Last week I tried to access the web site of a company that a few of my former Microsoft colleagues work for and was shocked when Norton DNS blocked my access. Upon further investigation I realized the company’s site was hosted by Microsoft’s Windows Azure and that Symantec (aka Norton) had blocked all of Azure’s cloudapp.net domain. Why? Well as best I can tell one of the subdomain’s on cloudapp.net had been used by another Azure customer to host malware. Symantec hadn’t just blocked the subdomain though, it had blocked the top-level domain. Readers of this blog know that I advocate implementing “Ghost Protocol” on those who host malicious user-generated content, but only if they fail to remove it when notified and fail to take adequate steps to prevent this from being a persistent problem. It seems like Symantec didn’t read the second part of the memo. I let a Microsoft executive know about this and they worked with Symantec to unblock cloudapp.net.
Of course this isn’t the first time I’ve noticed a legitimate site being used maliciously. You may recall that a few months back I found links to Tumblr being used in a lot of SPAM. While Tumblr didn’t host malware directly, it allowed the creation of sites that were nothing more than redirects to malicious sites. After I, and perhaps others, reported this to Tumblr they must have made some changes because I stopped seeing them being used in this way. But if Tumblr hadn’t made those changes then I was advocating implementing Ghost Protocol on them.
I had a very similar experience with a German web hosting company, where for a while a lot of SPAM contained links that pointed to subdomains on their site. I reported them all, and for a while they weren’t responding (to the point that I actually did start advocating that services such as Web of Trust (WOT) should start blocking them). But eventually they responded and I haven’t seen links to them in SPAM for a while.
I’ve also seen the occasional link to malicious content on Amazon AWS and other cloud services that host user-generated content. On WOT you can find many legitimate sites that have less than stellar rankings because users have found malicious content on them at some point in time. If you host content then it just goes with the territory.
Today comes word that Chinese hosting site 3322.org has been taken down in an operation by Microsoft’s Digital Crimes Unit for hosting a botnet and other malware. How big is this? Well Kaspersky Labs reports that 40% of malware connects to 3322.org. 40%! Wow, taking this site down is a huge win for Internet users.
Of course 3322.org was hosting legitimate content as well as malicious content, and so there are no doubt many Chinese companies and their customers that are hurting right now. And the real problem here is that, although 3322.org may have had policies prohibiting its use for hosting malicious content, the site’s owner did little to remove or block malicious content when he was notified of it. That, in my mind, does warrant blocking the domain in URL Filters and DNS, and even a take down like the one Microsoft pursued.
As more and more content, both consumer and business, is hosted in the cloud it is critical that the providers of Cloud Services keep those services free of malicious content. Failure to do so endangers web users in general (as in the 3322.org case), but more specifically endangers all users of their service. Imagine hosting your personal documents on iCloud, Skydrive, Dropbox, Google Drive, etc. and having them become inaccessible because those domains were blocked for hosting malware. Or imagine your company’s website blocked because Azure, AWS, Google Cloud Platform, etc. domains were blocked.
The Cloud brings many benefits, but it also brings downsides. This is little different from the centralization/de-centralization tension that has existed on-premise for decades. Centralization brings efficiencies at the cost of the entire user community being subjected to the limits and failings of the central organization. The Cloud means all users of a service will share in the failings of that service provider. And if one of those is a failure to police their service for malicious content, then the penalty imposed on users could be quite severe.
“Symantec (aka Norton) had blocked all of Azure’s cloudapp.net domain”
You mean the ip adresses under that domain?
You wouldn’t use mycompanywebsite.cloudapp.net, but use your own domain name, linked to those ip-nrs?
Or do I not understand the situation?
Looks like it did some kind of redirect to mycompanywebsite.cloudapp.net
Pingback: @WinObs Tweeted Links for September 13, 2012 WindowsObserver.com