SiteAdvisor Adds Search Safety

Since its inception, Security Fix has warned Microsoft Windows users to be extremely wary of clicking on Web links that arrive via instant messenger or e-mail, as these are the most common ways that malware spreads online today. But the sad truth is that for many Internet users, clicking on unfamiliar links that turn up in Google, MSN or Yahoo search results frequently exposes them to security risks.

For the past few weeks I've been surfing the Web with the help of the beta version of a browser add-on called SiteAdvisor, a tool that offers users a fair amount of information about the relative safety and security of sites that show up in Internet searches. As I played around with this program, it became clear that this is a tool that not only allows users to make informed security decisions about a site before they click on a search result link, but it also holds the potential to fuel a more informed public dialogue about the often murky relationship between Fortune 500 companies and the spyware and adware industry.

But more on the Fortune 500 stuff later. SiteAdvisor is a browser add-on for Firefox or Internet Explorer that tries to interpret the relative safety of clicking on Web search results. With SiteAdvisor installed, each listing is accompanied by a small color-coded icon that indicates whether the software developers have received any reports of scammy, spammy or outright malicious activity emanating from the site.

The software gets its intel from a proprietary "spidering" technology that crawls around the Web much the same way as search engines do. The company's spiders browse sites with the equivalent of an unpatched version of IE to see if sites try to use any security exploits to install spyware or adware on a visitor's machine.

"Our attitude is, if a site gives you an exploit with an older version of IE, it's probably not one you want to visit with a newer version," said Chris Dixon, one of SiteAdvisor's co-founders.

If you use IE and try to visit any site that the program has seen using security vulnerabilities to install software, the program immediately redirects you to a SiteAdvisor page offering more information on the threat posed by the site (users can still choose to visit the site if they so wish after the initial warning). All such sites will earn a big red "X" next to their search listing, as will others that threaten to bombard subscribers with junk e-mail or have questionable relationships with third-party advertisers or shady Web sites.

Hover over the red "X" with your mouse arrow and a small window appears urging you to exercise "extreme caution" in visiting the site. If you then visit the site, a red dialogue box emerges that offers a brief description of why SiteAdvisor doesn't like it.

SiteAdvisor also may assign a green check mark (all clear), a yellow exclamation point (some fishy behavior found) or a grey question mark (not enough info to assign a rating yet), though I only encountered one or two grey marks in my browsing. Regardless of the rating a site receives, each time you hover over a rating it gives you an unobtrusive dialogue box that includes a "more info" link which users can click on to read a more detailed description of the threat as SiteAdvisor sees it.


Google listing for "lyrics" flagged by SiteAdvisor

I searched for "lyrics" in Google (song-lyrics sites are notorious for using exploits to install adware and spyware), and at the time of this writing the first results page turned up two listings earning red marks. Clicking on the "X" next to lyricsplanet.com, for example, brings up a page that includes a ton of additional info, including a warning that reads: "In our tests, we found downloads on this site that some people consider adware, spyware or other unwanted programs."

Drill down to the link underneath that says "More Detailed Analysis," and we see that the badware Lyricsplanet tries to install is known as "ImIServer IEPlugin," which earns a six out of a possible 10 on SiteAdvisor's "Nuisance Score." Below the meter is a link to anti-spyware vendor PestPatrol's writeup on this bugger, which flags it as adware that bombards the user with pop-up ads and tracks their online activities.


Google listing for "lyrics" flagged by SiteAdvisor

I decided to test SiteAdvisor's claims by visiting Lyricsplanet.com with a fresh (unpatched) Windows XP version of IE, and received a pop-up asking me if I wanted to install IEPlugin. My testing was interrupted by a phone call, but when I returned to the browser I noticed another installation pop-up that said "Install Search Update?" with a radio button already checked for me next to the text "I accept the agreement." My options were "accept" or "finish," and I had to uncheck the agreement box to unmask the "abort" option. Hitting "abort" popped up another box that said "Please click yes to proceed with installation." I clicked no, and the box closed, only to reveal the "Intelligent Explorer" toolbar installed on my desktop and in all IE windows.

A look in Windows' "Add/Remove Programs" list showed that the site had also installed three other programs: "Netmon," "Command" and another program called "Tsa.exe." All of these are designed to either snoop on your browsing habits or randomly generate pop-up ads, according to writeups at various anti-spyware forums that track programs like IEPlugin. I received all of that after having declined the installation.

When I went back to the site again and accepted the install of IE plugin, I was immediately bombarded with a massive number of pop-up ads for companies including Verizon Wireless, Cingular and Classmates.com. Shortly after displaying about nine such ads, Internet Explorer crashed, taking the pop-ups with it.


SiteAdvisor's "Nuisance Meter" for LyricsPlanet.com

Click on the red X next to the other suspicious listing on our "lyrics" search results in Google -- a "sponsored link" paid for by www.rewardsgetaway.com -- and we find that this site was flagged because users who sign up can expect to receive no fewer than 134 e-mails a week as a result. SiteAdvisor knows this because on any site that asks for an e-mail address, the company signs up with a unique e-mail address that is not used anywhere else for any other purpose. That way, the company can track how many e-mails users can expect to receive from a given site each week should they fork over their e-mail address.


SiteAdvisor tracks junk e-mail from Rewardsgetaway.com
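
The unique-address technique described above can be sketched as follows. This is an added example, not SiteAdvisor's code: the key, the catch-all domain probe.example, the site names and the sample inbox are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import format_datetime, getaddresses, parsedate_to_datetime

SECRET = b"constructed-demo-key"   # assumption: key known only to the tester
MAIL_DOMAIN = "probe.example"      # assumption: catch-all domain the tester controls
SITES = ["rewards.example", "news.example"]  # constructed site names


def address_for(site: str) -> str:
    """One address per site, never reused; the HMAC tag keeps it unguessable."""
    tag = hmac.new(SECRET, site.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{MAIL_DOMAIN}"


def weekly_mail_rate(raw_messages, sites):
    """Attribute each message to the site its recipient address was given to.

    Returns ({site: messages per week}, count of unattributed messages).
    """
    owner = {address_for(s): s for s in sites}
    stamps = defaultdict(list)
    unattributed = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        rcpts = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
        site = next((owner[r] for r in rcpts if r in owner), None)
        if site is None:
            unattributed += 1
            continue
        stamps[site].append(parsedate_to_datetime(msg["Date"]))
    rates = {}
    for site, seen in stamps.items():
        # Observation window: first to last message, never shorter than a week.
        days = max((max(seen) - min(seen)).days + 1, 7)
        rates[site] = round(len(seen) * 7 / days, 1)
    return rates, unattributed


def constructed_inbox():
    """Constructed sample mail: 2/day for 14 days to one address, 1 to another, 1 stray."""
    start = datetime(2006, 2, 1, tzinfo=timezone.utc)

    def mail(to, when):
        return f"To: {to}\nDate: {format_datetime(when)}\nSubject: offer\n\nbody\n"

    inbox = [mail(address_for("rewards.example"), start + timedelta(days=d, hours=h))
             for d in range(14) for h in (0, 12)]
    inbox.append(mail(address_for("news.example"), start + timedelta(days=3)))
    inbox.append(mail("someone@" + MAIL_DOMAIN, start + timedelta(days=5)))
    return inbox


if __name__ == "__main__":
    print(weekly_mail_rate(constructed_inbox(), SITES))
```

The To header is read here for brevity; on a real mailbox the envelope recipient recorded by the mail server is the reliable field, since bulk mail is often sent with the recipient hidden.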

Here's where the part about Fortune 500 advertisers comes in. Check out each "more info" page and you'll see a graphic that shows which other sites have an advertising relationship with the Web site you're examining. For example, SiteAdvisor says Lyricsplanet.com is linked via advertising (pop-ups, banner ads or e-mail promotions) to absolutelyrics.com, a site which the software flagged as deceptive or fraudulent.

At first, it was difficult to understand why absolutelyrics.com received such a bad review. After all, it didn't try to foist adware onto my browser or bombard me with requests to sign up for spammy e-mail lists. Rather, SiteAdvisor's advertising relationship graphic shows it has ties to a slew of Web sites offering to sell software or other products available elsewhere for free. Absolutelyrics.com is related to several sites asking for a fee to register immigrants in the U.S. Green Card Lottery -- a legitimate program that grants U.S. visas to about 50,000 people each year at no cost.


SiteAdvisor's ad relationship analysis for Absolutelyrics.com

Browse the Web long enough with SiteAdvisor and you'll find this kind of dynamic at work most prominently in paid search ads. Enter "Internet Explorer" in Google and you'll see that the top paid result is for a site called "freedownloadhq.com," which tries to sell you a copy of IE. Microsoft gives IE away for free (indeed, you'd be hard-pressed to find a version of Windows that doesn't include it). Google for "Winamp," a popular media player (available for free from the legit site) and you'll see freedownloadhq.com at the top again. You might be asking whether people can get fooled by this type of trick, but if the complaints at just this one site are any indication, there are plenty of takers.


Care to purchase some free software?

At an anti-spyware coalition conference in D.C. last month, FTC Commissioner Jonathan Leibowitz noted that the only way to really make a dent in the adware and spyware problem is to "out" the big companies who pay shadowy third-party adware companies to market their products. SiteAdvisor could be an incredibly useful tool in helping reporters and researchers do just that. The company is making access to its databases free for non-commercial use under the Creative Commons license.

"I bet a lot of these larger companies would freak out if [their executives] knew exactly who they were paying to run their ads, because a lot of the bad practices we're seeing ... [are] happening because advertising companies [go] through five levels of intermediaries to get their clients' ads out there," Dixon said. "The public shaming of these companies is critical, because it takes away the 'plausible deniability' excuse."

Each SiteAdvisor site profile contains a "comments" space where any registered reviewer can add their 2 cents. Dixon said the company is working on a "reputation-based system" that would allow fellow members to rate the comments of SiteAdvisor members, thus giving more weight to reviews offered by individuals with a better reputation.

The company is headed by Dixon and a bunch of other students and graduates of the Massachusetts Institute of Technology, and as such it has received a fair amount of venture funding from Bessemer Venture Partners. Its board of directors includes Ben Edelman, one of the nation's preeminent anti-spyware activists and a Ph.D. student at Harvard University, and Avi Rubin, a professor of computer science at Johns Hopkins University.

Dixon said the company's long-term plan is to offer its basic services for free, charging only those companies that want to incorporate the technology into their products, such as instant-messaging applications or e-mail clients.

A couple of minor gripes about SiteAdvisor: For one thing, while there are exploits that allow malicious sites to install software on unpatched Firefox browsers, SiteAdvisor does not currently scan sites for these threats. Also, the company's site database is extensive, but not authoritative. I found a handful of Internet addresses that have been flagged by anti-virus and anti-spyware firms as serving up malware that were marked "safe" by SiteAdvisor. (The company appears to have fixed a problem that blocked site evaluations if users had chosen to nix IE pop-ups.)

By Brian Krebs  |  February 28, 2006; 7:43 AM ET
Categories:  Safety Tips  

Comments

Preset options, hidden options, confusing options are so often par for the course whether it be so called reputable software or more questionable software. Things done regardless or without warning is also prevalent. Even to reputable so often forget whose computer it is. The best thing is to avoid free and cheap software. After all the reality is that there is a greater demand for software engineers than there are people with the right aptitude to fill those vacancies. It is little wonder there are so many software problems.

Posted by: Steve | February 28, 2006 8:39 AM | Report abuse

Steve,

Judging the quality of software by its price tag is just silly. Esp. here since this article is about a free product that was created to fix flaws in a not-free product.

Posted by: Jeff | February 28, 2006 10:08 AM | Report abuse

Jeff - ??? He likes SiteAdvisor. SiteAdvisor doesn't fix flaws - it alerts you to possible dangerous activity. You want to pay another company for IE when it comes preinstalled on a PC? I got this bridge that you may be interested in...

Posted by: HP | February 28, 2006 11:37 AM | Report abuse

gad, look at all the stuff that happens when you have windows... I'm not a techie, not a geek, just a user trying to keep my life simple, and every time I read one of ur columns on all the stuff that windows systems can have done to them I go home and hug my mac....

Posted by: charlie in ogden | February 28, 2006 11:57 AM | Report abuse

Brian,

Thanks for the article, and also for including information on who is behind SiteAdvisor (instead of sticking to just a product review.) Security Fix is quickly becoming one of the main reasons I visit the Post's webpage.

Posted by: Ashley in Richmond | February 28, 2006 12:09 PM | Report abuse

Hear...hear!

I always find great information on this website and push it onto my constituents, whether they want to listen or not.


SiteADvisor will be getting a review as well from me.

THANKS> :)

Posted by: DOUGman | February 28, 2006 12:41 PM | Report abuse

Great article Brian!!

This looks like a good way to detect fraudulent websites that try to install spyware like that described in your article.

However, I would like to see better integration with the search engines like Google. To the point where the search engines don't even list these fraudster websites in their search results. That is, instead of giving a little "red x" icon, don't even list the website.

The result will be that when these fraudulent websites don't show up in (Google, MSN, etc.) search results, they will either have to clean up their websites (to start showing up) or simply fade out of existence (since they won't be "seen").

Posted by: Disappear | February 28, 2006 2:46 PM | Report abuse

Dear Brian;

Great Job! This desires a raise!

I sent a copy to almost everyone on my address list and the link to the original article.

Adware scares me. I use Norton, Webroot and Lavasoft. I set Norton to stop 2o7.net; but it keeps coming back like a bad dream.

Today, I cleaned out my prefetch folder in Windows and found the below files. They seem to know the current date. Could they be from adware/spyware?

{00000001-00000000-00000001-00001102-00000004-20061102}.BAK

{00000001-00000000-00000001-00001102-00000004-20061102}.CDF

Posted by: Hadov | February 28, 2006 4:47 PM | Report abuse

Being technically challenged, & not understanding everything you talk about, I was leery of downloading Siteadvisor, but figured there's always Uninstall! So glad I did download it. Surprising how many sites there are NOT to click onto. Wish I knew more about computers & their language! Thanks for this info.

Posted by: flaggermom | February 28, 2006 5:31 PM | Report abuse

I looked around for SiteAdvisor for Firefox both at SA and Mozilla. Where is it?

Posted by: almag | February 28, 2006 6:28 PM | Report abuse

I'm like flaggermom -- probably more so. Anyway, thanks to all of you who write - it's really helpful to read thru these comments, and learn each time I do.

Posted by: ezduzit | February 28, 2006 6:46 PM | Report abuse

Almag -- the direct download link is here: http://www.siteadvisor.com/download/

Posted by: Bk | February 28, 2006 6:55 PM | Report abuse

Brian:
Thanks for a very informative article, much needed.

Posted by: oldkec | February 28, 2006 8:34 PM | Report abuse

>>Microsoft gives IE away for free

"No extra charge up-front" does not equal "free" (besides, it's the back-end costs that get you).

>>(indeed, you'd be hard-pressed to find a version of Windows that doesn't include it).

I'm less hard-pressed to create a version of Windows that dispenses with it.
http://en.wikipedia.org/wiki/Removal_of_Internet_Explorer

>>a tool that not only allows users to make informed security decisions about a site before they click on a search result link,

I was hoping SiteAdvisor would give me an information tally like this:

[ ] Number of ActiveX controls found on this site
---- [ ] (list of names of all controls found)
---- [ ] Number of controls found on Malicious ActiveX page
---- [ ] Number of controls suspect in other ways
[ ] Number of Java programs found on this site
---- [ ] (list of names of all controls found)
---- [ ] Requires {MS-JVM} {Sun JVM} {version}
---- [ ] Number of programs found on Malicious Java page (e.g., ByteVerify trojan)
[ ] Number of active scripts found on this site
---- [ ] JavaScript
-------- [ ] any encoding? {single} {double}
-------- [ ] any IFRAMEs spawning/spawned by JavaScript?
-------- [ ] any other suspicious JavaScript?
---- [ ] JScript
---- [ ] VBScript
---- [ ] Other

. . . all without having to have ActiveX, Java, or active scripting enabled in the Internet or Restricted Sites zones: sort of like doing a WGET on the site's content, then parsing it without letting any of it directly touch the browser.

I'd expect that any site which blocks SiteAdvisor's spider(s) in ROBOTS.TXT would receive an immediate "X" verdict as having something to hide.

Posted by: Mark Odell | March 1, 2006 12:00 AM | Report abuse
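
A static tally of the kind the comment above asks for, fetching nothing and executing nothing, can be built on a plain HTML parser. This is an added example, not part of the original comment and not SiteAdvisor's code; the sample page, its placeholder CLSID and the counter names are constructed.

```python
from collections import Counter
from html.parser import HTMLParser

SCRIPT_LANGS = {"javascript": "JavaScript", "jscript": "JScript", "vbscript": "VBScript"}

# Constructed sample page; the CLSID is a placeholder, not a real control.
SAMPLE_PAGE = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000001"></object>
<applet code="Banner.class" width="1" height="1"></applet>
<script language="JavaScript">document.write('<iframe src="http://ads.example/f">');</script>
<script type="text/javascript" src="/menu.js"></script>
<script language="JScript.Encode">#@~^constructed==^#~@</script>
<script language="VBScript">MsgBox "hi"</script>
<iframe src="/static.html"></iframe>
</body></html>"""


class ActiveContentTally(HTMLParser):
    """Counts active content by reading markup only; nothing is rendered or run."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.counts = Counter()
        self.activex_ids, self.applets = [], []
        self._script = None  # buffer for the body of the <script> being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            self.counts["activex"] += 1
            self.activex_ids.append(a["classid"][6:].upper())
        elif tag == "applet":
            self.counts["java"] += 1
            self.applets.append(a.get("code", "?"))
        elif tag == "iframe":
            self.counts["iframe"] += 1
        elif tag == "script":
            self._script = []
            hint = (a.get("language") or a.get("type") or "javascript").lower()
            name = next((v for k, v in SCRIPT_LANGS.items() if k in hint), "Other")
            self.counts[name] += 1
            if ".encode" in hint:  # Script Encoder output (JScript.Encode etc.)
                self.counts["encoded"] += 1

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            # A script body that mentions iframes may create one at run time.
            if "iframe" in "".join(self._script).lower():
                self.counts["script_iframe"] += 1
            self._script = None


def tally(html: str) -> dict:
    parser = ActiveContentTally()
    parser.feed(html)
    parser.close()
    return {"counts": dict(parser.counts), "activex": parser.activex_ids,
            "applets": parser.applets}


if __name__ == "__main__":
    print(tally(SAMPLE_PAGE))
```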

Siteadvisor can be a useful complement although it forces the user to make a decision about what to click on.

If you want a true block list, one that prevents your PC from making ANY internet connection with known threat sites or advertising servers, use a customized HOSTS file and keep it updated. Instead of hooking up with a malicious web site, you simply get an error message from your web browser.

http://www.mvps.org/winhelp2002/hosts.htm

HOSTS configuration affects all connections, no matter what web browser or media player you use.

Posted by: Ken L | March 1, 2006 3:48 PM | Report abuse

Or just run Firefox.

Posted by: andrew | March 1, 2006 6:26 PM | Report abuse

I just started SiteAdvisor last week, and so far I've been happy to use its guidance to avoid visiting "bad" links based on SA's recommendation.

But I've been more impressed with the results I've gotten by using WinXP's options to make all XP request my wishes for disposal of all requests for storing cookies.

And I'm looking forward to implementing the smart "hosts" file mechanism mentioned above by Ken L.

Your article has been very helpful in the battle for a safe Internet.

Thanks for publishing it.

Posted by: Richard Muller | March 1, 2006 7:48 PM | Report abuse

Internet explorer is a horrible obsolete program. like andrew said, use firefox.

Posted by: jim | March 2, 2006 1:29 PM | Report abuse

Thnx for tip to SiteAdvisor. Question: I visit various sites daily, wherein a password is required. Occasionally, I make an online purchase requiring a password. SiteAdvisor encrypts passwords but requires the additional password only once a day. If I remain online after entering the additional password, are my other passwords and similar information no longer protected for the remainder of my online session?

Posted by: Teresa Binstock | March 5, 2006 11:47 AM | Report abuse

BK - Thanks for the SiteAdvisor information. Just downloaded and started using a little. Looks interesting. One note though. I used "porn sites" as search criteria and got page after page of green arrows which makes me wonder.

Posted by: Robert | March 5, 2006 7:27 PM | Report abuse

you think you know every thing but you dont

Posted by: ashley krebs | March 7, 2006 2:22 PM | Report abuse

Can I block sites that SiteAdvisor marks as dangerous? I mean without adding, for example, One to One at restricted sites in IE?

Posted by: Anonymous | March 11, 2006 4:40 AM | Report abuse

Very interesting and beautiful site. It is a lot of helpful information. Thanks!

Posted by: Martin | March 12, 2006 10:31 AM | Report abuse


Last night, I was doing my homework, at the moment I need the program Microsoft Word, went look through my computer, the 60 day was expired. At 2:52 a.m., I write a letter to feed back microsoft.com, to see if they can help me out, submit the letter. Later I made a subscription to Microsoft, start fill blank, as new subscriber, I give name, last name, I made new e-mail valentinanasco@hotmail, and continuous unto in finish, I accept the agreement of Microsoft. And what happen when I wake up, I can to my computer, try to finish my homework, suddenly appear on screen of my computer without put a finger to the keyboard, can anyone explain this to me. How MSN work, could happen, after I subscribe, open a link to some access my computer or could be a hackers? How know, in this cyber felony how should investigate, Microsoft or the government. For the answer my e-mail: valentinanasco@yahoo.com Thank You.

Posted by: Charles Valentin | June 28, 2006 8:41 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company