Tuesday, June 17, 2008

AVG 8 LinkScanner Fiasco Recap

For those of you that might've missed the whole AVG 8 LinkScanner disaster and ensuing AVG reputation nightmare, here's a quick recap and links to places to read all the details.

Webmasters started noticing a rash of requests from widely distributed IPs with the same user agent, no referrer, and a few other technical quirks I won't go into now, which suddenly started pounding their sites:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)
At first I thought it looked like a botnet scraper, but someone soon figured out it was related to the new release of AVG 8, which included a LinkScanner amusingly called "Safe Search". It is now not-so-safe, since everyone knows how to spoof it.

The story was first broken on WebmasterWorld, then again on The Register, then a follow up on WebmasterWorld and a few other places. The best part of the story on The Register actually unfolds in the comments section which is now over 200 posts but has some good comments if you're willing to wade through it all.

It appears this Safe Search link scanning was a knee-jerk reaction to McAfee's SiteAdvisor. SiteAdvisor uses stale search results to flag sites with known exploits. However, Safe Search, much to everyone's dismay, hits all sites in real-time to check for exploits for every single search. The most amusing aspect is that the very AVG feature which is supposed to make the internet safer has been attacking sites and has become malware itself.

Here's a list of all the major points so far:

1. AVG 8 appears to be causing an escalating DDoS attack as more and more AVG users upgrade, causing some sites to be hit by many thousands of unique IPs per day.

2. AVG's Safe Search is causing webmaster analytics worldwide to be totally skewed unless you filter out the ";1813" user agent.

3. AVG 8 is exposing its customers' information to sites those customers didn't even visit, potentially setting them all up for some future exploit. At a minimum they'll be targets for direct marketing to switch to a new AV product, with savvy affiliates making out like bandits.

4. The Safe Search link scanner has the potential to automatically access sites that aren't allowed at work, could violate your ISP's AUP, or may be illegal in some jurisdictions. This could result in a reprimand, losing your ISP, or potentially being flagged in honeypot sites for illicit activities.

5. Malicious sites can already fake out the Safe Search code, which appears to put users of the free AVG 8 at risk. The risk is that you only get Safe Search, the link scanner which is being spoofed, but you don't get Safe Surf, which stops HTML exploits as you load the page. It appears you need a paid version of AVG 8 to actually be protected from online exploits, so be careful where you surf using the free version of AVG 8.
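To make points 1 and 2 concrete, here is a small log filter I've added to this recap (it is not code from AVG or from any of the webmasters quoted here). It parses Apache/nginx "combined" format lines, separates hits carrying the ";1813)" user agent with no referrer from real visitors, counts how many unique IPs the scanner came from, and breaks the scanner hits down by HTTP status, which is also how you would see the 403s tmaster describes in the comments below. The log lines are constructed for the example; the IPs, paths and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample of "combined" log lines. The ";1813)" user agent is the
# signature the post describes; every other value here is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
198.51.100.7 - - [17/Jun/2008:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/search?q=foo" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.0"
203.0.113.11 - - [17/Jun/2008:10:01:09 +0000] "GET /about.html HTTP/1.1" 403 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
203.0.113.10 - - [17/Jun/2008:10:02:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
192.0.2.55 - - [17/Jun/2008:10:03:00 +0000] "GET /contact.html HTTP/1.1" 200 1024 "http://www.example.com/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# Apache/nginx "combined" format: ip ident user [ts] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_linkscanner(rec):
    """The signature from the post: a UA ending in ';1813)' and no referrer.
    Requiring both keeps a real MSIE 6 visitor arriving by direct link out of the bucket."""
    return rec["ua"].endswith(";1813)") and rec["ref"] == "-"


def summarize(log_text):
    """Split scanner traffic from real visitors and return the numbers a webmaster cares about."""
    scanner_ips = set()
    scanner_status = Counter()
    real_pageviews = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than miscount them
        if is_linkscanner(rec):
            scanner_ips.add(rec["ip"])
            scanner_status[rec["status"]] += 1
        else:
            parts = rec["req"].split()
            path = parts[1] if len(parts) > 1 else rec["req"]
            real_pageviews[path] += 1
    return {
        "scanner_unique_ips": len(scanner_ips),   # point 1: how distributed the load is
        "scanner_status": dict(scanner_status),   # e.g. 403s from a bot blocker
        "real_pageviews": dict(real_pageviews),   # point 2: analytics with the scanner removed
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real access log by reading the file into `summarize()`; on the constructed sample it reports two scanner IPs, one of which was served a 403, and only two genuine page views left once the scanner is filtered out.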

Well, that's the recap in a nutshell.

This just goes to show you how the best intentions can have disastrous results when people don't think about the consequences of their actions, especially when dealing with an installed base of this scale.


Anonymous said...

I think what this really shows is a breakdown in professional programming standards over at AVG. The developers of this 'feature' that AVG bought in clearly need to go back to school.

You just can't code any apps - especially web apps - without understanding the complex IT environment apps have to work in.

A big part of this is having a technical understanding of the upstream and downstream interactions it might have with other systems. This is bound to be messy and complex when you have 70 million users, so developers have a responsibility to not just throw their shit out the door onto customers' PCs before it is properly piloted and tested. Sloppy stuff, bordering on negligent, IMHO.

Another big issue in coding is also understanding who your stakeholders are when you are developing an app. In this case the legitimate stakeholders are not just domestic end users on home PCs, but also legitimate web content publishers, and corporate IT managers too, who have real issues about the arrival of these new AVG features that AVG have totally failed to account for.

Their developers are either just totally lazy, or totally stupid, or just plain irresponsible and un-professional for unleashing this 'feature' onto the Internet without proper design or planning.

This sloppy coding - with its unintended consequences and opening up of new security vectors - calls into serious question their security credentials too.

My trust level in them has dropped about 90%, and I don't think I'd be able to recommend them to any corporate clients again.

tmaster said...

Just tested this on my site and bad-behavior rejects the bot with a 403 error.

So the bot does not send the proper headers and is blocked by BB.

AVG sees this block as the site being safe. So the check is not worth the bandwidth it uses. It doesn't even work because it cannot access websites or blogs protected by BB, and it doesn't even understand that it is getting an error and reports the site as safe.

Not only that, once you get blocked by BB for using a bot you won't be able to visit that site and will get an error page informing you that you have a bot running on your system.

Johann said...

Bill, do you block these user agents or do you let them through?

I blocked them at first but I was under the impression that people would not visit the page if the scanner got nothing but a 403.

IncrediBILL said...

I redirect them to, um, uh, their creator ;)

Ban Proxies said...

An AV company that doesn't understand content delivery parameters. What the .... is going on here!!!

Uninstall now!

Jason said...

AVG is a horrible application... wish it would die!

Anonymous said...

Looks like they changed their ways. If you don't see the huge orange banner at the top of the site, the text of it is:
Community alert! — The LinkScanner component of AVG Anti-Virus 8.0 is causing undue load on popular websites such as Whirlpool, and wastes your bandwidth. If you (or anyone you know) use any AVG products, we urge you to consider superior alternatives such as Avast, Avira, and others.