Last week I had to deal with the following situation: some of my users complained that they got emails telling them that their computers are infected and that they should go to a certain site for a free scan. Further investigation revealed that the site in question is a typical malware-spreading site: it displays a fake scan window and tricks inexperienced users into downloading a trojan.
By pinging the domain, I got the IP address of that site. A whois on that IP revealed to me the hosting company that hosted the malware site. I emailed their abuse team pointing them at that site. They chose to ignore my email, and the malware site is still up and running at the moment.
Of course I'm upset by such an attitude. I'd like to hear from you how you deal with such situations. I'd also like you to comment on my strategy.
My users access the Internet over a proxy server. That malware site is blocked now. But I want to go one step further. I want to find out all the sites that hosting company is hosting and block them. Can you suggest a workflow and tools for performing this research?
You can find out their net-range and block it off, but keep in mind that the results of a whois don't necessarily represent the company hosting that website. You could find results for a dedicated-server provider's net-range, which will be relatively large, and blocking it off will also block many legitimate websites. Chances are there is a smaller hosting company with one of those dedicated servers hosting a client that has this malware website, which itself might not be intentional and may in fact be the result of a security breach.
You should contact abuse e-mails, but don't expect a reply, especially not a quick one. Things need to go down the chain of command, so a server provider will contact their customer, and their customer will have to deal with that website.
If you want to add more complexity to your setup you could use Google's safe browsing check: http://www.google.com/safebrowsing/diagnostic?site=http://malware.testing.google.test/testing/malware/ and pull info off of it and then decide whether to allow the user to visit the website or not.
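An added example, not code from anyone in this thread, covering the two steps this answer describes: turning the net-range from a whois record into a proxy block list (with the size of the block shown, since that is the "you will also block legitimate sites" caveat), and gating a URL on a Google Safe Browsing lookup. The whois texts and the lookup response are constructed samples; the addresses are RFC 5737 documentation space, not a real provider. The request/response shapes follow the Safe Browsing Lookup API v4 (`threatMatches:find`), which replaced the older diagnostic page; the endpoint and field names are stated here from that API's published schema, not from the thread.

```python
"""Added example: whois net-range -> proxy block list, plus a Safe Browsing
v4 lookup gate. All sample data below is constructed; the address blocks
are RFC 5737 documentation ranges and the response is a hand-made sample."""
import ipaddress
import json
import re
from typing import Dict, List, Set

# Constructed stand-ins for `whois <ip>` output, one ARIN-style and one RIPE-style.
SAMPLE_WHOIS_ARIN = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-HOSTING
OrgName:        Example Hosting LLC
"""

SAMPLE_WHOIS_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-RESELLER
descr:          Reseller block inside a dedicated-server provider
"""

# Both registries print the allocation as "first - last"; only the key differs.
_RANGE_RE = re.compile(
    r"^(?:NetRange|inetnum):\s*([\d.]+)\s*-\s*([\d.]+)",
    re.IGNORECASE | re.MULTILINE,
)


def whois_networks(text: str) -> List[ipaddress.IPv4Network]:
    """Extract the allocated range and return it as a list of CIDR blocks."""
    m = _RANGE_RE.search(text)
    if not m:
        raise ValueError("no NetRange/inetnum line found in whois output")
    first = ipaddress.IPv4Address(m.group(1))
    last = ipaddress.IPv4Address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def range_size(nets: List[ipaddress.IPv4Network]) -> int:
    """How many addresses a block list covers: the collateral-damage number."""
    return sum(n.num_addresses for n in nets)


def covers(nets: List[ipaddress.IPv4Network], ip: str) -> bool:
    """True if the given address falls inside any block in the list."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


def squid_dst_acl(name: str, nets: List[ipaddress.IPv4Network]) -> str:
    """Render a Squid 'acl ... dst' list and the deny rule that uses it."""
    lines = [f"acl {name} dst {n.with_prefixlen}" for n in nets]
    lines.append(f"http_access deny {name}")
    return "\n".join(lines)


# Safe Browsing Lookup API v4. The API key is passed as ?key=... on the URL,
# not in the body; clientId/clientVersion are free-form strings you choose.
SAFE_BROWSING_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"


def safe_browsing_request(urls: List[str], client_id: str = "proxy-filter",
                          client_version: str = "1.0") -> dict:
    """Build the JSON body for a threatMatches:find call."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


# Constructed response in the shape v4 returns for a hit; no hit is just "{}".
SAMPLE_RESPONSE = json.dumps({
    "matches": [{
        "threatType": "MALWARE",
        "platformType": "ANY_PLATFORM",
        "threatEntryType": "URL",
        "threat": {"url": "http://malware.testing.google.test/testing/malware/"},
        "cacheDuration": "300s",
    }]
})


def flagged_urls(response_text: str) -> Dict[str, Set[str]]:
    """Map each flagged URL to its threat types; unflagged URLs are absent."""
    out: Dict[str, Set[str]] = {}
    for m in json.loads(response_text).get("matches", []):
        out.setdefault(m["threat"]["url"], set()).add(m["threatType"])
    return out


def allow(url: str, response_text: str) -> bool:
    """Proxy decision: let the request through only if the lookup did not flag it."""
    return url not in flagged_urls(response_text)


if __name__ == "__main__":
    nets = whois_networks(SAMPLE_WHOIS_ARIN)
    print(f"blocking {range_size(nets)} addresses:\n{squid_dst_acl('malware_host', nets)}")
    print(json.dumps(safe_browsing_request(["http://example.com/"]), indent=1))
```

The size printed by `range_size` is the number to look at before loading the ACL: a /24 from a small hoster is 256 addresses, but a dedicated-server provider's allocation can run to tens of thousands, most of them unrelated customers.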
At this point I'm fairly ambivalent towards providers that allow malware to be hosted on an IP within the class that they control. If you issue a complaint, give them a little time to respond. I've seen positive results in cases like yours.
I rely on OpenDNS pretty heavily for filtering malware sites. They know a lot more about malware sites than I do and are continually updating their databases.
It's free, and you can adjust their prebuilt filters and create your own. They also provide a nice graphical representation of what sites have been blocked based on time and location. This works well for us since we have offices spread throughout the United States.
www.opendns.com