"Web Attack: Malicious Toolkit Website 14" question (LONG - sorry!)

I have used Norton products since the mid 90's and have remained a faithful customer. Today, I'd really appreciate some input about "intrusion attempts".

I subscribe to an online guitar course and back in the end of January (2014) I clicked onto their site and was surprised to have my Norton 360 slam the web page shut. (Web Attack: Malicious Toolkit Website 14) I immediately called the company and let them know what had happened. I did some further research and checked their web address with Sucuri.com and discovered that they seemed to have some bad issues. During several conversations with their phone rep I was told that, because of me, the company started running all sorts of checks, etc. and that they were working to correct the problem even though "no one else had reported any problems at all." (Their quote.) They made me feel like I was "making it up", which I wasn't!

To make a long story shorter, over the course of the next two weeks I tried to access the site 6 more times and Norton stepped in to protect my machine (Dell Inspiron, Windows 7) each time. Finally, the online site checkers (Safe Web, Sucuri, etc.) seemed to indicate that the site was fixed and all was well. And I was able to login again without any hassles.

Until today (3/13/14), that is. Same problem 8-/ And, thank heavens, Norton stopped it again!

I hesitate to call the company again - even though I sent them each Norton Alert Security log with the malicious attack info, they seemed to think I was making a big deal out of nothing.   

So, what does this type of intrusion attempt mean and why is it happening again at this site? What is weird is that while my Norton 360 is blocking it, none of the online checkers say it is bad. Even Norton Safe Web "finds no issues with this site."

Your suggestions will be very much appreciated - and I am glad to be part of the community!

Thanks!

Hi, Northstar_5, it's possible it could be a false positive. You may wish to submit it to Virus Total web checker here https://www.virustotal.com/en/#url, as websites can become compromised, or you can submit it to Symantec for re-evaluation.

Here https://submit.symantec.com/false_positive/

EDIT---The link SendOfJive is referring to here for site evaluations is this one: http://sitecheck3.sucuri.net/

Hi Northstar_5,

If you only get this alert when you visit a particular website, then there is almost no doubt that the site itself has been compromised.  What you are encountering is an exploit toolkit which looks for unpatched vulnerabilities in your software in order to install malware without user action.  These exploit packs typically look for known security holes in Java, Adobe Flash Player and other programs.  As in your case, Norton can recognize most of these attacks and block them outright.  Your first line of defense, however, is to make sure that you keep your operating system and all installed programs up-to-date with the latest security patches, so that if one of these attacks gets through, there will be no unpatched flaws to exploit.

If you are again getting these alerts from the same site, then the site has not been successfully cleaned up.  Norton Safe Web and other site rating services (like McAfee SiteAdvisor), do give site information in real time, and the rating you see could be days, weeks, or months old, depending on when the site was last tested.  Sucuri, however, should be giving you a real-time evaluation of what it finds at the site.  Malware can use various tricks to try to avoid detection, so that may be why you are not seeing Sucuri pick up anything wrong yet.  Did you have Sucuri run a repeat scan to make sure that the results it is displaying are not cached from an earlier scan?

Thank you!

I have checked the virus total site and only one of the web checkers (Sophos) indicates there is a problem. The others say it is safe.

I'll send it to the Symantec false_positive site tomorrow...

- northstar_5

You're welcome. In the meantime, in case the site HAS become compromised, you may wish to avoid it until it's declared safe again!

Thanks for the detailed reply!

Yes, when I ran the Sucuri check, I had it run a new scan, because, like you said, if it's been done recently they list the most recent scan cache results. It's weird that malware can disguise itself - I never thought about that!

And yes, I always keep everything up-to-date because of the threats out there. What a sad statement on the world...!

Thanks for the info link!

My thoughts exactly! There is no way that I want to jeopardize my machine.

But I still wonder why only one of the checkers (plus my Norton 360) is reporting this issue....  

False positive IPS detections are very rare.  In all likelihood the site is compromised.

Hi, Northstar_5. I don't think there's any doubt the site was/is compromised.

As well as Norton, I use WOT { Web of Truth } extension in all my browsers.

If either Norton or WOT red flag a site, I'm out of there.

F4E,

I wanted to let you know that, while I understand they are very rare, I have just sent off my security history information - as per your suggestion - to Symantec to see if this Web Attack: Malicious Toolkit Website 14 block might be a false/positive situation. I'll find out eventually, I'm sure.

Btw, something that I consider a bit unusual happened earlier today: over the course of 15 minutes, sucuri.com gave me two different responses about this particular URL. The first time I checked, it was listed as being infected (although not "blacklisted" by a variety of website checkers - including Norton Safe Web.) When I checked a while later, it was listed as being safe. Weird. And, yes, I refreshed the search each time because I know they use a cached response unless you force a rescan. (I just checked a moment ago and it is still listed as being safe.)

Any idea on why it would first be listed as infected, then as safe? If there is malware involved, could it "learn" that it was being investigated (sounds like shades of "Big Brother" or something here!) and, in a way, "cloak" its presence?

I'm staying far away from this site until I know what's up - it's a great concern. I haven't even tried clicking into it since my Norton 360 blocked the two intrusions on 3/13.

Thanks!

Hi, Northstar_5. I doubt that the site would *cloak* itself in that way. Rather that Sucuri scans in real time, and the results will vary from time to time.

With regard to the type of site, I read recently that a site that displayed guitar chord information, had also been red flagged by WOT.

I can't remember which one, but it seems it's not uncommon for these type of sites to BE compromised.

That's why I like to have WOT as a back up, for the Norton site icons.

Yeah, I kind of thought that my "cloaking" suggestion was a little far-fetched, actually! (Except if you're running from a Klingon Bird-of-Prey warship on Star Trek! ;-)

Forgot to mention in my previous post that, as per your other suggestion, I downloaded and installed WOT today. While it doesn't give a lot of info for this URL (not rated too many times at this point), I found one person's comment made on 2/6/14 to be quite informative (btw, I've deleted the site's name):

"I visited the site from a link on youtube. Within a minute my security software told me that ------------ had tried to hack me. It said it was a "Malicious toolkit attack: Website 14" or something like that. I recommend against visiting this site."

That's exactly what Norton 360 has been telling me - so it looks like something bad might, indeed, be going on there.

Btw, other WOT users of the site gave it good ratings....but the last of these was made in 2012. Maybe 2014 is starting out to be a bad year for this company.

I'll wait and see what happens - and I really appreciate being in the Norton community! It's good to be able to ask experts about these kinds of problems. Thanks for the WOT suggestion, too.

northstar_5

You're welcome. WOT isn't updated all that often for IE, but in Firefox, you can check for updates to the database.

It's a useful extra tool, and www.majorgeeks.com is a handy site for letting users know when it has been updated.

Hi F4E,

Sorry, but I still need some advice/help about my ongoing problem - Web Attack: Malicious Toolkit Website 14. I have been busy for the past few days and haven't been able to work on it.

Sometimes Sucuri says the particular site is safe...sometimes it says it's infected. 8-/   In checking WOT, I noticed that, last month, one person had the same problem I did. So, regardless, I am quite certain that the site is compromised.

As per your other suggestion, however, I decided to submit a false/positive report to Symantec (even though I understand these are rather unusual) and received the following back from them on Monday:

-------------------------------------------------------------------------------------------------

"Having reviewed the information provided we are unable to reproduce or confirm the issue described." [They need more info.]

"Please ensure that you are using Symantec's latest virus definitions for detection. These can be found using live update or alternatively via the URL below.
http://securityresponse.symantec.com/avcenter/defs.download.html" [Okay - I am up-to-date.]

"If the issue persists with the latest definitions, please take the following steps in order to provide the additional information we require to further analyze the issue:

1) Disable the IPS option in your Symantec product" [Okay - I know what to do here, although disabling the intrusion feature sounds risky, considering what has been happening.]

"2) Generate a PCAP file as described here: http://www.symantec.com/connect/videos/capturing-network-communication-packets-wireshark-utility." [And here's my problem: I read all the information on this link and am totally confused as to what to do - and what Symantec wants. I can usually figure these things out but this is "Greek" to me!]
-----------------------------------------------------------------------

So that's where I stand at this point and would really appreciate your expertise. Btw, I have switched back to Firefox and remember why I liked it so much before! I have also checked my updates on Java and Flash (and have bookmarked majorgeeks.com.)

Thanks, as always,

Northstar_5
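The PCAP step in the vendor's reply is the part the poster found confusing. As an added example (not from this thread, from Norton or from Symantec, and a command-line alternative to the Wireshark walkthrough in the linked video), here is a small POSIX shell script that builds the tcpdump command for recording only the traffic between your own machine and the site in question, runs it for a fixed window, and checks that the resulting file is a real pcap before it is sent off with a false-positive report. The interface name, hostname, output path and duration are hypothetical arguments; tcpdump and the timeout utility are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Symantec: capture the
# traffic between this machine and one website into a pcap file, the kind
# of evidence a vendor asks for when you report a suspected IPS false positive.
# Assumptions: tcpdump and timeout are installed; IFACE, SITE, OUT and SECONDS
# are hypothetical values supplied by the caller.

# Print the tcpdump command line that records only traffic to/from SITE.
#   -i IFACE   capture on this network interface (e.g. eth0, en0, wlan0)
#   -s 0       keep full packets; a truncated capture loses the HTTP payload
#   -w OUT     write raw packets in pcap format instead of printing them
#   host SITE  BPF filter: only packets with SITE as source or destination
build_capture_cmd() {
    iface=$1; site=$2; out=$3
    printf 'tcpdump -i %s -s 0 -w %s host %s\n' "$iface" "$out" "$site"
}

# Run the capture for SECONDS seconds (the capture itself needs root).
# Reproduce the visit that triggers the alert inside this window, with IPS
# temporarily disabled as the vendor asked, then re-enable IPS afterwards.
# timeout ends tcpdump with SIGTERM, which lets it flush the file cleanly.
run_capture() {
    iface=$1; site=$2; out=$3; seconds=$4
    timeout "$seconds" sh -c "$(build_capture_cmd "$iface" "$site" "$out")" || true
}

# Sanity-check a capture before sending it: non-empty and starts with a
# pcap or pcapng magic number. Returns 0 if usable, 1 otherwise.
verify_capture() {
    out=$1
    [ -s "$out" ] || return 1
    magic=$(od -An -N4 -t x1 "$out" | tr -d ' \n')
    case "$magic" in
        # classic pcap (little/big endian), nanosecond pcap, pcapng block header
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: capture.sh IFACE SITE OUT SECONDS
if [ "$#" -eq 4 ]; then
    run_capture "$1" "$2" "$3" "$4"
    if verify_capture "$3"; then
        echo "capture written to $3, ready to attach to the report"
    else
        echo "capture at $3 is empty or not a pcap; re-run as root and retry" >&2
        exit 1
    fi
fi
```

Run it as root on the machine that sees the block, for example `sh capture.sh en0 example.com site.pcap 60`, reproduce the page visit within the 60-second window, and re-enable IPS once the capture is done. Filtering on the site's hostname keeps everything else on the machine out of the file, which is also what you want when handing a capture to a third party.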