MBAM blocking GAOTD?


Hey guys,

I just tried going to the giveawayoftheday site and MBAM threw up a balloon saying it had blocked a malicious IP and then it gave the IP number.

Apparently this is the IP address for GAOTD.

After awhile the site finished loading and I was successful in downloading today's offer.

My questions. If in fact MBAM blocked this IP address, why did the site load and how could I download the software?

Should I report this as a FP?

I did notice that GAOTD now has an association with stickr. Maybe that is the reason for the IP blocking alert.

Thanks


I was about to ask a similar question. The "malicious IP" that MBAM reported was 208.94.233.132. Since I'm able to access the GAOTD site and their download site, I assume that the MBAM warning refers to one of the MANY links on the page. But which? I wish there were some way to know. Searching WhoIs rarely tells me anything sufficiently specific. Is there an easy way to find out which of the dozens of links on the page MBAM is blocking?


I can't even get to it.

But I can pretty much say I probably wouldn't get the IP block since my HOSTS file blocks pretty much all ads, at least the ones with pictures & links. I think I still get some ads, but just linked ones, not ones with the pictures as well.


Hello,

I checked things, and GAOTD's server IP is 208.88.224.199, it is the only IP for all the GAOTD domains (and localized domains).

The blocked IP is 208.94.233.132, and can be a remote server used to display advertising, among other things. With Firefox and Adblock and NoScript, I had no IP blocking message at all. With ads displayed and JavaScript allowed, the IP is blocked randomly, and ads are the only random element. Anyway, GAOTD loads fine, even if MBAM blocks the second IP. MBAM blocks IP calls, not links or domains, but remote scripts, iframes or code can be blocked, if the website you are reading uses external content (like google-analytics, or advertising, hosted on other servers/IPs).

The html code reveals some scripting like this:

// Tracking beacon for the "link informer" service: on each page view that did
// not come from this same site, it reports the page URL, the referrer, an
// account id and a timestamp to statistic.link.informer.com by requesting an
// image from that third-party server.
function InitLinkInformer(accountId) {
    var ref = document.referrer;
    // Skip reporting when the visitor arrived from a page on this same host.
    if (isSelf(ref)) {
        return;
    }
    var currentTime = new Date().getTime();
    var r = new Array();
    r.push("VisitPage=");
    r.push(enc(document.URL));
    r.push("&Referrer=");
    r.push(enc(ref));
    r.push("&AccountId=");
    r.push(accountId);
    r.push("&Time=");
    r.push(currentTime);
    var url = "http://statistic.link.informer.com/WebGate/SaveStatistic.aspx?" + r.join('');
    // Setting an Image's src is a fire-and-forget GET to the remote server:
    // nothing is displayed on the page and no click is required.
    var img = new Image();
    img.src = url;
    img.onload = function() { };
}

// Returns true only when the referrer's hostname equals the current page's
// hostname. An empty, "0" or "-" referrer (e.g. a direct visit) counts as
// "not self", so the beacon still fires in that case.
function isSelf(ref) {
    if ("0" == ref || "" == ref || "-" == ref || null == ref) return false;
    var i = 0, h;
    if ((i = ref.indexOf("://")) < 0) return false;
    // Strip the scheme, then any path and port, leaving just the hostname.
    h = ref.substring(i + 3, ref.length);
    if (h.indexOf("/") > -1) {
        h = h.substring(0, h.indexOf("/"));
    }
    if (h.indexOf(":") > -1) {
        h = h.substring(0, h.indexOf(":"));
    }
    h = h.toLowerCase();
    if (document.location.hostname.toLowerCase() == h) {
        return true;
    }
    return false;
}

// URL-encodes a value for the query string (escape() is the legacy encoder).
function enc(o) {
    // return window.encodeURIComponent ? encodeURIComponent(o) : escape(o);
    return escape(o);
}


I also use Firefox with Noscript and Adblock Plus.

I noticed that I was allowing all scripts to run on that page. I then disallowed scripts for that IP number and closed out.

When I tried the GAOTD site again, I did not receive the balloon alert from MBAM and it loaded fine.

Guess I don't need to report it as a FP.


Hi, curvefan. As others have said, it's not a FP but probably a response to one of the many linking ads on the GAOTD site. I'm really glad you raised the issue about MBAM's warning, though, since I too was wondering about it. I still wonder about the usefulness of having a popup when it doesn't apply to the site itself but just to some often hard-to-identify link on the page. I think it gives a misleading impression (i.e., that perhaps the site itself is the "malicious IP") without really serving any useful purpose. Why not just wait for someone to try to use the malicious link and then block him/her from doing so?


whatmeworry,

I see what you're saying.

I thought that MBAM was blocking the GAOTD site. I thought the IP number that it said it was blocking belonged to GAOTD.

MBAM should probably give you a name to go along with the IP number to verify things a little more. Don't know if that's even possible, but it would sure help.

Thanks


MBAM blocks IPs, not domains. In fact, this is the logical way for the protection module to work. It blocked a blacklisted IP (not GAOTD's one), not because of a link on gaotd's webpage, but because of data loaded from another server, from a banned IP range. This way, the legitimate domain and server could be accessed, but the unwanted server could not load data: your computer was not able to display data from that server.

Servers have an IP and can host multiple domain names, including legitimate and malicious contents. MBAM blocks IP, that is to say entire servers/machines, not specific domains.

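The two points made in this thread (MBAM matches the IP a resource is loaded from, not the page's domain, and the culprit is usually a script, pixel or iframe pulled in automatically rather than a link you click) can be checked on a page's own HTML. The script below is an added example, not part of the original thread or of MBAM: it collects the URLs a browser fetches without any click, resolves their hostnames, and reports which ones fall inside a blocked network. The sample page, the third-party hostnames, the stand-in DNS table and the /24 around the reported address are all constructed for the demo; the only values taken from the thread are GAOTD's server IP 208.88.224.199 and the blocked IP 208.94.233.132.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the legitimate host plus third-party content that the
# browser loads on its own (an ad script, a tracking pixel, an ad iframe). All
# hostnames other than the GAOTD one are hypothetical.
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example-ads.test/banner.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="http://www.giveawayoftheday.com/logo.png">
<img src="http://pixel.example-tracker.test/p.gif?VisitPage=x">
<iframe src="http://promo.example-ads.test/frame.html"></iframe>
<a href="http://www.other-site.test/">plain link, only fetched if clicked</a>
</body></html>
"""

# Stand-in for DNS so the example runs offline. 208.88.224.199 is GAOTD's server
# IP as stated in the thread; the other mappings are assumptions for the demo.
FAKE_DNS = {
    "www.giveawayoftheday.com": "208.88.224.199",
    "cdn.example-ads.test": "208.94.233.132",
    "promo.example-ads.test": "208.94.233.132",
    "pixel.example-tracker.test": "198.51.100.7",
}

# An IP-based blocker holds ranges of addresses, not domain names. 208.94.233.132
# is the address reported in the thread; the surrounding /24 is an assumed range.
BLOCKED_NETWORKS = [ipaddress.ip_network("208.94.233.0/24")]

# Tags whose URLs the browser fetches automatically. <a href> is deliberately
# absent: a plain link is only requested when the user clicks it.
AUTO_LOADED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect the URLs of resources the browser loads without user action."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOADED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def auto_loaded_urls(html):
    parser = ResourceCollector()
    parser.feed(html)
    return parser.urls


def is_blocked(ip, networks=BLOCKED_NETWORKS):
    """True if the address lies in any blocked network (all hosts on it are hit)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_blocked_resources(html, page_host, resolve=FAKE_DNS.get,
                           networks=BLOCKED_NETWORKS):
    """Return (url, host, ip) for every auto-loaded third-party resource whose
    host resolves into a blocked network. `resolve` maps hostname -> IP string;
    pass socket.gethostbyname instead of the fake table for a live check."""
    hits = []
    for url in auto_loaded_urls(html):
        host = urlparse(url).hostname
        if host is None or host == page_host:
            continue  # relative or same-origin: served by the page's own server
        ip = resolve(host)
        if ip is None:
            continue  # unresolvable host: nothing would be loaded from it
        if is_blocked(ip, networks):
            hits.append((url, host, ip))
    return hits


if __name__ == "__main__":
    for url, host, ip in find_blocked_resources(SAMPLE_HTML, "www.giveawayoftheday.com"):
        print(f"blocked: {url}  ({host} -> {ip})")
```

Run against the sample, the page itself is never flagged: the two resources reported are the ad script and the ad iframe, both served from the blocked address, while the same-origin logo, the stylesheet and the clickable link are left alone. That is the behaviour the staff replies describe: the block fires because content is already being fetched from the listed IP, not because a link exists on the page.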

Falkra, I understand that MBAM blocks IPs, not specific sites. What I don't understand or find useful is what I encountered when I went to the GAOTD site (and others). The GAOTD site isn't blocked. It apparently does not have a problematic IP address. It does have lots of links to other sites. Somewhere in that large mass of links is apparently one whose IP address is problematic, but what good does it do to tell me this? I have no idea which of the many links triggered MBAM's "malicious IP" balloon message, nor is it important unless I happen to click on that link. Wouldn't it make better sense to block my access to a site with a problematic IP and put up the balloon message if and only if I click on the actual link? In addition to being of no use to me except under those circumstances, having the pop-up alert at other times can cause misunderstanding and confusion among inexperienced users of MBAM, who fear that the site they've just gone to is infected and perhaps has infected them.


  • Staff
Falkra, I understand that MBAM blocks IPs, not specific sites. What I don't understand or find useful is what I encountered when I went to the GAOTD site (and others). The GAOTD site isn't blocked. It apparently does not have a problematic IP address. It does have lots of links to other sites. Somewhere in that large mass of links is apparently one whose IP address is problematic, but what good does it do to tell me this? I have no idea which of the many links triggered MBAM's "malicious IP" balloon message, nor is it important unless I happen to click on that link. Wouldn't it make better sense to block my access to a site with a problematic IP and put up the balloon message if and only if I click on the actual link? In addition to being of no use to me except under those circumstances, having the pop-up alert at other times can cause misunderstanding and confusion among inexperienced users of MBAM, who fear that the site they've just gone to is infected and perhaps has infected them.
Hi.

What you fail to realize here is that we cannot block that IP because it is loading from the site you want to visit. In order to block it, we have to block the site or you'd just get infected. Then how upset would you be? I imagine very much.

The prudent thing to do is to alert the owner of the site to see if they can pin down the source of the IP, typically a banner ad or whatever.


What you fail to realize here is that we cannot block that IP because it is loading from the site you want to visit. In order to block it, we have to block the site or you'd just get infected. Then how upset would you be? I imagine very much.

The prudent thing to do is to alert the owner of the site to see if they can pin down the source of the IP, typically a banner ad or whatever.

Hi, Tom. I think I may not have explained the situation clearly. MBAM is not blocking the site on which the malicious IP link appears. In other words, site A has ads and links on it, and one of those ads or links is to malicious site B; you seem to be under the impression that MBAM is blocking my access to site A. That's not the case. I can access site A with no problem. All that happens is when I go to site A, MBAM issues a pop-up message telling me that it is blocking malicious IP B. This information is of no use to me, since there are zillions of links on site A, and I haven't the foggiest idea which one has the problematic IP address. All I'm saying is that rather than MBAM telling me ahead of time that it's blocking access to some mysterious malicious IP address that means nothing to me, it should wait to tell me until I click on the problematic ad or link; when I do that, it should prevent my accessing the ad or link's site and it should have the pop-up tell me that it's blocking my access to a malicious IP.


  • Staff
All I'm saying is that rather than MBAM telling me ahead of time that it's blocking access to some mysterious malicious IP address that means nothing to me, it should wait to tell me until I click on the problematic ad or link; when I do that, it should prevent my accessing the ad or link's site and it should have the pop-up tell me that it's blocking my access to a malicious IP.
Thanks for clearing that up, but one thing, you seem to be under the impression we can block IPs before we can detect them loading. We can only block it once it begins to load. When you see the alert, that's when the IP is trying to load something. You don't need to click on anything, classic drive by download scenario and what we're trying to prevent from happening.

If we wait, you get hit.


Thanks for clearing that up, but one thing, you seem to be under the impression we can block IPs before we can detect them loading. We can only block it once it begins to load. When you see the alert, that's when the IP is trying to load something. You don't need to click on anything, classic drive by download scenario and what we're trying to prevent from happening.

If we wait, you get hit.

Thanks, Tom, for explaining this further. What you say makes good sense. I wonder, though, whether there's a way for MBAM to block the IP as soon as it begins to load but issue the pop-up warning only if/when the user actually tries to access the malicious IP site. That way, the user will know which ad/link is the malicious one. I'd find that helpful, and probably so too would some webmasters who would like to remove the rotten apples but may have no easy way to identify them if the site includes many ads/links. Having the pop-up only appear when the user tries to access the malicious IP might also lessen the confusion of inexperienced MBAM users who now misunderstand the warning.

Again, many thanks to you and Ron for clarifying the issue for me.


If I may just step in here (and please staff if I am incorrect please feel free to correct me),

whatmeworry?:

The point that TeMerc is making is simply this:

The malicious IP (in this case an advertisement) is ALREADY being accessed, hence the IP block. If it was not already being accessed, there wouldn't be the need for an IP block.

Edit: Exile said it much better than I could :) I hope that things are cleared up for you now :)


Thanks, Tom, for explaining this further. What you say makes good sense. I wonder, though, whether there's a way for MBAM to block the IP as soon as it begins to load but issue the pop-up warning only if/when the user actually tries to access the malicious IP site. That way, the user will know which ad/link is the malicious one. I'd find that helpful, and probably so too would some webmasters who would like to remove the rotten apples but may have no easy way to identify them if the site includes many ads/links. Having the pop-up only appear when the user tries to access the malicious IP might also lessen the confusion of inexperienced MBAM users who now misunderstand the warning.

Again, many thanks to you and Ron for clarifying the issue for me.

When the IP block happens that site is already trying to access your PC through your browser. You don't have to click a link for malicious content to be able to load through your browser. If a malicious ad containing exploit code loads in a safe webpage you can be infected simply by viewing the ad, not just clicking it. There are known vulnerabilities in Flash and other plugins that allow the execution of malicious code without any action on the part of the user, that's why MBAM needs to work the way it does. It can't simply screen blocked IPs and determine in real time whether the content coming from the malicious IP is actually harmful or not, it can only block all content from that IP.


Thanks very much, mountaintree16 and exile360, for helping me understand the malicious IP problem more fully. I now see that the suggestion I made was impractical. I just wish there were some way for the user--and the person responsible for the site--to know which of the many ads and links on a given site has triggered MBAM's pop-up. Some people have asked that the URL be identified, not the IP number. I understand why that won't work, but I think they and I are all wishing we could better identify the specific malicious sources.

At any rate, thanks again to all who helped me understand this better. I will now crawl back under my rock :)


  • Staff
Is there a way to stop the same bubble from continually popping up (for the same IP)?

It's like it keeps telling me that it blocked access to a particular IP

and I'm glad that it did

but then it keeps telling me.

Is there an "Okay, thank you, I hear you and I very much appreciate it" button?

:)

Please see the link below which contains our FAQ's on this feature for more information:

http://www.malwarebytes.org/forums/index.p...t=0#entry107310
