McAfee Picks the Most Dangerous TLDs

CWRUisTakingMyMoney writes "Companies that assign addresses for Web sites appear to be cutting corners on security more when they assign names in certain domains than in others, according to a report to be released Wednesday by antivirus software vendor McAfee Inc. McAfee found the most dangerous domains to navigate to are .hk, .cn, and .info. Of all .hk sites McAfee tested, it flagged 19.2 percent as dangerous or potentially dangerous to visitors; it flagged 11.8 percent of .cn sites and 11.7 percent of .info sites that way. A little more than 5 percent of the sites under the .com domain — the world's most popular — were identified as dangerous."

.cx

[Junior J. Junior III (192702)]

Home of the goatse. Danger Will Robinson!

Re:

[192939495969798999 (58312)]

Obviously, this study was about quantity of dangerous sites, not quality... we all know that .cx has the single 'highest' quality dangerous site.

They're just slow

[sm62704 (957197)]

I let mcgrew.info lapse, so .info should be safe now. However, horror awaits the unsuspecting eyeballs that cruise .org, since I have a journal at slashdot. I'm told it's far worse than goatse.

But what about .nu?

[mangu (126918)]

Home of the complete goatse collection [www.exet.nu]. Enjoy yourselves!

Re:But what about .nu?

[Daimanta (1140543)]

My God, I though you were joking. And here I was, thinking that goatse was only 1 image.

Thanks dude, that's 12 extra therapy sessions for me.

Only on Slashdot...

[by Anonymous Coward]

...would a link to the full set of Goatse pictures be moderated "Interesting"

Re:But what about .nu?

[Junior J. Junior III (192702)]

Home of the complete goatse collection [www.exet.nu]. Enjoy yourselves!

<darthvader>Nuuuuuuuuuuuuuu!</darthvader>

Re:But what about .nu?

[css-hack (1038154)]

I don't know what's worse. The fact that I clicked, or the fact that it's already slashdotted.

Which is more dangerous, then?

[Hawthorne01 (575586)]

5% of .coms, or 19% of .hk's? On a percentage basis, the .hk, .info, etc. But as a whole, my money's on .com's?.

Bad math = bad reporting.

Word Problem Alert

[Colonel Korn (1258968)]

5% of .coms, or 19% of .hk's? On a percentage basis, the .hk, .info, etc. But as a whole, my money's on .com's?.

Bad math = bad reporting.

When solving a word problem, one must find the mathematical expression that best expresses the question. You've got the wrong one.

You're making the argument that what really matters is the total number of malicious sites in each domain, not the fraction of sites within a domain that are malicious.

Clearly, however, the fraction is the more important metric. Consider a silly analogy:

There are 100 violent criminals in my local jail out of a total population of 200. There are 1000 violent criminals running free in Hawaii out of a total population of 1 million. When choosing a safer place for a vacation, by your logic, I'd pick my jail, since the total number of offenders is lower. 50% of my fellows would be violent criminals. By my logic, I'd pick Hawaii, where there would be more criminals, but they'd only make up 0.1% of the people around me. I prefer my odds.

Re:

[gardyloo (512791)]

Clearly, however, the fraction is the more important metric.

    No, that's not clear. That's only even plausible if you restrict all of the sites you ever interact with to ones with a certain domain. No one does that.

Re:Word Problem Alert

[Mr. Underbridge (666784)]

He's right. If you pick a single site to interact with, the total number of sites that share that domain doesn't matter. His analogy is spot on.

In effect, he defined Bayes' rule for you.

Re:

[mckinnsb (984522)]

When solving a word problem, one must find the mathematical expression that best expresses the question. You've got the wrong one. You're making the argument that what really matters is the total number of malicious sites in each domain, not the fraction of sites within a domain that are malicious. Clearly, however, the fraction is the more important metric. Consider a silly analogy: There are 100 violent criminals in my local jail out of a total population of 200. There are 1000 violent criminals runnin

Why the hell...

[Jaysyn (203771)]

...would anyone want to take security advice from McAffe?

Not helping things

[StreetStealth (980200)]

Seriously, though, this report doesn't help their credibility.

Why should we care which TLDs are more likely to contain malware? Are we actually going to learn anything from making random correlations like this? Obviously there are also plenty of scammers at "less dangerous" TLDs and plenty of honest folks at the "dangerous" ones, and there are of course vastly more precise ways to determine the safety of a site than by its TLD.

So of what value is this distinction then, apart from an amusing press release to

not their problem

[Brian Gordon (987471)]

"Companies that assign addresses for Web sites appear to be cutting corners on security more when they assign names in certain domains than in others"
um since when is that the registrar's responsibility? they just point a domain name at an IP address-- that's the extent of the service.

