Site Checker/Vote On Domains may be enhanced by incorporating URIs.
Any website may selectively reply with alternate content based on a number of varying factors (such as HTTP referer header, source IP address/range/network, user-agent header, etc.)
In other words, independent reviewers may improperly categorize a site by following the link provided by the Site Checker service, as the default link currently provided results in retrieval of the default web page.
For example, a web server may be configured to serve Adware only when the HTTP referer header reflects a well-known search engine (e.g. Google, Bing, Yahoo, etc.); all other requests would be met with benign content. When an OpenDNS reviewer clicks on the HTTP link provided to verify the site, they are not being referred from one of the major search engines, and thus the reviewer is presented with benign content. The reviewer promptly votes "No" to the "Adware" category.
A more effective approach would be to incorporate methods which allow for identification of the original URI complete with the original HTTP headers.
A step closer to this goal would be to associate VirusTotal IP address information with every domain submitted for review.
While titled "VirusTotal IP address information" the report contains known URI locations which host Adware and potentially other malicious content. For those who aren't familiar with the term URI, see http://en.wikipedia.org/wiki/Uniform_resource_identifier
This approach would consist of the following:
For any given domain, a DNS query is performed to obtain all A and AAAA record types.
e.g. (nslookup accepts one record type per query, so the two types are requested separately)

```
nslookup -type=a dl.freeze.com
nslookup -type=aaaa dl.freeze.com
```
Once the IP address(es) are identified, links are dynamically provided which correspond to the associated VirusTotal IP address information page.
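The two steps above (resolve A and AAAA records, then build one VirusTotal IP-information link per address), as an added example that is not part of the original post. The VirusTotal report URL layout used here (`https://www.virustotal.com/gui/ip-address/<ip>`) is an assumption, not something the post specifies; the `resolve_addresses` function performs a live DNS lookup, while `virustotal_links` is pure so it can be exercised with constructed addresses.

```python
import ipaddress
import socket
from urllib.parse import quote

# Assumed layout of the VirusTotal IP-address information page (not taken from the post).
VT_IP_REPORT = "https://www.virustotal.com/gui/ip-address/{ip}"


def resolve_addresses(fqdn):
    """Return the de-duplicated A (IPv4) and AAAA (IPv6) addresses for fqdn.

    Uses the system resolver, so this needs network access.
    """
    seen = []
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            infos = socket.getaddrinfo(fqdn, None, family, socket.SOCK_STREAM)
        except socket.gaierror:
            # No records of this type (or resolution failed); try the other family.
            continue
        for info in infos:
            ip = info[4][0]
            if ip not in seen:
                seen.append(ip)
    return seen


def virustotal_links(addresses):
    """Map each syntactically valid address to its VirusTotal IP-report link.

    Addresses are normalised through ipaddress (e.g. 2001:0db8::1 -> 2001:db8::1)
    so the same host does not yield two links; anything that is not an IP is skipped.
    """
    links = {}
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        # Keep ':' unescaped so IPv6 addresses stay readable in the link.
        links[str(ip)] = VT_IP_REPORT.format(ip=quote(str(ip), safe=":"))
    return links


def review_links_for(fqdn, resolver=resolve_addresses):
    """Resolve fqdn and return {address: VirusTotal link} for a reviewer to follow."""
    return virustotal_links(resolver(fqdn))


if __name__ == "__main__":
    import sys

    name = sys.argv[1] if len(sys.argv) > 1 else "dl.freeze.com"
    for ip, url in review_links_for(name).items():
        print(f"{name} -> {ip}: {url}")
```

Because the resolver is injectable, the link-building step can be checked without DNS; in production the resolver should be the same one the categorisation tooling uses, since a domain can answer differently to different resolvers.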
In the example provided, we see the following identified FQDNs:
We can easily determine which FQDNs are hosting known malicious content by leveraging the findings:
Now that the reviewer has the complete URI available, they can more accurately categorize the domain.
Automatically retrieving, parsing, and applying a predefined rule set to the VirusTotal data could be another approach used to reduce review time. VirusTotal provides an API and removes bandwidth restrictions for approved projects. They ask to be contacted at https://www.virustotal.com/en/about/contact/
At the very least, moderators and other experts should receive a basic education which incorporates knowledge of the resources and circumvention tactics identified above, along with instructions on how to reproduce HTTP headers to replicate the actual request which prompted the original categorization.
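One way a reviewer can reproduce the reporter's request and detect the referer-based cloaking described above, as an added example that is not part of the original post: fetch the URI once with plain headers and once with the captured headers, and flag the site when the two responses differ. The small in-process server, the `SEARCH_ENGINE_HOSTS` list and the two placeholder pages are constructed fixtures standing in for the cloaking behaviour, not real sites or payloads.

```python
import hashlib
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.request

# --- Constructed fixture: mimics a server that changes its reply based on Referer.
BENIGN_PAGE = b"<html>nothing to see here</html>"
REFERRED_PAGE = b"<html>visitors from search engines get different content</html>"
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")  # assumed list for the fixture


def cloaked_body(headers):
    """Body the fixture returns for a request carrying these headers."""
    referer = headers.get("Referer", "")
    if any(host in referer for host in SEARCH_ENGINE_HOSTS):
        return REFERRED_PAGE
    return BENIGN_PAGE


class CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = cloaked_body(self.headers)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the fixture quiet


def start_fixture_server():
    """Start the fixture on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


# --- Reviewer side.
def fetch(url, headers=None):
    """GET url with exactly the supplied headers (plus urllib's defaults)."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def compare_views(url, captured_headers, fetch_fn=fetch):
    """Fetch url as a plain reviewer and again with the reporter's captured headers.

    Returns (differs, default_sha256, replayed_sha256). A difference means the
    reviewer's default click does not show what the reporter saw.
    """
    default_body = fetch_fn(url)
    replayed_body = fetch_fn(url, captured_headers)
    default_hash = hashlib.sha256(default_body).hexdigest()
    replayed_hash = hashlib.sha256(replayed_body).hexdigest()
    return default_hash != replayed_hash, default_hash, replayed_hash


if __name__ == "__main__":
    srv, base = start_fixture_server()
    try:
        # Headers as they might have been captured from the original reporter's browser.
        captured = {"Referer": "https://www.google.com/search?q=example",
                    "User-Agent": "Mozilla/5.0"}
        differs, h1, h2 = compare_views(base, captured)
        print("cloaking suspected" if differs else "same content", h1[:12], h2[:12])
    finally:
        srv.shutdown()
```

Hash comparison is deliberately strict: pages with per-request timestamps or session tokens will always differ, so on such sites the reviewer should diff the rendered text or resource list rather than the raw bytes. The captured headers should be replayed verbatim (Referer, User-Agent, Accept-Language) since any of them can be the trigger.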
It goes without saying that the OpenDNS browser plug-ins could be enhanced to support this functionality, both in capturing the URI and HTTP headers and in reproducing the HTTP headers when verifying a site. Other relevant data providers could certainly be considered on their merits.
VirusTotal is unique in that it provides exhaustive detail, consolidated reporting, and real-time scanning of specimens by over 45 leading antivirus vendors simultaneously.
To those who missed the point, this is not merely a suggestion to incorporate VirusTotal data. This suggestion is to provide the ability to report the actual URI locations, so reviewers are viewing the same content as the individual initially reporting the domain and suggesting an initial category. In certain circumstances, this requires reproduction of HTTP headers.
If you actually look at the example report above, you'll see many of the domains are actually hosting known adware, trojans, and other malicious programs. Yet, OpenDNS currently permits all of them and suggestions to classify some of the domains as "Adware" have been voted down, when they clearly shouldn't be. It's the VirusTotal data (in this example) which closes the gap. Had it been made available when these votes occurred it's very likely they would currently be classified properly.