If you got a call from a legitimate security source informing you that your website was infected, would you take action?
I certainly would, which is why I am rather frustrated when we take time to reach out to an organisation about a web infection, and they deliberately choose to do nothing about it.
Case in point: In January, Sophos contacted a Milan-based law firm, specialists in Intellectual Property, to inform them that its site was infected with Mal/Iframe-Gen.
Turns out that they have not acted on the information we provided. In fact, if you look below, it looks like they haven’t updated their site since November last year. We contacted the firm again yesterday, and they are simply uninterested in dealing with the infection on their website.
pob@LinuxRed:~/nv$ wget -S www.xxxxxxxxx.it
--2011-03-23 15:50:21-- http://www.xxxxxxxxx.it/
Resolving www.xxxxxxxxx.it... NN.NNN.NN.NN
Connecting to www.xxxxxxxxx.it|NN.NN.NN.NN|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 27 Nov 2010 05:21:35 GMT
Accept-Ranges: bytes
ETag: "c024c3f5f28dcb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 23 Mar 2011 15:50:20 GMT
Connection: keep-alive
Content-Length: 6172
Length: 6172 (6.0K)
Saving to: `index.html'
100%[======================================>] 6,172 --.-K/s in 0.09s
2011-03-23 15:50:21 (70.1 KB/s) - `index.html' saved [6172/6172]
Sophos detects the page as:
>>> Virus 'Mal/Iframe-Gen' found in file index.html
Most, though not all, Mal/Iframe-Gen infections are due to SQL injection. Anyone wanting to find out more about web server security should consult this paper written by my colleague Fraser.
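As an added illustration (not Sophos's detection engine, and not code from the original post), here is a small heuristic scanner for the kind of injected, invisible iframe that generic detections such as Mal/Iframe-Gen cover. The HTML it runs over is constructed for the example, and every hostname in it is a placeholder; the site's own hostname is passed in so that off-site frames can be told apart from local ones.

```python
"""Added example (not Sophos's tooling): flag hidden or injected iframes in HTML.

Generic iframe detections fire on pages carrying an injected frame that
silently loads a third-party site.  This heuristic looks for the usual
tell-tales: a frame sized to be invisible, a frame hidden with CSS, and a
frame pointing at a host other than the page's own.  The sample HTML below
is constructed for this example; its hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimately embedded frame (visible, same
# host) and one injected frame of the hidden, off-site kind.
SAMPLE_HTML = """<html><head><title>Studio Legale Example</title></head>
<body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed/intro" width="560" height="315"></iframe>
<p>Contact us.</p>
<iframe src="http://injected-host-placeholder.example.net/in.php" width="0" height="0"
        style="visibility:hidden;position:absolute"></iframe>
</body></html>"""


def _dim(value):
    """Parse a width/height attribute such as '0', '1px' or '100%' into an int (None if unparseable)."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag while parsing."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))  # attrs is a list of (name, value) pairs


def assess_iframe(attrs, site_host):
    """Return the reasons an iframe looks injected (an empty list means it looks benign)."""
    reasons = []
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if w is not None and h is not None and (w <= 1 or h <= 1):
        reasons.append("near-zero size")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    host = urlparse(attrs.get("src") or "").hostname
    if host and host != site_host:
        reasons.append(f"loads third-party host {host}")
    return reasons


def find_suspicious_iframes(html, site_host):
    """Scan an HTML document and return [(src, reasons), ...] for frames worth a look.

    An off-site frame on its own is common (embedded video, maps), so it is
    reported only when combined with a hiding technique.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = assess_iframe(attrs, site_host)
        hiding = [r for r in reasons if not r.startswith("loads third-party")]
        if hiding:
            findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"SUSPICIOUS iframe {src}: {', '.join(reasons)}")
```

Run against a live site, the page body would come from the same kind of fetch the wget session above shows; comparing the Last-Modified header with the date of the last legitimate edit is a cheap first check, since an injected page is usually modified well after the owner's last update. The heuristic deliberately ignores visible off-site frames, which are normal on many sites, so its output is a shortlist for a human to review rather than a verdict.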
Advice to website owners: there are people out there like us who want to let you know when something is amiss. The communication method needs to be easy and straightforward. Please provide contact details on your sites to a webmaster or web administrator.
Oh, and when you are informed by a security company that you are infected, look into it and fix it quickly. Should you choose to ignore it, you are knowingly serving up infected pages to the public. That is perhaps not illegal in some parts of the world, but it probably should be.
We had an employee get infected from the NPR.org website. We tried, but couldn't tell if the site itself was poisoned, or if it had a poisoned advertisement. Regardless, we blocked the site. There was some push-back, but the safety of the network is more important than access to an infected media website.
Hello,
Here in Switzerland the national domain name registrar switch.ch is testing .ch and .li domains for malicious code (drive-by infectious code only). If malware has been found, the holder of the domain is contacted and able to eliminate the problem. If not, switch.ch is allowed by law to discontinue the domain[1].
If this approach is handled carefully and monitored properly, it's quite effective to prevent scenarios like the one you have described here.
Regards,
Marc
[1] http://www.admin.ch/ch/d/sr/784_104/a14bist.html
Welcome to the wonderful world of Italian lawyers… you're lucky they didn't threaten to sue you.