Showing posts with label malware. Show all posts

Friday, October 16, 2009

Firefox Gets Proactive

I don't use Firefox as much as I used to. Chrome is just so much faster that I almost invariably turn to it first. But Firefox's rich collection of add-ons is so useful that when I have time and feel like some random web surfing, I'll usually fire up both Firefox and Chrome and use them side by side.

Tonight when I fired up Firefox, I was confronted by this dialog box. A bit aggressive, no? Actually no. It turns out that Microsoft's Firefox add-ons expose Firefox users to malware attacks. I'd noticed this little piece of news this morning and by nightfall when I fired up Firefox, it was already uninstalling the Microsoft add-ons. That's a pretty fast turnaround time for cleaning up a problem which was only recently discovered.

Now if only Firefox could identify the add-ons that are slowing it down....

Friday, July 10, 2009

Malware Goes Mobile


Two new stories by ZDNet caught my eye today. The first is a story about a piece of malware which attacks Symbian-based phones (most Nokia phones use some version of this operating system) by pretending to be a legitimate piece of third-party software and spreads through SMS messages. This was news to me as I didn't realize that mobile malware was so common (this was the latest of many Symbian viruses and differs from them only by being more transmissible). This is an unfortunate development arising from the fact that phones have gotten so much more powerful these days.

The second story interested me mainly because I recently wrote something about this. Basically, you had a group of websites which got flagged by Google as malicious because the advertising network which they use was flagged as potentially carrying malicious code. And ironically enough, the advertising network claims that their ads were clean and that only the website was attacked. Either way, it all adds up to a headache for everyone involved: users, website operators, and ad providers alike.

These stories caught my attention in part because they have become so commonplace. Our happy high-bandwidth Internet with its mobile access and fancy web apps is fun and exciting but it also creates new avenues for the bad guys to attack us.

Wednesday, January 28, 2009

Malware Comes to Android

Android Community reports that an application in the Android Marketplace called MemoryUp Personal destroys user data and spams users. A quick search of the Android Market as of 1AM Central Time turns up no such app, but a quick search of the Android Community forums shows numerous threads dedicated to this app, mostly complaints and several comments about this application being pulled from the Android Market. There are too many threads for me to go over right now (it's late and I'm sleepy) but the point is pretty clear. Avoid this application: at best it doesn't work and at worst it can damage your phone.

As the original Android Community story points out, the fact that this application showed up in the Android Market at all raises some serious questions about Google's selection process for Market applications which seems to be to greenlight everything and only pull stuff later if people complain. It makes for a disturbing contrast with the iPhone App Store which is often criticized for being too overbearing and reluctant to approve apps. Presumably, a malware application would never make it into the Apple App Store which routinely rejects perfectly legitimate and useful applications. There has to be a middle ground between Apple's overbearing strictness and Google's not so benign neglect. I hope that someone at Palm is studying this incident because when the Palm Pre comes out with its App Store, they will be prime targets for these kinds of shenanigans.

Friday, July 25, 2008

You May Already Be Under Attack....

Slashdot has an interesting link to an article about the fact that malware authors have been targeting Blogger (which is the blogging engine that powers this blog along with millions of others) heavily. Since Blogger is owned by Google, this means that about 2% of all malware is hosted by Google. There are three big reasons for this:
  1. It is easy to automate setting up a blog on Blogger
  2. It is easy to set up Blogger to redirect links to another site
  3. Blogger is owned by Google so its blogs are automatically indexed by Google's search engine

As a result malware authors are drawn to Blogger and set up 16,000 malicious web pages every day—Google simply can't flag and delete these pages fast enough. It's an interesting phenomenon that is repeated over and over again. Call it the "Windows Effect"—a computer product or service becomes so popular that it becomes ubiquitous and it will inevitably be targeted and attacked by hackers. Just like Windows in general and Internet Explorer in particular have been (and still are) popular targets for hackers, now it's Google's turn. And it's not just Google either. MySpace and Facebook are also popular malware targets. Congratulations guys, you've been pulled into the same infamous club that Microsoft has been trying to kick and scream its way out of for years.

Wednesday, July 9, 2008

Old Palm Website Flagged "Bad" By Google

While browsing Palmaddicts, I came upon a link to an article at The Inquirer with a misleading headline suggesting that Google was pronouncing PalmOS utilities as dangerous to your computer. In fact, Google actually is referring to the hosting website as shown in this screenshot:



When you actually click on the "This site may harm your computer" link you get this page:


It's not too informative except for the final comment which explains that, "In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message." The first comment in the original Inquirer article gives us a better explanation than either Google or The Inquirer, pointing us to another Inquirer article. It seems that a few months ago, crackers began to take advantage of a flaw in Microsoft's SQL Server software which allows them to inject malicious code into web pages. Most webmasters have since fixed that problem, but palmsource.com is actually an old website for PalmSource, the company which owns Garnet (the official name for version 5 of the Palm Operating System) and which was bought by ACCESS a couple of years ago. Since buying PalmSource, ACCESS has sold the Palm name back to Palm and is working to build a new operating system with a new name. So it appears that ACCESS never bothered to update their old website even after a serious exploit made it vulnerable to being hacked. This makes me wonder if ACCESS will approach their new OS with the same care.

