Wilders is attacking my computer??

Discussion in 'other security issues & news' started by denniz, Oct 4, 2008.

Thread Status:
Not open for further replies.
  1. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
    When I'm trying to browse the "malware problems & news" section of Wilders, NIS2009 blocks it and pops up this message:

    [screenshot attachment: attack.jpg]

    Can someone please explain why this happens? o_O
     
  2. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Looks like a false positive. The message is saying that you have gone to an adware page, which is not true.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Actually, that is quite common, though usually it occurs much more frequently on forums that do malware cleaning.

    The NIS alert is a fairly weak type of URL-based signature detection. These alerts fire when some known bad website is contained as a URL on a webpage. It doesn't mean that the page contains malware, just that there is a link to a known bad website on the webpage noted.

    Well, what types of things get posted on malware/spyware cleaning websites and forums? Answer: logs showing PC configurations and HijackThis listings from infected PCs, that's what. Contained in those logs are often the links to startup entries and browser pages contained on the infected PCs.

    Even though Wilders Security stopped taking HijackThis Logs about 4 years ago, our "malware problems & news" forum section still receives posts by people asking about the infections and detections they are getting alerted to on their PCs.

    What NIS is telling you is that, at that moment in time, one of the posts on the first page of the "malware problems & news" forum section contained a link in a log which pointed to some URL that Norton has flagged as a known bad website which provides a "fake scan" application.

    http://www.symantec.com/avcenter/attack_sigs/s23005.html

    Most likely, one of the posts in the malware section lists the link to one of those "Anti-Virus 200X" pages that we all know is a fake malware scanner that actually infects people's PCs. That's the problem with letting people post infection summaries... the bad links are included in those summaries.

    Wilders Security maybe gets one post like this every 2-3 weeks. A large active spyware cleaning forum, the size of say Geeks To Go or CastleCops, gets several of those links in a log posted each day.

    In my opinion, the jury is still out as to whether alerting on such links is a good thing or a bad thing. The Symantec page says there is no false positive associated with that detection... Well, does alerting on an anti-spyware scan log entry really make that detection a true positive? If so, people better stop posting HijackThis Logs on spyware cleaning forums which contain the URLs they are infected from, or they will all be flagged as purveyors of spyware.
     
  4. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Sounds like a rather crude form of protection...
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, it is, but it isn't the end of the world either. These types of alerts were originally meant as simple warnings, and the ability to ignore them was usually provided. I don't have NIS here, so I don't know if that "Stop notifying me" button is also an ignore feature, meaning once you tell it to stop notifying you, whether it'll let you view the webpage without alerting or blocking it. If that's the case, then it's probably fine. If it will never let you see the webpage, then yes, that's definitely not a good thing, since an innocent webpage would be blocked and you can't ever get to it.

    These types of alerts are not uncommon though. Avast, ESET and one or two other anti-viruses with web filter/web scanners built-in have been alerting on a particular HijackThis Log thread in our "adware, spyware & hijack cleaning" section for over 4 years now... (Edit: Found a note that McAfee used to alert that page as "Exploit-MhtRedir.gen".)

    This is the thread (be aware, you may get a webscanner alert if you click on this link):

    https://www.wilderssecurity.com/archive/index.php/t-37349.html

    I only have avast installed here currently, so that's the only AV I can test at the moment. It still alerts on that HijackThis Log because of one of the entries in the HijackThis Log results. ESET may still alert on it, but someone running it will have to confirm. A couple of other "web scanner" AVs may still alert on it as well.

    It's an easy click in avast! to tell it to ignore the alert and let you see the webpage. Whether the detection is a bad thing or not, as I said, is still out for judgment, as long as the user understands what that type of alert really means and doesn't just assume the forum page is trying to infect them.

    I've had that thread above reported maybe 60 or 70 times over the last 4 years, but I always refuse to remove it (the thread, that is) because it serves as a good example of when a detection is not necessarily proof that something is malicious. There are a few public threads on the forum discussing that alert, but I don't have the links to them at present. I only bothered noting the link to the "supposedly infected" forum page, not the discussion pages people have posted asking about it.
     
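The detection LowWaterMark describes in posts 3 and 5 (a web filter matching known-bad hostnames anywhere in the page body, so a HijackThis log pasted into a forum post trips the same signature as the fake-scanner site itself) is easy to model. The following Python is an added illustration, not code from the thread or from any Norton, avast or ESET product; the blocklist, the hostnames ending in `.example`, the page content and the `excluded_hosts` option are all constructed for the example.

```python
"""
Toy model of a URL-based "known bad site" web-filter signature.

The scanner extracts every URL from a response body and checks the
hostnames against a blocklist. Because it inspects the body rather than
only the requested address, a forum page that quotes an infected PC's
HijackThis log (which lists the victim's hijacked start page) matches
exactly like the fake-scanner site would. The blocklist below is
hypothetical; these hostnames are not real flagged sites.
"""
import re
from urllib.parse import urlparse

# Constructed blocklist of "fake scan" hosts (hypothetical names).
FAKE_SCAN_HOSTS = frozenset({"antivirus200x-scan.example", "fakescan.example"})

# Matches absolute http(s) URLs up to the first whitespace, quote or tag char.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def hostname(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def find_flagged_links(body):
    """Return the blocklisted hostnames referenced anywhere in the body."""
    seen = {hostname(u) for u in URL_RE.findall(body)}
    return sorted(seen & FAKE_SCAN_HOSTS)


def classify(page_url, body, excluded_hosts=frozenset()):
    """
    Decide what a crude web filter would do with one HTTP response.

      'block' : the requested page itself is on the blocklist
      'warn'  : the page merely contains a link to a blocklisted host
      'allow' : nothing matched, or the page host is on the user's
                per-site exclusion list (the feature denniz found missing)

    Returns (verdict, matched_hosts); matched hosts are still reported
    for an excluded page so the user can see why it would have alerted.
    """
    page_host = hostname(page_url)
    if page_host in FAKE_SCAN_HOSTS:
        return "block", [page_host]
    matched = find_flagged_links(body)
    if not matched:
        return "allow", []
    if page_host in excluded_hosts:
        return "allow", matched
    return "warn", matched


# Constructed forum page: a user pasting a HijackThis-style log whose
# R1 entry shows the hijacked IE start page pointing at a fake scanner.
FORUM_PAGE = r"""
<html><body>
<p>Here is my log, please help:</p>
<pre>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antivirus200x-scan.example/scan.php
O4 - HKLM\..\Run: [AV2009] C:\Program Files\AV2009\av2009.exe
</pre>
</body></html>
"""

if __name__ == "__main__":
    forum_url = "https://www.wilderssecurity.com/forums/malware-problems-news/"
    # The innocent forum page alerts because the quoted log contains the URL.
    print(classify(forum_url, FORUM_PAGE))
    # A per-site exclusion lets the page through but keeps the evidence.
    print(classify(forum_url, FORUM_PAGE, excluded_hosts={"www.wilderssecurity.com"}))
    # Visiting the fake-scanner site directly is the case the signature is for.
    print(classify("http://antivirus200x-scan.example/scan.php", "<html></html>"))
```

The point of separating `block` from `warn` is the one LowWaterMark makes: a hit on an embedded link is evidence that the page mentions a bad site, not that the page is the bad site, and a product that treats both the same way (as denniz reports NIS2009 doing for that forum section) turns every malware-cleaning forum into a "threat".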
  6. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I just tried the link and Kaspersky reported it as exploit.html.mht. Viruslist shows the other aliases it comes under.

    Regardless of whether such links should be flagged, there needs to be much better information available on what and why it has been flagged.
     
  7. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
    Thanks for giving a very clear answer! :)

    The "stop notifying me" button isn't an exclude function, it just stops notifying the user it blocked something. NIS2009 does provide excluding options for the "HTTP Fake Scan Webpage" threat, but that exclusion isn't on a per website basis as far as I can tell.

    I will forward this thread to the Symantec forums and see if they have some kind of solution.
     
  8. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
    NIS2009 indeed does display an alert about a threat if found and blocked, but I can still view that page. Whereas in the screenshot I posted at the beginning of this thread, NIS2009 just completely blocks any access to that section of the forum. Weird.
     
  9. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108


  10. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
  11. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
  12. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
  13. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
    Symantec pushed out an update to fix the problem. :)
     