XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)

All times are UTC - 8 hours
PostPosted: Fri Jan 13, 2017 3:32 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
It takes only a few seconds to get a URL scanned at VirusTotal, including, e.g., a report from Quttera (https://quttera.com/), which, if I submit a URL to it directly, can often take quite a few minutes to get a full report.

Makes me wonder how reliable a URL scan from VT is. (Talking about using the re-analyze option, not the first offered historical report.) Seems like they must be using cached, not up-to-the-minute, live data.

PostPosted: Fri Jan 13, 2017 5:51 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
Quote:
(Talking about using the re-analyze option, not the first offered historical report.)

Where is that at?

PostPosted: Fri Jan 13, 2017 9:14 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
BDAqua wrote:
Quote:
(Talking about using the re-analyze option, not the first offered historical report.)

Where is that at?


Attachment:
Screen Shot 2017-01-14 at 12.10.45 AM.png

PostPosted: Sat Jan 14, 2017 5:54 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
I never get that box to come up!???

PostPosted: Sat Jan 14, 2017 8:42 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
How are you getting to VT, the addon, the web site (what I do), or some other way?

PostPosted: Sat Jan 14, 2017 8:55 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
By using your link...

https://quttera.com/

Safari 6.0.5, 10.8.5

PostPosted: Sat Jan 14, 2017 10:19 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
Just tried FF42, no diff, where are you getting that blue Scan it! button, this is all I get...


Attachments:
MalwareScan Sm.gif
 
PostPosted: Sat Jan 14, 2017 10:23 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
PS. I'm beginning to think the slower response there is simply to make you think it's working really hard for you.

PostPosted: Sat Jan 14, 2017 1:00 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
Misunderstanding? I'm talking about the Reanalyse button on VirusTotal, not Quttera. I asked how are you getting to VT and you replied with the link I gave for Quttera. :confused:

PostPosted: Sat Jan 14, 2017 2:22 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
Aw geez... I had that part backwards. :oops:

Still think Quttera is either making it look like deep thought, or severely underpowered.

PostPosted: Sat Jan 14, 2017 3:05 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
BDAqua wrote:
Aw geez... I had that part backwards. :oops:

Still think Quttera is either making it look like deep thought, or severely underpowered.

Not sure about that. Just scanned the URL measurement-lab.org, associated with this HTML5 speed test: http://www.measurementlab.net/tools/ndt/

Took quite a while to finish. Quttera downloaded and scanned over 100 files and reported 1 malicious, 2 suspicious. Then I rescanned, and it came up right away with the same result, because, presumably, it had cached the results of my first scan. I've used Quttera before and think it really does do live, sometimes time-consuming, scans.

(I had to allow connections to ports 54274, 3001, 4527 to get this speed test to work. This organization, http://www.measurementlab.net, seemed on the up and up; VirusTotal, including Quttera, said the main site was clean, but the prompts coming from measurement-lab.org, both directly at Quttera and at VT (from Quttera), were not so clean. Probably none of the malicious or suspicious files were involved, and they're probably malicious on Windows only, but now I am thinking I shouldn't have allowed those connections.

EDIT: upon having a look at what those malicious and suspicious files actually are, I don't think they're anything that would affect me.)

PostPosted: Sun Jan 15, 2017 7:28 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
Seems that results from Quttera must be taken with a large dose of salt. It's a "heuristic" scanner, which basically means it's making guesses at anything that can possibly contain a whiff of something possibly malicious. This is what it finds:

Image

Image

The "malicious" seems to be because that file contains a "reference" to a blacklisted domain, http://www.cs.ccu.edu.tw, whatever they mean by "reference." And yesterday it found a different "reference" to another blacklisted domain www-npa.lip6.fr. I'm thinking that these two could easily be links from spammers or someone in comments somewhere at the site, or who knows. (Quttera downloaded and scanned 100 files.) And even if not from either of those sources, if they are only "references," those "references" themselves wouldn't necessarily contain any direct executable malware payload.

And the "suspicious" files are simply two that redirect to an external source. However, the external source in this case would appear to be a redirect to somewhere at http://www.measurementlab.net/, the parent site. If one reads the documentation at http://www.measurementlab.net/who/, there is the following, which would seem to explain that redirect to planet-lab.org:

"M-Lab was founded by New America’s Open Technology Institute (OTI), the PlanetLab Consortium, Google Inc., and academic researchers."

Just checked directly with Google Safe Browsing and a few others, and measurement-lab.org comes up clean. Except for Quttera, it comes up clean everywhere else at VirusTotal, as well. VirusTotal really should put an asterisk at the malicious entry for Quttera. Perhaps explain the possible dubiousness of anything Quttera finds.

Looks like Quttera, using scare tactics, is pimping for its paid service ThreatSign.

Image

PostPosted: Sun Jan 15, 2017 10:31 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
Thanks, I think you've nailed it.

PostPosted: Tue Jan 17, 2017 5:47 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9608
Location: North of the State of Jefferson
Perhaps I've missed it in the shuffle of this thread, but what's the URL of concern in the first place? (Maybe disable automatic URL parsing if you paste it.)

- Anonymous

PostPosted: Wed Jan 18, 2017 8:39 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
Anonymous wrote:
Perhaps I've missed it in the shuffle of this thread, but what's the URL of concern in the first place? (Maybe disable automatic URL parsing if you paste it.)

- Anonymous

This all got started when I disabled Flash and found an HTML5 speed test that seemed OK as an alternative: http://www.measurementlab.net/tools/ndt/

Here's a summary of VirusTotal and Quttera results for the URLs used. Note: I've tried to keep all this straight and organized, but my head is spinning now and I'm unsure of that. It's difficult keeping track of the URLs with or without the preceding dot. I didn't realize until I tried reproducing all this, which this summary is based on, that there was a preceding dot. What drove me nuts is that sometimes Quttera would reject the URL with a preceding dot, e.g., http://www.measurement-lab.org, as "invalid input" and at other times it would accept it and proceed to scan.

What led me down this rabbit hole was when I began checking out the URLs from the Little Snitch prompts to see if they were OK.

Don't know if you wanted or needed all this, but here goes:

VirusTotal results:

http://www.measurementlab.net/tools/ndt/ (speed test page)

Result: clean

http://www.measurementlab.net (parent site)

Result: clean

The following three are from Little Snitch prompts:

ndt.iupui.mlab1.lga06.measurement-lab.org

ndt.iupui.mlab1.lga07.measurement-lab.org

ndt.iupui.mlab1.lga05.measurement-lab.org

Results: all three above clean

However,

http://www.measurement-lab.org

Result: Quttera “Malicious”

————————————————


Quttera results:

http://www.measurementlab.net/tools/ndt/

Result: "invalid input"

http://www.measurementlab.net (parent site)

Result: clean

ndt.iupui.mlab1.lga06.measurement-lab.org (from LS prompt)

Result: “status: unreachable”

http://www.measurement-lab.org

Result:

“Scanning URL: http://www.measurement-lab.org” “Normalized URL: http://.measurement-lab.org”

or

measurement-lab.org (no preceding dot)

Results: one file “malicious,” two files “suspicious.”


Last edited by WZZZ on Wed Jan 18, 2017 11:53 am, edited 1 time in total.
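
As an added example (not code from this thread, from VirusTotal or from Quttera), here is a small Python triage helper that applies the two caveats raised above to a VirusTotal-style URL report: it flags a report whose scan_date is old enough that the Reanalyse option should be used before trusting it, and it downgrades a verdict that rests only on a single heuristic engine such as Quttera rather than on engine consensus. The report shape (url, scan_date, positives, total, scans) is an assumption modelled on VirusTotal's v2 URL report JSON, and the sample report is constructed, not real scanner output.

```python
"""Triage helper for a VirusTotal-style URL report (added example, not the forum's
or VirusTotal's code; report shape assumed, SAMPLE_REPORT constructed)."""
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Engines whose URL verdicts are heuristic ("reference to blacklisted domain",
# redirect-based), so a hit from them alone is low confidence. Assumed set.
HEURISTIC_ENGINES = {"Quttera"}

# Constructed sample mirroring the thread: one heuristic engine says malicious,
# everyone else says clean, and the scan is hours old (i.e. a cached report).
SAMPLE_REPORT = {
    "url": "http://www.measurement-lab.org/",
    "scan_date": "2017-01-15 10:31:00",
    "positives": 1,
    "total": 3,
    "scans": {
        "Quttera": {"detected": True, "result": "malicious site"},
        "Google Safebrowsing": {"detected": False, "result": "clean site"},
        "Sophos": {"detected": False, "result": "unrated site"},
    },
}

def report_age(report, now):
    """Seconds since scan_date; 'now' (datetime or DATE_FMT string) is injected."""
    if isinstance(now, str):
        now = datetime.strptime(now, DATE_FMT)
    return (now - datetime.strptime(report["scan_date"], DATE_FMT)).total_seconds()

def triage(report, now, max_age=timedelta(minutes=15)):
    """Return (verdict, detail). The verdict depends on WHICH engines flagged the URL,
    not on the raw 'positives' count; detail['stale'] means request a re-analysis."""
    hits = sorted(name for name, s in report["scans"].items() if s.get("detected"))
    age = report_age(report, now)
    if not hits:
        verdict = "clean"
    elif all(h in HEURISTIC_ENGINES for h in hits):
        verdict = "low-confidence"   # only heuristic engines flagged it
    elif len(hits) == 1:
        verdict = "single-engine"    # one non-heuristic engine, no corroboration
    else:
        verdict = "flagged"          # two or more engines agree
    return verdict, {"hits": hits, "age_seconds": age,
                     "stale": age > max_age.total_seconds()}

def triage_sample():
    # Fixed 'now' later the same day, so the cached sample report counts as stale.
    return triage(SAMPLE_REPORT, "2017-01-15 18:00:00")
```
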

PostPosted: Wed Jan 18, 2017 11:53 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
http://www.thesafemac.com/the-problem-w ... -scanning/

PostPosted: Wed Jan 18, 2017 12:03 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
Vaguely remember reading that blog back then. Interesting that there's an endorsement of Quttera--wonder if he would feel the same way now.

PostPosted: Wed Jan 18, 2017 12:35 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14411
Maybe ask him?

PostPosted: Wed Jan 18, 2017 3:00 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9608
Location: North of the State of Jefferson
Since they often do security-related research it's entirely plausible they're detecting something that would be nefarious if it were misused, but is benign in its actual deployment because they're not doing anything nefarious. At any rate, it's really hard to know without knowing what they're flagging, which seems something we're unlikely to find out.

- Anonymous

PostPosted: Wed Jan 18, 2017 4:43 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
Yep, for the "malicious" file, it's impossible to know just what "reference" is supposed to mean in "Detected reference to malicious blacklisted domain http://www.cs.ccu.edu.tw." Could be anything from completely harmless to not so harmless. They give zero information.

And these are the two "unconditional redirects" to an external source ("unconditional" meaning automatic, I suppose). As I said before, I think they redirect to somewhere (a wiki) in the parent organization of Measurement Lab, so should be innocuous.

Image

Image
