McAfee released a study late on Tuesday that ranks the Web's top-level domains by how dangerous or malware-prone the sites registered under them are, and at the top of the list is the Hong Kong (.hk) domain.
The McAfee Mal Web report, which serves as a safety guidebook to risky online neighborhoods, finds that 19.2 percent of all Web sites ending in .hk pose a security threat to visitors, followed by China (.cn), the Philippines (.ph), Romania (.ro), and Russia (.ru).
By contrast, the safest domains on the Web are Finland (.fi), Japan (.jp), Norway (.no), Slovenia (.si), and Colombia (.co).
In general, the chance of downloading spyware, adware, viruses, or other undesirable software from surfing the Web increased 41.5 percent over 2007, the report found.
To arrive at these conclusions, McAfee researchers used the company's SiteAdvisor tool, which crawls the Web and clicks "yes" to test everything from downloadable software, screensavers, and peer-to-peer file-sharing clients to photo upload utilities, and e-mail and newsletter sign-ups.
The tool then monitors what happens to the test computer after it engages with each site, looking in particular for malicious downloads, browser exploits, viruses, and spyware. Each site is then rated on that observed behavior, and users who have the SiteAdvisor browser plug-in installed see the rating as a green, yellow, or red button in the browser.
Even if the greatest percentage of dangerous sites use the .hk domain, that doesn't mean they are all based in Hong Kong or that more malware distributors are located there, said Shane Keats, a research analyst for McAfee. Many sites, particularly the malicious software sites, choose the most affordable domain registrars in countries with the least regulation, so usually they are not located in that country, he said.
"They are looking for top-level domains with the least regulation, that are the easiest to maneuver and the cheapest to register," Keats said.
While registrars in China charge as little as 15 cents for a registration and others are free, sites with domains in Japan and Australia are found to be safer partly because those countries require proof that a company is incorporated to use their top-level domains, he said.
In addition, English speakers shouldn't feel safer just because many of the more risky domains are in foreign countries, because many of those sites are still presented in English, according to Keats. For instance, nine times out of 10, sites with the Romanian domain will be in English, he said.
The damage from risky sites runs from the "apocalyptic to the annoying," according to Keats.
"It can be as minimal as a pop-up track, and I can't exit out or it opens a new pop-up window and I have to reboot, (to) other sites where you just touch the site and you have downloaded software that turns the machine into a bot in a bot army that sends spam," he said.
A Web surfer has a 1-in-20 chance of "hosing" the computer if a file is downloaded at random from the Internet, while the odds increase to 1 in 10 if the file comes from an Italy (.it) domain and 1 in 7 if it comes from a Romania domain, he said.
As for online porn, those sites aren't considered any more risky than other types of sites on the Web in general, despite the common belief that they are, he said.
Because they have viable business models, porn sites don't need to use malicious software to make money. However, "when they are bad, they are really, really bad, and among the worst of the spammers and exploits," Keats said.
Top 20 top-level domains ranked by percentage of sites with red and yellow download ratings. (Credit: McAfee)
Updated May 6, 5:50 AM PDT to reflect the actual announcement from the two companies.
Yahoo and McAfee announced a partnership Tuesday under which potentially unsafe Web sites appearing in Yahoo search results will be flagged as risky.
The deal, an exclusive for Yahoo, uses McAfee SiteAdvisor technology to label a variety of potentially dangerous Web sites with red warning text and links to McAfee information about what risks the site poses. Among the triggers for a red warning message are sites that host spyware, adware, or virus-infected downloads; sites that have links to other Web sites with dangerous material; and sites that have a track record of harvesting e-mail addresses later used to send spam, the companies said.
The McAfee service flags risky Web sites in Yahoo searches with red warning text. (Credit: Yahoo)
The move, along with related technology at Google and protections now built into browsers such as Internet Explorer and Firefox, spotlights a gradual expansion of the war against computer attacks.
Mainstream computer security efforts began with antivirus software that runs on people's personal computers, spread to corporations that screen e-mail and other network traffic for threats, and are now being built into the search gateways most people use to navigate the Web. Think of it as security software as a service.
Priyank Garg, director of Yahoo search product management, has high hopes for the Yahoo service, both for user protection and for hobbling attackers who try to exploit network insecurities.
"We expect users will have more confidence when searching on the Web," Garg said.
Deal extends beyond search results
And the multiyear partnership means the McAfee technology could be used elsewhere within Yahoo, Garg said.
"We have the ability to use their data throughout Yahoo," Garg said. "All the teams throughout the company are excited to leverage this information."
That could mean some changes. Yahoo currently uses Symantec's Norton Antivirus software to check e-mail attachments sent with its Yahoo Mail service.
Yahoo is making the move to improve the clout of its search engine. In March, Yahoo was No. 2 in U.S. search with 20.6 percent of queries, according to research from Hitwise, and it lost share to Google, which had 67.3 percent.
The idea is that people will tilt toward a search engine that will better protect them. Everybody wants more safety in searching, and some folks--parents, and those running schools, Internet cafes, and libraries spring to mind--are more sensitive than usual.
The move, while helpful, isn't necessarily going to mean a dramatic difference for the company, said Forrester analyst Natalie Lambert.
"I think it's going to very much help protect Yahoo users," she said. But when it comes to where people actually choose to search, "Fundamentally it's going to come down to how good the search is, and I think Google will still lead."
Google is a formidable competitor here too. It already has protections of its own against sites that try to install malware through browser vulnerabilities: the company visits Web sites in virtual machines to check for ones that launch attacks, and those that do are flagged in search results with the warning, "This site may harm your computer."
Currently, Google doesn't check downloads for viruses, look for e-mail harvesting schemes that feed spam operations, or examine outgoing links that could lead to dangerous Web sites, said spokesman Michael Kirkland. However, he wouldn't rule out that sort of possibility.
"It makes sense to assume Google has a vested interest in keeping its users safe and the Web safe overall," he said.
Curtailing Web attacks?
The Yahoo service could make life significantly harder for those who would attack people's computers, however.
"We see millions of clicks on some of these sites through our search engine today," Garg said. "It is going to have a material impact in distribution of this content."
The service will start in the United States, Canada, the United Kingdom, France, Italy, Germany, Australia, New Zealand, and Spain. So it has broad reach.
And the red flag is only the beginning. Through the McAfee technology, Yahoo has already removed an unspecified number of pages from its search results--for example those that attempt to compromise a vulnerable Web browser with a "drive-by download" attack launched simply by visiting a Web site. "We took out the risky sites where we don't want users to hurt themselves," Garg said.
But beyond the deleted entries and warning labels, Yahoo decided against altering search results. "There is an element of informed use," Garg said, likening the move to providing a city map with dangerous neighborhoods labeled as such rather than omitted altogether.
The Yahoo service isn't likely to directly address phishing, in which users are steered toward entering usernames, passwords, or other sensitive information into fake Web sites. "Phishing is less of a concern for the search experience," Garg said. "The Web sites that come up with phishing aren't usually around long enough" to make it into search results, he said.
While the service could improve security for searchers, it will also lead to a new phase in the constant battle between attackers and computer security firms, Forrester's Lambert predicted.
"At the end of the day, people are going to beat the technology," Lambert said. "You can only get so far ahead with security."
When walking through the San Jose Mineta airport on Wednesday, I couldn't help but see McAfee's name strewn throughout the terminal. The marketing folks at McAfee must be on an advertising kick because there are numerous, visible advertisements that read, "Hackers hack code. McAfee hacks hackers."
OK, McAfee, you got my attention, but my question is, just who are you trying to reach with this message? Here is a list of possibilities and my associated confusion:
1. Enterprise customers. This audience doesn't seem likely. Enterprise security today is much more about governance, risk management, and compliance than hacker paranoia. Yes, you do have to guard against hackers, but as part of an overall set of processes and architecture. Doesn't seem like McAfee's advertisements are a good fit here.
2. Consumers. I guess John and Jane Q. Public are more-likely targets, but this seems like a mismatch as well. Consumers want comprehensive protection against viruses, worms, spyware, phishing, etc. The average consumer probably associates the word hacker with movies like Firewall, Swordfish, and War Games--not end-point security.
3. RSA attendees. Maybe, but RSA Conference 2008 isn't for a month and it is in San Francisco, not San Jose.
I've been around high-tech marketing and advertising for a long time and I don't get this strategy or positioning at all. For security professionals, direct fear of hackers harks back to the early 1990s when Kevin Mitnick was on the FBI most-wanted list. Now he is a highly paid security consultant helping companies marry security defenses to business operations. Hmm, maybe this is what McAfee should be talking about as well.
PCLive.com, a service offered by SecurityCoverage, is attempting to upstage security giants Symantec and McAfee by offering a complete suite of security tools for your desktop--for free. Included within the basic PCLive Security package is a firewall, the open-source ClamAV antivirus product, antispyware capabilities and a pop-up blocker. What's more, PCLive will take out the trash (clean out old temp files) and check for the latest Microsoft Windows updates that haven't yet been applied to your PC. PCLive will also e-mail you a monthly report of any changes it has made on your computer.
SecurityCoverage offers users of its free PCLive service instant 24-7 technical support for a flat fee of $49.95 per session. That's less than what Symantec and McAfee charge. Short of that, there is a built-in forum link that allows users to surface questions and answers about the product. There's also a limited FAQ available online as well.
For a mere $4.95 a month, PCLive Premium Security includes all the basic PCLive Security along with Web content filtering, parental controls, disk maintenance and 24-7 live technical support.
How does it work? See our hands-on review on Webware.com
While we East Coast folks celebrated Columbus Day, McAfee announced its acquisition of privately held SafeBoot for $350 million. SafeBoot provides software for file and full disk encryption.
Now, I certainly understand the rationale behind this deal. McAfee can now bundle encryption software into its PC security software and integrate key management into its ePolicy Orchestrator (ePO). We saw this same market consolidation pattern a few years ago with antispyware, which went from a stand-alone product to an integrated feature in endpoint security suites. In that transition, CA bought antispyware vendor Pest Patrol, while Microsoft grabbed Giant. Obviously, the same type of market dynamics are at work here.
What makes no sense at all to me, however, is the price tag. Three hundred and fifty million dollars? Holy cow!
Software-based disk encryption has about two years of runway ahead of it, then the market tanks. Why? In that time frame users will opt for hard-drive-based encryption from Seagate Technology, Western Digital and the like, or it will be based upon Windows Vista BitLocker. These products will be baked into new laptops one way or the other. No encryption utilities to install, with no fuss.
My view is that the hard-drive guys win, but it's pretty certain that the software-based utilities lose, regardless. Most of these software vendors are already planning for this inevitability by developing heterogeneous key management capabilities or expanding their product focus to non-PC devices.
McAfee is selling this deal to Wall Street by saying that it bought a market leader with more than 100 million desktops under management in 20 different languages and 76 countries. OK, but who cares? McAfee brings way more brand recognition and leadership to the table than SafeBoot ever could. Any full-disk encryption software bundled into McAfee would do the job just fine. McAfee could have paid a fraction of $350 million and bought someone--Voltage, Utimaco, PC-encrypt, etc.--and gotten the same functionality. Heck, it could have used OpenPGP and done it for free!
In summary, I like the strategy but not the financial execution. While a few investment bankers and SafeBoot executives are laughing all the way to the bank, I can think of a half dozen companies that McAfee could have purchased that would bring in more future upside than SafeBoot.
McAfee on Monday released its 2008 line of security products, including McAfee VirusScan Plus 2008, McAfee Internet Security 2008, and McAfee Total Protection 2008.
In a move that McAfee hopes will distinguish it from the competition, the company is now offering three user licenses for all its desktop products, and is including its SiteAdvisor site-rating software in each product to protect against online fraud. Finally, McAfee is also including VirusScan mobile protection with its desktop Internet Security and Total Protection products.
This "triple play" perhaps makes McAfee's products more economical, but it remains to be seen if the programs themselves have improved over those of last year. CNET Reviews will have a full review of McAfee VirusScan Plus within the week.
McAfee says its mobile software will be available at the end of October and will work only with Windows Mobile devices. Additional compatibility requirements will be posted on the McAfee Web site at that time.
There's a new zero-day attack in progress against Yahoo Messenger users. The instant-messaging solicitation invites the target to accept a Webcam session. The exploit code, which first surfaced on a Chinese site, triggers a heap overflow when the target accepts the Webcam invitation, which means a remote attacker can execute code of their choosing on the target's machine.
Until a patch is released, the McAfee security blog recommends two mitigations: do not accept Webcam invitations from untrusted sources, and block outgoing traffic on TCP port 5100 (the port the Webcam feature uses) at your firewall.
Yahoo has been informed and says it is working on a patch.
If you're feeling swamped in unsolicited e-mail, you're not alone. Enterprise security vendor Secure Computing this week reported a spam increase of 53 percent above July's daily average and 70 percent above June's. That's not, however, a record: the current level of spam is equivalent to that reported during December 2006.
Reasons for the August bump in spam are varied. One, there's been a resurgence of the Storm worm, which is known to relay spam.
Two, enterprise security companies are seeing a higher level of attachment-based spam. In addition to the usual suspects of PDF and Excel attachments, security vendor McAfee reports the first sighting of FDF-based spam. FDF (Forms Data Format) is the format Adobe uses to export the data entered into PDF form fields; an FDF file looks much like a PDF but carries only field values plus a reference to the form they belong to.
Finally, U.K. antivirus vendor Sophos reported last week seeing an increase in what are called pump-and-dump stock scams. The latest victim, Prime Time Group, which has interests in retail oil and gas, convenience stores, and automotive services, has opened a Non Objecting Beneficial Owners list (NOBO list) investigation in an attempt to find the parties responsible.
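The FDF spam above is a reminder that attachment filters keyed on file extension miss a new format the moment it appears. The following is an added example, not code from McAfee, Secure Computing, or any product named on this page: it identifies PDF versus FDF attachments by their leading magic bytes, pulls the /F entry (the form an FDF body refers to, which may be a remote URL) out of an FDF body, and quarantines FDF bodies and extension/magic mismatches. It generalizes slightly beyond the page by also catching a PDF or FDF body hiding behind an unrelated extension. The sample attachments are constructed for the demo; the `example.invalid` host is a reserved name, not a real site.

```python
"""Triage mail attachments by content, not by extension.

Added example, not the page's or any vendor's code. The attachments in
SAMPLES are constructed for the demo.
"""
import re
from typing import Dict, List, Optional

PDF_MAGIC = b"%PDF-"
FDF_MAGIC = b"%FDF-"

# In an FDF body the /F entry names the form the field data belongs to.
# It is a PDF string literal, so it is delimited by parentheses and may
# contain backslash escapes; the value can be a local path or a URL.
FDF_F_RE = re.compile(rb"/F\s*\(((?:[^()\\]|\\.)*)\)")

REMOTE_RE = re.compile(r"(?i)^(https?|ftp)://")


def attachment_kind(data: bytes) -> str:
    """Classify by magic bytes. Leading whitespace is tolerated because
    Acrobat accepts a header that does not sit at byte zero."""
    head = data.lstrip()[:8]
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(FDF_MAGIC):
        return "fdf"
    return "other"


def fdf_form_target(data: bytes) -> Optional[str]:
    """Return the /F target of an FDF body, or None if there is none."""
    m = FDF_F_RE.search(data)
    if not m:
        return None
    # PDF string literals are bytes; latin-1 maps every byte to a code point.
    return m.group(1).decode("latin-1")


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Decide allow/quarantine for one attachment and explain why."""
    kind = attachment_kind(data)
    reasons: List[str] = []
    verdict = "allow"

    if kind == "fdf":
        # FDF is not something ordinary correspondents send by mail.
        verdict = "quarantine"
        reasons.append("FDF body")
        target = fdf_form_target(data)
        if target and REMOTE_RE.match(target):
            reasons.append(f"/F points to remote form {target}")

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in ("pdf", "fdf") and ext != kind:
        # e.g. an FDF body named invoice.pdf to slip past extension filters
        verdict = "quarantine"
        reasons.append(f"extension .{ext} does not match {kind} magic")

    return {"kind": kind, "verdict": verdict, "reasons": reasons}


# Constructed sample attachments (not captured from real mail).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "invoice.pdf": (
        b"%FDF-1.2\n1 0 obj << /FDF << /Fields [ << /T (name) /V (x) >> ]\n"
        b"/F (http://example.invalid/form.pdf) >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    ),
    "notes.txt": b"hello\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(name, body))
```

Because the check reads the body, renaming the attachment does not help the sender; the same approach extends to any other container format a spam run adopts next, as long as its magic bytes are known.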
After finishing dead last in a comparative antivirus test,
That's until you look closer at the tests. AV-Comparatives ran two different tests, months apart, and they measure different things. In the February test (AV-Comparatives' on-demand detection comparative), a fully updated product scans a large collection of viruses and their variants currently in the wild; that is the test OneCare failed. In the May 2007 test (the retrospective, or "proactive," comparative), the vendor's signature updates are frozen on a set date and the product is then run against a smaller collection of malware that appeared after the freeze, so the question is how well older signatures and heuristics catch newer malware. On that test the Microsoft product scored slightly higher. We'll have to wait until the next on-demand test to see whether OneCare has improved. The FAQ section of the AV-Comparatives site provides more information on the testing process.
A blog on the McAfee site also goes into greater detail on this. Among the points made by McAfee researcher Joe Telafici are that results for proactive tests vary with the size of a vendor's installed base (larger vendors have to be more cautious with their heuristics than a smaller company in order to avoid false positives), and that the retrospective test freezes signatures months beforehand, whereas a user who is only two days out of sync with the latest update will see much better results. Telafici also links several McAfee-authored essays on antivirus testing from his post:
Comparing the comparatives
Counting spyware detections
Antivirus testing workshop in Reykjavik