Saturday, November 25, 2006

McAfee SiteAdvisor Green Lights Notorious Malicious Sites

McAfee's SiteAdvisor is a great idea and I've been a big fan as it helps avoid many bad sites. However, they're obviously not catching certain things that some of the more clever malicious site owners are doing to avoid their detection. This has led to them green lighting one of the most malicious sites I've seen and this guy has a bunch of them just waiting for unsuspecting visitors.

In this instance, SiteAdvisor gave a completely false sense of security.


CAUTION: Some of the links below may try to inject a worm or trojan.


Here are the results for http://www.euc2005.com/, which claim it's perfectly safe, which is blatantly wrong:



The info balloon claims they've scanned it and it's clean... WRONG!


Here's the site when you click to visit http://www.euc2005.com/:


I clicked the link "Czym jest GIS", which claims to be loading DIRECTIONS, and up pops the bogus search page and my anti-virus goes off claiming that the site was attempting to install a trojan from http://tisall.info/e/us02/e.cab. Additionally, note the yellow warning bar at the top of MSIE 7 claiming the site was trying to install an add-on to the browser at the same time.


SiteAdvisor would do themselves a favor by just red-flagging anything that is related to Inhoster, where the trojan attempted to download from, as they appear to be a haven for spammers, scrapers and other malicious activity, and numerous bad references to their hosting can be found all over the net.

Just for giggles I checked a few more bad domains I knew, and SiteAdvisor hadn't checked any of them yet. However, this one below blew my mind because all of the URLs displayed in Yahoo were the actual CAB files themselves, and SiteAdvisor didn't even warn me that clicking on a .cab file might be a bad idea.


Come on guys, this is a no-brainer: if you actually find a listing in a search engine linking directly to the virus or worm file, or a suspicious file type such as a .cab or .exe, you should at least put up the yellow CAUTION symbol at a minimum.

IMO the real fault here isn't that McAfee SiteAdvisor missed these files, it's that the browser allows certain files to be executed randomly without asking. For the love of god, the browsers have options to ask per site if you want a stinking COOKIE, which can do no immediate harm to your computer. Yet something as vulnerable as MSIE can install trojans that just started downloading automatically, without warning or controls, and only when it looked like something was an add-on did I even get a warning from MSIE 7.

What's most amazing is that both Firefox 2 and MSIE 7 are NEW RELEASES yet still vulnerable to some particularly nasty problems that have been around for ages, and neither of them did anything to protect against this in their latest releases.

Is everyone at these browser companies asleep at the wheel?

Hopefully SiteAdvisor can figure out what they missed that allowed this rogue site to be green-listed and avoid these problems moving forward, as it's obvious they're the only ones even trying to help, as the browsers just let the problem remain in all their new versions.


P.S. The company hosting these sites, theplanet.com, has been notified about the problem and we'll all be watching to see if these domains continue to function.

1 comment:

Shane Keats said...

Hi, it's Shane Keats from SiteAdvisor. Thanks for catching http(colon)//www.euc2005.com. Our exploit crawl is really good but it's not perfect. The other sites you mentioned we haven't crawled yet - that's why we show the big question mark. We'll add them to the queue. Thanks again!