Sucuri has developed next-generation scanning and monitoring technology that functions as Software as a Service (SaaS). The genesis of the technology is based on the idea of a Network-Based Integrity Monitoring (NBIM) toolset. Similar to other integrity monitoring solutions, we were curious to see if we could capture changes in the integrity of network connected applications, like websites.
These are the founding elements of how the Sucuri malware and security scanner works today. It's divided into two very distinct types of scanning elements: remote and server-side. The remote scanner is designed to trigger events in a user's browser, while the server-side scanner is designed to look for infections that don't present themselves in the browser.
This is the engine that powers the very popular SiteCheck Website Security scanner. It is a core feature of the Website Antivirus product and one of the flagship features under the Sucuri umbrella. The scanner is based on the NBIM concept, and is designed to look for Indicators of Compromise (IoC) which include website malware, blackhat SEO spam, defacements and other browser based compromise indicators.
Here is a more complete list of what the remote scanner is able to identify:
The remote scanner by itself is effective, coupled with the server-side scanner however the website owner is provided the most comprehensive scanning available for today's website threats. Unlike the remote scanner, the server side scanner is designed to crawl websites files independent of how they render on browsers. This is especially important for specific infections that don't display on browsers.
Website infections evolve everyday. It's not always about abusing your audience, it can sometimes be about stealing information, abusing your resources or any number of other nefarious acts. Here are some of the additional scanning features provided via the server side scanner:
The idea behind the Sucuri scanners is to provide website owners a single solution designed to look at all the possible attack vectors an attacker might abuse. To do this, we had to extend beyond the website itself and our scanners include the following monitoring services to website owners that pay for the subscription:
As alluded to in the Remote Malware and Security Scanning section above, part of the premium service in the Website AntiVirus is provide website owners with blacklisting monitoring, which allows Sucuri to monitor a website's online reputation. This option is set by default for all websites when initially configured. The blacklisting engine of the scanner makes use of publicly available API's for the following authorities:
Disclaimer: Contrary to popular belief there is not a conspiracy between Sucuri and any of these providers. We are not out to blacklist any websites and do not play favorites. The minute the API status is cleared, our systems are also cleared.
Whois is an internet directory that provides information on who owns a domain. It is regulated and monitored by the Internet Corporation for Assigned Names and Numbers (ICANN) which is responsible for registration of all domains. This record contains information about the Registrant (the person who owns the domain), the Registrar (the entity that registered the domain), the dates, nameservers and other similar, and important, information.
If at any time the information changes you will be notified.
If you are using Secure Socket Layer (SSL), a secure protocol to transmit over HTTP securely, you are most likely using a SSL certificate. The SSL certificate shows in the padlock icon of the browser's address bar for HTTPS websites. This certificate often contains your site information and, in some instances, company information.
If using an SSL certificate this option allows you to ensure it doesn’t change unexpectedly. If it does, a notification will be sent.
One of the hardest things to detect for any website scanner is the state of your website when Google blacklists it. Those blacklists come in many forms. One such form is by making it apparent to potential website visitors when they return results of a search.
These SERP’s are highly sought after by attackers, it provides them an opportunity to intercept your traffic and make money off your visitors. They exploit those visits by 1) generating impressions on their websites (often pharmaceutical-related pages) and 2) redirecting users to infected websites that try to exploit the client’s desktop environments (i.e., PC, Mac, etc.).