Author Topic: Why we break links to possible malicious sites and silent drive by downloads...  (Read 4311 times)


Offline polonus

Hi malware fighters and users of these forums,

Sometimes you see requests to new users to break links to malicious websites that may harm users that click these live links. I explained this to someone on the NoScript forum that did not understand this policy for obvious reasons, he was not aware of the risks.
Quote
As I work as a malware fighter on a web forum we know how to break links. So a link with some possibly malicious redirects or malicious script would be broken like: hxtp://evilmalicioussite.com or like evilmalicious dot com or: "www dot evilmalicious dot com". The person that knows what it should look like can enter the address in a (link) scanner like bad stuff detektor, Exploit Prevention Lab link scanner, DrWeb's av link checker plug-in extension for fx or Webpage Security Report = : http://www.unmaskparasites.com/security-report/ , without having to click on it directly and probably get infected as a worst case scenario (not if you have NoScript installed and active, of course, but we all know that here).
- So it is to prevent that curiosity will kill the proverbial n00b cat. -
We have to point this out to new users of anti-malware forums again and again, but after a while they understand why we do this and why we follow this policy.
Also when publishing malicious or suspicious script, for instance a hidden iFrame or injected obfuscated script, we try to break that by putting ^ where > should be or entering some ..... Better is to make a screen dump and link to a picture of the code found, because that cannot be flagged by a scanner, while with a real script that can be a possibility under certain circumstances.
We find that some av is now alerting on all obfuscated scripts, for the reason that the use of obfuscation is suspicious to them: what do they have to hide? But sometimes the author of a script wants to protect it from copycats, and when they use packers that are also used by cybercriminals to hide their evil intentions, av may and will more often than not flag it.

That is another reason that I think NoScript has the only truly elegant solution for these problems: what is blocked cannot run, and what does not run can't infect. The only hole now is that sites that you have whitelisted as trusted can have been hacked at any time from the moment you gave them a clean bill, even where they had a good reputation before; there is so much automated and bot-related injection of malcode that just some bits of an older (vulnerable) software version or a changed or outdated component somewhere around may be enough to own a site for malicious purposes. In these cases I think the RequestPolicy add-on in fx or flock is the most elegant solution to block any request to third party & possibly malicious redirects. A webshield as a third layer of protection to flag and to disconnect from some redirect(s) to a malware downloading site with drive-by downloads of malware of all sorts is another option open to users; setting killbits and protecting via blacklist blocking is another option.

Well no excuse to do this any longer,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
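The link-breaking conventions polonus describes (hxtp:// scheme, "dot" instead of ".", and ^ in place of angle brackets in pasted script) can be automated so a moderator or analyst applies them consistently. This is an added example, not code from the forum or from any Avast tool; the URLs and markup inside are constructed placeholders, and the function names are my own.

```python
import re

# Constructed sample inputs for the demo; these are not real indicators.
SAMPLE_URL = "http://evilmalicioussite.example/path?x=1"
SAMPLE_HTML = '<iframe src="http://evilmalicioussite.example/x" width=0></iframe>'


def defang_url(url: str) -> str:
    """Break a URL as the post describes: hxtp(s):// scheme and ' dot ' in the host.
    Only the host is rewritten so the path and query remain readable for analysis."""
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", url, re.IGNORECASE)
    if not m:
        raise ValueError("not an http(s) URL")
    scheme, host, rest = m.groups()
    broken_scheme = "hxtps" if scheme.lower() == "https" else "hxtp"
    return f"{broken_scheme}://{host.replace('.', ' dot ')}{rest}"


def refang_url(broken: str) -> str:
    """Reverse defang_url so the address can be pasted into a link scanner.
    Accepts both the post's hxtp:// form and the more common hxxp:// form."""
    m = re.match(r"^(hxtps?|hxxps?)://([^/?#]+)(.*)$", broken, re.IGNORECASE)
    if not m:
        raise ValueError("not a defanged http(s) URL")
    scheme, host, rest = m.groups()
    real_scheme = "https" if scheme.lower().endswith("s") else "http"
    return f"{real_scheme}://{host.replace(' dot ', '.')}{rest}"


def defang_markup(snippet: str) -> str:
    """Replace angle brackets with ^ so a pasted iframe/script tag can neither
    render in the forum nor be picked up as live HTML by a browser."""
    return snippet.replace("<", "^").replace(">", "^")


def has_live_link(text: str) -> bool:
    """Moderator sanity check: does a post still contain an unbroken http(s) link?
    Defanged hxtp:// and hxxp:// forms are deliberately not matched."""
    return re.search(r"\bhttps?://", text, re.IGNORECASE) is not None


if __name__ == "__main__":
    broken = defang_url(SAMPLE_URL)
    print(broken)                      # hxtp://evilmalicioussite dot example/path?x=1
    print(refang_url(broken) == SAMPLE_URL)
    print(defang_markup(SAMPLE_HTML))
    print(has_live_link(broken), has_live_link(SAMPLE_URL))
```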

Offline DavidR

One down many millions more to go. You will never succeed in this as new people simply don't know of the dangers and are oblivious to it.

So you will always be telling people to change the links, it happens with monotonous regularity, but that isn't their fault, they don't know better, until we mention it, then that's another one down, many millions more to go ;D

The major problem is that avast users, who for the most part are protected against this type of thing, forget that others might not be so fortunate, so it is hard for them to understand why they need to get into the habit ;D

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

maugrimx

does avast detect all obfuscated scripts?

Offline DavidR

It does a very good job, but nothing detects everything. You only need to browse the viruses and worms forum to see that.

avast is one of the very few that even detect anything like this, and it is above all very accurate: of all those I have checked on the forums, all have been good detections.

maugrimx

ok  :)

I saw on another forum that avast does not use heuristics, is that true? What does the resident shield high sensitivity level do then? Scans all files?

Offline DavidR

This really should be in its own topic as it is unrelated to this topic (hijacking) and just detracts from the main subject.