Web Sites Increasing Vigilance Against Malware

These days, if you're publishing a web site - or surfing the web - you have to watch your back, constantly. Merely publishing a secure site - or only surfing to secure sites - may not be enough. Any link on any web site might link to another web site, with malware. Worse, any link on any web site might not link to a web site with malware, but to a web site that links to another web site, with malware. And so on ...

How do you draw the line how far to look? You can use a browser add-on which monitors your surfing, and tells you which web sites are safe, or aren't safe - but that add-on better go beyond just checking the immediate web site.

This month, we see progress in that direction. Just yesterday, I was asked, in Blogger Help Forum: Something Is Broken

I see that Blogger says "Blog Unavailable"
Upon further investigation, I found interesting reports from "safebrowsing.clients.google.com", which appears to be a database fed by Google and StopBadware.org.

The top level report simply says that "earnovertheinternet.blogspot.com" is a dodgy web site. I won't comment on the name here; more commentary will be found elsewhere.

We click on the "Why was this site blocked" button, and see the report for "earnovertheinternet.blogspot.com". "earnovertheinternet.blogspot.com" is clean, but it links to "popuptraffic.com".

We click on the link for "popuptraffic.com", and see the report for "popuptraffic.com". "popuptraffic.com" is clean, but it links to "javapo.t35.com", "downner.blogspot.com", and "lpspain.galeon.com".

We click on the link for "javapo.t35.com", and see the report for "javapo.t35.com". "javapo.t35.com" is not clean. Reports for "downner.blogspot.com", and "lpspain.galeon.com" contained similar warnings.
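The click-through chain above, as an added example that is not part of the original post or of Google's Safe Browsing tooling: a breadth-first walk over a "links to" graph, with a hop budget that is one answer to the "how far do you look" question. The graph is constructed from the site names in the post; the individual edges and the site "cleanexample.invalid" are assumptions for illustration.

```python
from collections import deque

# Constructed "links to" graph built from the site names in the post
# (edges follow the diagnostic reports the post clicks through).
LINKS = {
    "earnovertheinternet.blogspot.com": ["popuptraffic.com"],
    "popuptraffic.com": ["javapo.t35.com", "downner.blogspot.com",
                         "lpspain.galeon.com"],
    "javapo.t35.com": ["velassin.com", "rmbclick.com", "39m.net"],
    "downner.blogspot.com": ["velassin.com"],
    "lpspain.galeon.com": ["rmbclick.com"],
    "cleanexample.invalid": [],  # constructed: no outbound links
}

# Hosts the report names as serving the malicious software itself.
MALWARE_HOSTS = {"velassin.com", "rmbclick.com", "39m.net"}


def path_to_malware(site, links=LINKS, bad=MALWARE_HOSTS, max_hops=3):
    """Breadth-first walk along outbound links from `site`.

    Returns the shortest chain [site, ..., malware_host] if a malware host
    is reachable within `max_hops` links, else None. `max_hops` is where
    the checker draws the line on how far to look.
    """
    if site in bad:
        return [site]
    queue, seen = deque([(site, [site])]), {site}
    while queue:
        current, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # hop budget spent; do not follow further links
        for nxt in links.get(current, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            chain = path + [nxt]
            if nxt in bad:
                return chain
            queue.append((nxt, chain))
    return None


def classify(site, max_hops=3):
    """Map a site to the report's three labels: clean, intermediary, malware host."""
    chain = path_to_malware(site, max_hops=max_hops)
    if chain is None:
        return ("clean", None)
    return ("hosts malware" if len(chain) == 1 else "intermediary", chain)
```

Lowering `max_hops` to 2 is enough to make the blog look clean even though the same chain exists, which is exactly why a checker that stops at the immediate site is not enough.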

I'll note here the stated dangers from "javapo.t35.com":
25 page(s) resulted in malicious software being downloaded and installed without user consent ...

Malicious software includes 26 exploit(s), 2 trojan(s), 1 scripting exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine ... Malicious software is hosted on 12 domain(s), including velassin.com/, rmbclick.com/, 39m.net/.

11 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including popuptraffic.com/, adtrak.net/, hele.t35.com/.
We also see evidence that the web site monitoring process runs repeatedly, on a cycle.
The last time Google visited this site was on 2009-09-04, and the last time suspicious content was found on this site was on 2009-09-04.
And it gives details about the degree of danger.
Malicious software includes 26 exploit(s), 2 trojan(s), 1 scripting exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

"earnovertheinternet.blogspot.com" and "popuptraffic.com" had apparently been visited that same day, 2009/09/17.
What is the current listing status for earnovertheinternet.blogspot.com?
Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-17, and the last time suspicious content was found on this site was on 2009-09-17.

The owner of "earnovertheinternet.blogspot.com" (you'll note that I won't be linking there) states his intention to clean up his act, and to convince at least one other web site to do likewise.
I will remove those popups ... I asked the admin of popuptrafic

This is a start. Get the responsible web sites to remove their links to dodgy web sites. Enough action here, and one day, maybe no more dodgy web sites.

We can dream, can't we?

Penny said...

Hi, Nitecruzr! Didn't know about this blog...God you love blogs! hee hee.

Those welcomed alerts and that funny option to "get me out of here!" is what I love about FF! On IE6 I got stuck on a handful of pages that claimed malware was detected or that my anti-virus program needed updating or whatever. I knew not to click on anything, but found I usually could not access the toolbars or shut down the page. I'd have to use taskmanager to shut down the browser. Annoying and scary. When I informed Windows (by the Report Site option) of the offending website, they made it difficult: call this person and blah blah blah. Isn't giving them the Google Search and Actual website link enough?

My brother recommended FF, and I've been in love with it ever since. I've only had two known encounters, both thwarted by FF warnings. Of course, that doesn't mean they are aware of every site, so I take precautions. When looking at the Google Search links, I skim the site link previews...if the wording is nonsensical or odd (a group of words that are not a complete and comprehensible sentence), or if they're offering too much (such as, Hot Pics of So and So), those are clues for me to bypass that search link.

My reason for visiting your site is to share with you the following post I saw today in the Statcounter forum. I wasn't sure which of your blogs to post it on. I'd really like your take on it--have you heard of a similar issue? Here goes:

I use SC to help see how many downloads my ebook site has, and one thing I noticed, some time ago, is visits by 'someone' with the browser name 'Rippers0' (or something similar).

Shortly after I was visited by these browsers my site was hacked. Luckily I managed to fix it, but a few weeks later the same thing happened again.

After I repaired it again (and moved hosts!!), I looked up what this Ripper browser was (something I should have done the first time). Turns out it's a package used to find weaknesses of sites so they can be hacked.

Since then every time I see a Ripper browser I ban the IP address range from my Host control panel.

The moderator suggested:

However you should really fix your site's weaknesses. Banning those IPs won't help.

Any thoughts?

Chuck said...


Any computer application that has a presence on the web is vulnerable to hacking. Web servers are vulnerable two ways: through the server itself, and through the data (the websites served).

Web servers that use commercial code like Microsoft or Sun / Unix are more vulnerable in the server code, since there are thousands of web servers using the same code, and there's opportunity for the bad guys to find plenty of examples to experiment with, and to find the security holes.

With Blogger, their code is highly proprietary, and it's dispersed all over their server farm. My suspicion is that Blogger code is more vulnerable in the blogs themselves, and here you'll find social engineering attacks, like the hacker who has apparently taken over the Blogger Gadget Library.

I do feel that bloggers, as individuals, are more vulnerable to hacking. Since there are millions of Blogger blogs, I suspect that the chance of any one blog being successfully attacked will depend upon the vulnerability of the individual blog owner.

If you use common sense, such as the recommendations that I make in my blogs, you're probably safer with Blogger than with any individual small dedicated or shared server host. The bloggers who are vulnerable are the ones who use third party code indiscreetly, or gadgets, or who allow unknown third party services to install code on their blogs.

My suspicion is that Blogger / Google guard their servers rather vigorously, because they have millions of users, many of whom are individually vulnerable.

