Most AV software is USELESS against SCRAPER Sites


  1. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #1



    Hi all

    We seem to get more and more bogged down with finding the best AV software for preventing Viruses / worms / trojans etc etc.

    These are largely old hat now -- what most of this software DOESN'T protect you against (and it's difficult to see how to devise good protection for this type of attack) is clicking on to sites that you've been directed to via SCRAPER SITES which have already adjusted the search order, say in Google, putting Rogue sites at the top of the search list.

    These are automated sites that continually scan pages in say News sites to scrape info from these that keep their pages at the top of a google search. Now on a google search most people tend to click on sites at the start of the search so a lot of the Scraper sites have ensured that the rogue sites are at the top of the search and the "Victim" is directed to a rogue site with "fly by" or other malware stuff present.

    You need to be careful now in just using things like google without realizing what can happen.

    Most AV software is currently 100% (in fact 150%) USELESS against this type of attack.

    I wish some of the AV companies were even HALF as good as some of the scammers.

    I'm using MS Forefront Client security which has a decent real time protection but most of the typical stuff people have on their machines doesn't do real time protection. This these days is a MUST if you use any search engine and then visit a site you don't know and trust COMPLETELY.

    Cheers
    jimbo


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    This would be a 'browser hijack'.

    <snip> from a web page:
    Most browser hijackers take advantage of Internet Explorer's ability to run ActiveX scripts straight from a web page. Generally, these programs will request permission to install themselves via a popup that loads when you visit a certain site. If you accidentally give them permission to install, IE will execute the program on your computer, changing your settings. Others may use security holes within Internet Explorer to install themselves automatically without any user interaction at all. Worse, these can be launched from popup ad windows which the user has not even intended to view.
    As well as making changes to your home page and other Internet Explorer settings, a hijacker may also make entries to the HOSTS file on your system. This special file directly maps DNS addresses (web URLs) to IP addresses, so every time you typed 'www.pcstats.com' (as an example) you might be redirected to the IP address of a sponsored search or porn site instead.


    This is why I advocate using SpywareBlaster and SpywareGuard. Please read the tutorial.
    Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware


  3. Posts : 716
    XP Pro & Vista Home Premium (x86); Windows Ultimate 7600 x64 Retail
       #3

    Jacee said:
    This would be a 'browser hijack'.

    <snip> from a web page:
    Most browser hijackers take advantage of Internet Explorer's ability to run ActiveX scripts straight from a web page. Generally, these programs will request permission to install themselves via a popup that loads when you visit a certain site. If you accidentally give them permission to install, IE will execute the program on your computer, changing your settings. Others may use security holes within Internet Explorer to install themselves automatically without any user interaction at all. Worse, these can be launched from popup ad windows which the user has not even intended to view.
    As well as making changes to your home page and other Internet Explorer settings, a hijacker may also make entries to the HOSTS file on your system. This special file directly maps DNS addresses (web URLs) to IP addresses, so every time you typed 'www.pcstats.com' (as an example) you might be redirected to the IP address of a sponsored search or porn site instead.
    This is why I advocate using SpywareBlaster and SpywareGuard. Please read the tutorial.
    Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

    Most definitely use SpywareBlaster. I also suggest installing Spybot Search & Destroy and loading its HOST table which redirects known bad sites IP addresses to the host PC (effectively NULL address). Note that with Spybot I use the Internet Protection option and loading its HOST table. I do not use its "TEATIMER" function as it incurs additional overhead.

    The home of Spybot-S&D!

    These two steps/apps utilize passive protection against known bad sites with little to no processor overhead.
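
    Added example, not part of the original thread: posts #2 and #3 describe two opposite uses of the HOSTS file, a hijacker pointing a real name at someone else's IP address and a blocklist pointing known bad names at the local machine. The Python sketch below tells the two apart; the sample file contents and the function name classify_hosts are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (not from a real machine); 203.0.113.0/24
# is a documentation-only address range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.badsite.example      # blocklist-style entry
0.0.0.0         tracker.badsite.example
203.0.113.50    www.pcstats.com          # name pointed at a foreign address
203.0.113.50    search.example.com www.search.example.com
not-an-ip       broken.example
"""

def classify_hosts(text):
    """Sort HOSTS entries into sinkholed names, redirects and malformed lines."""
    report = {"sinkhole": [], "redirect": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # comments run to end of line
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            report["malformed"].append((lineno, raw.strip()))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if local and name == "localhost":
                continue                          # the stock entry
            if local:
                report["sinkhole"].append((lineno, name))   # blocked name
            else:
                # Any name resolved to a routable address needs a human look:
                # it may be an intranet mapping or a hijacker's redirect.
                report["redirect"].append((lineno, name, str(addr)))
    return report

if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    print(len(result["sinkhole"]), "names sinkholed to the local machine")
    for lineno, name, addr in result["redirect"]:
        print(f"REVIEW line {lineno}: {name} -> {addr}")
    for lineno, raw in result["malformed"]:
        print(f"MALFORMED line {lineno}: {raw}")
```

    On Windows the file to feed it is %SystemRoot%\System32\drivers\etc\hosts; a "redirect" result is a prompt to check the entry, not proof of a hijack.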


  4. jav
    Posts : 713
    Windows 7 Ultimate x86 SP1
       #4

    jimbo45, I do agree with you in a way and respect you, but...
    Yes, most AV can't stop this kind of attack.
    But wait, they are "Anti Virus" (and I mean classic signature-only scanners, which are rare now), and they are not meant to stop these kinds of attacks...

    But if we are talking about Internet Security programs, Internet Security Suites or other programs like Jacee has suggested, or any other programs designed for this, then it's another subject and most of them can protect from this kind of attack.
    Note: That's actually why they are called "Internet Security" and almost all AV vendors recommend it if you want to use the Internet...

    There are lots of new technology now being implemented to Internet security programs to protect not only from browser hijacks but even from phishing and user stupidity...
    Almost all Internet Security suites give you browser protection, hijack protection, ActiveX control and even link scanners.

    So AV softwares aren't designed for Internet attack, that's why they are in a way useless, but we can't blame AV companies. They have created more specific programs for those of us who want protection from Internet threats and called them Internet security.

    I am not saying that AV is the best thing ever... But I think it's unfair to blame AV companies...

    P.S. No offence meant to you, I do respect your opinion, it's just we have different opinions.


  5. Posts : 112
    7
       #5

    There is only one way to browse the net in complete safety and that's to run your browser through Sandboxie.

    Learn Sandboxie's capabilities and I doubt you would ever surf the net without it.


  6. Posts : 1,426
    7 Pro
       #6

    Jaxryley said:
    There is only one way to browse the net in complete safety and that's to run your browser through Sandboxie.

    Learn Sandboxie's capabilities and I doubt you would ever surf the net without it.

    flash clipboard is still exploitable...Sandboxie only prevented local buffer overflows if they happened against a protected process. Sandboxie doesn't protect (via virtualization) the entire OS. Leaving several heavily exploitable attributes "unprotected".


  7. Posts : 112
    7
       #7

    Probably not with start/run restrictions implemented and I can't remember seeing this exploit being posted over at SB's forum.

    Do you have a link or PoC?


  8. Posts : 716
    XP Pro & Vista Home Premium (x86); Windows Ultimate 7600 x64 Retail
       #8

    I am wondering which websites you folks are visiting that allows the internet to so easily infect your PCs...

    Perhaps 2 machines are needed. One to do actual work on and the other for surfing porn/cracked software sites.... you can just restore the porn site machine's system image after each "session".....


  9. Posts : 112
    7
       #9

    Muad Dib said:
    I am wondering which websites you folks are visiting that allows the internet to so easily infect your PCs...

    You can find a few sites below. Some links go dead fairly quick and there are quite a few lists like this around the place.

    MalwareURL - URL listing


  10. Posts : 112
    7
       #10

    brady said:
    Jaxryley said:
    There is only one way to browse the net in complete safety and that's to run your browser through Sandboxie.

    Learn Sandboxie's capabilities and I doubt you would ever surf the net without it.
    flash clipboard is still exploitable...Sandboxie only prevented local buffer overflows if they happened against a protected process. Sandboxie doesn't protect (via virtualization) the entire OS. Leaving several heavily exploitable attributes "unprotected".

    OK I found a link to this exploit over at SB's forum.

    www.sandboxie.com :: View topic - Flash Clipboard Exploit


 
