An open community 
of Macintosh users,
for Macintosh users.

#19277 - 11/19/11 09:38 AM Firefox Add-ons
Bensheim Offline

Registered: 08/16/09
Loc: UK

#19282 - 11/19/11 01:20 PM Re: Firefox Add-ons [Re: Bensheim]
Bensheim Offline

Registered: 08/16/09
Loc: UK
I note that this site has no WoT rating...

#19284 - 11/19/11 03:20 PM Re: Firefox Add-ons [Re: Bensheim]
tacit Offline

Registered: 08/03/09
Loc: Portland, Oregon, USA
There are a lot of services which purport to tell you which sites are trustworthy and which are not. McAfee SiteAdvisor (which has a browser plug-in) is the largest and best-known of these, but there are dozens of others.

In my experience tracking and documenting malware, none of them are worth a toss.

There are a lot of problems with the idea of such a system, the largest of which is scale. As you've observed, FTM doesn't have a Web of Trust entry. We do have a SiteAdvisor rating, but we're too small to have been noticed by the other ratings services.

There are, according to Netcraft, about 266,848,493 registered and active domains as of the start of 2011, with about 7 million new domains being registered each month. If you look at Web pages as opposed to sites, there are billions--depending on who you ask, somewhere between 4 billion and 6 billion. It is not possible to scan them all for malware or other problems in anything like real-time, especially not if you want to keep that database updated regularly.

Which brings up the second problem, stale data. Just because a Web site is safe today doesn't mean it will be safe tomorrow. One of the favored tricks of malware distributors is to hack existing, safe sites and plant hidden redirectors to computer viruses or Trojans in them. This happens surprisingly frequently; if you run Web software like WordPress or Joomla or vBulletin and you don't keep on top of security patches, it's virtually guaranteed that you'll get hacked. Doesn't matter how obscure your site is--the bad guys use automated software capable of scanning millions of pages an hour searching for exploits.

And it isn't just little guys, either.,,,, and other high-profile, big-name sites have been used to spread malware because they've contained programming errors that have been exploited to plant redirectors.

Even if your site has no exploits and you keep on top of security, that does no good if your Web hosting company has a security hole in their server or control panel software. Several years ago, iPower Web, a hosting company that hosts hundreds of thousands of sites, got hacked. They refused to admit the hack for more than eleven months, and during this time, nearly all of the sites they host were used to spread the W32/Zlob Windows malware and the OSX/RSplug.A Mac malware.

Right now, the big-name hosting company Dreamhost has a similar security problem going on; I'm seeing a LOT of Dreamhost sites compromised and used to plant redirectors. I've been in communication with Dreamhost many times over the last month and so far they refuse to admit they have a problem.

And it gets worse, too. The bad guys are becoming increasingly sneaky about hiding the hacks. The Dreamhost compromise I'm seeing right now does some sophisticated checking of the browser type and the browser referrer before it redirects visitors. If you are just surfing to a hacked site, it doesn't redirect you. If you arrive from a Google search, it looks at your browser type and your Google keywords; if they are not on a specific list, it doesn't redirect you. So the spiders and bots that companies like McAfee use? They will see the normal, innocent Web site code--they'll never know about the redirector. Only visitors who use certain browsers and arrive from Google with certain search terms will get redirected. (I wrote up a detailed analysis of how this hack attack works in my blog.)

And none of that helps at all when the malware is being spread by poisoned advertising banners. Eastern European organized crime is infamous for setting up phony companies, with phony Web sites and business licenses and the whole shebang, and buying banner ads from mainstream businesses like Doubleclick, Google, and Bing. The ads contain code that, after a certain amount of time, starts redirecting people to malware downloaders. The poisoned ads often contain lists of IP addresses belonging to the ad companies, so that when the ads are being checked by Google or Bing, they never redirect to malware, they only go to legitimate-looking sites.

And as if that wasn't bad enough, the bad guys will put multiple redirectors between a hacked site and the malware, so that the scanners have trouble connecting them. A legitimate site, say, will redirect visitors to a traffic loader site. The traffic loader site has a list of a dozen or more other redirection sites. It picks one at random, then sends the visitor to it. That traffic redirector will send the visitor to another traffic redirector, which sends the visitor to another, which sends the visitor to the actual site that drops the malware. At each step, the traffic redirectors may scan the browser type and referrer, so that if it looks like the visitor isn't an ordinary Web user (say if the visitor is a spider or bot), the redirectors won't redirect to the malware.

The maps of redirectors can get quite complicated, as I blogged about here; this diagram shows the traffic redirection network that was being used by the Zlob gang a couple years ago.

So, the short version is: In my experience, lists of "bad" and "good" Web sites are essentially worthless.
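As an added illustration (not code from tacit's post or from any real rating service), here is the kind of check a site auditor can run to surface the browser- and referrer-keyed cloaking and multi-hop redirector chains described above: request the same URL under several request profiles, follow each redirect chain with a hop cap, and flag any profile whose final destination differs from what a scanner-like profile sees. All hostnames, User-Agent strings and responses are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Profile:
    name: str
    user_agent: str
    referer: str

# Request profiles: a rating crawler, a direct visitor, and a Windows browser
# arriving from a Google search (the case the post says gets redirected).
PROFILES = (
    Profile("scanner", "SiteAdvisor-Bot/1.0 (constructed)", ""),
    Profile("direct", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6)", ""),
    Profile("google_ie", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
            "https://www.google.com/search?q=free+video+codec"),
)

# Constructed stand-in for live HTTP: (url, profile name) -> (status, Location).
# Placeholder hosts; the shape mirrors hacked site -> loader -> hops -> dropper.
FAKE_WEB = {
    ("http://hacked-blog.invalid/", "scanner"): (200, None),
    ("http://hacked-blog.invalid/", "direct"): (200, None),
    ("http://hacked-blog.invalid/", "google_ie"): (302, "http://loader.invalid/in"),
    ("http://loader.invalid/in", "google_ie"): (302, "http://hop-a.invalid/r"),
    ("http://hop-a.invalid/r", "google_ie"): (302, "http://hop-b.invalid/r"),
    ("http://hop-b.invalid/r", "google_ie"): (302, "http://dropper.invalid/setup.exe"),
    ("http://dropper.invalid/setup.exe", "google_ie"): (200, None),
}

def fetch(url, profile):
    """Stand-in for a real request that would send profile.user_agent/referer."""
    return FAKE_WEB.get((url, profile.name), (200, None))

def follow_chain(url, profile, fetcher=fetch, max_hops=10):
    """Follow redirects; return the ordered list of URLs visited (start first)."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = fetcher(chain[-1], profile)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        if location in chain:  # loop guard
            return chain
        chain.append(location)
    return chain  # hop cap reached: suspicious in itself

def detect_cloaking(url, profiles=PROFILES, fetcher=fetch):
    """Report profiles whose final host differs from the scanner profile's view."""
    chains = {p.name: follow_chain(url, p, fetcher) for p in profiles}
    baseline = urlsplit(chains["scanner"][-1]).hostname
    return {name: {"final_host": urlsplit(c[-1]).hostname, "hops": len(c) - 1}
            for name, c in chains.items()
            if urlsplit(c[-1]).hostname != baseline}
```

Only the search-referred browser profile is flagged, and the hop count shows the redirector layering that a single-request scanner never sees.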

#19293 - 11/20/11 11:28 AM Re: Firefox Add-ons [Re: tacit]
Bensheim Offline

Registered: 08/16/09
Loc: UK
Dear Tacit

Thank you so much for your long reply, which is really appreciated. I trust your wise words completely and have now disabled/uninstalled that plug-in.

You are a wonderful resource and long may you reign.

Best wishes,

