Geek magazine hacker daily blog

2 years, 11 months ago
The great fight against wrapper programs

It is no secret that the problem of unwanted and malicious software is growing ever more acute: botnets of various kinds, lockers, adware …
Of course, many try to fight it. I work for a regional ISP, and we too pursue a policy of passively warning users: we promote antivirus software and a culture of sensible Internet use. In the end, it is better for us if everything works quickly and properly for the client.
For some time now the search engines have joined in as well. Below the cut is an entertaining story of how we fell victim to this fight, and an occasion to reflect on what all this can lead to.

Summer had just ended and, as usually happens, nothing portended trouble. Suddenly a letter arrived from Yandex with the following contents:
Links to files or programs with additional software bundled in have been found on pages of the website *****.ru. As a result, additional programs, whether safe or questionable, may be installed on the visitor's computer together with the downloaded file.
At the moment the website is displayed in search results with the mark "Be careful when downloading files from this website".

Please remove the links to such files. If they are not found at the next check, the mark in search results will be removed.

The domain in question is our small forum. We do not promote it in any way; it is just a place for subscribers to talk to each other about various subjects.
The first thought: we have been hacked! The second thought: some user posted something bad. We start checking right away: we look through the page code, we look at the latest forum attachments … and we find nothing. We write to Yandex support asking what, exactly, is going on. The answer, which left us somewhat dumbfounded, arrives fairly quickly and leads to the following correspondence.

Yandex:
Complaints are being received from users about downloads of unwanted executable files from your website. As soon as the complaints stop, the mark will disappear automatically. We do not recommend using affiliate programs that you have doubts about.

Our position on low-quality files is described on the following pages:

blog.yandex.ru/post/81042
habrahabr.ru/company/yandex/blog/226817
company.yandex.ru/rules/distribution

We:
We do not use any affiliate programs. We also do not distribute any executable files; it is just a provider's backwater forum.
Please specify the links to the files that caused the warning.

Yandex:
Here is an example of a low-quality page: http://*****.ru/viewtopic.php?f=15&t=3503.

We:
I do not see a single file on this page. Do you mean the link to some other forum in the first message of this topic? Then how did "unwanted executable files" suddenly turn into "links to other resources"? And how can we control the contents of another resource?

Yandex:
To avoid a warning appearing next to your website *****.ru, there is no need to control third-party resources; you only need to protect your website's visitors from low-quality content. If a user goes from the search results to your website and, after several clicks, downloads wrapper programs, then your website will be displayed with a warning in the search results.

We:
In other words, if a person places on a forum (blog, personal website, etc.) a link to some resource from which "unwanted executable files" can be downloaded, then that website will be displayed with a warning in Yandex search?
If so, can I place such a link on any popular blog hosting such as blogspot or livejournal, wait until somebody follows it, and you will then display that blog hosting with a warning too?
If not, then the reason for the warning on our forum is still unclear to me.
It is equally unclear what we are actually supposed to do. Delete topics? Check every link a user posts to see whether something with wrappers can be downloaded there?

Yandex:
We recommend checking the contents of pages from which there are a large number of clicks through to external resources from your website.
The situation you describe can influence the algorithm's verdict on whether the website is dangerous. We do not provide any details of how our algorithms work, including how, when and in what way the system recorded attempts to use unacceptable methods of distributing additional software, whether they are being recorded now, etc. When developing a website, we recommend being guided by the needs of users, not of search engines.

Literally a few hours after the last message we receive a new notification:
The last check of the website on 2015-09-07 did not reveal links to files with added software.
The website is displayed in search results without marks.

What had happened? In 2012 some user created a topic with the following contents:

[Image not preserved]

The only external link on the page is a link to the unionpeer torrent tracker.
Clicking the link opens a catalogue of games; to download anything you first have to go into a particular distribution. That is at least 2 clicks from our forum. We were, to put it mildly, dumbfounded by such a severe approach on Yandex's part.
We were also struck by the double standards. Clearly they will not hang a warning on some livejournal.com, although there are more than enough links to this tracker there. But shaking down a small forum, so as to then loudly declare a fight against unwanted software, is apparently fine.

It would seem the incident was over. Yandex understood (?) the absurdity of what was happening and removed the mark from the website.

