  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
| Another WinFixer infiltration...this time on www.wfaa.com
About an hour and a half ago I was on WFAA's (a local ABC affiliate) website, www.wfaa.com, looking for a story on the noon news about caller ID spoofing being used for phishing (vishing in this case) purposes. I was in the News 8 Investigates section of the site when my IE window got resized to the bottom right very small, and a prompt asking if I wanted to install and run something called PcTurboPro popped up.
Since this had all the hallmarks of a drive-by download attempt at getting spyware on my workstation, and it had only TrendMicro OfficeScan and no hosts file, I killed IE6 with the task manager. I then went to SiteAdvisor where I found out I had prevented a WinFixer infection on it.
Something on a third party ad network wfaa.com was using, or their own ad network, BeloInteractive, appears to have been infiltrated by WinFixer. I'm not sure what it was, and didn't see anything in my ad filter's logs here on this machine that looked suspicious, but it's there all right - it left behind a tracking cookie on my workstation. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot) We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated. |
|
  jansson_mark Markus Jansson Premium join:2001-08-05 Finland
| How can you - or anyone else - get infected by simply visiting a website? You must be using unpatched old browsers. I tried to infect my system with Winfixer...just for fun...but I failed. I would have had to download and run .exe file to get infected. -- My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. |
|
  sectionsix Premium join:2004-11-03 Tempe, AZ
edit: June 22nd, @06:59PM
| I looked around at hxxp://www.wfaa.com/localnews/investigates/ for a bit and didn't see anything, I used IE7 BTW. For security I'm running WinXP SP2 (all patches), NOD security suite beta, SandBoxIE, and IE-SPYAD. The only ugly thing I found at that site was the redirect "become a member" page. |
|
 mysec Premium join:2005-11-29
edit: June 22nd, @09:01PM
| reply to jansson_mark
said by jansson_mark: How can you - or anyone else - get infected by simply visiting a website? You must be using unpatched old browsers.
Only days after Apple released Mac OS X 10.4.10, it has also released Security Update 2007-006.
»news.com.com/8301-10784_3-973384···1_3-0-20
quote: Both vulnerabilities involve surfing the Internet.
They affect the previous version of the OS. I wonder how quickly MAC people patch|upgrade!
|
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
edit: June 22nd, @09:50PM
| reply to Doctor Four On the machines where I work, IT hasn't gotten around to upgrading to IE7.
As for the attempt, the furthest it got was a redirect from the WFAA site to pcturbopro.com. I think it happened when I clicked the back button from More News 8 Investigates page.
When I saw it pop up, I figured the easiest way to get rid of it was to kill IE with the task manager.
I just tried it on another machine, one that doesn't have a hosts file on it. It came up on the Local News page after I reloaded it a couple of times. That machine was running Firefox, and I got rid of the redirect by killing FF in the task manager. Only this time it was Errorsafe. Not sure which ad is triggering it, though.
Edit: I sent them an email through their online comment system with links to SiteAdvisor pages on the WinFixer domains that I encountered. Hopefully that will help a less savvy user of the site, who doesn't know what WinFixer is or the domains associated with them, avoid getting infected. |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
| reply to Doctor Four An update: I tried going to the Local News section tonight with my hosts file temporarily disabled and my ad filter turned off. (Risky, I know, but I knew what to do should a redirect occur.)
I reloaded the Local News page about 4-5 times (just short of the point at which the site prompts for membership), but couldn't get even one redirect. If their IT was on the ball about it, they would have taken action on the complaint I sent them through their email system. Hopefully they have.
WinFixer is a variant of one of the most common trojan infections, Vundo. According to Sandi Hardmeier, who first found they had infiltrated AOL's and MSN Messenger's ad networks, the company responsible is Valueclick. They claimed to have dropped Winfixer as a client, yet Sandi has found that flash ads from a Valueclick domain, adfarm.mediaplex.com, are still redirecting web surfers to Winfixer domains:
»msmvps.com/blogs/spywaresucks/ar···/05.aspx |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
edit: June 23rd, @10:28PM
| reply to Doctor Four Another ABC local to try
Does this ABC o/o station's article about the caller ID spoofing cause you any problems? »abclocal.go.com/ktrk/story?secti···=3953183
Please let me know.
NOTE: The AP article published on KTRK in Houston is dated 3/1/06 and is not readily available on many ABC o/o websites. -amy-
 -- DSLR Phishtracker |
|
  norwegian Premium join:2005-02-15 Outback
| reply to Doctor Four Re: Another WinFixer infiltration...this time on www.wfaa.com
Not sure what is happening there, on the News 8 page, but it is shutting down the server of Hostsman.
Seems the ads are the same as the home page, and no issues with the server running for that. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
edit: June 24th, @03:54PM
| reply to Doctor Four I took a look at the source and found zedo. That seemed to ring a bell, as they haven't always had a sterling reputation.
The old zedo: »209.85.165.104/search?q=cache:u-···=3&gl=us
The new zedo: »en.wikipedia.org/wiki/ZEDO
It seems they have grown up a bit and are now the third largest company in their market. As the first and second companies have been acquired, I would think they are trying very hard to clean up their image and would be very sensitive to any suggestion of impropriety.
Nonetheless, I was able to find what sounds like a similar problem on the travelpod web site. It's a long thread, but very informative. It seems zedo serves ads in rotation and when they have exhausted their supply, they serve google ads through the zedo servers. In this case it seems to have been a google ad that was hijacked. »www.travelpod.com/forums/lofiver···403.html |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
edit: June 25th, @10:35PM
| reply to amysheehan Re: Another ABC local to try
Nothing that looks like it would be suspicious in my ad filter's HTTP logs - only the normal tracking services.
The ones that I noticed were hitbox, adsonar, serving-sys, tacoda and imrworldwide. All of which are in the hosts file. The serving-sys one looked like it would generate the kind of transparent popup ad superimposed over the main page that I've seen sometimes on weather.com. -edit - those are called eyeblaster ads. |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
edit: June 25th, @11:31AM
| reply to Doctor Four Re: Another WinFixer infiltration...this time on www.wfaa.com
It happened again just now, but this time on intellicast.com. I had loaded the 1km radar page for DFW to see where the storms we're supposed to be getting today were at when I got redirected to errorsafe.
Since I had put all the Winfixer domains in the restricted sites, it couldn't do anything - and the page was blank. (This was on my work machine, BTW.)
A previous visit to the same radar page had a flash ad served by Zedo. I think you're on to something here with the Winfixer-Zedo connection, Just Bob.
Edit: it is a Zedo ad on WFAA that is likely doing this - I have them in the restricted sites zone as well - this seemed to have prevented a redirect to any Winfixer sites. |
|
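The Restricted sites trick Doctor Four describes above (and the IE-SPYAD list sectionsix runs) works through per-domain zone assignments that IE keeps in the registry under ZoneMap\Domains: a key named after the domain, holding a value named "*" (any scheme), "http" or "https" whose DWORD data is the zone id, with 4 meaning Restricted sites. As an added example, not code from the thread or from any of the tools named in it, the Python below turns a hosts-style list into a .reg file that puts each domain, and every host under it, into zone 4. The sample list is constructed from names that appear in the thread's hosts lists; the two-label suffix table is a deliberate stand-in for the real public suffix list and is an assumption.

```python
"""Put a list of rogue domains into IE's Restricted sites zone via a .reg file.

Added example for this thread, not code from any tool it mentions.
IE stores per-domain zone assignments under ZoneMap\\Domains: a key named
after the domain, holding a value named "*" (any scheme), "http" or
"https" whose DWORD data is the zone id. Zone 4 is Restricted sites.
SAMPLE_HOSTS is constructed from names that appear in the thread's hosts
lists; TWO_LABEL_SUFFIXES is a deliberately tiny stand-in for the public
suffix list (assumption).
"""
import re

RESTRICTED_ZONE = 4
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk"}   # assumption: enough for this sample
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

SAMPLE_HOSTS = """\
# constructed sample; names taken from the lists posted in the thread
127.0.0.1 localhost
127.0.0.1 errorsafe.com #[Downloader.Win32.Agent.d]
127.0.0.1 download.errorsafe.com
127.0.0.1 pcturbopro.com
127.0.0.1 www.pcturbopro.com
127.0.0.1 winfixer.co.uk
127.0.0.1 download.winfixer.com
127.0.0.1 ads.zedo.com
"""


def registrable_domain(host):
    """Collapse a hostname to the domain a zone key should be named after."""
    labels = host.strip().lower().rstrip(".").split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    keep = suffix_labels + 1
    return ".".join(labels[-keep:])   # a bare domain is returned unchanged


def hosts_to_domains(hosts_text):
    """Hostnames from hosts-file lines, collapsed to registrable domains."""
    domains = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or not IPV4.fullmatch(fields[0]):
            continue   # blank, comment-only, or not an address line
        for host in fields[1:]:
            if host.lower() != "localhost":
                domains.add(registrable_domain(host))
    return sorted(domains)


def make_reg(domains, zone=RESTRICTED_ZONE):
    """Render a regedit-importable file: one key per domain, "*" covers all schemes."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for domain in domains:
        lines.append(f"[{ZONEMAP_KEY}\\{domain}]")
        lines.append(f'"*"=dword:{zone:08x}')
        lines.append("")
    return "\r\n".join(lines)   # .reg files are CRLF-terminated


if __name__ == "__main__":
    print(make_reg(hosts_to_domains(SAMPLE_HOSTS)))
```

Import the output with regedit under the account that browses; the HKCU keys are honoured unless the machine has been configured to take zone settings from HKLM only. Two things to keep in mind: the key is the registrable domain, so hosts the hosts file never listed (a new subdomain, for instance) are still covered; and the zone does not stop the request going out, it disables scripting, ActiveX and downloads for the page, which is why the redirect target rendered as a blank page in the post above rather than not loading at all.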
sivran God Save The Suite Premium join:2003-09-15 Arlington, TX
| reply to Doctor Four WFAA's site serving up malware ads AGAIN? Excuse me while I go block their site entirely. The one single infection my network's experienced was through a bad ad on that site several months ago. -- Think outside the fox...Seamonkey |
|
  youveshutmedown
@sbcglobal.net
| reply to mysec
said by mysec: They affect the previous version of the OS. I wonder how quickly MAC people patch|upgrade!
MACs are inherently secure, and don't need to be patched or updated because they are impervious to exploits/viruses/hacking, aren't they? LOL |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
| reply to sivran
said by sivran: WFAA's site serving up malware ads AGAIN? Excuse me while I go block their site entirely. The one single infection my network's experienced was through a bad ad on that site several months ago.
I suppose I should mention again that it was Google ads served by Zedo that caused the problems on the travelpod website. But since there's no way to predict the source of the ads, you would have wider protection if you were to block Zedo, rather than WFAA.
Here are all the sites I could glean from my hosts file:
127.0.0.1 undertonenetworks.com #[zedo.com][IE-SpyAd]
127.0.0.1 www.undertonenetworks.com
127.0.0.1 zedo.com #[SecuritySpace.WebBug]
127.0.0.1 ads.zedo.com #[McAfee.Cookie-Zedo]
127.0.0.1 c1.zedo.com #[a1979.g.akamai.net]
127.0.0.1 c2.zedo.com #[SpySweeper.Spy.Cookie]
127.0.0.1 c3.zedo.com
127.0.0.1 c4.zedo.com #[zedo.vo.llnwd.net]
127.0.0.1 c5.zedo.com
127.0.0.1 c6.zedo.com
127.0.0.1 c7.zedo.com
127.0.0.1 c8.zedo.com #[zedo.vo.llnwd.net]
127.0.0.1 freeze.zedo.com
127.0.0.1 g.zedo.com #[zedo.live365.com]
127.0.0.1 gw.zedo.com
127.0.0.1 l1.zedo.com #[a1101.g.akamai.net]
127.0.0.1 l2.zedo.com
127.0.0.1 l3.zedo.com
127.0.0.1 l4.zedo.com #[Panda.Spyware:Cookie/Zedo]
127.0.0.1 l5.zedo.com
127.0.0.1 l6.zedo.com #[a515.g.akamai.net][Tenebril.Tracking Cookie]
127.0.0.1 l7.zedo.com
127.0.0.1 l8.zedo.com
127.0.0.1 simg.zedo.com #[zedo.vo.llnwd.net][a556.g.akamai.net]
127.0.0.1 ss1.zedo.com
127.0.0.1 ss2.zedo.com
127.0.0.1 xads.zedo.com
127.0.0.1 www.zedo.com #[Adware.RaxSearch] |
|
sivran God Save The Suite Premium join:2003-09-15 Arlington, TX
| Thanks for the list. The wfaa block is a stop-gap measure until I get proper filters in place. Heck, my dad surfs porn when I'm not around, and yet it was wfaa that got him. What is the world coming to? |
|
  DrStrange Technically feasible Premium join:2001-07-23 West Hartford, CT
| reply to Doctor Four Thanks for the hosts file entries. I've seen zedo hits elsewhere on the 'net, and I'll bet this will propagate to other sites before it's stopped. I generally block advertisers as a rule. This case is an operational definition of my reasoning for doing so. |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
| I highly recommend the use of a hosts file. Personally I use the MVPS file: »www.mvps.org/winhelp2002/hosts.htm
Remember the good old days when the justification for the hosts file was a privacy issue rather than a security issue? |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR edit: June 25th, @06:52PM
| reply to Just Bob Looks like the current MVPS Hosts file! 
Edit: Well looks like you posted as I was. My reply was to your earlier post with the MVPS entries. |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
| reply to Doctor Four Winfixer hosts entries (from the June 14th MVPS hosts file):
# [Innovative Marketing Group][NSCACHE.NET][SetupAHost]
127.0.0.1 adnetserver.com
127.0.0.1 www.adnetserver.com
127.0.0.1 adserver.affiliatemg.com
127.0.0.1 amaena.com
127.0.0.1 www.amaena.com #[IE-SpyAd][Trojan.TrustedZone]
127.0.0.1 www.amxtravel.com
127.0.0.1 www.antivirus-comparison.com
127.0.0.1 www.antivirusproshop.com
127.0.0.1 ads2desk.com
127.0.0.1 www.bestofonlinesearch.com
127.0.0.1 www.bestsearchnet.com
127.0.0.1 betbonus.com
127.0.0.1 www.betbonus.com
127.0.0.1 www.billingcomplete.com
127.0.0.1 billingnow.com #[Trojan.TrustedZone]
127.0.0.1 secure.billingnow.com
127.0.0.1 www.billingnow.com
127.0.0.1 stats.bookmyfares.com
127.0.0.1 www.bookmyfares.com
127.0.0.1 www.cannis.org
127.0.0.1 www.casinoaceking.com
127.0.0.1 www.clickwwwsearch.com
127.0.0.1 www.completebilling.com
127.0.0.1 www.computershield.com
127.0.0.1 locator.contentsvc.com
127.0.0.1 www.creditsecretguide.com
127.0.0.1 cdn.downloadcontrol.com #[setuphost.vo.llnwd.net][Win32/Adware.WinFixer]
127.0.0.1 drivecleaner.com #[McAfee.FakeAlert-I]
127.0.0.1 cdn.drivecleaner.com
127.0.0.1 dynamique.drivecleaner.com
127.0.0.1 freeware.updates.drivecleaner.com
127.0.0.1 go.drivecleaner.com #[eTrust.Win32/Beenut]
127.0.0.1 jsp.drivecleaner.com
127.0.0.1 secure.drivecleaner.com
127.0.0.1 stats.drivecleaner.com
127.0.0.1 www.drivecleaner.com #[Symantec.DriveCleaner]
127.0.0.1 www.driveprotector.com
127.0.0.1 www.enhanceyourbust.com
127.0.0.1 www.epinioncash.com
127.0.0.1 errorprotector.com #[SunBelt.ErrorProtector][secure.winsoftware.com]
127.0.0.1 bin.errorprotector.com #[Downloader.Win32.WinFixer.l]
127.0.0.1 go.errorprotector.com #[Google Warning]
127.0.0.1 report.errorprotector.com
127.0.0.1 www.errorprotector.com #[HJTH.Downloader.Agent]
127.0.0.1 errorsafe.com #[Downloader.Win32.Agent.d]
127.0.0.1 br.errorsafe.com
127.0.0.1 de.errorsafe.com
127.0.0.1 download.errorsafe.com #[Prevx.Rogue.ErrorSafe]
127.0.0.1 go.errorsafe.com
127.0.0.1 kb.errorsafe.com
127.0.0.1 nl.errorsafe.com
127.0.0.1 se.errorsafe.com #[SiteAdvisor.errorsafe.com]
127.0.0.1 secure.errorsafe.com
127.0.0.1 utils.errorsafe.com #[winfixer.com]
127.0.0.1 www.errorsafe.com #[Symantec.ErrorSafe]
127.0.0.1 www.ezmp3downloads.com
127.0.0.1 www.fileprotector.com
127.0.0.1 genericscanner.com #[Rogue/Suspect]
127.0.0.1 www.genericscanner.com
127.0.0.1 getfreecar.com
127.0.0.1 www.getfreecar.com
127.0.0.1 gomyron.com #[Malicious Links]
127.0.0.1 jsp.gomyron.com
127.0.0.1 members.us.homecs.com
127.0.0.1 www.homecs.com #[ripoffreport.com]
127.0.0.1 locator.imagesrvr.com
127.0.0.1 locator1.cdn.imagesrvr.com #[setuphost.vo.llnwd.net]
127.0.0.1 www.incrediseek.com
127.0.0.1 innovativemarketing.com #[Trojan.Vundo.B][TROJ_CRYPT.N]
127.0.0.1 www.innovativemarketing.com
127.0.0.1 internetantispy.com #[Rogue/Suspect]
127.0.0.1 www.internetantispy.com
127.0.0.1 www.jobdrill.com
127.0.0.1 www.kpremium.com
127.0.0.1 www.matchservice.com
127.0.0.1 www.maxkb.com
127.0.0.1 www.mcafeereview.com #[locator.imagesrvr.com]
127.0.0.1 mp3u.com
127.0.0.1 download.mp3u.com
127.0.0.1 www.mp3u.com
127.0.0.1 www.mp3asap.com
127.0.0.1 www.mp3asap.net
127.0.0.1 www.multimediafixer.com
127.0.0.1 www.mysurvey4u.com
127.0.0.1 www.nortoncomparison.com
127.0.0.1 content.onerateld.com #[setuphost.vo.llnwd.net]
127.0.0.1 www.onestoponlineshop.net
127.0.0.1 www.pcsupercharger.com
127.0.0.1 pcturbopro.com
127.0.0.1 www.pcturbopro.com
127.0.0.1 popupavenger.com
127.0.0.1 www.popupavenger.com
127.0.0.1 images.popupguard.com
127.0.0.1 www.popupguard.com
127.0.0.1 stats1.reliablestats.com #[TR/Dldr.FakeAv.C]
127.0.0.1 stats2.reliablestats.com
127.0.0.1 www.review-software.com
127.0.0.1 www.ringtonegold.com #[LURHQ.IFrame.Exploit]
127.0.0.1 search42.com
127.0.0.1 www.search42.com
127.0.0.1 www.searchfindsearch.com
127.0.0.1 setupahost.net
127.0.0.1 noc.setupahost.net
127.0.0.1 www.setupahost.net
127.0.0.1 www.sexbuddies.com
127.0.0.1 sexprofit.com
127.0.0.1 go.sexprofit.com
127.0.0.1 jsp.sexprofit.com
127.0.0.1 sxp.sexprofit.com
127.0.0.1 www.sexprofit.com
127.0.0.1 www.smax.us #[Innovative Marketing Ukraine]
127.0.0.1 smileydistrict.com
127.0.0.1 softwareprofit.com
127.0.0.1 go.softwareprofit.com
127.0.0.1 www.softwareprofit.com
127.0.0.1 www.symantecreview.com
127.0.0.1 sysprotect.com
127.0.0.1 download.sysprotect.com
127.0.0.1 scanner.sysprotect.com
127.0.0.1 utils.sysprotect.com
127.0.0.1 www.sysprotect.com #[McAfee.SysProtect]
127.0.0.1 systemdoctor.com #[HJTH.Downloader.Agent]
127.0.0.1 de.systemdoctor.com
127.0.0.1 download.systemdoctor.com #[Win32/Adware.WinFixer]
127.0.0.1 es.systemdoctor.com
127.0.0.1 fr.systemdoctor.com
127.0.0.1 go.systemdoctor.com #[Symantec.SystemDoctor]
127.0.0.1 instlog.systemdoctor.com
127.0.0.1 px.systemdoctor.com
127.0.0.1 www.systemdoctor.com #[Downloader.Win32.WinFixer.l]
127.0.0.1 www.tattoobitches.com
127.0.0.1 www.theringtonesource.com
127.0.0.1 vantagesoftware.com #[Rogue/Suspect]
127.0.0.1 billing.vantagesoftware.com
127.0.0.1 www.vantagesoftware.com #[SiteAdvisor.vantagesoftware.com]
127.0.0.1 www.viptravelagent.com
127.0.0.1 www.virusguard.com
127.0.0.1 virussoftwarereview.com
127.0.0.1 purchase.virussoftwarereview.com
127.0.0.1 www.virussoftwarereview.com
127.0.0.1 www.virussw.com
127.0.0.1 http.edge.vru4.com #[McAfee.Adware-Apropos]
127.0.0.1 www.wantprofit.com
127.0.0.1 www.webinvestigator.com
127.0.0.1 go.winadblocker.com
127.0.0.1 secure.winadblocker.com
127.0.0.1 www.winadblocker.com
127.0.0.1 secure.winantispam.com
127.0.0.1 www.winantispam.com
127.0.0.1 secure.winantispy.com
127.0.0.1 www.winantispy.com
127.0.0.1 winantivirus.com #[Google Warning]
127.0.0.1 br.winantivirus.com
127.0.0.1 de.winantivirus.com
127.0.0.1 es.winantivirus.com
127.0.0.1 fr.winantivirus.com
127.0.0.1 go.winantivirus.com
127.0.0.1 kb.winantivirus.com
127.0.0.1 hk.winantivirus.com
127.0.0.1 instlog.winantivirus.com
127.0.0.1 purchase.winantivirus.com
127.0.0.1 secure.winantivirus.com #[SiteAdvisor.winantivirus.com]
127.0.0.1 support.winantivirus.com
127.0.0.1 ulog.winantivirus.com
127.0.0.1 utils.winantivirus.com
127.0.0.1 www.winantivirus.com #[Rogue/Suspect][TR/Dldr.FakeAV.A.6]
127.0.0.1 winantivirus.co.uk
127.0.0.1 www.winantivirus.co.uk
127.0.0.1 www.win-anti-virus-pro.com
127.0.0.1 www.win-virus-pro.com
127.0.0.1 winantispyware.com #[Symantec.WinAntiSpyware]
127.0.0.1 download.winantispyware.com
127.0.0.1 go.winantispyware.com #[SiteAdvisor.winantispyware.com]
127.0.0.1 www.winantispyware.com #[Rogue/Suspect]
127.0.0.1 kb.winantiviruspro.com
127.0.0.1 www.winantiviruspro.com #[SpySweeper.Spy.Cookie]
127.0.0.1 wincontentfilter.com
127.0.0.1 download.wincontentfilter.com
127.0.0.1 secure.wincontentfilter.com
127.0.0.1 download.windrivecleaner.com
127.0.0.1 www.windrivecleaner.com
127.0.0.1 www.windrivesafe.com
127.0.0.1 winfirewall.com
127.0.0.1 www.winfirewall.com
127.0.0.1 winfixer.co.uk
127.0.0.1 br.winfixer.com #[SiteAdvisor.winfixer.com]
127.0.0.1 download.winfixer.com #[Symantec.WinFixer]
127.0.0.1 fr.winfixer.com
127.0.0.1 winnanny.com #[Trojan.TrustedZone]
127.0.0.1 www.winnanny.com
127.0.0.1 www.winpluspak.com
127.0.0.1 ls.winpopupguard.com
127.0.0.1 www.winpopupguard.com
127.0.0.1 winprivacyguard.com
127.0.0.1 www.winprivacyguard.com
127.0.0.1 www.winproductions.com
127.0.0.1 activate.winsoftware.com
127.0.0.1 download.cdn.winsoftware.com #[setuphost.vo.llnwd.net][Win32/Adware.WinFixer]
127.0.0.1 updates.winsoftware.com
127.0.0.1 secure.winsoftware.com
127.0.0.1 trial.updates.winsoftware.com
127.0.0.1 www.winsoftware.com
127.0.0.1 uk.workhomecenter.com
127.0.0.1 www.workhomecenter.com
Not every one of these will be encountered. |
|
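Both hosts lists above (Just Bob's Zedo entries and the MVPS WinFixer block) match exact hostnames only, and the thread's own experience was that nothing in the ad filter's HTTP log looked suspicious until a rogue domain was already in the picture. The Python below is an added example, not code posted in the thread or taken from any ad filter it names: it replays an HTTP log from a machine with no hosts file against a hosts list and reports what the list would have stopped, where a host under a listed domain would have slipped past it, and the Referer chain leading from the landing page to the rogue installer. SAMPLE_HOSTS and SAMPLE_LOG are constructed; the hostnames come from lists in the thread, but the URL paths, timestamps and the log layout (date, time, method, URL, referrer with "-" for none) are assumptions standing in for whatever a given ad filter writes.

```python
"""Replay an HTTP log against a hosts-file blocklist, matching the way
the hosts file does (exact hostname only), and walk the Referer chain
back from the rogue installer to the page that started it.

Added example for this thread, not code from any ad filter or tool it
names. SAMPLE_HOSTS and SAMPLE_LOG are constructed: the hostnames come
from lists posted in the thread, but the URL paths, timestamps and the
log layout (date time method url referrer, "-" for none) are assumptions.
The log is meant to read as a machine with no hosts file, so every
request went through.
"""
from urllib.parse import urlsplit

SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 c4.zedo.com #[zedo.vo.llnwd.net]
127.0.0.1 errorsafe.com #[Downloader.Win32.Agent.d]
127.0.0.1 go.errorsafe.com
127.0.0.1 www.errorsafe.com
127.0.0.1 pcturbopro.com
127.0.0.1 www.pcturbopro.com
"""

SAMPLE_LOG = """\
2007-06-22 12:31:02 GET http://www.wfaa.com/localnews/investigates/ -
2007-06-22 12:31:03 GET http://c4.zedo.com/ads2/f/123/ad.swf http://www.wfaa.com/localnews/investigates/
2007-06-22 12:31:05 GET http://go.errorsafe.com/?a=9 http://c4.zedo.com/ads2/f/123/ad.swf
2007-06-22 12:31:06 GET http://utils2.errorsafe.com/scan.php http://go.errorsafe.com/?a=9
2007-06-22 12:31:08 GET http://www.pcturbopro.com/install.exe http://utils2.errorsafe.com/scan.php
"""


def parse_hosts(text):
    """Set of hostnames the hosts file pins to a blackhole address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "0.0.0.0"):
            blocked.update(h.lower() for h in fields[1:] if h.lower() != "localhost")
    return blocked


def parse_log(text):
    """One dict per request; referrer is None when the log shows '-'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, method, url, referrer = line.split(maxsplit=4)
        entries.append({"when": f"{date} {time}", "method": method, "url": url,
                        "host": (urlsplit(url).hostname or "").lower(),
                        "referrer": None if referrer == "-" else referrer})
    return entries


def parent_domains(host):
    """Every parent of host below the TLD: a.b.example.com -> [b.example.com, example.com]."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def classify(entries, blocked):
    """(when, host, verdict) per request. 'gap' means a parent domain is listed
    but this exact host is not, so the hosts file would have let it through."""
    verdicts = []
    for e in entries:
        if e["host"] in blocked:
            verdict = "blocked"
        elif any(parent in blocked for parent in parent_domains(e["host"])):
            verdict = "gap"
        else:
            verdict = "ok"
        verdicts.append((e["when"], e["host"], verdict))
    return verdicts


def redirect_chain(entries, target_host):
    """URLs from the page that started it to the first request for target_host,
    following Referer values backwards (a missing referrer or a loop ends it)."""
    by_url = {e["url"]: e for e in entries}
    hit = next((e for e in entries if e["host"] == target_host), None)
    chain = []
    while hit is not None and hit["url"] not in chain:
        chain.append(hit["url"])
        hit = by_url.get(hit["referrer"]) if hit["referrer"] else None
    return list(reversed(chain))


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    entries = parse_log(SAMPLE_LOG)
    for when, host, verdict in classify(entries, blocked):
        print(f"{when}  {verdict:7}  {host}")
    print("chain:", " -> ".join(redirect_chain(entries, "www.pcturbopro.com")))
```

On the constructed log the ad server and the first rogue hop come back as blocked, while utils2.errorsafe.com comes back as a gap: errorsafe.com and several of its hosts are listed, but a hosts file has no wildcards, so any subdomain the list's maintainer has not seen yet goes straight through. That is the practical reason the restricted-zone and ad-network-level blocks discussed earlier in the thread are worth keeping alongside the hosts file, and why the redirect chain (landing page, ad server, rogue domain, installer) is the thing to pull out of a log rather than any single suspicious hostname.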
 Just Bob Premium join:2000-08-13 Spring Hill, FL | Wow!
BTW, Sandi has seen this thread. Keep an eye on her blog. »msmvps.com/blogs/spywaresucks/default.aspx |
|