Posts Tagged ‘website reputation’

Analyzing Popular CMSs: Are Joomla Users at Risk?

February 1st, 2010

In this series of articles, we will be discussing issues relevant to popular Content Management Systems (CMS). These software packages make it relatively simple for web-administrators and lay people to host a website or an Internet forum and manage the content on it. Using a CMS, one can easily keep track of various versions of web-pages, allow visitors to contribute to the pages and host complex discussion forums too.

CMS software packages have gained widespread popularity owing to the easy-to-use interface they provide to web-administrators. CMS packages can be easy to set up. Most web hosting companies already have CMS packages ready to be set up on their clients’ accounts; all the clients need to do is click a button in their hosting control panel! Furthermore, maintaining web-pages using CMS software takes away the pain of keeping track of multiple versions, manually granting user permissions and other mundane issues.

Joomla is a prime example of a popular CMS package. With thousands of downloads and upwards of 7,000 followers on Twitter, this CMS package is extremely popular among web-administrators and content publishers. Joomla offers the flexibility to manage content easily, add attractive themes and customize web-pages to your heart’s content. All this can be achieved without having any programming experience.

In this series of posts, we will be looking at five popular CMSs. Joomla is the first one on which we will focus.

The aim of the experiment:

  • To determine the number of Joomla sites using older versions of the CMS package (and hence vulnerable to attacks).
  • What associated scripts do Joomla users use in addition to core Joomla functionality?
  • What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed Joomla. Understandably, not all 100,000 websites would actually be using Joomla. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by Joomla. Each website was also cross-referenced with the Google Safe Browsing List. The experiment was completed between January 27th and January 29th, 2010.

We present the most interesting results in brief:

This limited experiment showed that there is a correlation between Joomla installations and vulnerabilities targeted by hackers to spread malware. It will be interesting to compare this trend with the trends of the CMS packages that we will analyze in the coming days. Nonetheless, it is heartening to see that none of the websites hosting Joomla 1.5 were actually listed on Google’s Safe Browsing List.

Till next time.

How Safe are Internet Website Directories?

January 23rd, 2010

Recently, we told you that Dmoz.org, one of the largest user-edited directories on the Internet, is also one of the safest directories. Directories such as Dmoz.org contain links to hundreds of thousands to millions of sites. These directories are categorized by volunteers or through automated means. Many search engines, including Google, Hotbot and others, potentially use data from these directories. These directories are also used as efficient lookup services by thousands of web-surfers who want to locate sites which belong to a very specific category.

Given the important role that these directories play in the Internet, one would expect that they would make an attempt to point only to websites which are “safe.” By “safe,” we mean sites which have not been injected with malware, via code-injection attacks or other attack vectors.

We are not picking on Dmoz.org here. We were very impressed to see that none of the 2.8 million sites we profiled were present on the Google Safe Browsing List. This could indicate that sites listed on Dmoz.org are concerned about their image, hence care about their visitors, and take appropriate precautions against malware.

To follow up on our previous article, we have further analyzed 10,000 sites, randomly chosen from the Dmoz.org corpus of nearly 2.8 million websites. Each of the 10,000 sites was tested against each of the website reputation services below.

Note: When verifying a domain name or URL against the Google Safe Browsing List, we calculated the hash of the website name to match against the list. The test was conducted between January 19th and January 21st, 2010. The list of domain names tested is presented at the end of this article.

We identify the most interesting results below:

  1. McAfee SiteAdvisor marked 0.39% of domains as Unsafe, 84.23% as Safe, 15.08% as Untested and 0.3% as Potentially-Unsafe.
  2. Norton Safe Web marked 0.39% of domains as Unsafe, 59.02% as Safe, 39.79% as Untested and 0.8% as Potentially-Unsafe.
  3. Google Safe Browsing marked 0.02% of domains as Unsafe, 99.98% as Safe.
    Note: The presence of the hash of the domain name being tested, on the Google Safe Browsing List, is interpreted as “Unsafe” while its absence is interpreted as “Safe.”
  4. Microsoft Bing marked 0.06% of domains as Unsafe, 93.2% as Safe, and 6.74% as Untested.
  5. Comodo Site Inspector marked 0.08% of domains as Unsafe, 99.46% as Safe, and 0.44% as Unreachable.
    Note: We were only able to test the first 5000 URLs with Comodo Site Inspector.

McAfee SiteAdvisor and Norton Safe Web seem to detect nearly 19 times more websites as “Unsafe to Visit” than Google, and nearly 6 times more websites as “Unsafe to Visit” than Bing. It is interesting to note the order-of-magnitude difference in the number of websites marked as “Unsafe to Visit” by these competing services.

We would like to know how long McAfee, Norton or Bing cache results for a particular site. Google allows webmasters to request reviews when they believe the site has been disinfected, and Comodo’s service seems to be an On-Demand service. This makes for an interesting starting point for a future experiment. Further, it would be interesting to see whether sites listed on the Yahoo Directory and other directories are classified by these services.

Website-Reputation Services Agree to Disagree

January 17th, 2010

We have recently published statistics comparing various website reputation services and have received good feedback over private channels regarding our article. In this sequel we add Microsoft’s Bing malware filter to the comparison with other website reputation services.

At StopTheHacker.com (Jaal LLC) we have conducted tests of 721 URLs, all of which have been reported as malicious by volunteers of various blacklists. We follow a similar format for presentation of results as in the last post.

Website Reputation services: agree to disagree.


Note: All 721 domains/URLs were reported as malicious and were collected from malware.com.br on January 14, 2010. The blue column (maximum 100) indicates the percentage of sites that the website-reputation service correctly identified as unsafe. The orange column (maximum 100) indicates the percentage of sites that the website-reputation service incorrectly identified as safe.

The aim of the test:

  1. Identify the accuracy of the website reputation service
  2. Identify the overlap in terms of safe/unsafe websites

We present the most interesting results in this article. First we detail the parameters of the testing procedure to provide an idea of how the test was set up.

First, 721 URLs were collected from malware.com.br (mbr) on January 14, 2010. These URLs are reported for listing by one or more of the following: individuals, organizations, agencies and software products or services.  For the purposes of this test we assume that all the URLs obtained from the “regular” list on mbr are malicious and hence deemed “unsafe” to visit.

We compare the reputation provided by each website-reputation service and observe how many websites are marked unsafe, safe, untested, maybe-unsafe/caution/potentially-unsafe, and unreachable.

Website-reputation services tested:

Note that when checking a domain name/URL with the Google Safe Browsing API, we calculated the MD5 hash of the website name to match against the malware hash list. We conducted this test on January 15, 2010. The list of domain names tested is presented below and a graph representing the statistics for the 721 sites tested is above.

We identify the most interesting results below:

  1. McAfee SiteAdvisor marked 36.75% of domains as Unsafe, 27.18% as Safe, 32.32% as Untested and 3.74% as Potentially-Unsafe.
  2. Norton Safe Web marked 41.75% of domains as Unsafe, 45.49% as Safe, 4.3% as Untested and 8.32% as Potentially-Unsafe.
  3. Google Safe Browsing marked 5.96% of domains as Unsafe, 94.04% as Safe.
    Note: The presence of the hash of the domain name being tested, on the Google malware hash list, is interpreted as “unsafe” while the absence is interpreted as “safe.”
  4. Microsoft Bing marked 0.69% of domains as Unsafe, 34.26% as Safe, and 65.05% as Untested.
  5. Comodo SiteInspector marked 0.19% of domains as Unsafe, 95.82% as Safe, and 4.08% as Unreachable.

This follow-up experiment also shows that the variance between website reputation services that are currently being offered by large Internet-services/security companies continues to be very large indeed.

After discussions with representatives of the companies mentioned in this article, and getting a better idea of their behind-the-scenes methodologies, it seems that these website reputation services will continue to “agree to disagree.” We welcome their comments.

A note on differences between website reputation services:

Some of the services scan pages and some scan parts of a site. Some scan for potential “signs” of an infection, while others scan for the “postmortem” effect of an infection, such as an exploit being launched. Furthermore, the time difference between one of the services testing a web page or site and another one testing the same web page can also complicate issues. At StopTheHacker.com we recognize the current limitations of website reputation services that are being offered by the industry.

In conclusion, while website reputation services have come a long way, they still have an even longer path to tread in order to become something that users should trust implicitly.


How Good Are Website-Reputation Services?

December 21st, 2009

Websites on the Internet have now become the standard modus operandi for spreading malicious software to infect personal and corporate environments. A large number of benign and well-meaning websites are compromised every day by hackers inserting malicious code to, in turn, infect the computers used by visitors to the hacked site. One of the ways to combat this is to develop a website reputation mechanism which can warn of potential threats before visiting a compromised site.

Website-reputation services vary wildly in their opinions


Note that all 350 domains were reported as malicious and were collected from malware.com.br on December 18, 2009. The blue column (maximum 350) indicates the number of reported malicious sites that the website-reputation service correctly identified as bad. The orange column (maximum 350) indicates the number of reported malicious sites that the website-reputation service incorrectly identified as safe.

Website reputation services have been around for nearly 5-7 years now. They initially developed as a niche product line that could provide an opinion of a site’s reputation, and have grown into full-fledged offerings which provide advisories about websites: whether they are distributing malware and, if they are, what kind, and using which Autonomous Systems.

At StopTheHacker.com (Jaal LLC) we have conducted tests with 350 domain names, all of which have been reported as malicious by volunteers of various blacklists.

The aim of the test is to:

  1. Identify how accurate the website reputation services are
  2. What is the overlap in terms of safe/unsafe websites

We have found some interesting results which we present in this article. First we detail the parameters of the testing procedure to provide an idea of how the test was set up.

350 URLs were collected from malware.com.br (mbr) on December 18, 2009. These URLs are reported to this website for listing by one or more of the following: individuals, organizations, agencies and software products or services.  We assume for the purposes of this test that all the URLs obtained from the “regular” list from mbr are malicious and hence deemed “unsafe” to visit.

We compare the reputation provided by each website-reputation service and observe how many websites are marked as unsafe, safe, untested, maybe-unsafe/caution/potentially-unsafe, and unreachable.

Note that when checking a domain name with the Google Safe Browsing API, we have had to calculate the MD5 hashes of the website names to match against the malware hash list. We conducted this test on December 21, 2009. The list of domain names tested is presented below and a graph representing the statistics for the first 350 sites tested is above.

We have identified some of the most interesting results below:

  1. McAfee Siteadvisor marked 32.5% of Domains as Unsafe, 22% as Safe, 43% as Untested and 1.7% as Potentially-unsafe.
  2. Norton Safeweb marked 50.86% of Domains as Unsafe, 43.71% as Safe, 2.29% as Untested and 3.14% as Potentially-unsafe.
  3. Google SafeBrowsing marked 10.86% of Domains as Unsafe, 89.14% as Safe. Note: the presence of the hash of the domain name being tested, on the Google malware hash list, is interpreted as “unsafe” while the absence is interpreted as “safe”.
  4. Comodo Siteinspector marked 0.29% of Domains as Unsafe, 98.86% as Safe and 0.86% as Unreachable. Note: after feedback from Comodo, a retest was conducted, accuracy changed from 0.29% -> 1.2%.

This limited test is a first step towards showing how much variance there is among the website reputation services that are currently being offered by large Internet-services/security companies. To highlight this point we present immediately below the relatively few domains (~6% of the total domains tested) that were marked as bad by all three major services, Norton, McAfee, and Google.

In brief:

  • 6% of domains tested were marked as “unsafe” by all 3, McAfee, Norton and Google
  • 10% of domains tested were marked as “unsafe” by Norton and Google
  • 22% of domains tested were marked as “unsafe” by Norton and McAfee
  • 5.7% of domains tested were marked as “unsafe” by Google and McAfee
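
The per-service percentages and the overlap figures above can be computed as in the following added example, which is not code from the original article or its authors. The domains, service names, verdicts and hash list are constructed, the normalization applied before MD5 hashing is an assumption, and the overlap calculation generalizes to any number of services.

```python
import hashlib
from itertools import combinations

# Constructed sample input: placeholder domains, not from the article's test set.
DOMAINS = ["a.example", "b.example", "c.example", "d.example", "e.example"]
# Constructed stand-in for a malware hash list: MD5 hex digests of listed names.
HASH_LIST = {hashlib.md5(d.encode()).hexdigest() for d in ("a.example", "d.example")}
# Constructed verdicts from two hypothetical services with richer labels.
VERDICTS = {
    "ServiceA": {"a.example": "unsafe", "b.example": "unsafe", "c.example": "untested",
                 "d.example": "safe", "e.example": "safe"},
    "ServiceB": {"a.example": "unsafe", "b.example": "safe", "c.example": "unsafe",
                 "d.example": "unsafe", "e.example": "untested"},
}

def hash_list_verdict(name, hash_list):
    """Hash present on the list means 'unsafe'; absent means 'safe'."""
    # Assumption: names are lowercased and stripped of a trailing dot before hashing.
    normalized = name.strip().lower().rstrip(".")
    digest = hashlib.md5(normalized.encode("utf-8")).hexdigest()
    return "unsafe" if digest in hash_list else "safe"

def build_table(domains, verdicts, hash_list):
    """Merge service verdicts with the hash-list lookup into one table."""
    table = {svc: dict(v) for svc, v in verdicts.items()}
    table["HashList"] = {d: hash_list_verdict(d, hash_list) for d in domains}
    return table

def distribution(table, domains):
    """Percentage of domains per verdict label, for each service."""
    result = {}
    for svc, verdicts in table.items():
        counts = {}
        for d in domains:
            label = verdicts.get(d, "untested")  # no answer counts as untested
            counts[label] = counts.get(label, 0) + 1
        result[svc] = {k: round(100 * n / len(domains), 2) for k, n in counts.items()}
    return result

def unsafe_overlap(table, domains):
    """Percentage of domains marked 'unsafe' by every service in each combination."""
    result = {}
    services = sorted(table)
    for size in range(2, len(services) + 1):
        for combo in combinations(services, size):
            hits = sum(all(table[s].get(d) == "unsafe" for s in combo) for d in domains)
            result[combo] = round(100 * hits / len(domains), 2)
    return result
```

Because a binary hash-list lookup can only answer “unsafe” or “safe”, it never reports “untested”, which is worth keeping in mind when comparing its “safe” percentage with services that do.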

Update: December 28, 2009

After receiving helpful feedback from representatives at Comodo, we were informed that Comodo’s service could provide more accurate answers if complete web page locations were checked instead of just the domain name. We followed the advice and saw a definite increase in Comodo’s accuracy. Comodo marked 1.2% of the website/pages as malicious. Prior to this re-test, the same service marked 0.2% of the websites as unsafe. The graph at the beginning of this article does not represent the results of this re-test.