Sunday, July 6, 2008

People Actually Read This?

I found an interesting comment attached to my post about AVG's LinkScanner identifying itself as IE6. Pat Bitton says:

Following is AVG's official response to LinkScanner concerns:

We’d like to thank our web community for bringing these challenges to our attention, as building community trust and protecting all of our users is critical to us. We have modified the Search-Shield component of LinkScanner to only notify users of malicious sites; this modified version will be rolled out on July 9th 2008. As of this date, Search-Shield will no longer scan each search result online for new exploits, which was causing the spikes that webmasters addressed with us. However, it is important to note that AVG still offers full protection against potential exploits through the Active Surf-Shield component of our product, which checks every page for malicious content as it is visited but before it is opened.

I couldn't find any reference to this on AVG's website but it's late and I wasn't looking too hard. A quick Google search leads to a blog post which links to comments from an article by The Register on the controversy. Among those comments is one by (presumably the same) Pat Bitton:

Response from AVG
By Pat Bitton
Posted Saturday 14th June 2008 02:59 GMT

Hi, folks. Pat Bitton from AVG here. This issue has clearly raised some concerns that we had not anticipated, and we acknowledge that we need to do something. Our primary purpose with LinkScanner, as Roger Thompson has pointed out, is to protect users against web-based threats that they cannot see. These threats are also usually invisible to web site operators, who presumably also don't wish to be unwittingly passing infections on to their visitors. This kind of problem can and does affect all types of web sites, big or small, and is extremely transient - which is why we don't use the static database approach cited by some as a viable alternative. Over the next few days, we will be exploring ways in which we can continue to deliver informed protection as unobtrusively as possible without adversely impacting site analytics. Any webmaster reading this post who is interested in working with us constructively to reach this goal is welcome to contact me at pat.bitton(at)avg.com.

These two comments suggest that AVG is taking this problem seriously and is working hard to fix it. Hopefully their update will do just that. In the meantime, I've reinstalled AVG antivirus without the Safe-Search component which includes LinkScanner. I've done this even though Firefox 3 is not affected by LinkScanner because AVG's Search Shield extension doesn't work with the newest version of Firefox. But you never know when you'll want or need to use Internet Explorer, right?

Ultimately, the problem of malicious websites installing drive-by malware is a real one and it is good to see antivirus companies trying to do something about it. Basically what we have here is an arms race between the malware authors and security software authors. What is happening now is a lot like what happened with old computer viruses which would infect any executable file on your computer which led antivirus software to scan every program that tries to run on your computer. The same thing is going to start to happen now with web pages.

Saturday, June 28, 2008

Is AVG Bad For Websites?

A new website called AVG Watch claims that a component in AVG's antivirus product can overwhelm web servers by hitting them hard and downloading pages in an attempt to determine if they are hosting malware that can infect your computer. Another website complains that this component also hurts websites financially by skewing their traffic statistics which affects their ad revenue.

The component is called LinkScanner:
"LinkScanner works with both Internet Explorer and Firefox, and consists of two features, AVG Active Surf-Shield and AVG Search-Shield. AVG Active Surf-Shield prevents you from accidentally becoming infected by drive-by downloads and other exploits, ensuring the web pages you visit are safe at the only time that really matters - when you are about to click the link. AVG Search-Shield works with Google, Yahoo and MSN search engines to deliver a real-time safety verdict on all search results, including search ads, displaying an icon to show the safety rating for each site."
That's a direct quote from the documentation of AVG Anti-Virus Free 8.0 describing LinkScanner.

AVG Watch seems pretty steamed about the practice, comparing it to a Denial of Service Attack. They claim that according to their own tests LinkScanner will download a page it encounters during a Google search hundreds of times more than necessary, leading to a lot of stress on web servers as the number of people using the latest version of AVG Anti-Virus grows.

This seems like a worrisome possibility for me since I've always sworn by AVG for protecting my computers from viruses and other malware. Recently, AVG has been giving me problems with false positives and now this....

There is one ironic post-script to this episode. I have been using Firefox 3 as my main browser since its second Beta version and right now AVG Safe Search, which presumably allows AVG to run LinkScanner within Firefox, is not compatible with the latest version of my favorite browser. So it seems that none of this applies to me right now. I'm neither "protected" from accidentally clicking on evil websites nor inadvertently "attacking" good websites. Still, it's an interesting issue.