Re:not their problem

[aredubya74 (266988)]

Exactly. I'd be much more interested in looking at the stats by assigned IP blocks. That way, network admins could blacklist those ranges at their edge, adding exceptions as needed. It's a tough game to play, but it would also give admins an idea as to what ISPs are leaving obvious botnets intact and which ones aren't.

Define "Dangerous"

[corsec67 (627446)]

Is that dangerous to someone running IE on Windows, or dangerous to the person, like scams?

It seems like they kind of mashed the 2 together, but that is McAfee, so I would expect them to exaggerate the dangers of browsing without McAfee.

Re:

[xouumalperxe (815707)]

Just parse "dangerous" as "hostile", and your question ceases to have meaning. But yes, take a security vendor's assessment of the level of threat you're under with a grain of salt...

I wonder...

[computerman413 (1122419)]

I wonder where .xxx would've come in if it had been created.

Re:I wonder...

[cryptodan (1098165)]

I wonder where .xxx would've come in if it had been created.

It would be 69%.

sorry, but i just don't get it...

[ketamine-bp (586203)]

i live in Hong Kong.

here, if we are to register domain names, especially .com.hk, we need business registration to get it registered, same goes for .edu.hk, .org.hk etc.

the possible exception would be .hk, but i think the HKNIC (i forgot the name..) does have reasonable abuse TOS that these bad things get cancelled... so i would be glad if they could provide us with the domain names they flagged 'dangerous' and let's see how it goes....

Re:sorry, but i just don't get it...

[gad_zuki! (70830)]

This issue may not be the number of shady TLD registrants, it may be the number of compromised hosts. If .hk has too many hackers or a culture of crime then they may prey on local resources and use those for international spamming/phishing. Or it may be a target for other reasons (lax computer crime laws, etc).

Because there are no more good dot-coms.

[Rob T Firefly (844560)]

Not even the malware folks can get a decent domain in .com anymore, they're all in use or squatted upon.

Age of website?

[QuietLagoon (813062)]

I'd bet if they would find an even better correlation if they looked at the age of the website's domain registration, not the domain it was registered under.

I used Site advisor once..

[Warll (1211492)]

The thing is far from foolproof. When I was bored one day I decided to start clicking on just about all the Google Adwords adverts I could find. Most of them were for those scam sites, you know the kind "click here to buy Firefox, Buy supsciption to Bittorent now!" Over half the sites were green according to Site Advisor. Really I'm sure that their numbers here at least give an idea as the how "dangrous" these TDLs are, put really they are liekly far off from the truth.

Chinese domains

[by Anonymous Coward]

The problem with .cn domains: 30 minutes after you surf there, you want to surf there again...

Stats To Drive Sales?

[RavenofNi (948641)]

I could be missing something, but the implication here seems to be that McAfee and TFA seem to think that domain registation companies should be responsible for what I do with my domains...

Hundreds, perhaps thousands, of companies are in the business of registering domain names; some are large and well known, while others are small and less reputable, offering their services on the cheap and with flimsy or no background checks to lure in more customers.

I've never had a registration questioned beyond my payment information...nor would I expect any sort of deeper investigation into my desire to register. Granted, most hosting providers specifiy restrictions on content/usage, but TLD registrars? Not in my experience at least...perhaps someone else can enlighten me?

No

Re:

[FishWithAHammer (957772)]

While your point is good, I lol'd at this from McAfee: "excessive pop-up ads."

"Excessive" pop-up ads? How about any pop-up ads?

Use Linux/Firefox and nobody gets hurt...

[drpickett (626096)]

What complete non-news. I read TFA, and the most informed statement that it made was don't buy your Prozac from China. Brilliant.

of course they're dangerous

[v1 (525388)]

Those sites are just chock full of advertisements for Norton and download links to NOD32...

My TLD is pretty safe

[Protonk (599901)]

Nothing wrong with mine [wikipedia.org]....

Numbers in names

[otacon (445694)]

I know they aren't TLD's but has anyone noticed ads on tv that have URLs like www.37CreditHelp.com or www.62CollegeDerees.com I always wondered why they do that. It's kind of a red flag to me when I see that.

Re:Numbers in names

[camperdave (969942)]

I think part of it is marketing research. They know which timeslot, and which show, a particular ad with a particular numbered website is going to appear. The number of hits that they gather off of a numbered website will tell them how effective that particular ad is. That way, they can tweak their marketing strategy: ie. buy more time on certain channels, or in certain time slots, or against certain types of shows.

lies, damned lies, and mcafee

[the_rev_matt (239420)]

I agree that crap math is the key to this story. If there are 1,000,000* .ru sites and 6.8% are hostile, that's almost 70000 sites, if there are 25,000 .hk sites and 19% are hostile that's (lemme get my slide rule real quick) 4,750 sites. Clearly the .ru TLD is more likely to cause troubles.

