Tech Tip #7 - reporting malicious websites

If you encounter a web site that contains malware (virus, trojan,
etc.), how do you report it?  I had a devil of a time finding
out.  A friend had forwarded a suspicious email to me.  The
email contained a link.  The link indicated that it would take you
to a text file that explained a finding about a chance of an asteroid
hitting the Earth next year.  The file name ended with .txt.exe,
obviously a bad thing.

So I downloaded it, using Linux, of course (the .exe would not be able
to do anything without me affirming that the file was to be opened with
WINE, which I did not plan on doing).  I scanned it.  It was
a backdoor trojan.  I searched for reports about the malicious
site that was hosting the file, but there were no reports.  I
located the site using Google, which normally flags sites that are
known to be bad.  It was not flagged.

You could report it to the FBI if there were some kind of fraud
involved, or the FTC, for identity theft.  But what if it is a
backdoor-type of malware?  It might not be used for those
particular purposes.  Those agencies might not have any interest,
or even any ability, to do anything.  If the site is masquerading
as a legitimate site, you could contact the legitimate site and let
them know about the deception.  But in this case, the legitimate
site has no "contact us" page, no email address (that I could find), no
way to send such information.

What you do is this: Go to badwarebusters.org.
Register.  Post a message.  You then get a reply that gives
you the secret link.  Why do they not simply put the secret link
on their home page?  Don't know.

The secret link is: http://www.google.com/safebrowsing/report_badware/

You submit a link to the site, along with a paragraph explaining what
is up.  In this case:

The file at this site clearly is malware.  I was urged
to visit the site via a suspicious email.

Note that if you go directly to the root directory, you are
silently redirected to the real European Space Agency website.
This gives the site a veneer of respectability.  However,
esa.thebluearth.com has no connection to the ESA.

I suspect that the domain is no longer used by the person who
registered it, and has been hijacked.

Then you get your little pat on the back:

Report Sent

Thanks for sending a report to Google. Now that you've done your
good deed for the day, feel free to:

1. Take a second to rejoice merrily for doing your part in making the
web a safer place.

2. Make sure you have upgraded your web browser to the latest version,
and that you have applied the latest patches for your operating system.

3. Learn more about malware that can infect your computer on Stopbadware.org
(http://www.stopbadware.org/).

I wonder if the redirection trick effectively prevents malware scanners
from finding the malware.  The malicious file is in a
subdirectory, which you cannot get to unless you follow a direct
link.


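The two tricks described above (a decoy .txt.exe name and a root that redirects to a legitimate site while the file hides in a subdirectory) are easy to check for before filing a report. The following Python script is an added example, not part of the original post: it flags double-extension executable names in a link, confirms from the first bytes whether a downloaded file is really a Windows executable regardless of what the name says, and lists the full path of URLs worth including in a report so the reviewer is not sent only to the redirecting root. The hostname, file name and header bytes below are constructed samples, not the ones from the post.

```python
import os
from urllib.parse import urlparse

# Extensions Windows will execute directly. A "document" name ending in one of
# these after a harmless-looking one (asteroid.txt.exe) is the decoy trick.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def double_extension_trick(url: str):
    """Return (decoy_ext, real_ext) when the filename in the URL ends in an
    executable extension preceded by a non-executable one, else None."""
    name = os.path.basename(urlparse(url).path).lower()
    base, real_ext = os.path.splitext(name)
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None
    _, decoy_ext = os.path.splitext(base)
    if decoy_ext and decoy_ext not in EXECUTABLE_EXTENSIONS:
        return (decoy_ext, real_ext)
    return None


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' stub and carry a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (bytes 0x3C..0x3F).
    The link text says nothing about the file; the header does."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def urls_to_report(url: str):
    """A site whose root redirects to a legitimate site but hides the file in a
    subdirectory should be reported with the exact file URL and each enclosing
    directory, not just the hostname."""
    p = urlparse(url)
    base = f"{p.scheme}://{p.netloc}"
    parts = [s for s in p.path.split("/") if s]
    urls = [base + "/"]
    for i in range(1, len(parts) + 1):
        urls.append(base + "/" + "/".join(parts[:i]))
    return urls


def triage(url: str, data: bytes) -> dict:
    """Combine the three checks into one summary for the report."""
    return {
        "double_extension": double_extension_trick(url),
        "is_pe": looks_like_pe(data),
        "report_urls": urls_to_report(url),
    }


# Constructed samples (placeholder host; not the site from the post).
SAMPLE_URL = "http://example.invalid/news/asteroid_2009.txt.exe"
# 80 bytes shaped like a PE header: 'MZ' stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
SAMPLE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
             + b"PE\x00\x00" + b"\x00" * 12)
# A genuinely plain text file for comparison.
SAMPLE_TEXT = b"Dear reader, an asteroid may pass near the Earth next year.\n"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_URL, SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Run it on a real downloaded file by reading its bytes into `looks_like_pe`; the scan result from your antivirus still decides what the file does, but the header check settles the simpler question of whether a ".txt" link really delivers an executable.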
Report(Relationship) Avast!: In 2008, several web sites of high profile were targeted, in particular " USAToday, ABCnews, Target and Wal-Mart ".
Called hostile script: " HTML: Iframe-inf ".