Musings about my volunteer website security scan experiences....

@those interested in this topic, and bob3160 for the initial idea to bundle the posting subjects (thanks to all :wink: )

With thanks to those that share my enthusiasm here and check (against) my results,
Pondus, !Donovan, Eddy, Michael, Para-Noid, mchain and many many more.
Without your ongoing inspiration and cooperation I would not be where I am now
and not least Avast, which creates this wonderful platform here for working together to improve Avast support.

You will read here about a variety of topics concerning what I do in the virus and worms.
All I do here has one single aim, that is adding to the splendid Avast online protection,
so that users with Avast have the best here, with the unique shields, domain rep scan, etc.

My first topic is called: Google Safe Browsing and Yandex Safe Browsing Results Differ Considerably.
Well, most of the time they are consistent and alert to the same website threats.

Blacklisting results play an important role in online protection against suspicious/malicious websites.
This starts with scanning a website at VirusTotal, whose results mainly consist of blacklisting results.
A Quttera scan checks against the following blacklists:
PhishTank - domain is Clean.
Quttera Labs - domain is Clean.
Yandex-SafeBrowsing - domain is Clean.
Google-SafeBrowsing - domain is Clean.
MalwareDomainList - domain is Clean.
Combined with the Avast protection of shields and Avast’s browser extension, the DrWeb extension block list and all domains flagged by Bitdefender TrafficLight, we have already steered away from many a dangerous click.

But Safe Browsing differs: the search page for htxp://www.oradio.com.br/ at Google does not flag it.
At the Yandex search page we get:
Quote
Visiting this site may lead to malware being installed on your computer or mobile device, which may be used without your knowledge, and valuable data may become corrupted or stolen. Details

Details: https://www.yandex.com/infected?url=http%3A%2F%2Fwww.oradio.com.br%2F&lang=pt&fmode=inject&tld=com&la=&text=http%3A%2F%2Fwww.oradio.com.br%2F&l10n=en&mime=html Sophos detects malware on the website as Troj/JsRedir-NN.

Also the options: View secure cached page
This will not harm your computer or its data
and
Visit this page anyway
Following this link may harm your computer or mobile device (a thing we are ill advised to do, i.m.o.).

Why does the Yandex search page protect users against a visit there while Google Safe Browsing does not?

Conclusion - one should use various blacklists to feel somewhat more secure.

polonus

(more to follow in this thread…)

FPs are a problem for all anti-malware vendors; VT is gonna help against mistaken detection.
How is this going to work out in the grey area for PUP detections and persistent adware/junkware?
Will we get TRUSTED PUP or TRUSTED JUNKWARE?
Read here about this new feature coming to Virustotal:
http://blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html

Anyone?

polonus

Will read it when I’m finally back home. PUPs are a serious issue nowadays, as we can see that even AV vendors bundle them with their software; PUPs need to be detected much better. Will forward that link to the developer of a new upcoming AV software :slight_smile: PS: he is 14 right now

Why set this door open ajar, or build in a PUP-adware cat flap trap?
Please, dear VT, my code swims like a PUP, quacks like a PUP, but I swear it is no PUP,
oh no, and it ain't no adware, no way, it is just a genuine False Positive ;D

polonus

I’d like to know how they can tell who put that key logger on my computer??? (If I had one.)
Did I do it intentionally or, was it done maliciously???

Hi bob3160,

Indeed there is a thin grey line between legitimate keyloggers and hidden keyloggers that are part of full-fledged trojans. The term for this category of malware is the Trojan-Spy, malware that will

track user activity, save the information to the user’s hard disk and then forward it to the author or ‘master’ of the Trojan.
Read more in depth here: https://securelist.com/analysis/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1/

polonus

I’m well aware of what a keylogger does, Damian. If I choose to install it to monitor activity on my system, it’s a legitimate tool.
If it’s installed without my knowledge, then it’s malicious.
I want to know how an AV can tell the difference between my installation and a malicious install ???

This is the main way to tell the difference:

Behavioral detection differs from appearance detection in that it identifies the actions performed by the malware rather than syntactic markers. Identifying these malicious actions and interpreting their final purpose is a complex reasoning process.
Quote from:
Hervé Debar PhD, HDR. So the source and the way it was installed play an important role.
Compare it to shop camera monitoring that can discriminate between someone buying tools for a DIY job or to be used in breaking & entering a house illegally. When you buy a balaclava and a sledgehammer, you could be a security risk and suspicious. ;D ;D

Damian

If it were that simple, there wouldn’t be any false positives. :slight_smile:

Hi bob3160,

Well, there is more to this than meets the eye. Many times in the virus and worms we see developers come and complain about false positives and FP detections on (new) packer obfuscation, for instance. And as a complication, a whole row of what came whitelisted before can now come up as an FP with a new (slightly different) update. Avast really has some problems there to tackle. So the new VT whitelisting and demasking of FPs can certainly help towards that goal. Recently Avast had quite some problems with new updates of proggies and tools. Signing their code by developers and certification may help; also additional meta-scans can make an FP less obvious.
And of course the bundled junk-, ad- & spyware should never go under the detection radar, as this ever-expanding new bundling craze is making the whole exercise even more complicated. And then there is the explosion of new detections that is making the whole process even more complicated. That for simplicity… ;D

polonus

When doing a “cold reconnaissance third party” website scan we always like to have the full story from a to z.
What vulnerable technology was being used for server and website software? What free plug-ins and themes were vulnerable?
Was there any second line security being brought into place? And we want to know why the website could have been attacked, what attack was being performed and similar questions. Sometimes we can get these details from a Clean MX report or from a threat description by a researcher - or when we are lucky from a combination of online scan results and descriptions.

But NinjaFirewall also gives all the “gory” details at once, as there is: type of threat, what was being targeted, where it was being targeted, what vulnerability or exploit was being abused, the malware domain that caused the threat, and the malware raw code.
Example: http://ninjafirewall.com/malware/index.php?threat=2014-12-18.01 and now combine with info here: https://www.mywot.com/en/scorecard/clickevents.com.my?utm_source=addon&utm_content=popup and here:
https://wordpress.org/support/topic/gwt-malware-warning-for-my-website-and-defaced
When we let this info all sink in we’ll see we are being confronted with a flaw of the SoakSoak malware just by googling on “collect.js malware”. Whenever we see “collect.js malware” a little lightbulb flash goes off at the back of our head and we will
mumble “Oh, SEO related malcode!”.
Another lesson learned another threat recognized. ;D
NinjaFirewall has a free offshoot for WP PHP as a stand-alone plug-in, worth recommending to people that are curious and have similar interests like little old me, :wink:

polonus (volunteer website security analyst and website error-hunter)

Time to return to the dramatically bad situation where security headers are concerned.
One important example from the Hall of Shame: https://www.microsoft.com
See: https://www.uploady.com/download/gN0Vfam8FKU/F9RytmG59o8~34EA
and https://www.uploady.com/download/GbzM~734U3J/7WSvra~jOTelppAr
X-Frame Options - missing
Provides clickjacking protection by instructing browsers that this page should not be placed within a frame. Possible values are: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, and allow-from: - allow rendering if framing page is within the specified URI domain. Allow from is supported by IE and Firefox, but not Chrome or Safari. It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
Strict-Transport-Security missing
HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for users to ignore SSL negotiation warnings.
X-Content-Type-Options Use ‘nosniff’ missing
The only defined value, “nosniff”, prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that by clever naming could be treated by MSIE as executable or dynamic HTML files.
Warning on Content-Type
Instructs the browser to interpret the page as a specific content type rather than relying on the browser to make assumptions.
X-XSS-Protection Use ‘1; mode=block’ missing
This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. Typically this is enabled by default, but if it was disabled by the user this header will force the filter to be active for this particular website. This header is supported in IE 8+.
Warning Set-Cookie MS-CV=Rzov4KmjtEO7jS…12:43:49 GMT; path=/ Add ‘secure; httponly;’
The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network.
The HttpOnly flag instructs the browser that this cookie can only be accessed when sending an HTTP request. This prevents scripts running as part of a page from retrieving the value and is a defense against XSS attacks.
Cache-control has warning.
Data returned in web responses can be cached by user’s browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Two missing headers on caching: Data returned in web responses can be cached by user’s browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Content-Security-Policy missing: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way the browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections. (https://www.owasp.org/index.php/Content_Security_Policy). Content-Security-Policy is recognized in Chrome 25+ and Firefox 23+
Additionally 4 warnings here: https://asafaweb.com/Scan?Url=https%3A%2F%2Fwww.microsoft.com
The excessive header info proliferation is one of the protection schemes everybody should know about: you do not want any script kiddie to know your full server version number info.

What I find here, my dear forums friends, is beyond belief really. What security does MS uphold? I trust no one, unless I test,
and this is just one big EPIC FAIL: and what about all those poor coders that have to write code to bring their recent page to IE 6,7.

polonus
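The checks listed above can be done without any online scanner once you have captured the response headers. The following is an added example (my own code, not the forum author's and not the output of the scanners linked above) that audits a list of (name, value) header pairs for the same points: X-Frame-Options, HSTS, X-Content-Type-Options, X-XSS-Protection, cookie flags, Cache-Control, CSP and version-bearing Server/X-Powered-By banners. Both header sets are constructed to mirror the findings listed, not captured from microsoft.com, and the cookie value is made up. Two caveats the scan output does not mention: a CSP frame-ancestors directive supersedes X-Frame-Options in browsers that support it, so the audit accepts either; and X-XSS-Protection only drives a legacy filter (Chromium has since removed its XSS auditor), so treat that finding as low priority.

```python
"""Static security-header audit of a captured HTTP response (added example)."""
import re

ONE_YEAR = 31536000  # seconds; shorter HSTS max-age values are usually too short

# Constructed sample modelled on the findings listed above: no X-Frame-Options,
# HSTS, nosniff or CSP, a cookie without Secure/HttpOnly, a version-bearing
# Server banner.  Not a capture from microsoft.com; the cookie value is made up.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "private"),
    ("Set-Cookie", "MS-CV=EXAMPLEVALUE; path=/"),
    ("Server", "Microsoft-IIS/8.5"),
    ("X-Powered-By", "ASP.NET"),
]

# The same response with the headers the scan asked for (also constructed).
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "no-store"),
    ("Set-Cookie", "MS-CV=EXAMPLEVALUE; path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Server", "nginx"),
]


def _cookie_attrs(set_cookie):
    """Lower-cased attribute names of a Set-Cookie value (secure, httponly, ...)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    return {p.split("=", 1)[0].strip().lower() for p in parts[1:]}


def audit_headers(headers, https=True):
    """Return (code, message) findings for a list of (name, value) pairs."""
    def get(name):
        return [v for n, v in headers if n.lower() == name.lower()]

    findings = []

    csp = get("Content-Security-Policy")
    if not csp:
        findings.append(("csp-missing", "Content-Security-Policy missing"))
    # CSP frame-ancestors supersedes X-Frame-Options where supported.
    frame_ancestors = any("frame-ancestors" in v.lower() for v in csp)

    xfo = get("X-Frame-Options")
    if not xfo and not frame_ancestors:
        findings.append(("xfo-missing", "X-Frame-Options missing and no CSP frame-ancestors: clickjacking"))
    elif xfo and xfo[0].strip().lower() not in ("deny", "sameorigin"):
        findings.append(("xfo-weak", "X-Frame-Options %r is not DENY/SAMEORIGIN" % xfo[0]))

    if https:  # HSTS is only honoured over TLS, so only judge it there
        hsts = get("Strict-Transport-Security")
        if not hsts:
            findings.append(("hsts-missing", "Strict-Transport-Security missing"))
        else:
            m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
            if not m or int(m.group(1)) < ONE_YEAR:
                findings.append(("hsts-short", "HSTS max-age below one year: %r" % hsts[0]))

    xcto = get("X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append(("nosniff-missing", "X-Content-Type-Options: nosniff missing"))

    if not get("X-XSS-Protection"):
        findings.append(("xss-missing", "X-XSS-Protection missing (legacy browser filter)"))

    cookies = get("Set-Cookie")
    for c in cookies:
        name = c.split("=", 1)[0].strip()
        attrs = _cookie_attrs(c)
        if https and "secure" not in attrs:
            findings.append(("cookie-insecure", "cookie %s lacks Secure" % name))
        if "httponly" not in attrs:
            findings.append(("cookie-nohttponly", "cookie %s lacks HttpOnly" % name))

    cache = " ".join(get("Cache-Control")).lower()
    if cookies and "no-store" not in cache:
        findings.append(("cache-no-store", "response sets cookies but Cache-Control lacks no-store"))

    # A digit in Server, or any X-Powered-By at all, hands out version info.
    for hdr in ("Server", "X-Powered-By"):
        for v in get(hdr):
            if hdr == "X-Powered-By" or re.search(r"\d", v):
                findings.append(("banner-leak", "%s: %r discloses software/version" % (hdr, v)))

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "->", len(audit_headers(hdrs)), "finding(s)")
        for code, msg in audit_headers(hdrs):
            print("  [%s] %s" % (code, msg))
```

Run it as-is to see the weak set produce ten findings and the hardened set none; to audit a live site, pass the response's header items in place of the constructed lists and set `https=False` for a plain-HTTP capture so HSTS and the Secure flag are not judged where they cannot apply.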

Here the situation is not much better: https://securityheaders.com/test-http-headers.php
What These Numbers Mean

We detected 2 Happy Findings on microsoft.com. According to the data we have gathered microsoft.com scores worse than approximately 50% of sites out there. The good news is that adding many of our HTTP header recommendations for security take very little time to implement and have a big impact!
quote from SHODAN.
But that may have fallen on deaf ears with the MS coders?

polonus

Tracking the trackers - nice to be used against ghostery and http switchboard extensions.
Go here: https://tools.digitalmethods.net/beta/trackerTracker/
Enter, for example: https://plus.google.com/u/0/_/n/gcosuc
Results ntok=APfa0bpLV_DUrqCeO917WArh_zsnBp57wzFI67I7aw5QOWGaHfBGpm9lOUVMto9rzPAyGr1Yv-ZczxK3tE24GZgT-N_po0x_lA%3D%3D raw data

polonus

Here we did a successful query for a malware tracking result:
Process log
Retrieving: wXw.adayg.com/tj.js
Matching…
Retrieving: htXp://adayg.com/index.html
Matching…
Retrieving: htXp://www.zjhbot.com/fengshou/index.html
Matching…
Collating results
Results - first result was delivering object!
url scheme host path type query aid cid date patterns objects name affiliation
htxp://adayg.com/index.html htxp adayg.com /index.html analytics 1184 2081 2015-03-02 23:05:40 .51.la htxp://js.users.51.la/17431151.js 51.La
wXw.adayg.com/tj.js wXw.adayg.com/tj.js n/a 2015-03-02 23:05:52
htxp://www.zjhbot.com/fengshou/index.html htxp wXw.zjhbot.com /fengshou/index.html n/a

Damian

What the tracker tracker gave here: http://szybki.fakt.pl
url scheme host path type query aid cid date patterns objects name affiliation
http://szybki.fakt.pl http szybki.fakt.pl analytics 13 81 2015-03-03 18:19:47 google-analytics.com/(analytics.js|urchin.js|ga_exp.js|ga.js|u/ga_debug.js|u/ga_beta.js|u/ga.js|cx/api.js|collect) http://www.google-analytics.com/ga.js Google Analytics
http://szybki.fakt.pl http szybki.fakt.pl analytics 13 81 2015-03-03 18:19:47 /?__utm. http://www.google-analytics.com/r/__utm.gif?utmwv=5.6.3&utms=1&utmn=360433009&utmhn=www.fakt.pl&utme=8(4!variant)9(4!Fakt%20reactivation)&utmcs=UTF-8&utmsr=1024x768&utmvp=400x300&utmsc=32-bit&utmul=en-us&utmje=0&utmfl=-&utmdt=Gwiazdy%2C%20Wydarzenia%2C%20Filmy%2C%20Sport%20-%20Fakt.pl&utmhid=1904198816&utmr=-&utmp=%2F&utmht=1425403101138&utmac=UA-4033697-1&utmcc=__utma%3D158728749.1147822484.1425403101.1425403101.1425403101.1%3B%2B__utmz%3D158728749.1425403101.1.1.utmcsr%3D(direct)|utmccn%3D(direct)|utmcmd%3D(none)%3B&utmjid=1416442177&utmredir=1&utmu=qSAAAAAAAAAAAAAAAAAAAAAE~ Google Analytics
http://szybki.fakt.pl http szybki.fakt.pl ad 37 443 2015-03-03 18:19:47 (.googlesyndication.com/simgad/|.googlesyndication.com/pagead/|partner.googleadservices.com/gampad/) http://pagead2.googlesyndication.com/pagead/show_ads.js Google Adsense
http://szybki.fakt.pl http szybki.fakt.pl ad 41 257 2015-03-03 18:19:47 (.doubleclick.net|g.doubleclick.net) http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0 DoubleClick
http://szybki.fakt.pl http szybki.fakt.pl widget 93 66 2015-03-03 18:19:47 (facebook.com/connect|facebook.com/v2.0/connect) http://static.ak.facebook.com/connect/xd_arbiter/rFG58m7xAig.js?version=41#channel=f273b4f26c&origin=http%3A%2F%2Fwww.fakt.pl Facebook Connect
http://szybki.fakt.pl http szybki.fakt.pl widget 93 66 2015-03-03 18:19:47 connect.facebook.net http://connect.facebook.net/pl_PL/sdk.js Facebook Connect
http://szybki.fakt.pl http szybki.fakt.pl analytics 313 381 2015-03-03 18:19:47 .hit.gemius.pl http://onet.hit.gemius.pl/fpdata.js?href=www.fakt.pl Gemius
http://szybki.fakt.pl http szybki.fakt.pl analytics 313 381 2015-03-03 18:19:47 /?xgemius.js http://ocdn.eu/static/mastt/xgemius.js Gemius
http://szybki.fakt.pl http szybki.fakt.pl widget 464 2806 2015-03-03 18:19:47 facebook.com/(v2.0/)?(plugins|widgets)/.*.php http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com%2Ffaktpl&locale=pl_PL&send=false&layout=button_count&width=130&show_faces=false&action=like&colorscheme=light&font=arial&height=21&appId=260859193942272 Facebook Social Plugins
http://szybki.fakt.pl http szybki.fakt.pl widget 605 174 2015-03-03 18:19:47 platform.twitter.com/widgets http://platform.twitter.com/widgets.js Twitter Button
http://szybki.fakt.pl http szybki.fakt.pl ad 609 457 2015-03-03 18:19:47 (.adform.net|.adformdsp.net) http://track.adform.net/adfserve/?bn=5643036;srctype=4;ord=[timestamp] Adform
http://szybki.fakt.pl http szybki.fakt.pl widget 615 2382 2015-03-03 18:19:47 (.google.com/buzz/api/button.js|apis.google.com/js/plusone.js|apis.google.com/js/platform.js) https://apis.google.com/js/platform.js Google+ Platform
http://szybki.fakt.pl http szybki.fakt.pl ad 642 677 2015-03-03 18:19:47 atemda.com http://p73.atemda.com/impressionlink.ashx?cipl=l9LafwOETCTkFe0sbgrKMsxZaQ%2Fj0%2BVg%2B2lbgaAE5jYcaVav6E5Jxymu520mDjJtdkPOh4lAcfCSxDhPv34RdH5RiT4mXw58D02AMfd%2FXTI%3D&etp=RASP_FAKT-top&cb=403178055 AdMeta
http://szybki.fakt.pl http szybki.fakt.pl ad 2160 355 2015-03-03 18:19:47 googleads.g.doubleclick.net/pagead/viewthroughconversion http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0 Google Dynamic Remarketing
http://szybki.fakt.pl http szybki.fakt.pl analytics 13 81 2015-03-03 18:19:47 google-analytics.com http://www.google-analytics.com/ga.js Google Analytics
http://szybki.fakt.pl http szybki.fakt.pl ad 37 443 2015-03-03 18:19:47 (googlesyndication.com|googleadservices.com|2mdn.net) http://pagead2.googlesyndication.com/pagead/show_ads.js Google Adsense
http://szybki.fakt.pl http szybki.fakt.pl ad 41 257 2015-03-03 18:19:47 doubleclick.net http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0 DoubleClick
http://szybki.fakt.pl http szybki.fakt.pl ad 609 457 2015-03-03 18:19:47 adform.net http://track.adform.net/adfserve/?bn=5643036;srctype=4;ord=[timestamp] Adform
http://szybki.fakt.pl http szybki.fakt.pl analytics 313 381 2015-03-03 18:19:47 .gemius.pl http://onet.hit.gemius.pl/fpdata.js?href=www.fakt.pl Gemius
http://szybki.fakt.pl http szybki.fakt.pl ad 642 677 2015-03-03 18:19:47 .atemda.com

Interesting tracking facts.

polonus
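What the Tracker Tracker output above boils down to is pattern matching over the resources a page loads: pull out every script, image and iframe source, drop the first-party ones, and match the rest against a list of known tracker patterns. The following is an added example of that logic, my own code rather than the digitalmethods.net tool or the forum author's. The pattern list is adapted from the "patterns" column of the results above with the dots escaped (the tool's own patterns use an unescaped ".", which as a regex also matches any character, so ".doubleclick.net" would also match "xdoubleclickxnet"). The HTML page is constructed for the example; its hostnames are the ones that appear in the results above, the query values are placeholders, and unmatched third-party resources are reported as "unknown" so the gaps in the pattern list stay visible.

```python
"""Tracker detection over the third-party resources a page loads (added example)."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (name, category, regex) matched against host + path of each third-party resource.
# Adapted from the "patterns" column of the Tracker Tracker output, dots escaped.
TRACKER_PATTERNS = [
    ("Google Analytics", "analytics",
     r"google-analytics\.com/(analytics\.js|urchin\.js|ga\.js|collect|r/__utm\.gif)"),
    ("Google Adsense", "ad",
     r"googlesyndication\.com/(simgad|pagead)/|partner\.googleadservices\.com/gampad/"),
    ("DoubleClick", "ad", r"\.doubleclick\.net"),
    ("Facebook Connect", "widget", r"connect\.facebook\.net|facebook\.com/connect"),
    ("Facebook Social Plugins", "widget", r"facebook\.com/(v2\.0/)?(plugins|widgets)/.*\.php"),
    ("Gemius", "analytics", r"\.hit\.gemius\.pl|/xgemius\.js"),
    ("Twitter Button", "widget", r"platform\.twitter\.com/widgets"),
    ("Adform", "ad", r"\.(adform|adformdsp)\.net"),
    ("AdMeta", "ad", r"atemda\.com"),
    ("51.La", "analytics", r"\.51\.la/"),
]

# Constructed page: hostnames are the ones seen in the results above, query
# values are placeholders, and cdn.unlisted.example is a made-up unknown host.
SAMPLE_HTML = """<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="/static/app.js"></script>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<script src="http://connect.facebook.net/pl_PL/sdk.js"></script>
<script src="http://platform.twitter.com/widgets.js"></script>
<script src="http://js.users.51.la/17431151.js"></script>
<script src="http://cdn.unlisted.example/beacon.js"></script>
</head><body>
<img src="http://www.google-analytics.com/r/__utm.gif?utmwv=5.6.3&amp;utmac=UA-0000000-0">
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.fakt.pl"></iframe>
<img src="http://track.adform.net/adfserve/?bn=5643036;srctype=4">
<img src="/img/logo.png">
</body></html>"""


class _SrcCollector(HTMLParser):
    """Collect src= of script, img and iframe tags, where trackers usually sit."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            for key, value in attrs:
                if key == "src" and value:
                    self.urls.append(value)


def find_trackers(html, page_url):
    """Classify every third-party resource of the page; unknown ones are kept too."""
    base_host = urlsplit(page_url).hostname or ""
    parser = _SrcCollector()
    parser.feed(html)
    hits = []
    for raw in parser.urls:
        url = urljoin(page_url, raw)          # resolve relative sources
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host == base_host or host.endswith("." + base_host):
            continue  # first-party (naive: only subdomains of the page host)
        target = host + parts.path            # query string deliberately excluded
        for name, category, pattern in TRACKER_PATTERNS:
            if re.search(pattern, target):
                hits.append({"url": url, "host": host, "name": name, "category": category})
                break
        else:
            hits.append({"url": url, "host": host, "name": None, "category": "unknown"})
    return hits


def summarize(hits):
    """Count findings per category (ad / analytics / widget / unknown)."""
    return Counter(h["category"] for h in hits)


if __name__ == "__main__":
    found = find_trackers(SAMPLE_HTML, "http://szybki.fakt.pl/")
    for h in found:
        print("%-9s %-24s %s" % (h["category"], h["name"] or "-", h["url"]))
    print(dict(summarize(found)))
```

Matching on host plus path (not the query string) keeps a tracker from hiding its hostname in a parameter of a first-party URL and getting counted, while still catching the __utm.gif pixel and the like.php iframe that a script-only check would miss. The first-party test is deliberately simple: sibling domains such as www.fakt.pl seen from szybki.fakt.pl count as third-party, which is the conservative direction for a tracking audit.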

Para-Noid says users have to learn to look before they leap, always, and he is right. I wondered why certain HTTPS Everywhere rewrites create undreamt-of possibilities for devious user tracking.
Read through this posting first: https://forum.avast.com/index.php?topic=167274.0 and see the added attached report of what tracking goes on on that Dutch zimbra webmail website.
Para-Noid asked me to post a heads-up on this insecurity here. And so I did.
I had to combine some of my insights and do some research to be aware of such threats. I remember our forum member, DavidR, always warning about the risks involved with the https-only scheme. I then stumbled on the rewrites from HTTPS Everywhere’s Atlas that make http pages fit https-only, combined the URIs I found in the rewrites with the results of the Tracker Tracker tool, and then it dawned upon me. There are additional risk factors with all the recent weaknesses found in the SSL protocol and encryption (POODLE and FREAK and so on).
Let us proceed with an example here. Combine the info from: https://www.eff.org/https-everywhere/atlas/domains/ with results here: https://tools.digitalmethods.net/beta/trackerTracker/
See the attached results. So be aware of trackers where you least expect them.

polonus

What added Tracker Tracker scan results brought on various script versions and corresponding vulnerabilities (version info), other CMS weaknesses and eventual abuse: https://forum.avast.com/index.php?topic=167317.msg1190378#msg1190378

polonus

There is definitely a need for anti-tracking add-ons like Ghostery and ad blockers such as AdBlock Edge in Firefox or uBlock in Chrome.
Many people use NoScript in Firefox or ScriptNo in Chrome. Using link scanners such as “Scan URL with” (Firefox) before clicking is also wise. Check then click.

It’s all about security.

Do not forget Avast Online Security!

pol