Norton repeatedly blocking Blackhole Toolkit Website Attack whenever I sign on

Hi all,

 

Since yesterday, Norton's been blocking the following attack every single time I log on - same attacking IP, different URLs.  I don't know if that means Blackhole has injected itself into one of the Iframe ads on Yahoo, but that's my homepage, and I've been getting them within minutes of signing on every single time for the past couple of days.  (There are some reports that Adsense ads are being targeted on Google's website, so that indeed might be the case.)

 

I guess there might be an underlying infection/rootkit that's instructing the computer to dial out to this IP, and I want to double-check to make sure that's not the case.

 

Here's the IPS statistical submission info for it:

 

Category: Norton Community Watch

Date & Time,Risk,Activity,Status,Recommended Action,Date Updated,Submitted By,Description,Submission Details
5/25/2011 2:19 PM,Info,IPS Detection Statistical Submission,Submitted,No Action Required,"Wednesday, May 25, 2011 2:19 PM",Norton Internet Security,IPS Detection Statistical Submission,"Signature ID: 24092
Local or Remote Attacker: 2
Remote Port: 80
Local Port: 49438
Protocol: 6
Signature Set Version: 20110518.001
Application Name: \DEVICE\HARDDISKVOLUME2\USERS\MELISSA\APPDATA\LOCAL\GOOGLE\CHROME\APPLICATION\CHROME.EXE
Offending URL: (Redacted for the safety of others, but they're from the same Czechoslovakian .com)
Date Detected: Wed, 25 May 2011 18:19:09 GMT
Application File Checksum: CBE930A1D7EFF7F1A6794D195E9B3E19
Application File Information: 0.0.0.0
Network Data: [omitted]
Sub-signature ID: 66060
Remote Address: 193.105.154.238
OS-Country:1
OS-Language:English
Processor:AMD64 Family 16 Model 6 Stepping 3
System:Windows 7 build 7601 Service Pack 1
Platform-GUID:7787E638-91EC-11DF-9544-C80AA996553E
DateSubmitted:Wed, 25 May 2011 18:19:12 GMT
Product:Norton Internet Security 18.6.0.29"



Hi mml_1980,

 

Are all of the references to this in the form of IPS Statistical Submissions?  If so, then you have nothing to worry about as these submissions alone without an actual IPS block of the attack are false positives.  IPS Statistical Submissions come about in the following way:

 

The Norton Intrusion Prevention System uses signatures to detect and block exploits that leverage vulnerabilities in software programs to install malware.  When a new exploit is discovered, a signature is created and distributed as quickly as possible in order to provide immediate protection. After this initial signature is released, refinements are made to perfect a new signature that is smaller and more efficient.  Because there is an increased likelihood of false positives, the revised definition is first released as a test signature.  When one of these test signatures is triggered, it is reported back to Symantec as an IPS Detection Statistical Submission.  These submissions help Symantec fine-tune the accuracy of the detections. Once testing is completed, the initial signature will be replaced or updated with the improved version.  While testing is in progress you are protected from the actual exploit by the originally released signature, which will trigger IPS to block, log, and alert you to any real attack.  A statistical submission alone without a corresponding IPS action would indicate a false positive.

Reese Anschultz provides a couple of good explanations, which I have paraphrased here, in the following thread:

http://community.norton.com/t5/Norton-Internet-Security-Norton/IPS-detection-statistacal-submission/...

 

If you are seeing actual IPS blocks, please post the information that Norton is providing with the alert, especially regarding the risk and activity that is prompting the block.  This will indicate whether you are being attacked from the internet, or if there is an infection on your system that is connecting out to the attack site.

Nope, they also block an attack before the IPS statistical submission happens:

 

Here are the details for the actual blocked attack reports:

Category: Intrusion Prevention

Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
5/25/2011 2:19 PM,High,An intrusion attempt by 193.105.154.238 was blocked.,No Action Required,Web Attack: Blackhole Toolkit Website,No Action Required,"193.105.154.238, 80",(Website redacted),"ASHANDSHEILA (10.0.0.2, 49438)",193.105.154.238,"TCP, www-http"

 

The behavior triggering them is simply either connecting to my wireless connection or clicking on yahoo.  I noticed today that I didn't get it the second I logged on, so it might indeed be related to one of yahoo's adsense ads, but I'd like to double-check my comp anyway.
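As an added example (not posted by anyone in this thread), the following Python script applies the rule explained above to the two kinds of Norton history export quoted here: it reads a statistical-submission export and an Intrusion Prevention export, pairs each submission with a block on the same remote address and local port within a minute, and flags any unpaired submission as a test signature firing alone. The CSV rows are constructed to match the column names and field shapes shown in the thread; the 3:02 PM row is made up for contrast.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample exports shaped like the two Norton history exports quoted in
# this thread (same column names, <br>-separated details); the 3:02 PM row is made up.
STATS_CSV = """Date & Time,Risk,Activity,Status,Recommended Action,Description
"5/25/2011 2:19 PM",Info,IPS Detection Statistical Submission,Submitted,No Action Required,"Signature ID: 24092 <br>Local Port: 49438 <br>Remote Address: 193.105.154.238 <br>Sub-signature ID: 66060"
"5/25/2011 3:02 PM",Info,IPS Detection Statistical Submission,Submitted,No Action Required,"Signature ID: 24092 <br>Local Port: 51022 <br>Remote Address: 193.105.154.238 <br>Sub-signature ID: 66060"
"""
BLOCKS_CSV = """Date & Time,Risk,Activity,Status,IPS Alert Name,Attacking Computer,Destination Address
"5/25/2011 2:19 PM",High,An intrusion attempt by 193.105.154.238 was blocked.,Blocked,Web Attack: Blackhole Toolkit Website,"193.105.154.238, 80","ASHANDSHEILA (10.0.0.2, 49438)"
"""

def parse_time(text):
    return datetime.strptime(text, "%m/%d/%Y %I:%M %p")

def parse_description(desc):
    """Turn the '<br>Key: value' blob of a statistical submission into a dict."""
    fields = {}
    for chunk in desc.split("<br>"):
        key, sep, value = chunk.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def load_blocks(text):
    """Return (time, remote_ip, local_port, alert_name) for every real IPS block."""
    blocks = []
    for row in csv.DictReader(io.StringIO(text)):
        remote_ip = row["Attacking Computer"].split(",")[0].strip()
        port = re.search(r"\([\d.]+, (\d+)\)", row["Destination Address"])  # "(10.0.0.2, 49438)"
        blocks.append((parse_time(row["Date & Time"]), remote_ip,
                       int(port.group(1)) if port else None, row["IPS Alert Name"]))
    return blocks

def classify_submissions(stats_text, blocks_text, window=timedelta(minutes=1)):
    """Pair each statistical submission with a block on the same remote address and
    local port within `window`; an unpaired submission is a test signature firing alone."""
    blocks = load_blocks(blocks_text)
    verdicts = []
    for row in csv.DictReader(io.StringIO(stats_text)):
        info = parse_description(row["Description"])
        when, ip, port = parse_time(row["Date & Time"]), info["Remote Address"], int(info["Local Port"])
        match = next((b for b in blocks if b[1] == ip and b[2] == port and abs(b[0] - when) <= window), None)
        verdict = f"real attack blocked ({match[3]})" if match else "test signature only: likely false positive"
        verdicts.append((row["Date & Time"], ip, port, verdict))
    return verdicts
```

Running `classify_submissions(STATS_CSV, BLOCKS_CSV)` pairs the 2:19 PM submission with its block (the situation in this thread) and leaves the 3:02 PM one as a likely false positive.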


Hi mml_1980,

 

That information is helpful.  A Web Attack indicates that you are encountering a drive-by download attempt.  Since you indicate that this is only happening when you access your homepage, then this is likely resulting from a compromised website or poisoned ads, as you say, rather than from malware on your system.

 

If you are getting this without going to the Yahoo! site, either manually or automatically, there may be an issue.  If just getting online causes these alerts, then something may be connecting out.

I'll try disconnecting from the web, rebooting and reconnecting without accessing yahoo and see what occurs :).  I've made a quick homepage change to google.

 

Will report back in around an hour with any new information!

 

ETA: And yes, this so far has only happened once, within around two minutes of me connecting to the internet and to yahoo after each reboot.  It happened right away yesterday, but today I managed to get to my Yahoo homepage, click on two news articles and log into my inbox before it blocked an attack.

 

And according to my Norton protection timeline, the first attack happened four minutes after I connected yesterday, and one today.

And after shutting off my computer, waiting, rebooting, updating my Norton and then deliberately surfing ad-free sites for over a half-hour, I haven't experienced any blocked attacks.

 

Is there any way to block the attacking IP?  I know Norton autoblocks attackers that repeat

Do AdBlock and NoScript agree with Norton?  I'm thinking of using them until this gets straightened out.

 

Hi mml_1980,

 

NoScript would be the best solution.  You can leave scripts blocked for the Yahoo! site.  If you find that the site does not work properly you can enable JavaScript for the main Yahoo! site only.  All third-party sites, including any ad sites, will still be prevented from running scripts, since they would need to be individually whitelisted as well.  NoScript keeps attacks from ever reaching your browser, so Norton won't even need to be called upon to block anything.  Security writer Brian Krebs posted an article about blocking JavaScript in browsers today:

 

http://community.norton.com/t5/Tech-Outpost/Handling-JavaScript-in-your-Browser/m-p/461146/message-uid/461146/highlight/true#U461146

Oh, thank you for the link!

 

Since I use Chrome, I've blocked images and scripts net-wide, allowing for certain forums and for the main yahoo mail website (it refused to work unless I allowed java on it). It really has made a world of difference, thank you so much!

 

Hi mml_1980,

 

You are quite welcome.  Sorry about all of the links related to the Krebs article being broken.  So far the reason for this remains a mystery, as I tried everything, including typing in the HTML by hand, to get the links to work but it was no use.....

I have been getting a similar message when I go to a website about cats. The originating IP is the same. This has been happening every time I go to this home page.

 

I am worried that my other computer got infected when I went to this website because I do not have Nortons on it.  What will happen to infected computers? Can someone explain this very simply so I (very computer illiterate) can understand.

Thanks!!

 

Category: Intrusion Prevention

Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
5/28/2011 7:26 PM,High,An intrusion attempt by experat.co.be was blocked.,Blocked,No Action Required,Web Attack: Blackhole Toolkit Website 5,No Action Required,No Action Required,"experat.co.be (193.105.154.238, 80)",experat.co.be/index.php?tp=0be1ae10eae13733,(my IP was here),193.105.154.238 (193.105.154.238),"TCP, www-http"