Tech Tip #7 - reporting malicious websites

If you encounter a web site that hosts malware (a virus, trojan,
etc.), how do you report it?  I had a devil of a time finding
out.  A friend had forwarded a suspicious email to me.  The
email contained a link that claimed to lead to a text file
explaining a finding about the chance of an asteroid hitting the
Earth next year.  The file name ended in .txt.exe, a double
extension, which is obviously a bad sign.



So I downloaded it, using Linux, of course (the .exe could not do
anything there unless I explicitly chose to open it with WINE, which
I had no intention of doing).  I scanned it.  It was a backdoor
trojan.  I searched for reports about the malicious site hosting
the file, but there were none.  I located the site using Google,
which normally flags sites known to be bad.  It was not flagged.



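As an added example (not part of the original post, and not a tool the post mentions), here is a small Python triage helper for a link pulled out of a suspicious email. It checks for the two deceptions this email relied on: a double extension such as .txt.exe, and a brand name planted as a subdomain of an unrelated domain. The host esa.thebluearth.com is the one named later in the post; the file path, the brand list and the crude two-label "registrable domain" rule are assumptions made for the example.

```python
"""Triage a link from a suspicious email for two deception patterns:
a double extension (name.txt.exe) and a brand used as a subdomain of an
unrelated domain (esa.thebluearth.com).  Hypothetical helper written to
illustrate the post; not part of any reporting service."""
import posixpath
from urllib.parse import unquote, urlparse

# Extensions a user expects to open harmlessly (decoys) and extensions that
# run code on Windows (payloads).  Both sets are illustrative, not exhaustive.
DECOY_EXTENSIONS = {"txt", "pdf", "doc", "docx", "jpg", "jpeg", "png", "gif", "html"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "msi"}


def deceptive_extension(url):
    """Return (decoy, payload) when the file name looks like name.txt.exe,
    otherwise None.  Only the last two extensions are inspected."""
    name = posixpath.basename(unquote(urlparse(url).path)).lower()
    parts = name.split(".")
    if len(parts) < 3:          # needs at least name.decoy.payload
        return None
    decoy, payload = parts[-2], parts[-1]
    if decoy in DECOY_EXTENSIONS and payload in EXECUTABLE_EXTENSIONS:
        return decoy, payload
    return None


def registrable_domain(host):
    """Crude registrable domain: the last two labels.  Assumption: this
    ignores multi-label public suffixes such as co.uk; a real tool would
    consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(host, brands):
    """Return a brand name that appears as a subdomain label of HOST even
    though HOST's registrable domain does not belong to that brand."""
    host = host.lower().rstrip(".")
    reg_labels = set(registrable_domain(host).split("."))
    for label in host.split("."):
        if label in brands and label not in reg_labels:
            return label
    return None


def triage_link(url, brands=frozenset({"esa"})):
    """Collect human-readable findings for one URL.  An empty list means
    these two checks found nothing; it does not mean the link is safe."""
    findings = []
    host = urlparse(url).hostname or ""
    ext = deceptive_extension(url)
    if ext:
        findings.append("double extension .%s.%s: %s file masquerading as .%s"
                        % (ext[0], ext[1], ext[1], ext[0]))
    brand = impersonated_brand(host, brands)
    if brand:
        findings.append("host %s uses brand '%s' as a subdomain of %s"
                        % (host, brand, registrable_domain(host)))
    return findings


if __name__ == "__main__":
    # Constructed samples: the host is from the post, the paths are made up.
    for u in ["http://esa.thebluearth.com/news/asteroid_2009.txt.exe",
              "https://www.esa.int/news/asteroid.txt"]:
        print(u, "->", triage_link(u) or ["no findings"])
```

Both checks are deliberately narrow: a link that passes them can still be malicious, and the two-label domain rule will misjudge hosts under suffixes like co.uk, so treat the output as a prompt for a closer look rather than a verdict.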
You could report it to the FBI if some kind of fraud were involved,
or to the FTC for identity theft.  But what if it is backdoor-type
malware?  It might not be used for those particular purposes, and
those agencies might have neither the interest nor the ability to do
anything.  If the site is masquerading as a legitimate site, you
could contact the legitimate site and let them know about the
deception.  But in this case, the legitimate site has no "contact
us" page, no email address (that I could find), and no other way to
send such information.



What you do is this: go to badwarebusters.org.  Register.  Post a
message.  You then get a reply that gives you the secret link.  Why
do they not simply put the secret link on their home page?  I don't
know.



The secret link is: http://www.google.com/safebrowsing/report_badware/



You submit a link to the site, along with a paragraph explaining what
is up.  In this case:


The file at this site clearly is malware.  I was urged
to visit the site via a suspicious email.



Note that if you go directly to the root directory, you are
silently redirected to the real European Space Agency website.
This gives the site a veneer of respectability.  However,
esa.thebluearth.com has no connection to the ESA.



I suspect that the domain is no longer used by the person who
registered it, and has been hijacked.



Then you get your little pat on the back:


Report Sent

Thanks for sending a report to Google. Now that you've done your
good deed for the day, feel free to:



1. Take a second to rejoice merrily for doing your part in making the
web a safer place.



2. Make sure you have upgraded your web browser to the latest version,
and that you have applied the latest patches for your operating system.



3. Learn more about malware that can infect your computer on Stopbadware.org (http://www.stopbadware.org/).



I wonder whether the redirection trick effectively prevents malware
scanners from finding the malware.  The malicious file sits in a
subdirectory that you cannot reach unless you follow a direct link.


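As an added example (written for this post, not a tool the post mentions), the following Python script records how a site answers for its root versus the reported deep link without following redirects. That is exactly the pattern described above: the root bounces visitors to a legitimate site while a subdirectory serves the payload, so a scanner that only crawls from the root sees nothing, and a report that states both observations is more useful. The host is the one named in the post; the file path and the redirect target (assumed to be ESA's own site) are constructed, and the `classify()` function takes any fetcher so the offline `SAMPLE` table can stand in for real responses.

```python
"""Compare a site's root response with the reported deep link, without
following redirects, to document the 'root redirects to a legitimate site,
subdirectory serves the payload' pattern.  Example code written for this
post.  live_fetch talks to the network; the constructed SAMPLE table and
table_fetch let classify() run offline."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Content types under which Windows executables are commonly served.
BINARY_TYPES = ("application/octet-stream", "application/x-msdownload",
                "application/x-dosexec",
                "application/vnd.microsoft.portable-executable")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """HEAD one URL and return (status, lower-cased header dict).
    With redirects disabled, 3xx/4xx/5xx responses arrive as HTTPError."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "redirect-check/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


# Constructed sample responses: host from the post, path and redirect
# target (assumed to be ESA's own site) made up for this example.
SAMPLE = {
    "http://esa.thebluearth.com/": (302, {"location": "https://www.esa.int/"}),
    "http://esa.thebluearth.com/news/asteroid.txt.exe":
        (200, {"content-type": "application/octet-stream",
               "content-length": "61440"}),
}


def table_fetch(url):
    """Offline stand-in for live_fetch, backed by SAMPLE."""
    return SAMPLE.get(url, (404, {}))


def classify(fetch, reported_url):
    """Fetch the site root and the reported URL through FETCH and describe
    how they differ.  hidden_payload_pattern is True when the root redirects
    off-site while the deep link serves a binary directly."""
    parsed = urlparse(reported_url)
    root = "%s://%s/" % (parsed.scheme, parsed.netloc)
    root_status, root_headers = fetch(root)
    deep_status, deep_headers = fetch(reported_url)

    result = {"root": root, "root_status": root_status,
              "deep_status": deep_status,
              "root_redirects_to": None, "root_redirect_offsite": False}
    location = root_headers.get("location")
    if 300 <= root_status < 400 and location:
        target = urlparse(urljoin(root, location))
        result["root_redirects_to"] = target.netloc
        result["root_redirect_offsite"] = (target.netloc.lower()
                                           != parsed.netloc.lower())

    content_type = deep_headers.get("content-type", "").lower()
    result["deep_is_binary"] = (deep_status == 200
                                and content_type.startswith(BINARY_TYPES))
    result["hidden_payload_pattern"] = (result["root_redirect_offsite"]
                                        and result["deep_is_binary"])
    return result


if __name__ == "__main__":
    # Swap table_fetch for live_fetch to check a real site.
    report = classify(table_fetch,
                      "http://esa.thebluearth.com/news/asteroid.txt.exe")
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```

HEAD is used so the script never downloads the payload; if a server refuses HEAD, a GET with the body discarded works the same way. The fields it returns (root status, redirect target, deep-link status and content type) are the facts worth pasting into the report form, since they show the reviewer why a root-only visit looks harmless.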