The Corpus Callosum

If you encounter a web site that contains malware (virus, trojan,
etc.), how do you report it?  I had a devil of a time finding
out.  A friend had forwarded a suspicious email to me.  The
email contained a link.  The link indicated that it would take you
to a text file that explained a finding about a chance of an asteroid
hitting the Earth next year.  the file ended with .txt.exe,
obviously a bad thing. 

So I downloaded it, using Linux, of course (the .exe would not be able
to do anything without me affirming that the file was to be opened with
WINE, which I did not plan on doing).  I scanned it.  It was
a backdoor trojan.  I searched for reports about the malicious
site that was hosting the file, but there were no reports.  I
located the site using Google, which normally flags sites that are
known to be bad.  It was not flagged. 

You could report it to the FBI if there were some kind of fraud
involved, or the FTC, for identity theft.  But what if it is a
backdoor-type of malware?  It might not be used for those
particular purposes.  Those agencies might not have any interest,
or even any ability, to do anything.  If the site is masquerading
as a legitimate site, you could contact the legitimate site and let
them know about the deception.  But in this case, the legitimate
site has no “contact us” page, no email address (that I could find), no
way to send such information.

What you do, is this
: Go to badwarebusters.org. 
Register.  Post a message.  You then get a reply that gives
you the secret link.  Why do they not simply put the secret link
on their home page?  Don’t know. 

The secret link is: href="http://www.google.com/safebrowsing/report_badware/"
rel="nofollow">http://www.google.com/safebrowsing/report_badware

You submit a link to the site, along with a paragraph explaining what
is up.  In this case:

The file at this site clearly is malware.  I was urged
to visit the site via a suspicious email.

Note that if you go directly to the root directory, you are
silently redirected to the real European Space Agency website. 
This gives the site a veneer of respectability.
  However,
esa.thebluearth.com has no connection to the ESA.

I suspect that the domain is no longer used by the person who
registered it, and has been hijacked.

Then you get your little pat on the back:

Report Sent

Thanks for sending a report to Google. Now that you’ve done your
good deed for the day, feel free to:

1. Take a second to rejoice merrily for doing your part in making the
web a safer place.

2. Make sure you have upgraded your web browser to the latest version,
and that you have applied the latest patches for your operating system.

3. Learn more about malware that can infect your computer on href="http://www.stopbadware.org/">Stopbadware.org.

I wonder if the redirection trick effectively prevents malware scanners
from finding the malware.  The malicious file is in a
subdirectory, which you cannot get to, unless you follow a direct
link. 

Comments

  1. #1 humorix
    April 30, 2009

    Report(Relationship) Avast!: In 2008, several web sites of high profile were targeted, in particular ” USAToday, ABCnews, Target and Wal-Mart “.
    Called hostile script: ” HTML: Iframe-inf “.