major.io words of wisdom from a systems engineer

icanhazip.com blocked by Websense

UPDATE 2014-08-07: Websense emailed me to say that the site has been reviewed and found to be safe. It may take some time for all of their products to receive the updated classification.

Quite a few emails and IRC messages hit my screen today about icanhazip.com being blocked by Websense products. The report on Websense’s site shows the site classified as part of a bot network: “The URL analyzed is currently compromised to serve malicious content to visitors.”

Here are some screenshots from the report:

icanhazip blocked by websense

icanhazip blocked by websense

I reached out to Websense on Twitter and via their site. In the report I sent to them, I explained how the site works, gave them a link to the FAQ, and directed them to several blog posts from this site about icanhazip.com. This response from Websense hit my inbox late today:

Hello,

The site you submitted has been reviewed and determined to pose a security risk. At this time, the site is not safe for browsing and is appropriately classified under the following category:

hxxp://icanhazip.com/ - Bot Networks

Researcher Notes: according to our findings, this site in question is embedded with Dyzap campaign malware.

For additional details related to this threat, please refer to the following source: https://www.bluecoat.com/security-blog/2014-08-01/dyzap-campaign-employs-freshly-minted-domains-and-other-tricks

The site will resume its content-based categorization, once it has been determined to no longer be a security risk.

For further investigation, please contact the website administrator.

If you have any questions and/or need any additional information, please let us know.

Thank you for your inquiry,

Lorna

Websense Labs

Here’s what I know:

  • The application that serves up the icanhazip services is not compromised
  • The virtual machine on which the application resides is not compromised
  • The application is returning valid data with no evidence of serving malware

If Websense wishes to claim that the site is being used by malware, I can certainly believe that. However, if they claim the site is serving malicious content or actively participating in attacks in any way, I’ve found no evidence that supports that claim.

I’ll be reaching out to Websense again for additional details and to clear up the report listing on the website. If anyone knows of a way for me to identify this malware traffic and block it from accessing icanhazip.com, please let me know. My GPG key is available.