
Monday, 22 July 2013

David Cameron's porn block - how will it work?

This government likes its half-baked ideas, and David Cameron's attempt to bring in mandatory porn blocking in the UK seems to be one of those daft ideas. Yes, ISPs should offer blocking if people want it.. and perhaps they should be made to offer it by law. But there are a number of concerns which are well addressed by this New Statesman article.

Leaving aside the moral debate and the questions over who decides what, there is the tricky question of how ISPs would actually block access to porn.

DNS filtering

The simplest and quickest way to block it is to use DNS filtering. ISPs can simply set their DNS servers to not resolve adult sites. You can do this sort of thing with OpenDNS already. The advantages are that it is fairly easy to implement and it doesn't add any latency to web traffic. The disadvantage from the point of view of censoring is that it is trivially easy to bypass: simply change your DNS provider to one that doesn't block sites, or access the porn sites by IP address alone where they have dedicated servers (most big sites do).

Of course, if people bypass the DNS filtering by using non-ISP DNS filters, ISPs could then firewall all outbound DNS requests. But that would interfere with people's freedom to use Google or OpenDNS or other DNS providers if they want.
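To make the DNS-filtering mechanism concrete, here is an added example (not code from the original post, and not how OpenDNS or any ISP actually implements it) of the policy decision such a resolver makes: a query for a blocklisted domain, or for any name underneath it, is refused instead of resolved. The blocklist entries are constructed placeholders. The last function shows the coverage limit the post describes: a request addressed to a bare IP literal never produces a DNS query, so a DNS-level filter never sees it.

```python
"""Minimal DNS-filter policy of the kind a blocklisting resolver applies.

Added example. The blocklist domains below are constructed placeholders
(.test and .invalid are reserved names), not real sites.
"""

from __future__ import annotations

import ipaddress


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


class DnsFilterPolicy:
    def __init__(self, blocked_domains: list[str]) -> None:
        self.blocked = {normalize(d) for d in blocked_domains}

    def match(self, qname: str) -> str | None:
        """Return the blocklist entry covering qname, walking from the full
        name up through its parents (www.a.test -> a.test -> test), or None
        if no entry applies. Subdomains are covered without listing each one."""
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def decide(self, qname: str) -> str:
        """'refuse' when the blocklist covers the name, otherwise 'resolve'."""
        return "refuse" if self.match(qname) else "resolve"


def dns_filter_blocks(policy: DnsFilterPolicy, url_host: str) -> bool:
    """True only if the host part of a URL would be stopped by DNS filtering.

    A host written as an IP literal generates no DNS lookup at all, so the
    filter cannot apply to it, which is why the post calls DNS filtering
    trivial to bypass for sites on dedicated addresses."""
    try:
        ipaddress.ip_address(url_host)
        return False  # literal address: no query, nothing for the filter to see
    except ValueError:
        return policy.decide(url_host) == "refuse"


# Constructed blocklist for the demonstration.
POLICY = DnsFilterPolicy(["adult-example.test", "Blocked.INVALID"])

if __name__ == "__main__":
    for q in ["www.adult-example.test", "news.example.test", "203.0.113.7"]:
        print(f"{q:28s} -> {POLICY.decide(q) if not dns_filter_blocks(POLICY, q) else 'refuse'}")
```

The parent-walk in `match` is what lets one entry cover every subdomain; without it, a filter would have to enumerate each hostname a site uses.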

Deep Packet Inspection

A more sophisticated approach is to inspect every packet and determine where it is going. This should block sites even if the customer has chosen different DNS settings, and it can pick up and negate a lot of common attempts to bypass filters. But this sort of thing is slow and expensive: ISPs would need to pass the costs on to consumers, and the added latency of filtering would make web surfing slower. Many businesses already use a form of this to protect their corporate networks, but they are prepared to put up with the downsides for the additional protection.

You could still use a proxy, VPN or Tor to get around it. And HTTPS defeats some elements of DPI because the traffic is encrypted; there are ways around that, but they are extremely messy and have many drawbacks.

And of course there's the privacy issue. If ISPs are slurping all your data to this level then who has access to it? Supporters of DPI may well have a hidden agenda.

IP address blocking

Instead of blocking domains, IP addresses hosting pornography can be blocked. That's a pretty quick and easy solution too, but it means that anything on shared hosting with "adult" content could lead to every other site on that IP being blocked too.. There would be a lot of legitimate sites blocked as a result.


Anti-circumvention

ISPs could use a combination of the above to stop traffic. But it is relatively easy to use a proxy or VPN connection, so the next logical step would be to go to war with the providers of those services too. It is very difficult to stop people finding ways around blocks. And remember, we're not talking about illegal material here.. we're talking about perfectly legal material which is blocked by default.

So, in my opinion this approach will have the drawbacks of being a combination of ineffective, expensive and slow. More needs to be done to protect children from accidentally accessing material that they shouldn't have access to (and please could we include malware with that?), but this half-baked approach has the potential to be an expensive fiasco.

Tuesday, 9 April 2013

Top porn sites lead to malware

About a year and a half ago I wrote about a series of malware infections at xvideos.com that were potentially infecting visitors' PCs. This week I saw another spike in infections that also appeared to be caused by a popular porn site.

I decided to revisit the statistics that I compiled for those sites using a combination of Alexa and Google Safe Browsing diagnostics. Alexa gives an idea of how popular a site is and how many pages each user visits; Google gives the number of potentially infected pages out of the total indexed.

The results were quite surprising. Last time I calculated a 28% risk that the average visitor to xvideos.com would be exposed to malware. However, now that site has been cleaned up and appears risk free. But what was shocking was that now visitors to xhamster.com ran a 42% chance of malware contact, and pornhub.com users an atrocious 53% chance with a lower infection rate on tube8.com (14%) and youjizz.com (2%).

xvideos.com, livejasmin.com, redtube.com, xnxx.com, youporn.com and adultfriendfinder.com all appeared to be clean. Well.. you know what I mean.

| Site | Alexa Rank | Infected pages / total pages | Infection rate | Average pages / user | Malware contact probability |
|---|---|---|---|---|---|
| (site name not preserved) | 42 | 0/176191 | 0.00% | 12.9 | 0% |
| xhamster.com | 46 | 1067/20986 | 5.08% | 10.3 | 42% |
| pornhub.com | 63 | 1777/13955 | 12.73% | 5.5 | 53% |
| (site name not preserved) | 75 | 0/269 | 0.00% | 2.2 | 0% |
| (site name not preserved) | 82 | 0/10387 | 0.00% | 5.1 | 0% |
| (site name not preserved) | 98 | 0/84373 | 0.00% | 10 | 0% |
| (site name not preserved) | 99 | 1/3854 | 0.03% | 6 | 0% |
| tube8.com | 129 | 837/22026 | 3.80% | 3.9 | 14% |
| youjizz.com | 242 | 14/3537 | 0.40% | 6.2 | 2% |
| (site name not preserved) | 344 | 0/593 | 0.00% | 6.4 | 0% |
Note: hyperlinks are safe for work and go to Google's Safe Browsing Diagnostics Page for the site

Now, I have no doubt that it is not the intention of the site operators to infect visitors' machines with malware; instead, third-party content and infected banner ads are causing the problem. For example, for xhamster.com Google says:

Safe Browsing
Diagnostic page for xhamster.com

What is the current listing status for xhamster.com?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 20986 pages we tested on the site over the past 90 days, 1067 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-04-06.

    Malicious software is hosted on 2 domain(s), including exposedcamz-live.com/, ceskeporno.tv/.

    3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including brandreachsys.com/, traffichaus.com/, crakmedia.com/.

    This site was hosted on 3 network(s) including AS39572 (ADVANCEDHOSTERS), AS16265 (LEASEWEB), AS36351 (SOFTLAYER).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, xhamster.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

For pornhub.com, Google says:

Safe Browsing
Diagnostic page for pornhub.com

What is the current listing status for pornhub.com?

    This site is not currently listed as suspicious.

What happened when Google visited this site?

    Of the 13955 pages we tested on the site over the past 90 days, 1777 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-01-28.

    Malicious software includes 5 exploit(s), 2 trojan(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

    Malicious software is hosted on 9 domain(s), including rodriguezwoca.com.ar/, crucerosinfantiles.com.ar/, ingenet.com.ar/.

    4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including trafficjunky.net/, gammae.com/, rockwork.ch/.

    This site was hosted on 4 network(s) including AS30361 (SWIFTWILL2), AS22822 (LLNW), AS29789 (REFLECTED).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, pornhub.com appeared to function as an intermediary for the infection of 34 site(s) including gaypornplanet.com/, xgaytube.com/, pornmd.com/.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

Finally, the report for tube8.com says:

Safe Browsing
Diagnostic page for tube8.com

What is the current listing status for tube8.com?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 63 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 22026 pages we tested on the site over the past 90 days, 837 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-04-06.

    Malicious software includes 63 exploit(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

    Malicious software is hosted on 22 domain(s), including btsinvestments.com/, nymphdate.com/, dirtymechanics.org/.

    10 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including crakmedia.com/, trafficjunky.net/, justanaffiliate.com/.

    This site was hosted on 4 network(s) including AS30361 (SWIFTWILL2), AS3356 (LEVEL3), AS29789 (REFLECTED).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, tube8.com appeared to function as an intermediary for the infection of 38 site(s) including pornmd.com/, largeporntube.com/, ro89.com/.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

So, we can see that the greatest risk comes from external sites such as crakmedia.com (report), trafficjunky.net (report) and traffichaus.com (report) [although see their statement below] plus several others. These too are intermediaries being abused by third parties.. but this is part of the problem with poorly regulated banner ads and traffic exchangers. Bad things slip into pages easily, and very few people want to kick up a fuss.

My advice from last time remains pretty much unchanged: If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched (you can use Secunia OSI to check), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential. In addition, Chrome is pretty good at picking up malicious sites.. the biggest problem tends to be Internet Explorer. Oh, if you have Java then you should probably uninstall that as it is one of the most popular vectors for infection.

Note: Google's figures stretch back over 90 days and do not necessarily mean that a site is serving malware right now. Interpret the "malware contact probability" in this way: a visitor viewing the reported average number of pages over the aggregate 90 day period would have this average probability of coming into contact with potential malware during a single browsing session, assuming that the infection rate figures are accurate.

Traffichaus's statement: It seems that it is actually OpenX that is the main source of all these malware issues. It is not our server nor Xhamster, nor Brandreach and other sites you have listed. The site Crakmedia.com in this recent incident was hacked via an ongoing flaw within OpenX. And OpenX is easily hacked on their free version, so this company was using the free version, had their servers completely locked down via IP, and apparently got their servers hacked via a bug update in OpenX.
I'd appreciate it if you could remove our domain and name from the story as it doesn't accurately paint the right picture. Also, the infection rate on Xhamster of 42% is not accurate; that infected advertiser was only on the site for maybe a day and only at a 10% rotation, and on minimal pages, so the infection rate was probably 5-7% and it was only for a 12 hour period before the ads were caught and removed.

FAQs

Q: What do you mean by "malware contact"?
A: This is an attempted malware or virus infection, whether it succeeded or not.

Q: Does this sort of malware impact just PCs or other devices too?
A: I haven't identified any individual malware strain here, but the bad guys are increasingly targeting mobile devices as well as PCs, especially Android. Other platforms are also potentially vulnerable.

Q: Who is behind it? Is it the site owners?
A: It is almost definitely not the site owners or even the ad networks behind it. You could even say that they are victims of it as well. If I had to point a finger at geographical regions then I'd start with Russia and Florida.

Q: Porn is disgusting. Why should we care?
A: I try to be non-judgmental. The biggest of these sites pull in about 2% of all web users per day. Not talking about it is not going to help.

Q: Does this just impact porn sites?
A: No. Infected banner ads can be found (less often) on mainstream media sites too. It is good to take some of the precautions listed above even if you don't stray far from the Daily Mail or NBC.


Friday, 18 November 2011

Xvideos.com compromised with abusedfire.com attack and other malware

UPDATE: as of March 2012, xvideos.com seems to be clean of malware. You can see Google's latest prognosis here.

UPDATE 2:  an xvideos.com IP has been connected with malware C&C servers, see here.

Original article follows:


xvideos.com is one of the most popular sites on the internet. According to Alexa, it is ranked number 51 in the world, making it the second most popular adult site after livejasmin.com (rank 42).

Although porn and adult sites have a reputation for spreading malware, most of the top-rated sites are actually pretty safe. Xvideos.com is different though, as it apparently has been spreading malware for a while.. but this week seems to have seen a sharp uptick in the number of infections coming from the site.

The infections appear to use the Blackhole Exploit kit to download the Zeus trojan on the target PC. In all the cases I have seen, a Flash cookie for a site called www.abusedfire.com is present. This site is hosted at 67.228.2.138 (Softlayer, Dallas) in a small block allegedly allocated to:

network:Class-Name:network
network:ID:NETBLK-SOFTLAYER.67.228.0.0/20
network:Auth-Area:67.228.0.0/20
network:Network-Name:SOFTLAYER-67.228.0.0
network:IP-Network:67.228.2.136/30
network:IP-Network-Block:67.228.2.136-67.228.2.139
network:Organization;I:shanghai Municipality
network:Street-Address:Rm 309,Xin Wu Building,Guang Zhong Road
network:City:shanghai
network:Postal-Code:200072
network:Country-Code:CN
network:Tech-Contact;I: sysadmins@softlayer.com
network:Abuse-Contact;I: abuse@go.com
network:Admin-Contact;I:IPADM258-ARIN
network:Created:20071219
network:Updated:20110509
network:Updated-By: ipadmin@softlayer.com

Blocking 67.228.2.136/30 would probably be a good idea.

The abusedfire.com domain is registered to:

Barbara Rogers
Barbara Rogers
3000 5th St NW
New Brighton
MN
55112
US
Phone:         +1.6516334311 
Email Address: brightonrogers@gmail.com
 
Another domain being used in malware delivery is safecomputermonitors.info, hosted on 95.211.15.161 (Leaseweb, Netherlands).


Google's prognosis of xvideos.com is not good.

Safe Browsing
Diagnostic page for xvideos.com


What is the current listing status for xvideos.com?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 18 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 9325 pages we tested on the site over the past 90 days, 248 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-11-17, and the last time suspicious content was found on this site was on 2011-10-23.

    Malicious software includes 14 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

    Malicious software is hosted on 34 domain(s), including warm-freezer.myftp.info/, cheapbagel.xe.cx/, deadapricot.faqserv.com/.

    4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including stats1.in/, loading321.com/, main3.in/.

    This site was hosted on 4 network(s) including AS22822 (LLNW), AS46652 (RCN), AS16265 (LEASEWEB).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, xvideos.com appeared to function as an intermediary for the infection of 18 site(s) including pornorama.com/, magicmovies.com/, milfmovs.com/.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

248 out of 9325 pages indicates 2.7% of pages are infected with malware - and as the average visitor views 11 pages on xvideos.com (according to Alexa), then there is roughly a 28% chance that an average visitor would be exposed to malware.
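The "malware contact probability" column in both posts (the 2013 table and this xvideos.com figure) is never written out as a formula. The added example below, which is not code from the original posts, reproduces every percentage the posts give under one assumption stated here as mine: each page view is an independent chance of landing on a flagged page, with probability equal to Google's infected-pages fraction, so a visit of n pages avoids them all with probability (1 - p)^n. The input rows are copied from the posts' tables.

```python
"""Reproduce the 'malware contact probability' column from Google Safe
Browsing page counts and Alexa pages-per-visit figures.

Model (an assumption made in this added example; the posts do not state it,
but it reproduces every percentage they give): each page view is an
independent draw with probability p = infected_pages / tested_pages of
hitting a flagged page, so a visit of n pages avoids all of them with
probability (1 - p) ** n.
"""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SiteStats:
    site: str
    infected_pages: int
    tested_pages: int
    pages_per_visit: float


def infection_rate(s: SiteStats) -> float:
    """Fraction of tested pages Google flagged as serving malware."""
    if s.tested_pages <= 0:
        raise ValueError(f"{s.site}: no pages tested, rate is undefined")
    return s.infected_pages / s.tested_pages


def contact_probability(s: SiteStats) -> float:
    """Probability that a visit of average length touches at least one
    flagged page, under the independent-per-page model."""
    p = infection_rate(s)
    return 1.0 - (1.0 - p) ** s.pages_per_visit


def contact_percent(s: SiteStats) -> int:
    """The figure as the posts report it: rounded to a whole percent."""
    return round(100 * contact_probability(s))


# Figures copied from the posts' tables (2013 post, plus xvideos.com from 2011).
SITES = [
    SiteStats("xhamster.com", 1067, 20986, 10.3),
    SiteStats("pornhub.com", 1777, 13955, 5.5),
    SiteStats("tube8.com", 837, 22026, 3.9),
    SiteStats("youjizz.com", 14, 3537, 6.2),
    SiteStats("xvideos.com (Nov 2011)", 248, 9325, 12),
]


def report(sites: list[SiteStats] = SITES) -> list[tuple[str, float, int]]:
    """Return (site, infection rate, contact %) rows for every site."""
    return [(s.site, infection_rate(s), contact_percent(s)) for s in sites]


if __name__ == "__main__":
    for site, rate, pct in report():
        print(f"{site:26s} rate {rate:7.2%}  contact {pct:3d}%")
```

Note that the 2011 table lists 12 pages per visit for xvideos.com, and it is that figure, not the 11 quoted in the prose, that rounds to 28%. The model also shows why a low per-page rate still matters on a high-traffic site: the visit-level probability grows with pages per visit, which is the post's point about exposure rather than page counts.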

But remember, this isn't just any site.. this site is one of the busiest in the world, pulling in millions of unique visitors per day (estimates for this vary between 4 million to 10 million). Per day. This should be a big deal.. but noise about malware on xvideos.com is about nil.. presumably because people don't like to admit that they have been infected from a porn site.

As a comparison, I looked at the malware rates for the top 10 adult sites (according to Alexa). They are almost completely clean.

| Site | Alexa Rank | Infected pages / total pages | Infection rate | Average pages / user | Malware contact probability |
|---|---|---|---|---|---|
| livejasmin.com | 42 | 0/138 | 0.0% | 2 | 0% |
| xvideos.com | 51 | 248/9325 | 2.7% | 12 | 28% |
| xhamster.com | 57 | 0/273 | 0.0% | 9 | 0% |
| pornhub.com | 74 | 0/140 | 0.0% | 5 | 0% |
| youporn.com | 85 | 3/1206 | 0.2% | 7 | 2% |
| xnxx.com | 113 | 1/696 | 0.1% | 11 | 2% |
| tube8.com | 114 | 0/89 | 0.0% | 5 | 0% |
| redtube.com | 121 | 0/139 | 0.0% | 6 | 0% |
| youjizz.com | 201 | 0/776 | 0.0% | 6 | 0% |
| adultfriendfinder.com | 227 | 0/10623 | 0.0% | 7 | 0% |


If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched (you can use Secunia OSI to check), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential.

Alternatively, if you enjoy smut.. you may enjoy this Tom Lehrer song from 1965.. [sort of NSFW]: