I was doing some malware analysis on a FakeAV trojan and ran into an odd situation with Surf Protection. I know that a poisoned web search result is redirecting to the FakeAV trojan, and that the trojan itself is hosted on a domain resolving to 204[d]152.214.173 (dangerous). The actual domain hosting the trojan keeps changing, but they're all hosted on that IP.
Often when I enter a suspect address into a legitimate site for additional research, Surf Protection sees the bad address in the URL and spits out a block page EVEN THOUGH that's not the site being accessed. For example here it says Malicious Sites not allowed:
hxxp://www.bfk.de/bfk_dnslogger.html?query=204.152.214.173
The problem is bfk.de is a completely harmless site. I'm using it to see if other malicious domains are hosted on that IP. Only the IP that I am looking up in that URL is malicious. I know I could just white-list the harmless research sites like bfk. My question is how come Astaro fails to block traffic when malware is being transferred from a DOMAIN hosted on an IP it knows is malicious? Doesn't Astaro do a DNS lookup to resolve the IP before the site can be accessed, and can't it block the request if the IP is categorized appropriately? Sometimes it's the only way stuff is going to get blocked because even in this case the bad guys just cycle through domains to evade filters.
For example in this case the actual malware would be something like (made up example):
hxxp://bad-domain.com/68efd41a6a49b3c/1/download
That would be allowed even though the domain resolves to the malicious IP. Only my attempt to look up the IP on a different website is actually blocked.
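The behaviour described in the post, as an added example that is not part of the original post and not Astaro's own code: a naive filter that substring-matches a blocklisted IP anywhere in the URL (blocking the harmless bfk.de lookup) beside a filter that parses out the host actually being connected to, resolves it, and checks the resolved address against the blocklist (blocking the download from bad-domain.com). DNS is replaced by a constructed in-memory table so it runs offline; the hostnames, the bfk.de address and the blocklist contents are assumptions for illustration, and the URLs use `http://` where the post defangs them as `hxxp://`.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist: the single IP flagged as malicious in the post.
MALICIOUS_IPS = {ipaddress.ip_address("204.152.214.173")}

# Constructed, offline stand-in for DNS (hostname -> addresses).
# Real code would call socket.getaddrinfo(); the bfk.de address is made up.
FAKE_DNS = {
    "www.bfk.de": ["193.0.2.10"],                 # harmless research site
    "bad-domain.com": ["204.152.214.173"],        # the made-up malware host
    "other-bad-domain.net": ["204.152.214.173"],  # cycled domain, same IP
}


def naive_url_filter(url: str) -> bool:
    """Block if a blocklisted IP appears as a substring anywhere in the URL.

    This reproduces the failure mode in the post: a query parameter that
    merely *mentions* the IP trips the filter, while a hostname that
    *resolves* to it sails through.
    """
    return any(str(ip) in url for ip in MALICIOUS_IPS)


def resolve(host: str):
    """Look the host up in the constructed table (stand-in for real DNS)."""
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def host_resolving_filter(url: str, resolver=resolve) -> bool:
    """Block only if the host the client will connect to maps to a blocklisted IP.

    The query string is ignored entirely; only the authority part matters.
    A literal IP in the host part is checked directly, a name is resolved.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        candidates = [ipaddress.ip_address(host)]   # e.g. http://204.152.214.173/x
    except ValueError:
        candidates = resolver(host)                 # e.g. http://bad-domain.com/...
    return any(ip in MALICIOUS_IPS for ip in candidates)


if __name__ == "__main__":
    for u in (
        "http://www.bfk.de/bfk_dnslogger.html?query=204.152.214.173",
        "http://bad-domain.com/68efd41a6a49b3c/1/download",
        "http://other-bad-domain.net/68efd41a6a49b3c/1/download",
    ):
        print(f"{u}\n  naive: {naive_url_filter(u)}  resolving: {host_resolving_filter(u)}")
```

Two caveats a practitioner would want: a proxy can only resolve the host itself if it is the one doing the lookup (a transparent proxy forwarding to the client's resolved address should compare that destination address instead), and blocking by resolved IP produces false positives on shared hosting and CDNs, where one address fronts thousands of unrelated sites, so it is best combined with domain reputation rather than used alone.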