Pre-link scanners - snake-oil?

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Pre-link scanners - snake-oil?

Post by luntrus » Wed Jul 08, 2009 6:44 pm

Hi malware fighters and users of NoScript,

I tested the following piece of malcode, reported in the Virus and Worms section from a find on a hacked legitimate web site, as a Google search request, to see how link scanners like Finjan and WOT would react to these pages, which the avast shield would flag and then disconnect from, and against which the NoScript extension would protect. The results are not very reassuring where the link scanners are concerned....
This was the request; you can put it into your Google search form and then see for yourself (do not click on the result pages marked green by the pre-scanners, because all may be infected through the so-called "Islamabad" hack-code!). This

Code:

var 
k1='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22

was the search query.

On the first result page the first two results did not count because they were from avast webforum mentioning the malscript.
Best performing was Finjan: 2 flagged as "potential virus can harm your computer", this over three result pages.
One result was flagged by WOT, but not because of the code, because of the site's reputation; one yellow for another search result. McAfee SiteAdvisor missed all, and DrWeb's AV link checker plug-in also missed them all because it only scans within the same domain...

So if you want to use a link checker I would choose Finjan Secure Browsing, but the performance of this scanner is also poor. Best is the avast live browser shield scanning. And of course nothing can compete with the full protection of the Firefox browser with the NoScript and RequestPolicy add-ons installed.

My personal opinion of the present pre-link scanning results: I consider them mainly to be snake-oil.

luntrus

therube
Ambassador
Posts: 7404
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Pre-link scanners - snake-oil?

Post by therube » Wed Jul 08, 2009 7:44 pm

Well obviously a service that only scans a particular site every so often, will (may) only catch malware if it is there at the time of the scan. And in the same way, a report of malware detection is likely to remain even after the site has been cleansed.

I wouldn't call it snake-oil, but you have to understand what a particular service can or cannot do for you.

And any service like this can only be of benefit after the fact. They are not pro-active.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Pre-link scanners - snake-oil?

Post by GµårÐïåñ » Wed Jul 08, 2009 9:48 pm

I agree with therube to the extent that it is not necessarily snake oil, which suggests they are incapable, but rather that they might not be based on the best model. Even then, it is up to the user to KNOW what the tools can and cannot do and to exercise a level of common care as well. As long as you understand that your tool has an interval for updates, or uses a database, or this and that, you will be fine, because you won't expect it to deliver what it cannot. I do agree that for the less technical users it can give a false sense of security, and that's objectionable. Think of it this way: just because the light is green at the intersection doesn't mean that if you race through it, you won't be hit by someone who runs a red light. Can't blame the city or the green light, right? Always use with caution and assume the world is out to get you. :P

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Pre-link scanners - snake-oil?

Post by luntrus » Wed Jul 08, 2009 10:40 pm

Hi my friends GµårÐïåñ and therube,

But did you perform the test? Just try and put the short bit of that particular code in as a search query that is scanned through Finjan, WOT, or scandoo.com, and you will establish how poorly these "real time scanners" or partly reputation scanners handle code on legit sites that were hacked and redirect to "malware all sorts" on behalf of CyberCrime & Co et al.
That is the new situation, my good forum friends: a new massive threat that goes largely unnoticed by these scanners (80%). At http://www.unmaskparasites.com/security-report/ , based on Google's security website report, I get a much better score here and an indication of what is wrong and attached to the source code, and real scanners like Anubis also give these in-depth reports.
Even with Firekeeper, with appropriate rules for detecting malcode, the results would be better. What do link scanners do other than link? Not much. They do not tell me that on site so-and-so I will be confronted with obfuscated script, to which I would like to deny access; that there is third-party embedded script there, which I would like to refuse anyway; or hidden iFrames that might take me to a silent download site with a dozen malcode scripts trying out exploits on my unpatched browser and other software vulnerabilities that I failed to update (I check that now with Secunia's PSI). So NoScript is on one side of the spectrum, protecting me. What is there on the other side of the spectrum, the detecting side?

