Last Updated on May 24, 2015

In the last few days I have received a couple of notices that some URL filter engines have flagged several pages of my blog as malicious. One page in particular appears to have been placed in the "Malicious sites" category.

Unfortunately, so far I have not been able to identify the URL filter technology that categorized that page as malicious. Of course, I would greatly appreciate it if someone who encountered the same problem could be so kind as to provide me with some additional details. In any case, I believe that the semantics of the site (probably full of long links and terms such as “malware”, “hacking”, and so on) has tricked the content filter engine (why apparently only that specific page has been affected is something I cannot explain right now).

In any case, I want to give you a couple of useful suggestions for handling similar occurrences and for making reasonably sure that a web page does not hide web-based exploits.

If you have any doubt about the content of a page or a link received in a suspicious email message, I suggest that, before clicking, you submit it to Wepawet, a cloud-based service for detecting and analyzing web-based threats (iFrame injections, drive-by downloads, etc.) embedded in Flash objects, JavaScript code, and PDF files. You will probably remember Wepawet because it was able to discover the (until then unknown) 0-day vulnerability behind Operation Aurora.

If you have similar doubts about unknown binaries, you can analogously submit them to Anubis (Analyzing Unknown Binaries), a cloud-based sandbox service for analyzing malware, which provides a complete and detailed report about the malware's activity (it executes the binary on the fly, hence it does not need a-priori knowledge of the sample). Anubis may also check whether a certain URL is the vector for a possible drive-by download or similar attack, by showing the activity of the page inside Internet Explorer.

Android APKs may also be submitted to its variant Andrubis, which runs them inside an Android sandbox and provides a detailed report (the icon is really pretty cool, isn’t it?).

All the above services are free for internal use and have been taken to the next level by Lastline, Inc., my current company, which has developed a commercial version of the same technologies in its advanced malware detection and mitigation solution.

Of course, I checked the flagged page of my blog with Wepawet, and I did not find any web-based exploit… at least so far… Meanwhile, if you encounter the same issue on one of my blog pages, I would greatly appreciate it if you could notify me.
