Contributor
Codydog
Posts: 46
Registered: ‎09-12-2008

NIS 2009 blocks articles at Bloomberg.com

A few times this week, NIS blocked articles at Bloomberg.

 

Risk name: HTTP Fake Scan webpage

Attacker URL: trusted-scanner.com/2009//1/en/freescan.php?id=77075611&user=756

Destination address: trusted-scanner.com(84.16.252.138,80)

Traffic description: TCP, Port 51684

 

Is this a false positive?

 

Thanks

huwyngr
Posts: 18,975
Topics: 906
Kudos: 2,330
Solutions: 337
Registered: ‎04-13-2008

Re: NIS 2009 blocks articles at Bloomberg.com


Codydog wrote:

A few times this week, NIS blocked articles at Bloomberg.

 

[ ... ]

 

Is this a false positive?

 

Thanks


It might speed up help if you could give a few URLs that lead to this reaction?



Hugh
Symantec Employee
shane_pereira
Posts: 87
Registered: ‎04-13-2008

Re: NIS 2009 blocks articles at Bloomberg.com

Hi Codydog, 

 

We are looking into this.

 

Thanks,

 

Shane.

Symantec Employee
John_Harrison
Posts: 49
Registered: ‎06-04-2008

Re: NIS 2009 blocks articles at Bloomberg.com

Codydog,

Thanks for your post.  We attempted to reproduce this and were unable to.  If you have some specific links that this occurs on please PM me.  Also, if you can note what ads may be on the page, that could help.


This is most likely a malicious advertisement on their site, otherwise known as a 'malvertisement.'   I am working on a new blog post that will go into this topic in more depth.  A malvertisement is a local ad on the site or a Google advertisement that then redirects to a malicious application or misleading application such as a fake AV scanner or fake codec.  Malvertisements are also very hard to track down since it could be one ad out of 10,000 that rotate through on the site.  Here is a quick analysis of your trigger.

 

  1. This is not a false positive.  The signature that triggered did so because something was going to that URL that you listed as the attacker URL, which is known to host fake AV scanner software.
  2. If you use Firefox and NoScript, you can see Bloomberg.com has Google ads and links to other third party sites, which is content that they don’t control.
  3. Google ads have previously been used to redirect to malicious sites or sites containing misleading applications.
  4. DSL Reports has a couple of posts where folks have similarly seen malvertisement on Bloomberg’s site.

Thanks,

John Harrison, aka “Dr. Drive-By”
Symantec Security Technology and Response
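
The reply above attributes the alert to third-party ad content that forwarded the browser to the flagged host. The following added example (not part of the original thread and not Symantec code) walks the Referer links in a request log back from the blocked URL to the page that was visited, which is one way to find the ad responsible. The log format and the two `.example` ad hosts are constructed assumptions; only the first and last hosts appear in the thread.

```python
from urllib.parse import urlsplit

# Constructed sample: (requested URL, Referer header) pairs as a proxy or
# browser network log would record them. The two .example hosts are
# placeholders; the Bloomberg article path is also made up.
SAMPLE_LOG = [
    ("http://www.bloomberg.com/news/article.html", None),
    ("http://www.bloomberg.com/css/site.css", "http://www.bloomberg.com/news/article.html"),
    ("http://ads.adnetwork.example/slot?id=3", "http://www.bloomberg.com/news/article.html"),
    ("http://cdn.rotator.example/creative.js", "http://ads.adnetwork.example/slot?id=3"),
    ("http://trusted-scanner.com/2009//1/en/freescan.php?id=77075611&user=756",
     "http://cdn.rotator.example/creative.js"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def site(url):
    """Crude site key: last two labels of the host (no public-suffix list)."""
    return ".".join(host(url).split(".")[-2:])

def trace_chain(log, flagged_host):
    """Walk Referer links back from the first request to flagged_host."""
    referer_of = {}
    for url, ref in log:
        referer_of.setdefault(url, ref)   # keep the first sighting of each URL
    current = next((u for u, _ in log if host(u) == flagged_host), None)
    chain, seen = [], set()
    while current and current not in seen:  # 'seen' guards against referer loops
        seen.add(current)
        chain.append(current)
        current = referer_of.get(current)
    return list(reversed(chain))            # visited page first, flagged URL last

def third_party_hops(chain):
    """Hosts in the chain that are not on the same site as the page visited."""
    if not chain:
        return []
    first = site(chain[0])
    return [host(u) for u in chain[1:] if site(u) != first]

if __name__ == "__main__":
    chain = trace_chain(SAMPLE_LOG, "trusted-scanner.com")
    print(" -> ".join(host(u) for u in chain))
    print("third-party hops:", third_party_hops(chain))
```

Referer headers can be missing or stripped, so a chain that stops early means the log lacks the link, not that the page itself made the request.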
Contributor
HAN
Posts: 16
Registered: ‎09-28-2008

Re: NIS 2009 blocks articles at Bloomberg.com


Shane and John: Thanks for stopping by.

 

This week, I was one of the users hit by the "HTTP Fake Scan webpage" warning on a good page. (My affected page is at a legitimate help forum at VirtualDr.) In my case, it was/is apparently related to an interaction between Ad Muncher and NIS 2009. Shane mentioned the other day that a fix for this issue is on its way by Thursday or so. (Hopefully the fix is still on schedule.)

 

My question is, were there changes made to the IDS part of NIS within the last week or so that caused more of these "HTTP Fake Scan webpage" hits? I know that in my case, the page at VirtualDr had no issues until the last few days.

 

**EDIT**

I just updated my NIS 2009 and sometime within the last hour, the Ad Muncher / Intrusion Detection fix was made available as part of that update. I'm happy to report that it's fixed! NIS works fine at both my troublesome VirtualDr page and the page at Wilders! Thanks Norton team!

Message Edited by HAN on 10-15-2008 07:54 PM