Re: AV detection of malware during real-time web browsing (cache, java, etc)?
"Art" <null@xxxxxxxxx> wrote in message
news:gri142tqqcmj2hk1giibvjjuckrqnskk4i@xxxxxxxxxx
On Sat, 15 Apr 2006 00:47:53 -0700, "* * Chas" <dnafutz@xxxxxxxxxxxx> wrote:

Yesterday I tried for several hours using IE6 with "Medium" (default)
setting for Internet Zone, and KAV 6 Beta set as paranoid as possible
as my alerting tool. Tons of porn, cracks, warez, and virii download
sites and nothing!!

I have a few ideas on ways of obtaining blacklisted URL lists which I
plan to follow up on today. I've given up on trying to just troll for
bad sites since it's turning out to be just a big waste of time and
effort.

Art, here's an example of a bad dead link. The original web URL is:

http://www.wilderssecurity.com/showthread.php?t=93155

The link is for SoftwareDiner.com

http://www.softwarediner.com/

It takes you to:

http://luckyluxorcasino.com/

And what? No dingys there for me. Did NOD32 alert? Does it still alert?

Thanks to Dave Lipman who sent me a couple of lists of possibilities,
I managed to snare a couple of real baddies. They are both porn sites,
and they both attempt various IE exploits. What's rather interesting
in these two cases is:

1. IE must be set to Medium (default) security or lower in order for
KAV 6 to alert. If IE is set to Maximum security, KAV 6 doesn't alert.
2. KAV 6 doesn't alert when using Firefox or Opera (latest versions)
with javascript enabled (I don't have Java installed).
3. Trying again this morning, the situation with both URLs is
different. In one case, an apparently legit and harmless page has
been substituted. In the other case, the porn and porn links are
there but apparently not the exploit code. No alerts at all. So these
clowns are obviously trying to be clever and tricky.

#3 probably explains (partially) why I only found two baddies out of
maybe twenty or thirty on Dave's lists. The site owners make sure
the exploits aren't always there. In other cases, there seems to be
some sort of blocking in effect somewhere along the line. I just see
a Fedora Core Test Page. I don't know what's going on in those cases,
but there are a large number of them and I can't get through to any
alleged bad sites.

Anyway, the inconsistencies make it very difficult to do any kind of
study. Now you see it, now you don't. I had originally thought that
I might test the effectiveness of various realtime scanners using a
goat machine since it would likely get infested with malware whenever
a scanner failed to do its job. But the damn targets have to stay in
place long enough to run the tests. And I would need quite a number
of stable targets to make the test worthwhile and significant. Doesn't
look like this is going to happen.

Art

It seemed like the site was trying to DL a toolbar???

I didn't get any warning from NOD32 but I also run an old popup blocker
AdSubtract 2.55. I use it to stop ads, popups and unders. It's probably
not the best but it lets me easily clean out selected cookies and IE
temp files and it will block some trash.

Chas.