But December came, and with it two whole new notifications:
Links to files or programs with additional software bundled in have been found on pages of the website *****.ru. As a result, additional programs, whether safe or questionable, may be installed on the visitor's computer together with the downloaded file.
At the moment the website is displayed in search results with the mark "Be careful when downloading files from this website".
Code that can be dangerous to visitors has been found on pages of your website *****.ru. Execution of this code when visiting the website can lead to consequences unwanted by the user: infection of the computer with malicious applications, unauthorized use of its resources, damage to or theft of personal data.
At the moment the website is displayed in search results with the mark "This website can threaten the safety of your computer".

Again we check both, and again nothing. On VirusTotal the only detection is from Yandex Safebrowsing. Right away, users of Yandex Browser and/or Yandex DNS start contacting technical support: when they try to enter the forum, they are shown this warning, with no option to bypass it:

[Image not preserved]

Fortunately, there are not many of them.

Again we ask what is going on. Again the ill-fated topic with its single link to unionpeer is to blame.

Yandex:
At the last check of your website our robot found low-quality programs available for download, for example on the page http://*****.ru/viewtopic.php?f=15&t=3503. These programs may contain additional components that are installed without the user's knowledge. For this reason the corresponding warning is displayed next to your website on the search results page.

You can read more about this in the following materials:

blog.yandex.ru/post/81042
habrahabr.ru/company/yandex/blog/226817
company.yandex.ru/rules/distribution

We:
The Yandex.Webmaster service specifically lists the page http://*****.ru/viewtopic.php?p=109830 with the verdict "Bedep_payload", which is not at all the one you are talking about.
No low-quality programs are stored on our server. Please provide direct links to the low-quality software stored on our server so that we can delete those files.

Yandex:
The "Bedep_payload" verdict on the safety tab of the Yandex.Webmaster service was shown by mistake. Please ignore this information.

We have checked: in this case the algorithms worked correctly. We do not provide any detailed information about low-quality content on users' websites. Please use the recommendations from our previous letter.

We:
You have already given me these links, and there is still nothing in them that would explain your actions. Please give a direct link on our forum from which a "wrapper program" is downloaded. Nothing is downloaded from the link given in your first answer.

Yandex:
I am sorry, we do not provide such information. Please try once more to look carefully at the page we indicated earlier and to analyze all its external links for low-quality content.


I do not even know whether any comment is needed here. Fine, never mind the false positive, for which they did not even apologize. But Yandex, under the pretext of fighting unwanted software, is pursuing some strange policy of blackmail and censorship while refusing to explain its reasons.
All this is bewildering and makes one think seriously about the direction in which the modern RuNet is moving, as if one Roskomnadzor were not enough for us.

Our trust in Yandex is completely undermined. Double standards and petty tyranny have never led anyone to anything good. In any case, we do not have much of a choice: either instruct technical support to advise subscribers to remove Yandex Browser and Yandex DNS if they have any problems accessing the forum, or delete the topic Yandex pointed to and hope that they will not decide to flag something else in the future.

At the moment the website opens without forced blocking; the warning hangs only in search results. However, calls from users keep coming; possibly something got cached.

P.S. I intentionally replaced the forum address with asterisks to avoid a sudden flood of visits. Anyone interested can easily google it using text from the topic and check everything for themselves.

UPD: the mark was removed from the website again; we, for our part, did nothing.
The last check of the website on 2015-12-28 did not reveal links to files with added software.
The website is displayed in search results without marks.

UPD2: a representative of Yandex contacted me; with their permission I am publishing the complete log of the correspondence as a PDF: link.
TL;DR: the website was marked because a significant number of forum visitors landed on the topic with the link to unionpeer. People followed it and downloaded wrapper programs there. Yandex will try to be more careful when this happens unintentionally, perhaps marking the specific page in the search results instead of the whole website. Technical support, once it has decided that a website was not created specifically to distribute adware, will provide the fullest possible information about the detected links that are unwanted for visitors. We, in turn, will delete this specific link from our forum.
Is such a policy on the part of search engines acceptable?

1704 people voted. 308 abstained.


This article is a translation of the original post at geektimes.ru/post/268406/