states, but with 78% of the readers coming from the US.
OS | Share of visitors
--- | ---
Windows | 88.65%
Mac | 7.91%
Linux | 3.09%

Windows version | Share of Windows visitors
--- | ---
XP | 83%
Vista | 10%
2000 | 5%
Server 2003 | 1%
98 | 0.8%

Browser | Share of visitors
--- | ---
Internet Explorer | 58.01%
FireFox | 34.69%
Safari | 4.44%
Opera | 1.13%

IE version | Share of IE visitors
--- | ---
IE 7.x | 50.24%
IE 6.x | 49.42%
IE 5.x | 0.34%
Sample Two: People who visit my haiku poetry website.
The Haiku Poetry fans, as you might imagine, are a bit different than the readers here. 6,600 unique visitors from 98 countries and all 50 states, with only 54% of the readership coming from within the US.
OS | Share of visitors
--- | ---
Windows | 88.49%
Mac | 8.86%
Linux | 2.53%

Windows version | Share of Windows visitors
--- | ---
XP | 85%
Vista | 6%
98 | 4%
2000 | 3%

Browser | Share of visitors
--- | ---
Internet Explorer | 67.26%
FireFox | 24.57%
Safari | 5.64%
Mozilla | 1.43%

IE version | Share of IE visitors
--- | ---
IE 6.x | 58%
IE 7.x | 39%
IE 5.x | 2%
SLIGHTLY higher Macintosh adoption (not statistically significant), slightly lower Linux adoption (also not statistically significant), but a much greater chance of using "old" Internet Explorer, not being on Vista, and still running Windows 98.
Sample Group 3: People who visit my genealogy websites
This was the smallest group, with 1200 unique visitors representing 37 countries, but with 86% of the traffic coming from within the United States. Genealogists tend to be older and thriftier people than Security professionals. Probably on a "technology" basis, they are more similar to the haiku poets than the security professionals. I included this as a hope towards a "lower tech but US based" sample, to see whether the haiku poets trends were representing their tech level, or their nation of residence.
OS | Share of visitors
--- | ---
Windows | 88.7%
Mac | 5.67%
Linux | 5.25%

Windows version | Share of Windows visitors
--- | ---
XP | 86.5%
Vista | 7.5%
2000 | 3.2%
Server 2003 | 1.3%
98 | 1.2%

Browser | Share of visitors
--- | ---
Internet Explorer | 70.14%
FireFox | 20.35%
Mozilla | 4.4%
Safari | 3.48%

IE version | Share of IE visitors
--- | ---
IE 6.x | 50.15%
IE 7.x | 49.04%
IE 5.x | 0.08%
Conclusions?
Macintosh users, from my unscientific study, still represent less than 9% of the installed user base.
Linux users are still a small enough number for the average webmaster to safely ignore them.
Vista still represents less than 10% of the installed user base.
FireFox has an impressive market share and must be considered by all webmasters, but trails both IE 6 and IE 7 when considered individually.
Despite the security benefits of IE7, slightly less than half of those who could use it are using it. (From my experience this is because many web-based applications still don't work in IE7.)