Redkyte2005

wikipedia.org being blocked by Malwarebytes


Hi guys,

The default landing page for wikipedia.org is being blocked by Malwarebytes.

I've double-checked the management console to confirm that it is definitely Malwarebytes and not any of the other software or hardware in our environment.

What's the best workaround for this?

Thanks

[attachment: blocked.PNG]


Hello,

The block you are experiencing is not on the Wikipedia/Wikimedia domain, but rather on the 91.198.174.192 IP address, which is currently housing a Command and Control (C2) server for the Locky file-encrypting ransomware. Malwarebytes Anti-Malware is blocking the IP address based on this. Unfortunately, Wikipedia/Wikimedia also makes use of this IP address. Therefore, this IP block may impact use of Wikipedia.

If you wish to circumvent the block, you can add the IP address as an exclusion within Malwarebytes Anti-Malware. For Home users, this can be done as follows: 

  • Open Malwarebytes Anti-Malware.
  • Click the SETTINGS tab.
  • Click Web Exclusions.
  • Click Add IP.
  • Enter 91.198.174.192 and click OK.
     

Once the Locky C2 server is cleaned up on the 91.198.174.192 IP address, the block will be removed. 

Edited by LiquidTension

9 minutes ago, LiquidTension said:

The block you are experiencing is not on the Wikipedia/Wikimedia domain, but rather the 91.198.174.192 IP address which is currently housing a Command and Control (C2) server for the Locky file encrypting ransomware. [...]


Thanks, that did the trick.


Many thanks to LiquidTension for the info. I'll survive without wikipedia until the problem is cleared.

I vaguely remember there was something on breakfast news this morning about ransomware causing £2 million worth of damage last year (I think. I was half asleep when I heard it!).


Sorry if the answer to this question is a bit obvious, but I just want a quick sanity check. Presumably unblocking the affected IP address is not in itself a problem, as the C2 server is only issuing instructions to infected machines, not actually distributing Locky. However, should you be unlucky enough to be infected by the variant that connects back to this C2 server having unblocked the address, you are going to be in trouble, whereas with the address blocked, despite the malicious code running on a workstation, you may be OK. Is that a reasonable summary?

We have customers wanting to get to Wikipedia and I need to be sure that I am giving the correct advice before allowing access.

Having been identified as a C2 server, is there any guesstimate of how long it may be before this is taken down and the IP address allowed again? Days, weeks, months?

Thanks.

9 minutes ago, ynysygwas said:

Many thanks to LiquidTension for the info. I'll survive without wikipedia until the problem is cleared. [...]


You're very welcome. Unfortunately, the number is more likely in the billions now. 
 

2 minutes ago, JPK said:

Presumably in it self unblocking the affected IP address is not a problem as the C2 server is only issuing instruction to infected machines, not actually distributing Locky. [...] Is that a reasonable summary? [...] Having been identified as a C2 server is there any guestimate at how long it may before this is taken down and the IP address allowed again? Days, weeks, months?


Yes, that summary is correct. Adding the IP address as an exclusion and accessing the Wikipedia website will not result in exposure to Locky. However, if a machine is exposed to the online variant of Locky through other unrelated means, the exclusion will allow the malware to communicate with the C2 server and implement encryption. 

As for how long until the C2 server is cleared - I'm not able to speculate, I'm afraid.

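The two answers above (the IP-level block with its "Add IP" exclusion, and the later reply confirming that an exclusion also lets a Locky infection reach its C2) describe a trade-off that is easier to see in code. The following is an added example, not Malwarebytes code and not a description of how its engine is implemented: it models a plain IP blocklist with an IP exclusion list, runs constructed connection events through it, and then shows a narrower, host-scoped exclusion that keeps the protective effect. Only 91.198.174.192 and the Wikipedia/Wikimedia domains come from the thread; the process names, the beacon, the other address and the host-scoped policy are assumptions made for the demonstration.

```python
"""Added example (not Malwarebytes code): why an IP-reputation block on a
shared address causes collateral blocking, what a blanket IP exclusion
costs, and how a narrower host-scoped exclusion keeps the protection.
91.198.174.192 and wikipedia.org/wikimedia.org come from the thread; every
other host, process name and address below is constructed for the demo."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import ipaddress

C2_IP = "91.198.174.192"                            # shared IP named in the thread
WIKI_DOMAINS = {"wikipedia.org", "wikimedia.org"}  # legitimate tenants of that IP


@dataclass(frozen=True)
class Conn:
    process: str          # local process opening the connection
    dst_ip: str
    host: Optional[str]   # TLS SNI / HTTP Host observed, if any


def base_domain(host: Optional[str]) -> Optional[str]:
    """Reduce 'en.wikipedia.org' to 'wikipedia.org' for matching."""
    if not host:
        return None
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _matches(ip: ipaddress._BaseAddress, entries: Set[str]) -> bool:
    # entries may be single addresses or CIDR ranges
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def ip_only_policy(conn: Conn, blocked: Set[str], excluded: Set[str]) -> str:
    """Decision as described in the thread: a plain IP blocklist, with a
    plain IP exclusion list that overrides it for everything on that IP."""
    ip = ipaddress.ip_address(conn.dst_ip)
    if _matches(ip, excluded):
        return "allow"
    if _matches(ip, blocked):
        return "block"
    return "allow"


def host_scoped_policy(conn: Conn, blocked: Set[str],
                       scoped_exclusions: Set[Tuple[str, str]]) -> str:
    """Hypothetical narrower alternative (not a Malwarebytes feature): the
    exclusion applies only when the observed host is a named tenant of the
    blocked IP.  A beacon to the same IP with no, or an unknown, host name
    is still blocked."""
    ip = ipaddress.ip_address(conn.dst_ip)
    if not _matches(ip, blocked):
        return "allow"
    if (conn.dst_ip, base_domain(conn.host)) in scoped_exclusions:
        return "allow"
    return "block"


# Constructed traffic: two browser connections to Wikipedia on the shared
# IP, a hypothetical ransomware beacon to the same IP, and unrelated browsing
# to a TEST-NET address.
EVENTS: List[Conn] = [
    Conn("firefox.exe", C2_IP, "en.wikipedia.org"),
    Conn("firefox.exe", C2_IP, "upload.wikimedia.org"),
    Conn("rad3F2A1.tmp.exe", C2_IP, None),          # hypothetical beacon, no SNI
    Conn("chrome.exe", "198.51.100.7", "example.org"),
]

BLOCKLIST = {C2_IP}


def run(policy_name: str) -> List[Tuple[str, str]]:
    """Return (process, decision) pairs for EVENTS under one policy:
    'ip_block' (no exclusion), 'ip_exclusion' (blanket IP exclusion, as the
    thread recommends) or 'scoped' (host-scoped exclusion)."""
    out = []
    for c in EVENTS:
        if policy_name == "ip_block":
            d = ip_only_policy(c, BLOCKLIST, set())
        elif policy_name == "ip_exclusion":
            d = ip_only_policy(c, BLOCKLIST, {C2_IP})
        elif policy_name == "scoped":
            d = host_scoped_policy(c, BLOCKLIST, {(C2_IP, h) for h in WIKI_DOMAINS})
        else:
            raise ValueError(policy_name)
        out.append((c.process, d))
    return out


if __name__ == "__main__":
    for name in ("ip_block", "ip_exclusion", "scoped"):
        print(name)
        for proc, d in run(name):
            print(f"  {d:5s}  {proc}")
```

Under `ip_block` both the browser and the hypothetical beacon are stopped, which is the collateral damage the thread starts with; under `ip_exclusion` both pass, which is exactly the exposure the later reply confirms; under `scoped` only the Wikipedia connections pass. The practical point for an administrator scoping the exclusion is to make it as narrow as the product allows and to remove it once the block is lifted.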

Thankfully I found this as I am experiencing the same thing. I have an additional question, though. I keep getting the popup even though I am not visiting Wikipedia. I might be browsing Reddit and it tells me that it's been blocked. Any insight into that?

Thank you.

12 minutes ago, UmnyeniKH said:

I keep getting the popup even though I am not visiting Wikipedia. I might be browsing Reddit and it tells me that it's been blocked. Any insight into that? [...]


We can look further into other blocks as they may be unrelated. I've sent you a PM with instructions. 


I was experiencing the same problem this morning, but I just updated my database to v2016.11.28.11 and the block on Wikipedia-associated IPs has disappeared.

I assume this is intended.  If so, nice work guys.  :-)

Edited by Griffin_UK

10 minutes ago, Griffin_UK said:

I was experiencing the same problem this morning - but just updated my database to v2016.11.28.11 and the block on Wikipedia associated IPs has disappeared [...]


I can confirm that fixed it for me too, I was a little worried I'd been infected with something when Wikipedia of all places was blocked.


Another question. If we were vulnerable to Locky... would Malwarebytes not pick it up? I run BitDefender and MalwareBytes. I assume one of the two would get it, right?

43 minutes ago, TejSingh said:

Ok Thanks, Any idea until when this block will stay.

The IP block will be removed once the Locky C2 server is dealt with.

15 minutes ago, UmnyeniKH said:

Another question. If we were vulnerable to Locky... would Malwarebytes not pick it up? I run BitDefender and MalwareBytes. [...]

Malwarebytes Anti-Malware Premium will indeed protect you from Locky variants. The blocking of C2 servers is another method of protection against the effects of (online) file encrypting ransomware.

5 hours ago, UmnyeniKH said:

I keep getting the popup even though I am not visiting Wikipedia. I might be browsing Reddit and it tells me that it's been blocked. Any insight into that? [...]


Are you possibly using Firefox and the tiles for quickly accessing websites through the "New Tab" tab?

If so, that's the "problem". As long as there is a "New Tab" tab open and you move your mouse cursor over the Wikipedia tile, the message will pop up (only on the first try, though) - I guess that's because of the preview image. For me it even does it sometimes while I'm browsing a different website in the same Firefox window but move the cursor over where my Wikipedia tile would be.

If you're using a different browser, it's still possible that any of the "quick access"/bookmark buttons (I know that they exist in IE and Chrome) cause the message to pop up too.

9 minutes ago, LiquidTension said:

Hello everyone,

The Locky C2 server on 91.198.174.192 has been dealt with. With the latest definitions update, the block will no longer occur.


Which definitions update is it? My MalwareBytes premium shows I have v2016.11.28.17 with no available updates. Am I good?

Edit: Wikipedia loaded so I must be?

Edited by UmnyeniKH


My partner and I each have our own computer with the same Malwarebytes software on it. But on his computer Malwarebytes blocked Wikipedia, while my computer didn't.
How is that possible? Should I worry when I go to Wikipedia?

11 hours ago, UmnyeniKH said:

Which definitions update is it? My MalwareBytes premium shows I have v2016.11.28.17 with no available updates. Am I good? [...] Edit: Wikipedia loaded so I must be?


Correct.
 

1 hour ago, Sherakaja said:

But on his computer Malwarebytes blocked Wikipedia, but my computer didn't. How is that possible? Should I worry when I go to Wikipedia? [...]

Please confirm both machines are running the same Malwarebytes Anti-Malware definitions. To do this, hover your cursor over the blue Malwarebytes Anti-Malware Notification Area icon (next to the clock) and check the Database version. 
