Repeated intrusion attempts blocked by Norton - Toolkit Website

On each of the past 3 days, a Norton pop-up on my computer has reported that an intrusion attempt was blocked.  Each time the "Severity" rating was "High." Following is the data for these events from "Security History - Advanced Details."

 

NORTON DATA

2012-11-24 16:23 (PST)

IPS Alert Name: Web Attack: Exploit Toolkit Website 30
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: [My computer name] ([My IP address], 56278)
Attacker URL: 2f14b7bed3.osnart.info/?b=5
Destination Address: 2f14b7bed3.osnart.info (94.23.144.48, 80)
Source Address: [My IP address] ([My IP address])
Traffic Description: TCP, Port 56278

2012-11-25 15:32 (PST)

IPS Alert Name: Web Attack: Exploit Toolkit Website 30
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: [My computer name] ([My IP address], 56196)
Attacker URL: 6f6fc59800.agninde.info/?b=5
Destination Address: 6f6fc59800.agninde.info (94.23.144.48, 80)
Source Address: [My IP address] ([My IP address])
Traffic Description: TCP, Port 56196

2012-11-26 16:10 (PST)

IPS Alert Name: Web Attack: Malicious Exploit Toolkit Website 4
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: statstrng.com (209.139.209.126, 80)
Attacker URL: statstrng.com/stats
Destination Address: [My computer name] ([My IP address], 55730)
Source Address: 209.139.209.126, 80 (209.139.209.126, 80)
Traffic Description: TCP, www-http

 

ADDITIONAL INFORMATION

whatsmyip.org reports Vancouver, Canada as the location of 209.139.209.126 (the "Source Address" in the third event above).

IPVoid reports 209.139.209.126 as a Canadian IP address, and that it is detected (as infected) by MyWOT.

MyWOT gives 209.139.209.126 ratings of 1 and 2 (their highest rating is 100).

According to comments on MyWOT, the name of the site for 209.139.209.126 appears to be askreview.net, and it has "malicious content, viruses." Specifically, the content is hidden in iframes and redirects the user to "exploit kit hosted sites."

ZScaler rates askreview.net as "Suspicious 55/100."

URLVoid reports that 209.139.209.126 is associated with the new domains linkstatic.com and staticslist.com, and that the latter site is detected (as infected) by AVGThreatLabs.

AVGThreatLabs reports for staticslist.com that "During the last 7 days potentially active threats were detected on the main site of this domain." Furthermore, there were 147 "compromised pages" and 1 "Threat Type."

 

MY QUESTIONS

1. Each Norton Security History page says "No Action Required." My computer is running fine. But the fact that I am getting repeated notifications of a blocked intrusion attempt raises the question: are there actions I should indeed take because of these intrusion reports?

So far I have been running full scans: with Norton (in both regular mode and Safe Mode); MS Safety Scanner (clicking "Run" on the download bar on the MS website); Windows Defender (which I keep up to date); MalwareBytes (free version, downloaded a month ago); and Norton Eraser. The only positives found by these scans were tracking cookies that were found and quarantined by Norton, which is an everyday occurrence. I have also run CheckDisk and System File Checker, both with negative results.

Should I run more scans, using programs such as Hitman Pro, SuperAntiSpyware, or the Kaspersky Anti-rootkit utility?

2. In its history of the first 2 events, Norton states that the "Attacking Computer" is my own. Does this mean that malware is already resident on my computer and is causing it to attack itself? Does it merely mean that Norton Antivirus found the attack at the point at which my computer was beginning to respond to the attacking computer?

3. The attacks have occurred on subsequent days between about 3:30 and 4:30 p.m. local time (I stayed offline today till 5 p.m.). Does that indicate a hacker is sending out this malware during this period every day? And that when a target computer's AV program prevents the attack, the hacker tries again the next day, with a different version of the malware? (According to ZScaler, there is a report that anyone can buy a Blackhole exploit kit from a Russian malware developer for 3 months for $700.) Should I simply continue to stay offline for the time being between, say, 3 and 5 p.m. every day?

4. Is there a way to block 209.139.209.126, so that I do not have to rely on Norton's recognition of one type of malware after another?

5. What kind of URL and "Destination Address" is "6f6fc59800.agninde.info/?b=5"?

6. What do the Norton "Traffic Descriptions" mean: "TCP, Port 56278", "TCP, Port 56196" and "TCP, www-http"?

As is evident, I am an ordinary computer user trying to keep my nose above water, so any help will be gratefully received.

Hi Caliwag,

Web attacks are essentially drive-by download attempts. In these cases an exploit toolkit, which looks for vulnerabilities in your operating system and multiple programs, would have tried to install malware using whatever unpatched security hole it might have found in software you have on your PC. Norton detected the exploit pack and blocked it.

It is rather unusual to be hit so often in a short time. Were you connected to a specific website each time you were attacked? It is possible that something on a particular site is redirecting users to different malicious sites where the toolkits are being hosted.

As long as Norton blocked the attack, your machine is most likely unharmed - although it is always a good idea to run a couple of scans afterward to make sure that nothing managed to sneak through. In your case the scans are showing your machine is clean.

Read the descriptions of the attacks in the Norton Security History Intrusion Prevention log to see if your browser is mentioned as having been involved. That is most likely why your machine is shown as the attacking computer - because the attack came by way of the browser.

Blocking a specific IP address won't accomplish anything. The web address is just a web address, ".info" is a top-level domain, just like ".com" or ".org." Traffic descriptions provide the protocol used (TCP) and the involved ports.
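The script below is an added example, not code from this thread or from Norton/Symantec. It re-types the three Security History records quoted in the first post as constructed sample text and reads them the way the reply above and questions 2, 5 and 6 of the first post call for: a port in the 49152-65535 range that Windows Vista and later hand out for outgoing connections on the local side, and port 80 on the remote side, means an HTTP session the local browser opened, so the "Attacking Computer" field just names whichever end sent the packet that tripped the signature (the browser's request in the first two events, the server's reply in the third). "Port 56278" and "www-http" are Norton's labels for that port number and for port 80. The script also groups the remote hostnames by the address they resolved to, which makes visible that the two hex-labelled .info hostnames in the first two events pointed at the same server. The local hostname "mypc" and address 192.0.2.10 stand in for the poster's redacted "[My computer name]" and "[My IP address]" and are assumptions; the field semantics are a reading consistent with the three records, not Symantec documentation.

```python
"""Read Norton IPS Security History records and work out what each field says.

Added example; not code from the thread or from Symantec.  The three records
below are the ones quoted in the first post, re-typed as constructed sample text.
"mypc" and 192.0.2.10 replace the poster's redacted "[My computer name]" and
"[My IP address]" and are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_RECORDS = [
    """IPS Alert Name: Web Attack: Exploit Toolkit Website 30
Attacking Computer: mypc (192.0.2.10, 56278)
Attacker URL: 2f14b7bed3.osnart.info/?b=5
Destination Address: 2f14b7bed3.osnart.info (94.23.144.48, 80)
Source Address: 192.0.2.10 (192.0.2.10)
Traffic Description: TCP, Port 56278""",
    """IPS Alert Name: Web Attack: Exploit Toolkit Website 30
Attacking Computer: mypc (192.0.2.10, 56196)
Attacker URL: 6f6fc59800.agninde.info/?b=5
Destination Address: 6f6fc59800.agninde.info (94.23.144.48, 80)
Source Address: 192.0.2.10 (192.0.2.10)
Traffic Description: TCP, Port 56196""",
    """IPS Alert Name: Web Attack: Malicious Exploit Toolkit Website 4
Attacking Computer: statstrng.com (209.139.209.126, 80)
Attacker URL: statstrng.com/stats
Destination Address: mypc (192.0.2.10, 55730)
Source Address: 209.139.209.126, 80 (209.139.209.126, 80)
Traffic Description: TCP, www-http""",
]

LOCAL_IP = "192.0.2.10"   # assumption standing in for "[My IP address]"

# "name (ip, port)" as Norton prints Attacking Computer / Destination Address
ENDPOINT = re.compile(r"^(?P<name>.*?)\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<port>\d+)\)$")
# Service names Norton substitutes for well-known ports, /etc/services style
SERVICE_NAMES = {80: "www-http", 443: "https", 21: "ftp", 25: "smtp"}
# Leftmost labels like 2f14b7bed3: hex-only, one-off subdomain names
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def parse_endpoint(field):
    """'mypc (192.0.2.10, 56278)' -> ('mypc', '192.0.2.10', 56278)."""
    m = ENDPOINT.match(field.strip())
    if not m:
        raise ValueError(f"unparseable endpoint: {field!r}")
    return m["name"], m["ip"], int(m["port"])


def parse_record(text):
    """Split one 'Key: value' record into the fields this script uses."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")   # first colon only; alert names contain colons
        fields[key.strip()] = value.strip()
    return {
        "alert": fields["IPS Alert Name"],
        "url": fields["Attacker URL"],
        "attacker": parse_endpoint(fields["Attacking Computer"]),
        "target": parse_endpoint(fields["Destination Address"]),
    }


def is_ephemeral(port):
    """Client-side source port.  Windows Vista and later pick 49152-65535 by default."""
    return port >= 49152


def describe_traffic(port):
    """Reproduce Norton's 'Traffic Description' for the attacking side's port."""
    return "TCP, " + SERVICE_NAMES.get(port, f"Port {port}")


def direction(rec, local_ip=LOCAL_IP):
    """Which packet of a browser-opened HTTP session tripped the signature."""
    _, a_ip, a_port = rec["attacker"]
    _, t_ip, t_port = rec["target"]
    if a_ip == local_ip and is_ephemeral(a_port) and not is_ephemeral(t_port):
        return "outbound-request"    # the local browser's request matched (events 1 and 2)
    if t_ip == local_ip and is_ephemeral(t_port) and not is_ephemeral(a_port):
        return "inbound-response"    # the server's reply on that session matched (event 3)
    return "unknown"


def remote_hosts_by_ip(recs):
    """Group the server-side hostnames by the address they resolved to."""
    by_ip = defaultdict(set)
    for rec in recs:
        for name, ip, port in (rec["attacker"], rec["target"]):
            if not is_ephemeral(port):      # the server end of the session
                by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def throwaway_label(hostname):
    """True for hex-only leftmost labels such as 2f14b7bed3.osnart.info."""
    return bool(HEX_LABEL.match(hostname.split(".")[0]))


if __name__ == "__main__":
    recs = [parse_record(t) for t in SAMPLE_RECORDS]
    for rec in recs:
        print(f"{rec['alert']}: {direction(rec)}, "
              f"{describe_traffic(rec['attacker'][2])}")
    for ip, names in remote_hosts_by_ip(recs).items():
        tags = ["throwaway" if throwaway_label(n) else "ordinary" for n in names]
        print(ip, list(zip(names, tags)))
```

Run it with python3: it prints one line per event with the inferred direction and Norton's traffic description, then the hostnames grouped by server address. The point of the grouping is the one the reply makes about blocking: the two first-event hostnames are disposable labels in front of a single address, so a hostname blocklist built from the history would never match the next one, while the signature that fired matched the request pattern regardless of hostname.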

Hi SendOfJive,

Thank you for your generosity in sharing your knowledge and insights. They were particularly helpful with respect to preserving my sense of perspective. Trying to maintain a balance between computer-security diligence and computer-security hypochondria is still a novelty.

In answer to your questions:

1. Specific websites -- My best guess is that I was on Yahoo during one attack, and doing a Google>Images search for autumn foliage for another. For the third attack the website would have been equally commonplace. Yahoo and Google Images both offer opportunities for iframe infection, which seems to be associated with this sort of malware.

2. Norton Security History Intrusion Prevention log -- I am unable to offer any information on this. (I discovered that Norton has an updated version of Antivirus 2012 only while I was in the process of posting to the Norton Community yesterday. The older version does not have the option for Security History>Intrusion Prevention; and after I updated to the new version, I found that the intrusion attacks do not appear in the history there.)

Also--in Internet Explorer, under Tools>Internet Options>Security>Restricted sites>Sites, I entered the URLs for the questionable websites mentioned in my first post. On the theory that it may not do any good, but won't do any harm.

This wouldn't be the first time that Google Images have been used to launch attacks.

http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/

Hi SendOfJive,

My apologies for being a little slow in responding. Yesterday evening I thought I noticed the database on my password manager (KeePass) opening before I entered the password. Therefore I re-downloaded the program and began changing all my passwords. This may be overbalanced on the side of paranoia, but the wolf has just come to my door three days running (in the form of the intrusion attacks), and hacking the password to one's password manager is tantamount to identity theft.

Thank you for the link about Google Images infection. Fifteen million referrals from Google to malware sites a month! This discouraging information requires now researching defenses for this specific threat, such as Google Image Ripper (I use IE). I'm beginning to think the Internet is the closest thing to Pandora's box since Pandora herself.

Thanks again for your concern and advice.