Feeds

AVG scanner blasts internet with fake traffic

You're not that popular after all

Top 5 reasons to deploy VMware with Tegile

The AVG LinkScanner scans search results on Google, Yahoo!, and Microsoft's Live Search. And unlike similar technology from ScanSafe, it doesn't mask the user's IP address.

"In order to detect the really tricky - and by association, the most important - malicious content, we need to look just like a browser driven by a human being," Thompson told us. According to Thompson, nearly all web exploit toolkits track IP addresses, and they won't serve the same exploit twice to the same address.

Thus, when a scan turns up in a web site's log file, it looks an awful lot like a legitimate user visit. Thompson points out that AVG only scans the first page of results on sites like Google - unless the user clicks on subsequent pages. But clearly, with 20 million web surfers on board, even this is enough to wreak havoc with sites that so often pop to the top of the leading search engines.

In the discussion forums at Webmaster World, site gurus have pinpointed a specific user agent that betrays the anti-malware tool: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)." Hoping to fix their traffic numbers, they're filtering this agent from their log files. And at least one webmaster is serving up a dummy file each time the agent turns up. That way, he burns less bandwidth.

"I prefer to feed the same dummy file to most robotic tools," says the web master of TheSilhouettes.org. "There are thousands of them crawling around out there and they have voracious appetites. Only a handful are of any benefit to me, the rest are a nuisance and many are actually malicious."

Of course, this is the last thing Roger Thompson wants. He acknowledged that an AVG scan can be identified with that user agent. But he indicated this may change.

He also said AVG is interested developing some other solution to webmasters' problems - but this will take a back seat to security. "Our primary responsibility is to provide the best possible protection for our users, but we can and will seek a programmatic solution," he said. "Given that we've only just been alerted to this situation, we're still researching it, and it's not clear what we'll do at this point."

If AVG does mask its user agent - and fails to provide another workaround - its ghost traffic looks exactly like real traffic. And then the web is in trouble. After all, 50 million AVG users have yet to upgrade.

The Reg has always believed in log file analysis. Alternative methods from companies like Comscore and Nielsen seem to underestimate traffic from those who surf on their daytime work machines. Plus, Comscore's software gives us the the willies.

We always make an effort to filter robotic clicks from our files. And we use an outside organization, ABCe, to audit our numbers. But if AVG kills that user agent, even ABCe is powerless.

When we contacted ABCe, it was unaware of the problem too, and though it now acknowledges the issue, it's still mulling the solution. "[The AVG Linkscanner] can cause noticeable spikes in traffic levels logged by [a] site," reads its canned statement. "[We] will continue to review this and other technical areas."

And this is separate from the bandwidth problem. Extra bandwidth costs are negligible to The Reg. But as Adam Beale points out, this is a serious burden to smaller sites - and the AVG scanner is certainly hitting smaller sites.

We can't help but think there's a showdown on the way. ®

Security for virtualized datacentres

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.