Author Topic: Musings about my volunteer website security scan experiences....  (Read 42511 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Musings about my volunteer website security scan experiences....
« on: February 10, 2015, 11:16:31 PM »
@those interested in this topic, and bob3160 for the initial idea to bundle the posting subjects (thanks to all  ;) )

With thanks to those that share my enthusiasm here and check (against) my results,
Pondus, !Donovan, Eddy, Michael, Para-Noid, mchain and many many more.
Without your ongoing inspiration and cooperation I would not be where I am now
and not least Avast, which creates this wonderful platform here to work together to improve Avast support.

You will read here about a variety of topics concerning what I do in the virus and worms.
All I do here has one first and single aim, that is adding to the splendid avast online protection
and so users with avast are with the best here with the unique shields, domain rep scan, etc.

My first topic is called: Google Safebrowsing and Yandex Safebrowsing Results Differ considerably,
well most of the time they are consistent and alert the same website threats.

Blacklisting results play an important role in online protection against suspicious/malicious websites.
This starts with scanning a website at Virustotal, whose results mainly consist of blacklisting results.
A Quttera scan checks against the following blacklists:
PhishTank - domain is Clean. 
Quttera Labs - domain is Clean. 
Yandex-SafeBrowsing - domain is Clean. 
Google-SafeBrowsing - domain is Clean. 
MalwareDomainList - domain is Clean. 
Combined with the avast protection of shields and avast's browser extension, the DrWeb extension block list and all domains flagged by Bitdefender TrafficLight we have already steered away from many a dangerous click.

But safebrowsing differs, search page for htxp://www.oradio.com.br/ at google does not flag.
At Yandex searchpage we get:
Quote
Visiting this site may lead to malware being installed on your computer or mobile device, which may be used without your knowledge, and valuable data may become corrupted or stolen. Details

Details: https://www.yandex.com/infected?url=http%3A%2F%2Fwww.oradio.com.br%2F&lang=pt&fmode=inject&tld=com&la=&text=http%3A%2F%2Fwww.oradio.com.br%2F&l10n=en&mime=html  SOPHOS detects malware on website as Troj/JsRedir-NN.

Also the options: View secure cached page
This will not harm your computer or its data
and
Visit this page anyway
Following this link may harm your computer or mobile device  (a thing we are ill advised to do i.m.o.).

Why does the Yandex search page protect users against a visit there while Google Safebrowsing does not?

Conclusion - one should use various blacklists to feel somewhat more secure.

polonus

(more to follow in this thread...)
« Last Edit: February 10, 2015, 11:33:56 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #1 on: February 11, 2015, 03:58:26 PM »
FPs are a problem for all anti-malware vendors; VT is gonna help against mistaken detection.
How is this going to work out in the grey area for PUP detections and persistent adware/junkware.
Will we get TRUSTED PUP or TRUSTED JUNKWARE?
Read here about this new feature coming to Virustotal:
http://blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html

Anyone?

polonus

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Musings about my volunteer website security scan experiences....
« Reply #2 on: February 11, 2015, 05:05:06 PM »
Will read it when I'm finally back home. PUPs are a serious issue nowadays, as we can see that even AV vendors bundle them with their software; PUPs need to be detected much better. Will forward that link to the developer of a new upcoming AV software :) PS: he is 14 right now
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #3 on: February 11, 2015, 05:51:37 PM »
Why set this door open ajar, or build in a PUP-adware cat flap trap?
Please dear VT, my code swims like a PUP, quacks like a PUP, but I swear it is no PUP,
oh no, and it ain't no adware, no way, it is just a genuine False Positive  ;D

polonus

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Musings about my volunteer website security scan experiences....
« Reply #4 on: February 11, 2015, 10:49:32 PM »
I'd like to know how they can tell who put that key logger on my computer??? (If I had one.)
Did I do it intentionally or, was it done maliciously???
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #5 on: February 11, 2015, 11:00:06 PM »
Hi bob3160,

Indeed there is a thin grey line between legitimate keyloggers and hidden keyloggers that are part of full-fledged trojans. The term for this category of malware is the Trojan-Spy, malware that will
Quote
track user activity, save the information to the user's hard disk and then forward it to the author or 'master' of the Trojan.
Read more in depth here: https://securelist.com/analysis/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1/

polonus

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Musings about my volunteer website security scan experiences....
« Reply #6 on: February 11, 2015, 11:18:24 PM »
Quote from: polonus
Hi bob3160,

Indeed there is a thin grey line between legitimate keyloggers and hidden keyloggers that are part of full-fledged trojans. The term for this category of malware is the Trojan-Spy, malware that will
Quote
track user activity, save the information to the user's hard disk and then forward it to the author or 'master' of the Trojan.
Read more in depth here: https://securelist.com/analysis/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1/

polonus
I'm well aware of what a Keylogger does Damien. If I choose to install it to monitor activity on my system, it's a legitimate tool.
If it's installed without my knowledge, then it's malicious.
I want to know how an AV can tell the difference between my installation and a malicious install ???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #7 on: February 11, 2015, 11:45:18 PM »
This is the main way to tell the difference:
Quote
Behavioral detection differs from appearance detection in that it identifies the actions performed by the malware rather than syntactic markers. Identifying these malicious actions and interpreting their final purpose is a complex reasoning process.
Quote from:
Hervé Debar PhD, HDR. So the source and the way it was installed play an important role.
Compare it to shop camera monitoring that can discriminate between someone buying tools for a DIY job or to be used in breaking & entering a house illegally. When you buy a balaclava and a sledge hammer, you could be a security risk and suspicious. ;D  ;D

Damian


Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Musings about my volunteer website security scan experiences....
« Reply #8 on: February 12, 2015, 12:03:31 AM »
If it were that simple, there wouldn't be any false positives. :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #9 on: February 12, 2015, 12:30:50 AM »
Hi bob3160,

Well, there is more to this than meets the eye. Many times in the virus and worms we see developers that come and complain about false positives and FP detections on (new) packer obfuscation, for instance. And as a complication, a whole row of what came whitelisted before can now come up as a FP with a new (slightly different) update. Avast really has some problems there to tackle. So the new VT whitelisting and demasking of FPs can certainly help towards that goal. Recently Avast had quite some problems with new updates of proggies and tools. Signing their code by developers and certification may help - also additional meta-scans can make a FP less obvious.
And of course the bundled junk/ad- & spyware should never go under the detection radar, as this ever expanding new bundling craze is making the whole exercise even more complicated. And then there is the explosion of new detections that is making the whole process even more complicated. That for simplicity...  ;D

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #10 on: February 19, 2015, 04:39:01 PM »
When doing a "cold reconnaissance third party" website scan we always like to have the full story from a to z.
What vulnerable technology was being used for server and website software? What free plug-ins and themes were vulnerable?
Was there any second line security being brought into place? And we want to know why the website could have been attacked, what attack was being performed and similar questions. Sometimes we can get these details from a Clean MX report or from a threat description by a researcher - or when we are lucky from a combination of online scan results and descriptions.

But NinjaFirewall also gives all the "gory" details at once, as there is: type of threat, what was being targeted, where it was being targeted, what vulnerability or exploit was being abused, the malware domain that caused the threat, and the malware raw code.
Example: http://ninjafirewall.com/malware/index.php?threat=2014-12-18.01 and now combine with info here: https://www.mywot.com/en/scorecard/clickevents.com.my?utm_source=addon&utm_content=popup and here:
https://wordpress.org/support/topic/gwt-malware-warning-for-my-website-and-defaced
When we let this info all sink in we'll see we are being confronted with a flaw of the SoakSoak malware just by googling on "collect.js malware". Whenever we see "collect.js malware" a little lightbulb flash goes off at the back of our head and we will
mumble "Oh, SEO related malcode!".
Another lesson learned another threat recognized.  ;D
NinjaFirewall has a free offshoot for WP PHP as a stand-alone plug-in, worth recommending to people that are curious and have similar interests like little old me,  ;)

polonus (volunteer website security analyst and website error-hunter)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #11 on: February 24, 2015, 01:57:04 PM »
Time to return to the dramatically bad situation where security headers are concerned.
One important example from the Hall of Shame: https://www.microsoft.com
See: https://www.uploady.com/download/gN0Vfam8FKU/F9RytmG59o8~34EA
and https://www.uploady.com/download/GbzM~734U3J/7WSvra~jOTelppAr
X-Frame Options - missing
Provides clickjacking protection by instructing browsers that this page should not be placed within a frame. Possible values are: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, and allow-from: - allow rendering if framing page is within the specified URI domain. Allow from is supported by IE and Firefox, but not Chrome or Safari. It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
Strict-Transport-Security missing
HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for users to ignore SSL negotiation warnings.
X-Content-Type-Options - Use 'nosniff' - missing
The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that by clever naming could be treated by MSIE as executable or dynamic HTML files.
Warning on Content-Type
Instructs the browser to interpret the page as a specific content type rather than relying on the browser to make assumptions.
X-XSS-Protection - Use '1; mode=block' - missing
This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. Typically this is enabled by default, but if it was disabled by the user this header will force the filter to be active for this particular website. This header is supported in IE 8+.
Warning on Set-Cookie: MS-CV=Rzov4KmjtEO7jS...12:43:49 GMT; path=/ - Add 'secure; httponly;'
The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network.
The HttpOnly flag instructs the browser that this cookie can only be accessed when sending an HTTP request. This prevents scripts running as part of a page from retrieving the value and is a defense against XSS attacks.
Cache-control has warning.
Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Two missing headers on caching: Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Content-Security-Policy missing: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way the browser renders pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections. (https://www.owasp.org/index.php/Content_Security_Policy). Content-Security-Policy is recognized in Chrome 25+ and Firefox 23+
Additionally 4 warnings here: https://asafaweb.com/Scan?Url=https%3A%2F%2Fwww.microsoft.com
The excessive header info proliferation is one of the protection schemes everybody should know about; you do not want any script kiddie to know your full server version number info.

What I find here, my dear forums friends, is beyond belief really. What security does MS uphold? I trust no one, unless I test,
and this is just one big EPIC FAIL: and what about all those poor coders that have to write code to bring their recent page to IE 6,7.

polonus
« Last Edit: February 24, 2015, 02:12:57 PM by polonus »
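To make the header checklist in the post above repeatable, here is an added example (not the forum post's own code and not the code of any of the scanners it links to): a small Python audit that takes a captured set of response headers and reports each header that is missing or weakly set, following the recommendations listed above. The two header sets at the bottom are constructed, as is the HSTS max-age threshold and the placeholder Server value; the MS-CV cookie name is the one the post quotes.

```python
"""Audit an HTTP response's security headers against the post's checklist.

Added example; the sample header sets below are constructed for the demo.
"""
import re

HSTS_MIN_AGE = 15552000  # about 180 days; constructed threshold for this demo


def audit_headers(headers):
    """Return a list of (header, finding) tuples for missing or weak headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # Clickjacking: the page must refuse to be framed by other origins.
    xfo = h.get("x-frame-options", "").lower()
    if xfo not in ("deny", "sameorigin"):
        findings.append(("X-Frame-Options", "missing" if not xfo else f"weak value '{xfo}'"))

    # HSTS: enforce TLS on later visits and require a reasonably long max-age.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append(("Strict-Transport-Security", "missing"))
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(("Strict-Transport-Security", f"max-age too short ({m.group(1)})"))

    # MIME sniffing: 'nosniff' is the only defined value.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))

    # Legacy browser XSS filter, as the post recommends enabling it.
    if h.get("x-xss-protection", "").lower().replace(" ", "") != "1;mode=block":
        findings.append(("X-XSS-Protection", "missing or not '1; mode=block'"))

    # Cookies: every Set-Cookie should carry both Secure and HttpOnly.
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for c in cookies:
        attrs = {p.strip().lower() for p in c.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            name = c.split("=", 1)[0].strip()
            findings.append(("Set-Cookie", f"cookie '{name}' lacks {', '.join(missing)}"))

    # Caching: sensitive responses should not be stored by browsers or proxies.
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append(("Cache-Control", "missing 'no-store'"))

    # CSP: presence check only; tuning the policy itself is a separate job.
    if "content-security-policy" not in h:
        findings.append(("Content-Security-Policy", "missing"))

    # Version disclosure: do not advertise the full server version number.
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(("Server", f"discloses version '{server}'"))

    return findings


# Constructed sample: a response that resembles the post's findings.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "MS-CV=EXAMPLEVALUE; expires=Tue, 24 Feb 2015 12:43:49 GMT; path=/",
    "Cache-Control": "public, max-age=300",
    "Server": "ExampleHTTPd/1.2.3",  # placeholder, not a real server banner
}

# Constructed sample: the same response with the recommended headers added.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "MS-CV=EXAMPLEVALUE; path=/; Secure; HttpOnly",
    "Cache-Control": "no-store, no-cache",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "Server": "ExampleHTTPd",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for header, finding in audit_headers(resp):
            print(f"  {header}: {finding}")
```

Feed it the headers from a real response (for example the dict from a `requests` response's `.headers`, collecting repeated Set-Cookie lines into a list) and the weak sample above reproduces the eight findings the post lists, while the hardened sample comes back clean.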

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #12 on: February 24, 2015, 02:30:06 PM »
Here the situation is not much better: https://securityheaders.com/test-http-headers.php
What These Numbers Mean
Quote
We detected 2 Happy Findings on microsoft.com. According to the data we have gathered microsoft.com scores worse than approximately 50% of sites out there. The good news is that adding many of our HTTP header recommendations for security take very little time to implement and have a big impact!
quote from SHODAN.
But that may have fallen on deaf ears with the MS coders?

polonus


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #13 on: March 02, 2015, 07:36:22 PM »
Tracking the trackers - nice to be used against ghostery and http switchboard extensions.
Go here: https://tools.digitalmethods.net/beta/trackerTracker/
Give in for example: https://plus.google.com/u/0/_/n/gcosuc
Results ntok=APfa0bpLV_DUrqCeO917WArh_zsnBp57wzFI67I7aw5QOWGaHfBGpm9lOUVMto9rzPAyGr1Yv-ZczxK3tE24GZgT-N_po0x_lA%3D%3D  raw data

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #14 on: March 02, 2015, 11:15:36 PM »
Here we did a successful query for a malware tracking result:
Process log
Retrieving: wXw.adayg.com/tj.js
Matching..
Retrieving: htXp://adayg.com/index.html
Matching..
Retrieving: htXp://www.zjhbot.com/fengshou/index.html
Matching..
Collating results
Results - first result was delivering object!
url   scheme   host   path   type   query   aid   cid   date   patterns   objects   name   affilition
htxp://adayg.com/index.html   htxp   adayg.com   /index.html   analytics      1184   2081   2015-03-02 23:05:40   \.51\.la   htxp://js.users.51.la/17431151.js   51.La   
wXw.adayg.com/tj.js         wXw.adayg.com/tj.js   n/a            2015-03-02 23:05:52            
htxp://www.zjhbot.com/fengshou/index.html   htxp   wXw.zjhbot.com   /fengshou/index.html   n/a

Damian
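The result table in the post above works by matching a regular-expression "patterns" column against the objects a page loads (the `\.51\.la` pattern hitting the 51.La script). As an added example, not the Tracker Tracker tool's own code, the Python below reproduces that idea offline: it collects the script, iframe and image URLs from a page and matches them against a small pattern list. The 51.La pattern and the 51.La script URL are the ones shown in the post; the second pattern and the sample HTML are constructed.

```python
"""Match the external resources a page loads against tracker patterns.

Added example; the sample page and the ExampleAnalytics pattern are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# tracker name -> regex applied to each resource URL
TRACKER_PATTERNS = {
    "51.La": r"\.51\.la",                                     # from the post's result table
    "ExampleAnalytics": r"stats\.example-analytics\.invalid",  # constructed placeholder
}


class ResourceCollector(HTMLParser):
    """Collect the URLs of scripts, iframes and images referenced by the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "img"):
            src = dict(attrs).get("src")
            if src:
                # urljoin resolves relative and protocol-relative references.
                self.urls.append(urljoin(self.base_url, src))


def find_trackers(html, base_url):
    """Return (resource_url, tracker_name) pairs for every matching resource."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    hits = []
    for url in collector.urls:
        for name, pattern in TRACKER_PATTERNS.items():
            if re.search(pattern, url, re.IGNORECASE):
                hits.append((url, name))
    return hits


# Constructed sample page, loosely modelled on the post's first result row.
SAMPLE_HTML = """
<html><head>
<script src="/tj.js"></script>
<script src="http://js.users.51.la/17431151.js"></script>
<script src="//stats.example-analytics.invalid/beacon.js"></script>
</head><body>
<img src="/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for url, name in find_trackers(SAMPLE_HTML, "http://adayg.com/index.html"):
        print(f"{name}: {url}")
```

The first-party `/tj.js` and the logo produce no hit; only the two third-party resources match. Extending `TRACKER_PATTERNS` with the patterns a blocking extension ships is how one would compare its coverage the way the post suggests.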