Scan sites for threats
Hi everyone,
Every day I bump into very suspicious links. Some of them are safe, but some of them link to sites that contain viruses, spyware or other threats.
I'm not talking about sites that contain infected applications/files (like the crack sites, or ****** sites), because what a user downloads is his responsibility. I'm talking about the real dangerous links that are sent through IM, which link to sites that "plant" a worm into your PC (without any help from the user, which makes many innocent users victims to these threats). Also, the links in the SPAM messages on different forums are included in this category.
As the topic title says, is there a way to know (or at least guess) if a site has this kind of malware?
I know that using Firefox (with the NoScript plugin) I'm safe (I've even tried it, and I had no problems), but I'd want to be sure if a certain link points to a worm, so that I can warn the user from which that message came (in the IM case) that he has the X or Y worm/virus/etc and what can be done to get rid of it.
So: is there a way to scan a site for malware? Maybe a site (like VirusTotal, for files), or a "manual" method (like looking at the page's source for that "something" that indicates the presence of a threat)?
I hope you understand what I mean.
Cris.
Comments
Hi Cris
If you refer to exploits, I think the http scanner can block them.
Hi vladx,
). But I want to find out for sure if/what threat that page contains, so I can warn the user I received the link from. (to stop that worm from infecting anyone else).
As I said, nothing ever gets to BitDefender, because Firefox already blocks everything (it happened one time when I reached a completely blank page, because NoScript blocked everything from that page. The source contained only
Just yesterday I received such an IM from a friend. The link pointed to a page containing the W32/Imaut.U Worm (I don't know if this worm is detected by BD, because I couldn't find it in the Virus Encyclopedia).
Cris.
Hi, Cris!
When you browse a site, its files are temporarily stored on your computer and BD scans them, and, if any of them is infected, BD will detect it (if it has its signature). Generally, those malware are in fact scripts (JS, VBS, PHP etc.), which can be very dangerous.
PS: Cris, I know you already know these things, but I posted them here for the other users who will view this topic.
Like Andrei said, Bitdefender scans them thru the http scanner and if it has signatures for the threat it will warn you.
Bitdefender scans them thru the http scanner and if it has signatures for the threat it will warn you.
You said the key word: if. But, what if it doesn't have signatures?
Just opening those pages without any certainty would mean putting myself at unnecessary risk (which I don't want). As I said in my previous post, W32/Imaut.U Worm might not be in BD's virus list (I searched Virus Encyclopedia as well as the BD generated Virus List and I didn't find it). So, that could mean that, in my attempt to stop a worm from spreading, I would become a victim and actually help the worm spread.
So, maybe I didn't make the question very clear: is there a safe way to see if a page contains suspicious scripts?
Cris.
P.S.: Don't misunderstand me, I trust BD. But my main rule is not to put myself in unnecessary risk, because BD is not perfect... nothing is.
I don't think there's any way to see if a ****** is dangerous except to analyze it and possibly executing it. The safest way to avoid this kind of problems is to stay away from strange sites, like **** sites, crack & keygen sites etc. I have a motto: Better avoid the infection instead of treating it. I try to stay away from this kind of web sites as much as I can.
Andrei
Hi Cris
You can install these addons to know if a site is safe:
siteadvisor: http://www.siteadvisor.com/download/ff.html You will see different colours and if you click on the colour then you get the description why it's an unsafe website.
Dr web link checker is also good: https://addons.mozilla.org/nl/firefox/addon/938 Here you can scan content of a link to see if there aren't threats.
That is how I verify sites if they are safe or not. But you can't be 100 % sure.
What you can do is copy the link that you received via IM into your browser and then scan with dr web link checker or see what siteadvisor says. Otherwise you can't do much other than enabling http-traffic scanning in BitDefender.
Regards
Niels
You can install these addons to know if a site is safe:
siteadvisor: http://www.siteadvisor.com/download/ff.html You will see different colours and if you click on the colour then you get the description why it's an unsafe website.
Thanks, Niels. I already tried SiteAdvisor. The link that I was talking about is not referenced there.
Dr web link checker is also good: https://addons.mozilla.org/nl/firefox/addon/938 Here you can scan content of a link to see if there aren't threats.
Thanks again. I downloaded this addon. But it says that link is 100% clean (which, obviously, is false, because my friend got himself infected from there).
Otherwise you can't do much other than enabling http-traffic scanning in BitDefender.
That is not the case, because not many of my friends use BitDefender.
I don't think there's any way to see if a ****** is dangerous except to analyze it and possibly executing it. The safest way to avoid this kind of problems is to stay away from strange sites, like **** sites, crack & keygen sites etc. I have a motto: Better avoid the infection instead of treating it. I try to stay away from this kind of web sites as much as I can.
Well, that's what I said. But the link that points to the worm that I posted is not such a site. It's a simple page that redirects you to something else (which also contains the worm, and some advertising).
Advanced users stay away from links sent through Y!Mess, but simple users (which don't know the difference between an OS and a TV) click on links which say: "Hey! I've won 100.000$ at the lottery!!! Take a look here: <link>". Who can blame them?
======================================================================
OK, thanks for your suggestions, but I see that this is not getting where I wanted. The first part of my question was answered: "is there a way to scan a site for malware? Maybe a site (like VirusTotal, for files)?" The answer is obviously NO (except for Dr. Web, which Niels posted. But that is not very reliable, considering that it failed the first check I made with it).
For the second part ("or a "manual" method (like looking at the page's source for that "something" that indicates the presence of a threat)?"), I'll try to rephrase, maybe you know something:
Is there any application that can be used to explore sites or to download a webpage (with absolutely everything that it contains... scripts, links and other things), but that won't execute anything from that page? (I only need to see the source of that page, with everything it contains).
I'm not an expert when it comes to HTML/Java/JavaScript/PHP etc... but, with some help from the Web and some of my friends which know these things, I can discover if a page tries to download something without the user's knowledge.
Does anyone know such an app?
Cris.
P.S.: I've asked my friend to send me the files which belong to Win32/Imaut.U, but I never received the email (maybe he forgot, maybe he sent the files without encrypting them and Yahoo rejected the email, or maybe he used a cleaning tool and then he realized that he has nothing left to send me). When I'll see him online I'll ask him about it (don't know when that will happen, because my friend is from Malaysia and, because of the time difference, we hardly see each other online). If I can get those files, I'll see if BD knows this virus under a different name (or it doesn't know it at all, in which case I'll attach it in the Malware section).
Hi, Cris. Yes, there might be a tool which could only download the content of a page, and save it in text format, revealing its source. It's not that hard writing one, if you know socket programming. I really don't know if such a tool exists, but if you know the HTTP protocol really well, you can use TELNET to explore the sources of "suspect" web-sites.
Andrei
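The approach discussed above (download a page's source as plain text and read it without running anything) can be sketched as follows. This is an added example, not code from any poster in the thread; `fetch_source`, `audit`, the tag list and the sample page are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.request import HTTPRedirectHandler, Request, build_opener

class NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # never follow; a 3xx is raised as HTTPError to inspect

def fetch_source(url, limit=1_000_000):
    """Download the page as inert text; nothing is rendered or executed."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("only http(s) URLs are fetched")
    req = Request(url, headers={"User-Agent": "source-viewer"})
    with build_opener(NoRedirect).open(req, timeout=10) as resp:
        return resp.read(limit).decode("utf-8", errors="replace")

# Tags that make a browser load something, and the attribute naming it.
LOADS = {"script": "src", "iframe": "src", "frame": "src",
         "embed": "src", "object": "data", "applet": "code"}
JS_HINTS = re.compile(r"\b(eval|unescape|document\.write|ActiveXObject)\b")

class SourceAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self._in_script = tag == "script"
        if a.get(LOADS.get(tag, "")):
            self.findings.append((tag, a[LOADS[tag]]))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        if tag in ("iframe", "frame") and "0" in (a.get("width"), a.get("height")):
            self.findings.append(("hidden-frame", a.get("src", "")))
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # text inside <script>: note calls often used to hide code
            self.findings += [("inline-js", m.group(1)) for m in JS_HINTS.finditer(data)]

def audit(html):
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not the page from the thread).
SAMPLE = ('<meta http-equiv="refresh" content="0; url=http://redirect.example/next">'
          '<iframe src="http://ads.example/x.html" width="0" height="0"></iframe>'
          '<script>document.write(unescape("%3Cb%3E"));</script>')
```

`audit(SAMPLE)` returns a list of (kind, detail) pairs to read by hand; an empty list only means none of these particular patterns appeared, not that the page is clean.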
Yeah, thanks for that info. But I don't know (YET) how to make apps which connect to the internet (I managed only an app that pings) and I really don't have time to start learning right now... with the BAC and the rest of those things, you know.
Anyway, if you (or someone else) bumps into a tool like that, please let me know.
Cris.
Hi Cris!
I'll let you know if I find such a tool. Maybe I will write one, I will let you know in both cases.
Good luck with your BAC exam!
Andrei
Hi Cris
What I always say is always ask if someone really sent you a link to a website or offers a download. I know that this isn't a real solution.
As far as I know, the add-ons that I mentioned are the only ones that can verify if it contains malware or not. But for siteadvisor the site must be first examined. Did you also check for updates when you used dr web link checker?
Here is a tool to download the content of a website : http://downloader.snowcron.com/index.html
or getleft: http://sourceforge.net/projects/getleftdown/
Regards
Niels
Hi Niels,
Thanks for those links. I'll try them as soon as possible.
What I always say is always ask if someone really sent you a link to a website or offers a download.
You didn't understand. I never had any problems with such viruses. I never click on those links because I know they are not sent by my friends, but by viruses. The problem was: how can I find what possible virus does my friend have, so I can help him clean his PC? Viewing the page's source can give important clues about this.
Cris.
Hi Cris
That was only a suggestion that you could give to your friend before he clicks on a link. I knew that your pc wasn't infected.
I think that your friend's computer is infected with lots of malware. That was also the case when I also disinfected a pc that also clicked on a link in a msn conversation. Most of it was a combination of spyware, trojans, keyloggers... So I think that is also the case now.
So I recommend that you let him scan his pc with superantispyware: http://downloads2.superantispyware.com/dow...AntiSpyware.exe Update it and reboot the pc into safe mode by pressing several times on the F8 button before the windows loading screen and choose safe mode. Start the program and perform a complete scan. Download also dr web cureit!: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Hopefully you can do something with the links.