
phishing sites mbam version 3



I found an interesting bug.

The Malwarebytes IP protection doesn't always block phishing sites.

For example the site: hxxps://www.windowsphoneinfo.com/

is a phishing site. The IP protection works for malicious sites every time, but for phishing not every time.

For example, yesterday this phishing site was blocked as phishing, and today, at the time I write this, it is not.

 

 


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
  7. Click the Gather Logs button
  8. A progress bar will appear and the program will proceed with getting logs from your computer
  9. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies".

Click "Reveal Hidden Contents" below for details on how to attach a file:
 


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


How is this a "bug" and how is "windowsphoneinfo.com" a phishing site?

A bug is usually a software coding error that produces unintended consequences.

A Phishing site is a web site that emulates another entity to specifically be a masquerade of the real site and in most cases, harvest the masqueraded site login credentials.

If a site is not blocked, and it should be, then that is not a bug.  That site should be submitted.  If a site is submitted and it is still not blocked then that site may not fit Malwarebytes' criteria for being blocked.


If you wish to report a site as malicious, please read the pinned topic located here and then create a new thread in that part of the forums by clicking here and include the requested info in the format described in the pinned topic I linked to and a member of the Web Research team for Malwarebytes will investigate the site and add it to the Malwarebytes block list if it meets their criteria for blocking.

You also might consider installing the Malwarebytes browser extension beta.  It's available for Chrome (and other Chromium based browsers such as SRWare Iron, Vivaldi and Microsoft's upcoming replacement for Edge based on Chromium) as well as Mozilla Firefox.  It has enhanced blocking capabilities beyond the Web Protection component in Malwarebytes 3 including behavior based blocking of new/unknown malicious sites of certain types, particularly tech support scam sites among others.  It also has additional block lists for blocking many ads and tracking servers to protect your privacy and speed up your web browsing experience.  It's fully compatible with Malwarebytes 3 including the Web Protection component so you may use both of them together without issues.

The extension is currently in beta and available for free, at least for the time being (this may change in the future; I'm not sure; it's also possible that it could someday be integrated as a component of Malwarebytes 3) and you can learn more and download it from the following links:

Chrome
Firefox

If there's anything else we might assist you with or if you have any further comments, feedback or suggestions please don't hesitate to let us know.

Thanks


The site was already submitted and already blocked one month ago, and it continues to be blocked by malware researcher MacteryCFM of mbam.

He prompted me to do a bug report.

@David H. Lipman I don't have much time to analyze why this site is phishing; you can read the thread below.

I find your post rude, and you don't even know how many bugs I have reported in the internet community in general. And I am not speaking about the Malwarebytes forum, to which I have offered very little.



Ah, that explains it, thanks for including that additional info.  Now I understand the problem.

To investigate this issue, if you would, please do the following so that we may take a closer look at your Malwarebytes installation and current system configuration.  This will aid the Malwarebytes QA and Dev teams in attempting to replicate and track down the cause of this issue in order to get it corrected:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

Thanks


I met this problem 2 times with the same results:

I left my PC powered up for 2 days to download from Steam. Afterwards I tested the IP protection: it successfully blocked malware sites but failed to block this phishing site.

A restart solved it.

Again I left my PC powered up to download from Origin and Steam. After 1 and a half days I tried the IP protection again. It successfully blocked the IP test but failed to block this phishing site after a lot of retries.

Now I restarted my machine and it blocked successfully. My thought is that after you leave a PC on for many hours it loses the ability to block phishing sites.

The upload fails and it is only 9 MB.

 

 


Based on your description of events it sounds like perhaps it has to do with some kind of caching issue and/or number of connections since you were downloading from your game clients each time.  That's a lot of traffic going through your internet connection and it all also goes through the Web Protection component in Malwarebytes as it checks every connection, both inbound and outbound, to/from every program on your PC to look for malicious sites to block.  That's just a guess though, as it isn't something I've ever seen before.  It could be something completely unrelated.

Either way, we'll try a few things to troubleshoot first and hopefully one of them will fix it, but if not then we'll get a member of the Malwarebytes Support team involved to dig deeper as they'll be able to get more detailed info from the Research team, including how each site is being blocked in the database because it could be a problem with URL/domain blocking vs IP/server blocking since the test block address at iptest.malwarebytes.com is blocked based on its IP I believe, and I suspect the phishing site you mentioned is probably being blocked based on its URL/domain name.

So to begin, please try doing the following and then over the next couple of days whenever you have time, please try replicating the issue again and let us know if it still occurs or not:

  1. Run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here

That will at least eliminate the possibility of a corrupt Malwarebytes installation as that is certainly one possible cause.


Thanks for the info, that gives us more clues as to what is happening.  Just for info, all of the sites that Malwarebytes blocks are stored in local databases; none of them are stored online/in the cloud, however there are a few things that could affect blocking.  For example, if you use any kind of proxy, VPN, web filter (other than Malwarebytes, of course), alternate DNS (this one is less likely, but still could possibly affect it) or any other sort of tool for modifying how your system connects to the internet.

I don't know if you use anything like that, but it is worth testing if you do to see if removing it corrects the issue.  In the meantime I have an idea on how to get more details about what is occurring when the sites don't get blocked vs when they do.

Please use Wireshark to log the connection attempt to the phishing site, once when it is blocked and once when it is not and then ZIP and attach the logs to your next reply.  Details on how to use Wireshark to capture internet traffic can be found in this article from How-To Geek.

Please give that a try and hopefully it will reveal more about how and why this is happening.

Thanks

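One way to compare the two captures requested above, shown here as an added example that is not part of any post in this thread or of Malwarebytes' tooling: export the TCP fields from each capture with tshark and diff the per-destination handshake outcome. The function names and the sample rows are hypothetical and constructed; how a blocked attempt actually appears on the wire depends on the product, so the script only reports what differs.

```python
import csv
import io

# Input: text exported from each capture (the tshark field names are real):
#   tshark -r cap.pcapng -Y tcp -T fields -e ip.src -e ip.dst -e tcp.flags.syn \
#     -e tcp.flags.ack -e tcp.flags.reset -e tls.handshake.extensions_server_name
def _new():
    return {"syn": 0, "synack": 0, "rst": 0, "sni": set()}

def summarize(export_text):
    """Per remote IP: SYNs sent, SYN-ACKs received, resets seen, TLS SNI names."""
    hosts = {}
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if len(row) < 5:
            continue
        src, dst = row[0], row[1]
        # tshark prints booleans as 1/0 or True/False depending on version
        syn, ack, rst = (f.strip().lower() in ("1", "true") for f in row[2:5])
        if syn and not ack:            # client SYN: dst is the remote server
            hosts.setdefault(dst, _new())["syn"] += 1
        elif syn and ack:              # SYN-ACK: src is the remote server
            hosts.setdefault(src, _new())["synack"] += 1
        elif rst:                      # reset in either direction of a known flow
            for ip in (src, dst):
                if ip in hosts:
                    hosts[ip]["rst"] += 1
        if len(row) > 5 and row[5]:    # ClientHello carries the requested hostname
            hosts.setdefault(dst, _new())["sni"].add(row[5])
    return hosts

def outcome(stats):
    if stats is None:
        return "no SYN seen"
    if stats["synack"]:
        return "SYN-ACK received"
    return "reset" if stats["rst"] else "SYN unanswered"

def diff_captures(blocked_text, unblocked_text):
    """Rows (ip, outcome_when_blocked, outcome_when_not_blocked, sni) that differ."""
    a, b = summarize(blocked_text), summarize(unblocked_text)
    rows = []
    for ip in sorted(set(a) | set(b)):
        oa, ob = outcome(a.get(ip)), outcome(b.get(ip))
        if oa != ob:
            names = a.get(ip, _new())["sni"] | b.get(ip, _new())["sni"]
            rows.append((ip, oa, ob, sorted(names)))
    return rows

# Constructed sample exports (documentation addresses, not the thread's captures).
BLOCKED = "10.0.0.5\t198.51.100.20\t1\t0\t0\t\n198.51.100.20\t10.0.0.5\t1\t1\t0\t\n"
UNBLOCKED = BLOCKED + "10.0.0.5\t203.0.113.7\t1\t0\t0\t\n203.0.113.7\t10.0.0.5\t1\t1\t0\t\n10.0.0.5\t203.0.113.7\t0\t1\t0\tsite-under-test.example\n"
```

Destinations that behave the same in both captures (such as the game-client traffic mentioned earlier) drop out of the result, leaving only the hosts whose handshake outcome changed between the blocked and unblocked attempts.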

@exile360 I captured with Wireshark when it could not block this phishing site. In the second capture (in the same Windows session, without a restart, one minute after the first capture) I visited the mbam IP test site and the IP protection worked; then I re-visited this phishing site and it was blocked successfully (so it started to block it successfully after I visited the mbam IP test).

My NIC is an Intel i218-v(2) with driver 12.18.8.9 (24/1/2019) from the Microsoft Update Catalog, with RSS load balancing profile NUMAscalingstatic.

I uploaded the 2 files to WeTransfer:

-https://we.tl/t-hR7RM0YaII

 

 

 

 

 

 

 
