Recently, I have started to notice an increase in unnatural behaviour on many sites that I visit. More than once I’ve even been blocked with a Captcha that I had to enter prior to being granted further access. The last straw was a full ban on Google when trying to do any search query. So, here’s the story of how I dealt with the problem, along with some thoughts on failing security techniques.
If you’ve ever had such a problem, you know that this is a serious thing to worry about. So, I decided to check my IP in some antispam databases (DNS-based blocklists, or DNSBLs). Unsurprisingly it popped up in a few. There are a number of sites that check your IP against many such lists at once, here’s one for example: http://www.dnsbl.info/dnsbl-database-check.php It gives a general idea of how much The Internet hates you right now 🙂
One particularly helpful site is The Composite Blocking List (CBL). Besides telling you if you’re listed, it also tells you the time of your last offence and what you actually “appear to be infected with” – quite a loose term if you ask me, but whatever. In my case it told me I had the Conficker worm, which turned out to be one of the late 00s’ big Internet threats, but since then every major antivirus company has published a number of patches and tools to deal with it. Here are a few in case you might need them:
- AVG tool to remove Conficker
- McAfee Stinger – free tool to scan for and remove different malware (see the description on their site for more info)
- McAfee even went to the length of creating a special tool to scan your network for Conficker-infected machines, which is really cool, also free
- There are some places where you can check online if you’re infected with Conficker, though I don’t think it’s really reliable – like here and here
- University of Bonn did some research on Conficker and gathered it under the title “Containing Conficker”
- Conficker Working Group is a big site dedicated to this threat
- Detecting Conficker with Nmap is a useful article @sans.org
- Of course, Symantec is here too with the “Killing Conficker: How to Eradicate W32.Downadup for Good” thriller and the somewhat more useful Norton Power Eraser to do the actual job – for free. Note that it helps with other stuff too, not just Conficker
- Kaspersky also has a tool to remove this worm, and if you run it from the command line and give it -f as an argument, it will scan all your drives (check the official docs on it for more info)
- F-Secure has something too
And the list goes on, there are many more ways to detect and remove this worm from your system. You can even try to do some stuff manually, like this article suggests.
I started with a few tools and they found nothing on my system, so I pressed on. After reading all of the above, running all sorts of scans on my system and even using Wireshark to log everything and then checking for possible connections to the Conficker sinkhole IP that the CBL database gave me, everything was clean, no worm activity. After all that I felt pretty confident and was about to remove myself from the ban list (they give you such an option, but don’t abuse it). However, during my antivirus crusade I didn’t notice that my IP had changed. When I learned about it and checked the database again, it showed me very recent worm activity on my former IP, at a time when it was no longer mine! Plus, on my new IP it showed the same, but a day earlier. It got me thinking, so I decided to check a few other IPs from my ISP’s subnet. Bingo! All kinds of stuff – not only Conficker, but a host of different worms and botnets and what not. I was never infected to start with, it’s the damn IP that someone used before me!
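The two checks above (looking up your own IP in a DNSBL, then looking at the neighbouring addresses in the ISP’s subnet) boil down to a DNS lookup of the reversed octets under the list’s zone. This is an added example, not code from the post or from any of the tools it mentions; the zone names and the 192.0.2.x addresses are assumptions and constructed samples, and the resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed zone list; cbl.abuseat.org is the CBL zone the post refers to (assumed reachable).
DNSBL_ZONES = ["cbl.abuseat.org", "zen.spamhaus.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_resolve(name: str) -> Optional[str]:
    """Default resolver: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(answer: Optional[str]) -> bool:
    """A DNSBL answers a listed IP with an address inside 127.0.0.0/8; NXDOMAIN means not listed."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_ip(ip: str, zones: Iterable[str] = DNSBL_ZONES,
             resolve: Callable[[str], Optional[str]] = dns_resolve) -> Dict[str, bool]:
    """Query every zone for one IP and return {zone: listed?}."""
    return {zone: is_listed(resolve(dnsbl_query_name(ip, zone))) for zone in zones}


def listed_neighbours(ip: str, zone: str, span: int = 8,
                      resolve: Callable[[str], Optional[str]] = dns_resolve) -> List[str]:
    """Check the addresses within +/- span of ip inside its /24, as the post did for the ISP subnet.
    Many listed neighbours point at a shared or dynamic pool rather than at your own machine."""
    me = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network(f"{ip}/24", strict=False)
    return [str(cand) for cand in net
            if cand != me and abs(int(cand) - int(me)) <= span
            and is_listed(resolve(dnsbl_query_name(str(cand), zone)))]


if __name__ == "__main__":
    # Constructed sample address; replace with your own public IP for a real check.
    print(check_ip("192.0.2.10"))
    print(listed_neighbours("192.0.2.10", DNSBL_ZONES[0]))
```

If a zone you query is unreachable, gethostbyname fails the same way as NXDOMAIN, so a clean result from a list that is down looks identical to a genuine clean result.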
Moral of the story: always do some more research before jumping to conclusions. Like “what if my IP is dynamic?” In my case I wasn’t aware of it, because I was told it’s static and didn’t check it myself. And of course, in my case it’s useless to ask the ISP to do something, because the problem is with their host of infected clients and they don’t really give a shit about it, easier to change the ISP.
Generally speaking, it’s like you’re the one normal person living in a house full of active criminals, and each time you want to go to the city you’re given an ID from the common pile of documents of this house’s inhabitants. Needless to say, when the police pull you over and check it against the database, you are identified as some criminal and processed according to that data. It leads me to the conclusion that these methods are imperfect. Sure, there has to be some way to battle the botnets and worms like Conficker, but blocking people just like that? And all those Captcha things that even Google puts in front of you – they don’t tell you a thing about infection, they’re just there irritating people, asking them “are you a robot?”
It’s no wonder some people are pissed about it. While researching this topic I found a few articles about how to bypass this blocking by using anonymizers; they never mentioned even the possibility of infection, their logic is something like “oh yeah, now half of the sites on the internet don’t like me? maybe cause im from insert-any-country-name-here?!” And you can’t blame them, because there is NO INFO for them – even on the block screens, at least not enough, they’re just getting blocked. Most people that have real worms and botnet clients on their computers don’t have the kind of tech knowledge to do the thinking here and get to the point of checking spam/botnet databases; many of them don’t even know what an IP is. The lack of information for them, plus this block-by-IP thing, isn’t helping to really cure the Web; instead, it’s leading people to wrong conclusions like using anonymizers. Good job whoever came up with the idea (sarcasm). It’s all really sad.