
SANS ISC: What? No URL? - Internet Security | DShield SANS ISC InfoSec Forums


What? No URL?
The scenario goes something like this: We get information that there is a potentially malicious site doing some not-so-nice things. After investigating and working to figure out what is going on, we finally post an entry to let people know that there is an evil site out there and exactly what you will get if you visit that site. (Yes, we also report it to try to get it taken down.) Well, for most people, that's enough, but for others there is an insatiable urge to know exactly where that site is located, which prompts an email to us asking that very question. There are all sorts of reasons why people want to know where the site is, and my reason for writing this is not to belittle any of them, as many of them are valid. It's actually to try to set the record straight on why we try to avoid posting the URL to sites that are doing malicious things. Here are a couple of reasons:

First, for some unknown reason, it is in our human nature to want to click on anything clickable! Maybe it's the rebel in us all, a form of expression. Regardless of who you are, we all click on URLs, especially on sites that we trust. How many viruses have you had to fight off at your organization from users clicking on links in email they got? Well, we don't want to contribute to that infection rate. However, if you are one of the very few (they could probably be counted on one hand) who actually type every single URL, my hat's off to you!! But for the rest of us, we don't post the URL to malicious sites, to help protect folks from themselves and that insatiable urge to click on things. If we were to point users to a URL which has malware on it like http://82.165.161.37/vir_r00tk1t.html (Don't click on that link) then there is a chance a security-minded user could accidentally click the link while copying it to an email or another window. Whether you're a newbie or an oldie, accidents do happen.

Second (you'll need to think devious), if you are a bad guy and you want to stay up on some of the latest exploits, or if you have done some exploiting and wonder if someone is on to you, where would you look? Well, major security sites with forums would be a good start: a place where you can see the latest happenings as they are posted. Since good guys as well as bad guys visit our site, we don't post the links, to keep the "bad guys" from getting their hands on new malware or pointers to the latest exploit code. The last thing we want to do is to help further their endeavors. Sure, if they want it they can probably find it, but we're not going to make it easy for them, and they'll have to get it somewhere else. We all need to be responsible with what we post and make available. Things that can be used for good can be used for evil as well.

Hopefully this cleared up things for folks as to why we don't post the full URL to malicious sites or post the links to exploit code for that matter.  We really enjoy helping everyone and part of that is protecting everyone who visits the site.
Lorna

ISC Handler