HTTP Malicious Toolkit

Actually, I believe this message is just showing that we blocked an exploit attempt (I believe there is a defect in the way that we display text on IPS messages so that it seems as if the attacking computer is your own computer - I thought this was fixed already, but will double check because if so you should have received an update with the fix). This message doesn't indicate that you're infected, just that we've blocked an exploit attempt (I agree that the message should be improved for clarity).

This is my favorite feature in NIS - our Intrusion Prevention + Browser Protection - we did a ton of R&D to come out with an updated IPS + new Browser Protection in NIS 2008.  We block browser exploit attempts, so that as infected sites are trying to get malware onto your system using a drive-by download (the #1 method these days used by hackers to get bad stuff on people's machines), we block the exploit from successfully exploiting whatever vulnerability it's targeting (Browser, ActiveX, SQL Injection, etc.).  Blocking the avenue of entry to the machine is the safest way to keep off the bad stuff - because threats have been multiplying so rapidly, it's much easier to keep them off in the first place rather than trying to hunt one down and pull it off once it's already infected the machine.  (Most often, the first thing that happens once an exploit has successfully exploited a vulnerability & gotten some shell code to run on the machine, it pulls down a downloader and starts downloading other bad stuff onto the infected machine.  That's what we want to avoid at all costs).

Hope this helps!


CLLL,


Thanks for the post, as Jody mentioned, this is definitely a drive-by download being blocked by NIS.  You have been protected by NIS when you visited a certain website. The domain you included (please do NOT visit or go to that domain) is one that is directly involved with SQL injection/drive-by download attacks.  Also, I would recommend NOT visiting the site where you received the alert from either until they get it cleaned up.

It looks like we still have the issue with the attack direction being switched and will be providing an update via LiveUpdate.  You are being protected from the attack, NOT the other way around. Sorry this is causing confusion.

Edit - I want to add that this explanation is for the "HTTP Malicious Toolkit Download Request" attack. We do have protection in the product where we are looking for malware, spyware, or misleading applications making outbound calls, and that is our post-infection protection. We prevent this from occurring, and in this case your computer WOULD be the 'attacker'.

Thanks,

Doctor Drive-By

Message Edited by John_Harrison on 07-31-2008 02:41 PM

Simtropolis is the biggest SimCity fansite around… you're saying that over 200,000 people's computers have been compromised?

Mainstream websites are compromised every day. Larger ones than that have been - many forum boards. It only takes one SQL injection or malicious advertisement to attempt to infect users. Users running systems with a good Internet Security program that are fully patched (or have Firefox and NoScript) would be less susceptible to any compromises (good security hygiene).


Two facts I know:

1)  The domain you included in your post is included in Asprox/SQL injection attacks.  You can google that or check out Malwaredomains

2)  We have an issue where the attack direction is incorrect - in this case the domain attacked your computer and NIS blocked it.  

If you want to PM me a URL (do not post here), we can check it out to see if it is active.   With malicious advertisements it is much harder to trace and reproduce if an ad only runs once every 1000 times.

Thanks,

Doctor Drive-By

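The two posts above describe what the IPS alert actually means: a compromised page (via SQL injection or a bad ad) serves an extra script or iframe that loads an exploit kit from a third-party domain, the product matches that in the HTTP response, and the display bug swaps attacker and victim. The following is an added illustration of that check, written for this thread; it is not Symantec/Norton code and not posted by any participant. The blocklisted domains (evil.example, redirector.example), the signature name suffix "(example)", the IP addresses and the sample HTTP response are all constructed for the demonstration.

```python
"""Toy HTTP-response inspector: flags pages that pull a script or iframe
from a blocklisted domain and labels attack direction the way the posts
above say it should read (remote server = attacker, local browser = victim).

Added example for this forum thread; not Symantec/Norton code.  The domains,
IP addresses and sample response below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical stand-ins for the kind of domains seen in Asprox-style
# mass-injection campaigns (not the real ones discussed in the thread).
BLOCKED_DOMAINS = {"evil.example", "redirector.example"}


class SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def inspect_response(raw, client_ip, server_ip):
    """Return one alert per blocklisted script/iframe source in an HTML response.

    The client opened the TCP connection, but the malicious tag arrived in the
    server's response, so the alert names the server as the attacker.  Getting
    this the other way round is exactly the display defect the thread discusses.
    """
    _, headers, body = parse_http_response(raw)
    if "text/html" not in headers.get("content-type", ""):
        return []  # only an HTML document can carry a drive-by loader tag
    collector = SrcCollector()
    collector.feed(body)
    alerts = []
    for tag, src in collector.sources:
        # Relative URLs have no hostname and therefore never match the blocklist.
        host = (urlparse(src).hostname or "").lower()
        if host in BLOCKED_DOMAINS:
            alerts.append({
                "signature": "HTTP Malicious Toolkit Download Request (example)",
                "tag": tag,
                "url": src,
                "attacker": server_ip,  # the host that sent the injected tag
                "victim": client_ip,    # the browser that would have fetched it
                "action": "blocked",
            })
    return alerts


# Constructed sample: an otherwise legitimate forum page whose stored content
# had an Asprox-style <script src=...> appended by a SQL injection.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><h1>Latest forum posts</h1>"
    b"<p>Welcome back!</p>"
    b'<script src="http://evil.example/b.js"></script>'
    b"</body></html>"
)

if __name__ == "__main__":
    for alert in inspect_response(SAMPLE_RESPONSE, "192.0.2.10", "198.51.100.7"):
        print(f"{alert['signature']}: {alert['url']} "
              f"attacker={alert['attacker']} victim={alert['victim']}")
```

The point of `attacker`/`victim` being derived from which side of the HTTP exchange the payload travelled in, rather than from who opened the connection, is the distinction the posters are making: an inbound exploit in a response is blocked with the remote site as attacker, whereas the post-infection case (malware on the PC making its own outbound calls) is the only one in which the local machine is correctly labelled the attacker.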

PC_confused wrote:

Even safe sites aren't safe anymore, are they?

Hi, PC_confused,

You are correct; even Safe Web Sites are being Infected.

Please could you P.M. me the Web Address of the Web Site that you were on.  Thanks!

  PM's should be on the way to both of you. 

Phil_D and Floating_Red, I PM'ed you both a screen snapshot of a second HTTP attack message. It almost sounds like the same problem cplaplante is having, except I am using IE7 and I think that poster is using FF3. At least NIS 2009 seems to be stopping the attacks.

Hi PC_confused,

First let me thank you for not posting a potentially hazardous web address on the forums. That is very much appreciated for the safety of others.

As you mentioned in your PM, I have also found that the attacks are not regular, as I have only noticed one attempt in about 20 visits to the website. The website does not appear to be hosting any "third party" advertising, but there is some changing content.

It seems to be a drive-by attack and I have forwarded the website address to Symantec for their review.

Thanks for bringing it to our attention!

Hi, Phil_D and PC_confused,

I can confirm that I get HTTP Malicious Toolkit Variant Activity 8.

It looks as though it tries to re-direct you to some other Web Site, something like u7e.in, as that flashes up for a second in the Loading Address Bar, then goes away again - unless that is normal.

Thanks for bringing this to our attention, and thank you for your assistance with this Issue!

HTTP Malicious Toolkit Variant Activity 8: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23364.

Message Edited by Floating_Red on 07-20-2009 11:06 AM
Message Edited by Floating_Red on 07-20-2009 11:14 AM

I was visiting a site, shown as green circle white check safe. While I was getting some information from that site, I received a notice from NIS 2009 that "An intrusion attempt by u6b.in was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORER.EXE". It gave the risk name as HTTP Malicious Toolkit Variant Activity 8, Severity: High, and gave the attacking computer, URL, my PC address, source address and traffic description. NIS 2009 said it blocked the activity, so I don't think I need to worry about any malware getting on my PC.

Should I contact the Web Site and let them know what happened? I consider that company respectable and I've been to their Web Site before without this blocked message. Or should I just not go there again?

Even safe sites aren't safe anymore, are they?