Google Highlights Trouble In Detecting Malware
JohnBert writes "Google issued a new study (PDF) on Wednesday detailing how it is becoming more difficult to identify malicious websites and attacks, with antivirus software proving to be an ineffective defense against new ones. The company's engineers analyzed four years' worth of data comprising 8 million websites and 160 million web pages from its Safe Browsing service, which is an API that feeds data into Google's Chrome browser and Firefox and warns users when they hit a website loaded with malware. Google said it displays 3 million warnings of unsafe websites to 400 million users a day."
browse in Lynx.
When was the last time you saw malware for it?
Hardly. Normals will go on selling the top dog joke AV crapware. All browsers seriously need to be sandboxed HARD. Don't stop there though, the OS has a lot to answer for... Next, on to orifice...
*sigh*
-sent from my ipad.
And that's even before you escalate UAC rights. I find software like Sandboxie works far better to protect my computer than any antivirus out there.
Yet another story hinting at the huge lie that is perpetrated on the world in the form of antivirus "protection". Like I've always said, these tools do more to undermine my PC than malware ever has. A good "secure-by-default" installation and a decent understanding of responsible Internet use is all you need. Instead, most people deal with significantly slower performance, and borderline criminal subscription tactics. Protection from new and future threats has always been and will always be a fantasy.
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
A good "secure-by-default" installation
One fundamental problem in home computer security is that vendors disagree on how to define "good 'secure-by-default' installation". For example, does it involve establishing a policy of trusting a third party to determine whether each program is safe and enforcing this policy with no way for the end user to override it? Apple (iOS), Microsoft (Xbox 360 and Windows Phone 7), Nintendo, and Sony seem to think so.
JavaScript really is the source of the most recent problems because it can allow entry into systems and activation of malware remotely. This is why ActiveX is also bad. Developers rush into this kind of technology thinking of the payoff but not the cost.
Really though, JS is totally unnecessary, so I run NoScript and I don't visit sites that have a zillion JS calls to different sites. I probably could turn antivirus off and still be okay.
The dangers of knowledge trigger emotional distress in human beings.
Why not have the browser have some kind of globally coordinated download queue that queues the download until someone can scan it. If it's (by URL) already been scanned, then let it download, then verify the MD5 sum of the downloaded vs scanned content. If it matches, then all is good. If not delete it. I don't define "scanned" because it could be a virus scan, or an automated install to a virtual machine, which reports back any opened ports or initiated connections for further review.
This would be a pain for developers and IT, so have a way to disable it, but for most people telling them "we don't know if this download is safe" "We'll download it when we know more" would go a long way to stopping malware. And it has the peripheral effect of slowing up malware people too.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
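The gated-download idea above, as an added example that is not part of the original post: a small Python model of the shared verdict cache, keyed by URL, with the "hash of what you downloaded vs. hash of what was scanned" check on release. It uses SHA-256 where the post says MD5 (MD5 collisions are practical, so two different payloads can share a digest). The scanner itself is not modelled; the URLs and payload bytes are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"    # URL was scanned clean and the bytes match what was scanned
    HOLD = "hold"      # nobody has scanned this URL yet: queue it, tell the user to wait
    DELETE = "delete"  # scanned as malicious, or the bytes differ from what was scanned


@dataclass(frozen=True)
class ScanRecord:
    digest: str  # hex SHA-256 of the exact bytes the scanner looked at
    clean: bool  # scanner's verdict (AV engine, sandbox VM, ...; not modelled here)


class DownloadGate:
    """Shared verdict cache keyed by URL. A download is released only when the
    bytes the client actually received hash to the bytes that were scanned."""

    def __init__(self) -> None:
        self._records: dict[str, ScanRecord] = {}
        self._queue: list[str] = []  # URLs waiting for someone to scan them

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def record_scan(self, url: str, content: bytes, clean: bool) -> None:
        """Called by the scanning side once it has a verdict for `url`."""
        self._records[url] = ScanRecord(self.digest(content), clean)
        if url in self._queue:
            self._queue.remove(url)

    def check(self, url: str, content: bytes) -> Verdict:
        """Called by the browser with the bytes it just fetched for `url`."""
        rec = self._records.get(url)
        if rec is None:
            if url not in self._queue:
                self._queue.append(url)
            return Verdict.HOLD
        if rec.digest != self.digest(content):
            # Same URL, different payload: the server gave the scanner one file and
            # the user another (or the file changed since the scan). Don't trust it.
            return Verdict.DELETE
        return Verdict.ALLOW if rec.clean else Verdict.DELETE

    def pending(self) -> list[str]:
        return list(self._queue)


def demo() -> list[Verdict]:
    """Constructed scenario: one clean file, one swapped payload, one malicious file."""
    gate = DownloadGate()
    url_a = "http://downloads.example/setup.exe"  # constructed URL
    url_b = "http://downloads.example/codec.exe"  # constructed URL
    clean_bytes = b"MZ...constructed clean installer..."
    swapped_bytes = b"MZ...same URL, different bytes..."
    bad_bytes = b"MZ...constructed dropper..."

    results = [gate.check(url_a, clean_bytes)]         # HOLD: never scanned
    gate.record_scan(url_a, clean_bytes, clean=True)   # scanner reports back
    results.append(gate.check(url_a, clean_bytes))     # ALLOW: digest matches
    results.append(gate.check(url_a, swapped_bytes))   # DELETE: digest mismatch
    gate.record_scan(url_b, bad_bytes, clean=False)
    results.append(gate.check(url_b, bad_bytes))       # DELETE: scanned malicious
    return results
```

The digest comparison is the part that matters: a verdict keyed on URL alone is defeated by a server that serves the scanner one file and the victim another (cloaking on User-Agent or source IP is routine for malware distribution), so the release decision has to be tied to the bytes that were actually scanned.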
Then prove it. The IP of my Windows machine at home is 66.25.165.182. Come on, little script kiddy, show me your stuff.
What malware should I be worried about on my Samsung Chromebook?
* Carthago Delenda Est *
displays 3 million warnings of unsafe websites to 400 million users a day
I didn't RTFA, but doesn't that look like it doesn't add up? 400 million users are displayed 3 million warnings? I guess it means 400M users are warned from 3M identified sites?
Fear is the mind killer.
For years, I have had machines on the net that never used any antivirus. And so far, no virus on them either. Nice to have a system that is designed not to be vulnerable. (There is the occasional software security error, but they usually get fixed before anyone has time to exploit them.)
If you care about security, don't bother with Windows - or any system that needs third-party security add-ons to work reliably. Windows has a series of design errors, in addition to the occasional programming errors. Running everything with admin privileges, automatically running code embedded in email and documents, automatically running code off the web (ActiveX) and so on. And who knows what new sillinesses they have, now that these things are slowly getting fixed.
Oh yeah? Stupid easy - ok. Compromise my machine then. Windows 7 64 bit, I've been lazy about patching it, haven't done so for about a month. My IP address is 24.107.113.55, and I've set my pc as the DMZ for all inbound traffic. I'll be at work for about 8 hours, I'll leave it running. Good luck.
mov ah, 4ch
int 21h
1and1 has been a host for me for some time.
Then I got flagged by Google as having malware and I was like... wtf... I don't even actively use those sites. So, I FTP'd in and downloaded some files; there was an injection of code in all of my index.htm(l) and default.htm(l) files.
Now, I've had 1and1 since they came to the US. I had a plan back then that had all the goodies, ssh access to my shell for my sites, so it was easy to administer.
Well, "because of new policies" my old service was changed to another... like the cell companies moving you around on new plans. My new plan has no ssh access.
What's worse, 1and1 refused to give me shell access so I could take care of all of those malware files.
Let me repeat... A HOSTING PROVIDER REFUSED TO GIVE ME ACCESS TO MY OWN SITE TO CORRECT A MALWARE ISSUE!
Nice huh?
So, like I said, since I don't really use those sites, I just deleted them all via FTP and told 1and1 to go fuck themselves. I put up what I needed that was important (after cleaning) on an EC2 "free" instance.
-AI
For me, it is far better to grasp the Universe as it really is than to persist in delusion
Strangely enough, I just got my first ever warning from the safe browsing service about 10 minutes ago. Visiting a website that I go to regularly... I'm glad they caught that one site getting compromised at least as I place very little confidence in AV software nowadays.
http://tech.slashdot.org/story/11/08/16/200209/IE-9-Beats-Other-Browsers-at-Blocking-Malicious-Content
Google: "But it's hard!"
That said, I'm not particularly thrilled with a browser feature that tells you where not to go on the internet. I'd rather be able to go there and not get infected by browser exploits. Drive-by downloads I'm not worried about. Embedded PDFs I'm not worried about. (I uninstalled the Adobe plugin. Any PDFs are downloaded rather than opened.) That pretty much just leaves the browser, Flash, and Java. And even Java should warn me before starting an applet.
1. use a more secure OS (meaning anything other than MS-Windows): a Linux distro or one of the flavors of BSD
.. and if any of those unknown websites wants you to download something or run a plugin within the browser DO NOT LET IT...
2. keep two web browsers: one with plugins and goodies for websites you know are known safe like slashdot, youtube, & etc... but never use that fancy browser with the plugins for general purpose web browsing
3. for general purpose web browsing and looking into unknown websites use a locked down and secured web browser that does not even have any plugins and with javascript disabled,
I know this is just elementary & incomplete but it is a good start...
Politics is Treachery, Religion is Brainwashing
Gladly, but first you need to prove that the IP of your home machine is what you say it is.
Surprisingly enough it's in one of RoadRunner's residential IP blocks ("Allocations for this OrgID serve Road Runner residential customers out of the Austin, TX and Tampa Bay, FL RDCs").
He should have at least made it interesting, like 209.251.178.99.
You are missing the point, and are not the OP.
mov ah, 4ch
int 21h
That's not what the web works like. The people endangered by malware are your neighbors (particularly your male neighbor because he's watching porn all day, and we all know women don't watch porn). Your neighbors are people who hardly know what "Browser" means, have once heard about this "Microsoft Linux" thing and will buy a new PC when their current one gets slow. This is the majority of the society, and you can't fix it by adding more instructions and manuals to every piece of software.
I got into your computer and turned it off, it's inappropriate to waste energy like that. Think of the environment!
Why is that surprising? This just in: someone's home computer will be using an IP within a residential block of their ISP! STOP THE PRESSES!!!
Except that anything I post you will attempt to claim doesn't prove anything and you'll slink away like a chickenshit. You either are going to have to believe me or not. I don't really care.
I got into your computer and turned it off, it's inappropriate to waste energy like that. Think of the environment!
And to teach him a lesson I downloaded Glitter.
I'm fairly sure that a simple web-page or telnet reply saying "This is HarrySquatter (1698416), tukang (1209392) please come in for /. story 1328237" would've been sufficient.
But that doesn't prove anything. Could I not just as easily be at someone else's computer doing that? Once again, nothing I can do or so is going to be something irrefutable so he's either going to have to man up and just prove himself or slink off like a chickenshit. I honestly don't give a flying fuck.
The surprising part is that you posted your real IP address. The one I posted is what resolved for fbi.gov (I know, I'm not terribly creative).
For someone who doesn't give a flying fuck, you seem to be religiously replying to this thread.
NoScript.
Seriously, how is any script going to hit your computer if you have them completely disabled? Oh, wait, three words: Windows Metafile vulnerability.
Could I not just as easily be at someone else's computer doing that?
What would that accomplish? So somebody else's Windows computer could be hacked.
Anyway, your Slashdot user ID number is stored in plain readable text in the cookies.sqlite file, which would be the most obvious way to determine if you'd got into the right computer. If you wanted to, I mean...
Granted, that same cookie could probably be used to access your Slashdot account, but I'm confident he'd never do that...
You misunderstand. I don't give a flying fuck if tukang does or doesn't believe me or does or doesn't attack my computer because my point is that if the original poster wants to prove his laughable statement that he has my information to do so. Most likely he won't because he's wrong and is most likely a chickenshit the same as tukang.
My point is that any evidence I can give can easily be faked. Nothing I can do or say is 100% irrefutable evidence. Hell I could be posting from my friend's computer that is running Slackware instead of Windows and we could be doing nothing but laughing at tukang. He's never going to know if that's true or not despite what I can say to the contrary.
My IP address is 127.0.0.1. Come get some.
No doubt. But the overall point was that Windows is "stupidly easy" to compromise, and if that's true it presumably wouldn't be that hard to determine that the computer at that IP wasn't even running Windows. Anyway, I still think you should have posted the IP address for the FBI or CIA or some other spook agency on the outside chance that he'd really try to break in.
You are making yourself look like a complete jackass. Just, FYI.
I just hacked in and checked your browser history. Good God, man! Don't you know just thinking about that shit is illegal in all but like 3 countries??
The soylentnews experiment has been a dismal failure.
It can't be. That's my IP address
Come on, people. UF FTW.
Captcha: "toying"
Oh noes! My entire life is going to fall apart because an AC on slashdot has called me a jackass. Oh wait, I already know I'm a jackass and don't really care.
I'm not afraid of little script kiddy boy. If someone wants to try their hand, they are more than welcome.
I got into your computer and turned it off, it's inappropriate to waste energy like that. Think of the environment!
I can't tell whether this is a joke or not. The GP's IP is not responding to ping and nmap reports the host is down (I know that these don't mean anything on their own, but deep down, I so wish parent isn't joking!)
Google used to have a problem with malware and phishing sites being hosted on their own Google Sites. Once they plugged that hole, the malware moved to Google Spreadsheets. Because you can put HTML in Google's spreadsheets, it can be used as a free hosting service. Google hadn't anticipated this, and their abuse operation couldn't handle it.
Google seems to have plugged the spreadsheet hole now. I noticed recently that Google has disappeared from our major domains being exploited by active phishing scams. There were pages hosted by Google which were in Google's own "this site may harm your computer" blacklist. So their hostile-site detection wasn't coupled to their abuse department. That was kind of embarrassing, but until we publicized it, it didn't get fixed.
Basic truth - run a free hosting service, a free "forms" service, a free "poll" service, or a free URL direction service, and you will end up hosting phishing sites and related annoyances. If you run a free service, you must have an automatic check against the major phishing blacklists, or you will be pwned. This week's big sites being abused by phishers are "piczo.com" (social networking for teenage girls), "webs.com" and "moonfruit.com" (free hosting), and "t35.com" (which, the last time we contacted them, has one poor abuse guy trying to deal with a daily tide of phishing pages by hand).
Those sites are used by the bottom-feeders of the malware/phishing world. The big guys buy hosting with stolen credit card numbers, use botnets, and contract with "bullet-proof hosting services."
There is progress. "Open redirectors" are more or less gone from major sites. Over the last three years, MSN, Yahoo, eBay, and Facebook have all had open redirectors. Publicity and nagging put a stop to that. Slowly, too slowly, IE6 is dying out.
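The "open redirector" the post mentions, as an added example that is not from the page or from any of the sites it names: the vulnerable redirect handler beside one that only accepts a same-site path. The site origin, the `next` parameter and the URLs are assumptions for the demo; the hardened version rejects the usual bypass shapes (absolute URL, `//host`, `///host`, backslashes, `javascript:`).

```python
from urllib.parse import urljoin, urlsplit

SITE = "https://www.example.com"  # assumed origin of the site doing the redirecting


def open_redirect(next_url: str) -> str:
    """Vulnerable: sends the user wherever ?next= says. A phisher mails
    https://www.example.com/login?next=https://evil.example/login and the
    victim sees a trusted domain at the front of the link."""
    return next_url


def safe_redirect(next_url: str, site: str = SITE) -> str:
    """Hardened: accept only an absolute path on our own site, otherwise go home."""
    home = urljoin(site, "/")
    # Browsers treat backslashes in URLs as slashes, so normalise before parsing;
    # '/\\evil.example' would otherwise look like a harmless relative path.
    candidate = next_url.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    # Any scheme or host means it is not a local path: 'https://evil.example',
    # 'javascript:alert(1)' and the protocol-relative '//evil.example' all land here.
    if parts.scheme or parts.netloc:
        return home
    # Must be an absolute path, but not start with '//': browsers parse
    # '///evil.example' (any run of leading slashes) as a host, urlsplit does not.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return home
    resolved = urljoin(site, candidate)
    # Belt and braces: whatever urljoin produced must still be on our host.
    if urlsplit(resolved).netloc != urlsplit(site).netloc:
        return home
    return resolved
```

An allowlist of full destination URLs is stricter still where the set of legitimate targets is known; the path-only rule above is the minimum that closes the redirector without breaking `?next=/account` style logins.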
And to teach him a lesson I downloaded Glitter.
Totally disproportionate actions like this are the reason hackers are classified as terrorists.
Experience (do not install any software without making a diff of your registry before and after) and sensible software configuration (like no script in wmv, no script in pdf, ..., no script in any kind of document except a web page, with everything from the ad servers around the world blacklisted) works even better, but it is less convenient.
Jehovah be praised, Oracle was not selected
The surprising part is that you posted your real IP address. The one I posted is what resolved for fbi.gov (I know, I'm not terribly creative).
LMAO creative indeed.
"We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
hey, that's the combination to my luggage!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I'm thinking of environment variables, hope that counts..
Don't worry, I'm ok. I do use the Windows fw, which blocks ICMP.
mov ah, 4ch
int 21h
Wrong! It's 12345.
Sorry, but gray text on gray background is making my eyes bleed.
You killed my brother.
I mean, my computer.
If you say so, but all I'm saying is, it's lulz enough if script kiddie boy tries hacking the FBI and gets caught.
Simply because "I can't get burned IF I never go into the 'malware-in-general kitchen'" period (& yes, even sandboxing's been KNOWN to have been broken through in the past by malware (think chroot JAILS as an example thereof)):
So, what's better here (& even better if added in with sandboxie + other "layered-security"/"defense-in-depth" methods in my p.s.s. section below)? THIS IS:
My custom HOSTS file currently protects me vs. 1,571,476+++ (& growing every 15 minutes) KNOWN bad sites/servers/hosts-domains that are KNOWN to be either maliciously scripted, or serving up malware-in-general, plus spamming/phishing sources as well as botnet C&C servers.
HOW/WHY/WHEN/WHERE? Read on!
(Do use 0.0.0.0 on most OS, but Windows 2000/XP/Server 2003 can use a smaller one, in plain 0 as a blocking "IP Address" even (thus, smaller HOSTS files result, & their entries are parsed FASTER that way, line by line, w/ no "loopback operation" occurring @ all, due to "blackhole routing", & NO "ABE warning" problems, noted here -> http://hackademix.net/2009/07/01/abe-warnings-everywhere-omg/ either))
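A builder for the kind of HOSTS file described above, as an added example that is not the poster's own tooling: it merges several blocklists that are already in HOSTS format, drops invalid names and duplicates, keeps hand-pinned favourites ahead of the blocklist, and writes every block entry against 0.0.0.0. The two list bodies and the pinned address (a TEST-NET-1 address) are constructed for the demo.

```python
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Names that must keep resolving locally and never be sent to the sink address.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_hostname(name: str) -> bool:
    """Cheap syntactic check so a typo in a blocklist can't produce a junk entry."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs from HOSTS-format text; comments and blank
    lines are ignored and one line may name several hosts: '0.0.0.0 a.example b.example'."""
    pairs: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        pairs.extend((address, name.lower()) for name in names)
    return pairs


def build_hosts(blocklists: list[str], pinned: dict[str, str], sink: str = "0.0.0.0") -> str:
    """Merge blocklists into one HOSTS file body.

    blocklists: HOSTS-format texts whose hostnames should be sent to `sink`
    pinned:     hostname -> IP for sites you hard-code; these win over any blocklist
    sink:       0.0.0.0 makes the connect() fail immediately; 127.0.0.1 would hit
                whatever listens on loopback (a local web server, say)
    """
    blocked: dict[str, None] = {}  # dict keeps insertion order and de-duplicates
    for text in blocklists:
        for _address, name in parse_hosts(text):
            if name in _LOCAL_NAMES or name in pinned or not is_hostname(name):
                continue
            blocked[name] = None
    lines = ["127.0.0.1 localhost", "::1 localhost"]
    lines += [f"{ip} {name}" for name, ip in pinned.items()]
    lines += [f"{sink} {name}" for name in blocked]
    return "\n".join(lines) + "\n"


def demo() -> str:
    """Two small constructed blocklists (overlapping, with one junk name and one
    entry that would block a pinned favourite) plus one pinned site."""
    list_a = (
        "# constructed list A\n"
        "127.0.0.1 ads.example   # some lists still use loopback as the sink\n"
        "0.0.0.0 tracker.example evil.example\n"
        "127.0.0.1 localhost\n"
    )
    list_b = (
        "# constructed list B\n"
        "0.0.0.0 TRACKER.example\n"    # duplicate of list A, different case
        "0.0.0.0 bad_host.example\n"   # underscore: not a valid hostname
        "0.0.0.0 favourite.example\n"  # would block the site pinned below
    )
    pinned = {"favourite.example": "192.0.2.10"}  # constructed TEST-NET-1 address
    return build_hosts([list_a, list_b], pinned)
```

Two caveats a practitioner should keep in mind: HOSTS matches exact hostnames only (no wildcards, so `ads.example` does not cover `cdn.ads.example`), and it does nothing for a URL that uses a raw IP or for a program that resolves names through its own resolver instead of the OS stub. Pinned addresses also go stale, which is why the post's advice to re-verify them regularly matters.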
20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added "layered"/"defense-in-depth" security:
1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).
2.) Adblock blocks ads in only 1-2 browser family, but not all (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).
3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.
4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).
5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current)).
* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting an IP address in your browser won't always work IS WHY. Some IP addresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!
6.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpage's content, nor as much as a DNS server does while it runs. HOSTS files are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can.
7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).
8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:
GOOD INFORMATIO