Note I'm pulling all numbers out of thin air for demonstration purposes, I've no idea if these are the actual numbers but it's safe to assume that McAfee spent less than half the time and effort on their report than I did in writing this comment.

Re:lies, damned lies, and mcafee

[mattwarden (699984)]

Um, no. You are exactly wrong, in fact. It is true that there are a greater quantity of troublesome .ru sites in your example, but given a .ru domain and a .hk domain, the .hk domain is more likely to be troublesome. The fact that there are more .ru troublesome sites out there is only a result of there being more .ru sites out there. The only thing that affects is the likelihood that a given domain is a .ru domain.

Consider this:
Bag 1: 7 of 10 marbles are blue
Bag 2: 35 of 100 marbles are blue

There are more blue marbles in bag 2, but you are far more likely to pick a blue marble in the first bag.

The point of the article is: how much of an indication is it that a .xy domain is dangerous?

List is incomplete

[UnknowingFool (672806)]

WTF? They left out the most dangerous TLD of them all: .cowboyneal

Interesting bits

[rock56501 (1301287)]

I am willing to bet that there are a lot more .com site's registered than .cn or .info or whatnot, so the fact that 5% of the .com's are flagged is huge, seeing that most people think about going to .com's before anything else.

One other interesting note is that .05% of .gov's are listed as dangerous. So is that like from when the www.nsa.gov website left that tracking cookie on your computer or is there a actual government website out there that is actually dangerous to visitors?

Re:Where can I get a list of these TLD to block ou

[Brian Gordon (987471)]

What the heck? The numbers are less than 20%.. would you block out 80% of a TLD?

Re:

[Tridus (79566)]

Is there anything in .info worth reading anyway?

Seems like its only purpose is to garner registration fees.

Re:

[Brian Gordon (987471)]

Um, yes. info is my favorite TLD. com is for commercial, net is for network services, org is for community organizations, us is for patriotfags, name is for 2-page autobiography websites... what do you do if you have a miscellaneous site or a site for hosting a programming project? Drop it in .info! (see sig)

Re:Where can I get a list of these TLD to block ou

[eln (21727)]

I think it's cute how you still think any of the TLDs are still used for their originally intended purposes.

Re:

[TheRaven64 (641858)]

gnuplot.info [gnuplot.info]?

Re:Where can I get a list of these TLD to block ou

[liquidpele (663430)]

Here is the list:
cz
info
nl
ru
st
up
id
net
biz
org

Re:Where can I get a list of these TLD to block ou

[zeromorph (1009305)]

Here is the list: cz info nl ru st up id net biz org

Don't forget .ng (Nigeria). I don't think anything good ever comes from that domain.

.no - Norway

.sh - Saint Helena
.it - Italy

sherlock

Re:

[fracai (796392)]

not even http://growl.info/ [growl.info] ?

hang your head in shame.

5%, I'm surprised

[goombah99 (560566)]

5% seems absurdly high.

I wonder how the 5% was chosen? I mean how does one actually sample this in a meaningful way. For example, suppose one enumerated every possible webpage and sampled those randomly. Or, given that that is impossible, suppose one enumerated every TLD and samlpled those.

This still would not accord with user experience. User experience is you start from some place on the web and click outward following links. Usually the starting place is some aggregator like Google.

Following that kind of trajectory is not the same as uniformly sampling TLDs or webapges, but is how users interact.

I can say with certainty that 5% of the links I click are not "dangerous".

Re:5%, I'm surprised

[gnuman99 (746007)]

The 5% number cames straight out of goatse.cx's ass

Re:

[blueskies (525815)]

You're a complete idiot. If you are running IE there are sites out there that will compromise your computer. Their plug-in is a free (as in beer) and you get access to why exactly a site is marked as dangerous. They will even show you which downloads they think are bad -- go download them and deal with the exploits and malware if you really think it is BS.

Sure they are selling security software, but why don't you at least check it out before shooting your mouth off?

Re:

[Chief Camel Breeder (1015017)]

The robust-scanner one, almost certainly. This is likely an easier job than hardening an interactive web-browser. Their robot has no need to execute anything it comes across, so downloaded script needn't be allowed to execute anything, ever. It has no need to render any of the media, so none of the image-library attacks can work. They don't have to keep anything that they scan, so no save-to-disc code. In short, they can maintain exceptionally strong separation between their scanner and its host.

If the