Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

Since 11 July 2008, I have been repeatedly receiving the following Norton error while browsing my 4 weblogs:

Pop-up message – "A recent attempt to attack your computer was blocked." If I click on "View more", I get the following detail:

Risk level High

An intrusion attempt by LAPTOP (my computer) was blocked

Risk Name: HTTP Malicious Toolkit download activity

Attacking computer – My own computer

Destination address: google-analytics.com (202.xx.xx.xxx,80)

Traffic description: TCP, 49763

I am using Norton Internet Security 2008 on Windows Vista Business. I have seen a few posts regarding the same error, but attacking different sites. None of them had any solutions yet. My virus definitions are up to date, and I just finished a scan with no threats found.

The interesting thing is that like with the other guys who posted about this problem, mine also started on the 11th of July. I am a web developer and currently have 4 similar weblogs implemented for different clients. Every one of them started giving the same error when browsing through the pages on the same day. Any link or button clicked on the site generates the Norton pop up message "A recent attempt to attack your computer was blocked.". To make things worse no advanced functions work on the sites like uploading images etc. I get a browser error "Access denied" or "Object doesn't support this method" (in the bottom left hand corner). I am starting to get complaints coming in about the functionality of the sites, so I don't think I am the only one experiencing this.

I have built a script into the sites which sends tracking data to google analytics. This would be the site referred to as the attacked site in the detailed error report. The analytics script has been working perfectly in these sites for over a year now until the 11th July. I tried deleting the script from one of the sites, but strangely enough I still get the attacking error.

It is incredibly important that I get these sites up and running again as soon as possible. Since the error in all cases seems to have begun on the same day, please can I ask Norton to investigate the matter urgently? Perhaps a patch is displaying a false positive or a windows security update is at fault.

Thanking you kindly.

Replies


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

You may have seen my post regarding a similar issue. However, my "attack" happened just once and was noted as a medium risk. Mine happened about 4:33pm central US time. What time did yours start?

Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

I did see your post and you were one of the guys I was referring to in my post. Mine happened at 4:14 PM Central US time, so almost the same time as yours. The times and dates are way too coincidental... It is for this reason that I think it has to do with an update from Norton or Windows. We really need the powers that be to investigate...

You said that your error only happened once. Was it while browsing a particular website, and if so, can you remember which site? My suspicions are as follows:

My error is caused by a script built into my websites which sends data to Google Analytics for the purpose of tracking usage stats. This is all harmless, above-board stuff and not a malicious script in any way. In fact it is used in the exact form as provided by Google for developers. If you were browsing a website that also has a similar script embedded, maybe not to send data to Google, but maybe gathering any other data about you as the user and sending it to their own site or a third-party site, it could be producing the same error as mine.

I hope Tony or someone from Norton will be able to help us on this as soon as possible, as I am taking huge strain here at the moment.


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

Actually I was not on the computer when it happened. My wife was. I'm not sure what she was browsing. I can't ask, because she thinks I'm too paranoid about this stuff :), which I probably am. However, I know she likes to go to bigfishgames.com a lot. I also noticed that later that evening, about 8:40pm, I received a new internet worm protection file:

Signature file 20080711.001

Internet worm protection engine 4.0.1.80.206

I'm thinking that either there was a major attack that compromised Norton Products, or that its some type of major false positive.

I just use a little home PC and am not running a server or anything. I'm also not computer savvy so I'm sorry for not presenting information properly.


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

I am getting the creeps though that maybe something is sitting on my computer and using it without my knowledge. I have nothing to substantiate that though.

Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

Also, the site that it said I was trying to "intrude" on was 68.142.213.132 (port 80).

Which is us.bc.yahoo.com


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

I don't think you have anything to worry about. I think it is more likely to be a false positive rather than something sitting on our computers. The problem though is that it is compromising my websites, which are being used by hundreds of subscribers, and they will be getting very nervous when they see anything about attacking computers etc. popping up.

Let's wait until the administrator or moderator responds and see what they have to say. Thanks for your input though.


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

Sure. They seem to be very quick to respond, which is nice. So you think it might be some type of false positive?


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

africanChild,

Thanks for your post. The alert, HTTP Malicious Toolkit Download Activity, you are seeing is associated with drive-by downloads and the protection we have included in the Norton 2008 products. Today, drive-by downloads (malware being installed on a user's system without you having to do anything) from mainstream sites are increasing on a daily basis. Many of the sites that have been affected by SQL injection attacks, hosting malicious toolkits such as NeoSploit, or injected iframes that lead to malicious sites, may trigger this alert. If you see this alert, Norton has protected you from the drive-by download.

Can you confirm the last time you did a LiveUpdate?

Is your website located in Asia or Australia? The 202.xx.xx.xxx Internet registry space is assigned to the Pacific Rim and APNIC, the Asia Pacific Network Information Centre.

I am seeing two separate issues here.

1) There are many malicious domains that are similar to the one you listed in your post but with a few characters switched (typos on purpose). Can you send me a PM (don't post the URL here in the forum) to confirm the exact URL/address being reported? A screenshot would be ideal. One note - never visit the domains/URLs that are listed in the alert!

2) The fact that your computer is listed as the attacking computer is an issue that we had previously updated in the field. We have incorrectly switched data in the display fields for Attacking and Destination. Can you run LiveUpdate and see if this still occurs?

Thanks,

John

"Doctor Drive-By"

Symantec Security Response


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

Hi John,

First of all, thank you for taking the time to respond to my post.

Re: Your explanation of drive-by downloads - So would you say that hackers these days have a way of "injecting" or adding malicious scripts into an existing site that does not belong to them by hacking into the SQL databases? Is it therefore possible that my own sites that I have built myself now have malicious code in them which has not been added by myself? Or do you mean that there are malicious websites out there that embed malicious scripts onto users' computers, which then try to connect back to the "mothership" when online? Please excuse my ignorance, but I need to understand the nature of the beast.

  1. The last time I did a LiveUpdate was just before posting yesterday and then a few times before that. I have also just done one as requested by you, but it said that my definitions are up to date and skipped downloading and installing new updates.
  2. I am still getting the same error when browsing my weblogs. The attacking and destination fields are still switched on my system, even after running LiveUpdate, i.e. my computer is listed as the attacking computer and Google-Analytics is the destination address. How can I force my Norton to download the new updates?
  3. My websites are hosted in the USA on Linux servers. The 202 XXXXX you are referring to is part of the google-analytics.com IP address given in the error report. This is the destination address according to the Norton report.
  4. The destination address in the error report is the same as the google-analytics address in my script I have embedded into my websites. The full URL in my script is the reported URL plus urchin.js, which is the program that processes the tracking data for Google Analytics. Are you sure you guys aren't picking up a harmless Google tracker as malicious by mistake? It never used to be a problem. I will send you a screenshot.

Please try to answer all my questions so I can get a better understanding of how this works, and how we can fix it.

Thanking you kindly.

Regards

africanChild


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

John, how does your response to African Child pertain to my issue? Or should I post my issue separately?

Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

To John-

Here is my post (title of my post) on my issue, if perhaps you or someone from Symantec/Norton can take a look at it.

My computer attacking a web address?


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

For more information on how the hackers are injecting their code into other websites, take a look at the Symantec Internet Security Threat Report. Here is a quick quote: "Site-specific vulnerabilities affect custom or proprietary web-site code. These vulnerabilities are a concern because they allow attackers to compromise specific web-sites, which can then be used to launch subsequent attacks."

1. Thanks for providing the update on your LiveUpdate.

2. We will re-investigate the issue with the attack direction being switched. Thanks for that information. Don't worry about new updates at this time.

3/4. We haven't seen this signature trigger with any Google urchin traffic before. Can you send me the screenshot and URL of your site via PM and I will take a look.

Thanks,
John

ps - NY1986, thanks for opening a separate thread on your issue


Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

Looks like from the second PM you were able to solve it and were protected by Norton from the drive-by download! Unfortunately it looks like your site fell to the SQL injection attacks, but I am glad you were able to find it. Those domains that sound or look like common brand names are quite a problem.

There are a couple of sites I use to keep an eye on the latest domains hosting potential malicious code. PM me if you want some of these sites.


Microsoft has a few papers that have some good tips and info for webmasters on protecting your sites. You can check that out here: Microsoft Developers article on SQL injection

Here is another article in the Register that talks about tips for webmasters: SQL injection tools

Let me know if you have any other problems.

John

"Doctor Drive-By"

Symantec Security Response

Message Edited by John_Harrison on 07-17-2008 06:34 PM

Re: Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity

John, thanks for answering all my questions and for the advice you have offered and the reference links regarding SQL injection.

I can confirm that my websites were victim to SQL injection. An encrypted script was appended to all my JavaScript files in my websites, which resolved to a URL of a spoof website that seems to mislead one into believing they are on the Google homepage. We still don't know what this page does, but I can confirm that Norton Internet Security protected me from the site. I am just worried about my users that don't have protection software, although I haven't had any complaints yet.

I can also confirm that there is no problem with Norton triggering on the Google Urchin, so no need for me to send you a screenshot. As I mentioned, this was a spoof site misleading one to think it was connecting to Google Analytics. To all developers out there, don't make the same mistake as I did; look at the destination site URL closely, as they are misleading.

I informed my hosting company of what I had found in my website files, and they confirmed that one of their hosting accounts which shares the same server as my sites had been compromised. The end effect is that a shell script was probably executed on the server, injecting malicious script into all .js files it could find. They have removed all traces of the script and taken measures to prevent this from happening again.

NY1986 - I would guess that your wife visited a website which had fallen prey to a similar case of SQL injection and Norton was doing its job of blocking it from executing. Hopefully those webmasters have found the problem and fixed it. You should be fine as long as your Norton is kept up to date.

Again, thank you for your time John.
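Two points from this thread lend themselves to a concrete check a webmaster can run after such an incident: John's warning that the reported domains often differ from a real brand by only a character or two, and africanChild's finding that the attacker appended a script to every .js file on the shared server. The following is an added example, not code from the thread, from Symantec or from Google. It assumes a baseline hash manifest was taken while the site was known clean, that www.google-analytics.com and ssl.google-analytics.com are the only script hosts these sites legitimately load, and that the similarity threshold of 0.85 is a reasonable cut-off; the injected line and the lookalike host "www.google-anaiytics.com" are constructed for the demonstration.

```python
"""Post-incident check for a web root: list JavaScript files that changed since a
known-good baseline and report external hosts they reference that are not on the
allow-list, marking near-matches of a trusted host as lookalikes.
Added example with hypothetical paths and constructed sample content."""
import hashlib
import os
import re
import tempfile
from difflib import SequenceMatcher

# Assumption: the only third-party script hosts these sites legitimately use.
KNOWN_GOOD_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}

# Hostname following http:// or https:// in a script source or URL literal.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each .js file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".js"):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def changed_files(baseline, current):
    """Files whose digest differs from the baseline, plus files the baseline never saw."""
    return sorted(p for p, d in current.items() if baseline.get(p) != d)


def classify_hosts(text, known=KNOWN_GOOD_HOSTS, threshold=0.85):
    """Hosts referenced in text that are not allow-listed.
    Returns {host: "lookalike of <trusted host>"} or {host: "unknown"}."""
    verdicts = {}
    for host in {h.lower() for h in HOST_RE.findall(text)}:
        if host in known:
            continue
        closest = max(known, key=lambda g: SequenceMatcher(None, host, g).ratio())
        ratio = SequenceMatcher(None, host, closest).ratio()
        verdicts[host] = f"lookalike of {closest}" if ratio >= threshold else "unknown"
    return verdicts


def audit(root, baseline):
    """Return {relpath: {host: verdict}} for every .js file that changed since baseline."""
    report = {}
    for rel in changed_files(baseline, build_manifest(root)):
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            report[rel] = classify_hosts(f.read())
    return report


# Constructed sample: a clean tracker include, then the same file after an
# "append to every .js file" incident that points at a lookalike host.
CLEAN_JS = ('var s=document.createElement("script");\n'
            's.src="http://www.google-analytics.com/urchin.js";\n'
            'document.body.appendChild(s);\n')
INJECTED_TAIL = ('document.write(\'<script src="http://www.google-anaiytics.com/urchin.js">'
                 '</script>\');\n')


def demo():
    """Build a throwaway web root, baseline it, inject, and audit."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "js"))
    path = os.path.join(root, "js", "tracker.js")
    with open(path, "w", encoding="utf-8") as f:
        f.write(CLEAN_JS)
    baseline = build_manifest(root)   # taken while the site was known clean
    with open(path, "a", encoding="utf-8") as f:
        f.write(INJECTED_TAIL)         # simulated server-side injection
    return audit(root, baseline)


if __name__ == "__main__":
    for rel, hosts in demo().items():
        print(rel)
        for host, verdict in hosts.items():
            print("   ", host, "->", verdict)
```

Run it against a real web root by calling `build_manifest()` once on a clean deployment, storing the result off the server, and later feeding it to `audit()`; any changed file is worth a look even when no host is flagged, since an obfuscated payload may not contain a literal URL at all.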