I do not want to be a victim of some self-proclaimed website admin who does not know how to secure his code or protect his website software. Well, old luntrus knows how to protect himself through SafeHex: limiting access to what should not have access on the OS, limiting rights to what should not have them, and denying access to code to block malicious code insertions; but that cannot harm me much, because normally malware can do only as much harm as a normal user's rights allow (so even curtail system rights in certain circumstances). But what about the average user of a browser? Can they rely on the link scanner greens, or halt for reds? I would not like to have these on a railway track; if I ran a train like that, a derailment would be round the corner, I think. A lot of security here is make-believe, folks: you rely on a validation made at a certain point in time, and then the assessment can be totally wrong in a large percentage of cases.

luntrus

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Pre-link scanners - snake-oil?

Post by GµårÐïåñ » Wed Jul 08, 2009 11:23 pm

As I said in my earlier post, the effect on the average user is more noticeable due to a false sense of security, but unfortunately there is no one-size-fits-all, set-it-and-forget-it solution without some degree of involvement. I think the bottom line is that users need to be educated more, and they need to take a more proactive approach and do their due diligence, or face running into problems. It's an unfortunate sign of the times, but hardly anything new.

therube
Ambassador
Posts: 7404
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Pre-link scanners - snake-oil?

Post by therube » Wed Jul 08, 2009 11:33 pm

No, I didn't test anything.
I did see where the code was prevalent.

As far as all the tools you mention, I briefly looked at the Finjan website, didn't find anything, and generally don't know where to go to look for such tools. I'm assuming you plug in a URL (online) and the site scans your URL? If not, then they would interest me even less.

Most all security is "make believe", because most only react when something occurs rather than being proactive. And most often something has to occur before they even know to react.

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Pre-link scanners - snake-oil?

Post by luntrus » Thu Jul 09, 2009 10:05 pm

Hi folks,

I like this to check against: http://www.malwareurl.com/listing-urls.php?urls=off

And two Amsterdam students have started to build a promising detection tool for finding silent malware download exploits by analyzing meta-data characteristics from header-interchange information; at this stage of tool development they could get an accuracy of 93% on their finds. So GµårÐïåñ, as we know, they can build such a tool for us.

luntrus

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Pre-link scanners - snake-oil?

Post by GµårÐïåñ » Thu Jul 09, 2009 10:40 pm

Let's hope they are successful; my best wishes and most positive hopes for their success. I didn't categorically say it cannot be done, and I have nothing against such tools, but I will maintain that no matter how good it gets, no matter how advanced it becomes, no matter how close to 100%, you need to remain involved and you can't become complacent and expect it to protect you without any involvement. To be used as a layer of protection, as a tool, as a companion or as a means, I am all for it, but not to replace common sense or individual judgment. The users can only milk the "I am a novice", "I am an idiot", "I am not a techie", etc. etc. so long before they need to just take responsibility for the fact that if they are going to use the technology, they need to at least put minimal effort into learning it. No one is expecting them to write the next great code or become the next Italian master like Giorgio, but at least try to have basic competency and understanding and put some effort into it. We have non-techies here on this forum who show us each and every day that you don't have to be able to disassemble it, but if you put enough effort into it, you can understand it, manipulate it and use it productively. It's the greatest proof of concept of my position ever and is demonstrated here each and every day.

If it uses an algorithm or code logic to detect it, code logic and algorithm can be used to defeat it, hacker 101 and I am sure I am not the only one who knows or thinks that. Giorgio has been a hacker, maybe he can comment too or our great contributor and friend sirdarkcat. I have spent my whole life breaking code to make it better only to break it again so it can become better but no matter how complex it becomes and no matter how good it becomes, it might slow the defeat and make it harder, but it will never make it IMPOSSIBLE. It will just slow it down and make it harder, not stop it, ever. I believe that is best demonstrated with software licensing, no matter how hard they try and no matter what model they implement, it has been and will always be defeated. Anyway, don't want to go on too much of a ramble here but the fact is that I am all for great tools such as these and I am hopeful and will always support such efforts, if for nothing else than to help the average user stay safer, but the fact remains that sometimes they lead to a false sense of security and complacency that is far worse than "running naked" and just being more careful and employing common sense.

therube
Ambassador
Posts: 7404
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Pre-link scanners - snake-oil?

Post by therube » Fri Jul 10, 2009 8:00 pm

Not sure I understand this http://www.malwareurl.com/listing-urls.php?urls=off ?

I enter '3b3.org' into Quick search and I'm not sure what it's giving back to me?
I enter '3b3.org' into Search & it shows, no match found.

3b3.org is bad.
