|Malicious Links and Loss of Traffic|
Let me preface this by confessing that I was recently the victim of a major malware attack on my system. A really nasty Trojan got by my defenses and wreaked havoc on my system. If it were not for [Malwarebytes.org...] and a program called ComboFix, I would have had to reformat the system which I really didn't want to do. To make a long story short, it is not an experience you want to be plagued with. It took just over 48 hours to recover and over a hundred system scans during that time period. Hey, this was something new to me and I learned each time I had to reboot.
So, now that I have additional protection at work, I'm finding some things that are rather disturbing; the detection of malicious IPs when clicking links to third party sites. Yes, that's right, my new protection seems to be a bit more robust than what I previously had. I have a feeling that I've been infected for longer than I suspect. And for those thinking that I may still be infected, think again. I'm now running full system scans on a regular basis and of course have all additional real time stuff at play. I wasn't so vigilant previously. All it takes is for me to get bit once and I'm making changes.
Back to the topic. In the past few days, I've visited websites and clicked on one of their external links which was blocked due to being a malicious IP. Those links are no longer available to me for safety purposes so I don't have to worry about clicking them again. But I got to thinking, how much of this is going on with your external links? Have you checked ALL of your outbounds to ensure that they are malicious IP free? Are you 100% certain? Could it be possible that many folks complaining of major losses in traffic are victims of their own outbound links?
The sites I visited and clicked on external links are well known industry news sites. I have this sneaky suspicion that many folks are unprotected against stuff like this and they don't see the malicious IP warnings. I'm going to be paying very close attention to this moving forward. I went to Mom's house after recovering my system. She too was infected with 9 Trojans that her existing security software did not detect. Why? Because two of the Trojans were security disablers. She was wondering why her Internet Security kept going off and would turn it back on, only to find it go off again shortly thereafter. Scary stuff folks. She now has the same protection I do. :)
P.S. I was hit with a RootKit Trojan. That one initiated other RootKits which in turn wreaked total havoc on my system. It disabled all of the protection I had in place which was a bit more than average, or at least I thought it was. Be careful out there.
|Have you checked ALL of your outbounds to ensure that they are malicious IP free? |
I'm unclear on one point - how are you defining a "malicious IP"? Or do you simply mean a link pointing to a hacked page?
P1R you should still rebuild your system from scratch. Never ever take chances with rootkits.
|Have you checked ALL of your outbounds to ensure that they are malicious IP free? |
There's no guarantee that the link you check today and passes muster won't be harboring a trojan tomorrow.
Where does your responsibility end and that of the visitor / other webmaster start? What if you delete a valuable link today and the linked site cleans up their hack tomorrow?
What was your previous security software and what is it now?
|How are you defining a "malicious IP"? |
I'm not, the software I'm utilizing is. I'll get a warning that a Malicious IP has been detected and then the link to that is no longer available for me to click.
|P1R you should still rebuild your system from scratch. Never ever take chances with rootkits. |
I'm pretty confident that my system is cleansed. I am considering a clean install but I've only had to do that once in the past 15 years. I have a bit of a challenge at hand when it comes to the various software programs I'm using.
|There's no guarantee that the link you check today and passes muster won't be harboring a trojan tomorrow. |
If you're diligent in maintaining trusted link partnerships, you'll have done everything you can to minimize that from happening. Which means that sites with an excess of outbound links are going to have a security challenge on their hands.
|Where does your responsibility end and that of the visitor / other webmaster start? What if you delete a valuable link today and the linked site cleans up their hack tomorrow? |
If the link is that valuable, I'm guessing it is a trusted link and that the typical malicious environment is not present. If I delete that link today, and they clean up tomorrow? Too bad. If it was that important, then I'll probably reinstate it. But, I seriously doubt that will happen on any regular basis.
|What was your previous security software and what is it now? |
Ever try to remove Norton? What a test of research skills that was!
How did it get past my previous defenses? I know what those reading are going to say, Norton! You know, if you can't trust a company like Norton, who can you trust? Rhetorical question.
I did a search on Google for property in Dubai while participating in another WebmasterWorld topic. I clicked on one of the top results. Firefox froze for a few seconds and then the maliciousness began. There were so many popups that I couldn't figure out who was who. There were three Windows Security Alerts and they all looked similar. There were other alerts blended in that looked like Windows Security. At that point, it was too late. My audio had been modified, all sorts of weird stuff had taken place and I shut down and disconnected from the Internet. That's when all the crap started.
Note: iexplore.exe was the little bugger that was creating havoc. After I removed that from the system, I was able to start cleaning up. I sat there and watched via a system monitor and it was phoning home every 15 seconds, or trying to anyway. First thing I did was disable my connection to the Internet, at least I knew that much. What a learning experience this was too. I became extremely intimate with my system. :)
Confession: I was a bit overwhelmed with what to do when it started. I did know to reach over and disconnect the modem from communicating and, I knew I had to get into Safe Mode. From that point forward, it was search and research - then search and destroy.
I don't know what the stats are, but viruses are definitely on the up. Nearly all my family members have had a serious infection this year.
I've never been a fan of Norton - once I realised the huge amount of technical support pages Microsoft have on it. Uninstalling often resolves machine issues!
Is there an automated way of checking all external links for malware from a single website?
I've investigated these Malicious IP warnings that I'm now seeing a little further and it appears that some folks are on a Shared IP that is classified as a bad neighborhood. I just ran into one yesterday and there are 665 other websites that share that IP and it was blocked by my software.
I wonder if folks really understand what they are getting themselves into when hosting in this type of commodity environment. Of course shared IPs are common, I'm well aware of that. Dedicated IPs are common too. And so are Trusted Shared IPs. I think a notable percentage of topics around here that discuss loss of traffic in certain industries are due to something along these lines.
THE - Trusted Hosting Environments
Are you at risk in your current hosting situation?
2006-04-23 - [webmasterworld.com...]
Almost 4 years ago. :)
|some folks are on a Shared IP that is classified as a bad neighborhood. I just ran into one yesterday and there are 665 other websites that share that IP and it was blocked by my software. |
I'm going to be blunt, hope you don't mind ;)
Your software is clearly total junk, as it is horribly broken. You appear to be forgetting that commercial "security" software depends on producing sufficient "noise" to give the continual impression it was worth the money you paid for it, regardless of the quality or accuracy of that noise. Norton is a great example of this, a constant nanny shouting "danger" at every turn for entirely spurious reasons.
Would you like a spam filter to block all mail from Hotmail just because one spam came from their server? In this case, your software is doing something similar: it ignores the fact that an IP address isn't always unique to one server or one site, and so you get a HUGE false-positive rate. So of those 666 sites sharing one IP, only one is evil ;) the 665 others are false positives. This is the software's fault, not the webmasters'.
There is no such thing as a "trusted" IP, or hosting company. The latter, however diligent, isn't responsible if I don't update my CMS and get 0wned. Those whose sites share my mythical "trusted shared IP" aren't responsible either - whatever some noisy anti-virus program that can't handle HTTP/1.1 says.
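One way to answer the earlier question about checking a site's outbound links automatically, while keeping encyclo's shared-IP caveat in view, is a small audit script. This is an added example, not code from any poster in this thread. Everything in it is constructed: the sample HTML, the hostname-to-IP table that stands in for DNS, and the blocklist that stands in for a reputation feed (192.0.2.0/24 is the TEST-NET-1 documentation range, so none of these addresses are real hosts). A real audit would swap the table for DNS lookups and the blocklist for whatever feed the security software uses.

```python
"""Audit a page's outbound links against an IP blocklist (added example).

The script extracts external links, resolves each hostname through a
constructed lookup table, and groups the hosts by flagged IP so the
reader can see how many unrelated tenants share one flagged address.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.com"  # constructed: the site whose links are audited

# Constructed page: a mix of internal, external and non-HTTP links.
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="http://news.example.net/story">Industry news</a>
<a href="https://partner.example.org/">Trusted partner</a>
<a href="http://cheap-offers.example.biz/">Sponsor</a>
<a href="http://other-tenant.example.info/">Another tenant</a>
<a href="mailto:me@example.com">Mail</a>
</body></html>
"""

# Constructed resolver table standing in for DNS (TEST-NET-1 addresses).
RESOLVER = {
    "news.example.net": "192.0.2.10",
    "partner.example.org": "192.0.2.20",
    "cheap-offers.example.biz": "192.0.2.30",
    "other-tenant.example.info": "192.0.2.30",  # shares the flagged IP
}

# Constructed blocklist standing in for an IP reputation feed.
BLOCKLIST = {"192.0.2.30"}


class LinkExtractor(HTMLParser):
    """Collect every href value from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_hosts(html, site_host):
    """Return the set of linked hostnames that are not the site itself."""
    parser = LinkExtractor()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        url = urlparse(href)
        # Relative links and mailto: links are not outbound HTTP links.
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        if url.hostname != site_host:
            hosts.add(url.hostname)
    return hosts


def audit_links(html, site_host, resolver, blocklist):
    """Map each blocklisted IP to the outbound hosts resolving to it.

    Listing every host behind a flagged IP is the shared-hosting caveat:
    one flagged address does not prove each tenant behind it is bad, so
    the per-IP list is what a webmaster should review, not act on blindly.
    """
    by_ip = defaultdict(list)
    for host in sorted(external_hosts(html, site_host)):
        ip = resolver.get(host)
        if ip is None:
            continue  # unresolvable; a real tool would report these too
        by_ip[ip].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if ip in blocklist}


if __name__ == "__main__":
    for ip, hosts in audit_links(SAMPLE_HTML, SITE_HOST, RESOLVER, BLOCKLIST).items():
        print(f"{ip}: {len(hosts)} outbound host(s) on a flagged IP")
        for host in hosts:
            print(f"  {host}")
```

On the sample page the audit reports one flagged IP with two hosts behind it, which is exactly the situation the thread argues about: the tool is right that the IP is flagged, and the webmaster still has to judge each host on it separately.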
|I'm going to be blunt, hope you don't mind. ;) |
Let me have it, you know me. ;)
|Your software is clearly total junk, as it is horribly broken. |
I think my previous software was in the total junk category and was broken. I also think there are quite a few g33ks around this neck of the woods who might take that personally. :)
|You appear to be forgetting that commercial "security" software depends on producing sufficient "noise" to give the continual impression it was worth the money you paid for it, regardless of the quality or accuracy of that noise. Norton is a great example of this, a constant nanny shouting "danger" at every turn for entirely spurious reasons. |
I've run Norton for as long as I can remember. It is typically pre-installed on the systems I've purchased. In all the years that I utilized Norton, there were less than a handful of those Nanny Shouts you refer to.
|Would you like a spam filter to block all mail from Hotmail just because one spam came from their server? |
That may be a bit extreme. I would like a spam filter to determine that the mail originated from an IP that has a high volume of spam. And if so, to take the appropriate steps.
|In this case, your software is doing something similar: it ignores the fact that an IP address isn't always unique to one server or one site, and so you get a HUGE false-positive rate. |
Thing is, I'm not getting a HUGE false-positive rate. Since installing I've had approximately 6 alerts for malicious IPs and I do quite a bit of surfing, the numbers are very small.
|So of those 666 sites sharing one IP, only one is evil ;) the 665 others are false positives. This is the software's fault, not the webmasters'. |
Heh! What a coincidence.
|There is no such thing as a "trusted" IP, or hosting company. |
I tend to think otherwise. There are plenty of references in various Google Patent filings that discuss the integrity of the hosting environment. I would think that IPs are part of the process, one of the signals that may be used to determine the legitimacy of the provider.
|Whatever some noisy anti-virus program that can't handle HTTP/1.1 says. |
What do you use? Are you saying that my current choice of security software is noisy? I wonder what ESET, Malwarebytes and TrojanHunter would think about that? ;)
I'm interested to know what you'd recommend as a defense against the current malware threats?
Well, I used to use Linux and looked on with pity reading about Windows security issues. However, my needs have pushed me back to Windows, so I'm stuck with the same issues. :)
The thing about the security software is that it should be the last line of defence, whereas too many see it as the first. I use very little in the way of anti-malware programs. I use Microsoft Security Essentials (simple, unobtrusive, free and with a reasonable reputation).
You don't mention what Windows you are running, but I'll guess that you're running a legacy XP installation. If so, you should be switching to Windows 7. It's not just hype, it really is much more secure than XP by default. UAC in 7/Vista is vital, it should not be turned off - and again, in 7 it is much more unobtrusive than in Vista. Combine this with an alternative browser (in my case Firefox with script-disabling add-ons) and already you're much safer than the average XP/IE user. (It goes without saying that if you use IE, it should always be IE8).
One thing you should do if you still run XP (other than upgrade already!) is to run as a limited user - this is the biggest step forward you can take to keep your machine secure. As a limited user, even if you get hit by the malware, it can't install. UAC in Vista/7 is very similar in approach, in that even those who log on as local administrator have limited privileges until a UAC prompt is answered.
|The thing about the security software is that it should be the last line of defence, whereas too many see it as the first. |
I'm one of those who see it as a first line of defense at the moment. Yes, I'm running XP on this system. Windows 7 on another and then I have an iMac.
|I use very little in the way of anti-malware programs. I use Microsoft Security Essentials (simple, unobtrusive, free and with a reasonable reputation). |
Isn't MSE a first line of defense? Just from a different provider? And what about all the Windows Security issues that make Front Page here at WebmasterWorld? ;)
encyclo, I spent some time this weekend performing various research into the IPs that were being blocked as malicious IPs. I only took 3 of the almost 10 now and did some digging. Using various Reverse IP lookups, DNS lookups, etc. I was able to make a determination that Malwarebytes was right on target by flagging those IPs. It didn't matter to me that there may be other sites sharing that IP that may be of interest to me. The first 50 websites I extracted from one report were ALL garbage. In the other instances, a large percentage of them were bad neighborhoods. One look at the TLDs and you could clearly see what the neighborhood was like.
During my research, I also came across a variety of resources that looked at IP Reputation. I found a few tools that allowed me to enter an IP and see that the IP(s) I was researching were flagged as being less than safe, in the yellow/red zone of the reports. And yes, I understand that it would be a mistake to make an assumption on that warning alone due to the shared IP environment. But, what if, just what if, there were enough sites on that IP that were flagged as being unsafe?
I don't know about you, but if I were an engineer trying to determine one of the many signals I could use to thwart a bad visitor experience, I'm going to look at the IP neighborhood. Sure, there are going to be some IPs that this won't apply to due to the sheer volume. But, if I can use this methodology on smaller scale operations where the volume is manageable, I just may find that to be a valuable piece of information, I'm referring to IP Reputation. :)