Another WinFixer infiltration...this time on www.wfaa.com in Security

said by mysec

They affect the previous version of the OS. I wonder how quickly
MAC people patch|upgrade! [/BQUOTE :

MACs are inherently secure, and don't need to be patched or updated because they are impervious to exploits/viruses/hacking, aren't they? :D

LOL]]> http://www.dslreports.com/forum/remark,18564216 Mon, 25 Jun 2007 13:48:17 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18564149 sivran : WFAA's site serving up malware ads AGAIN? Excuse me while I go block their site entirely. The one single infection my network's experienced was through a bad ad on that site several months ago.
--
Think outside the fox...Seamonkey]]> http://www.dslreports.com/forum/remark,18564149 Mon, 25 Jun 2007 13:31:58 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18563051 Doctor Four : It happened again just now, but this time on
intellicast.com. I had loaded the 1km radar page
for DFW to see where the storms we're supposed to be
getting today were at when I got redirected to errorsafe.

Since I had put all the Winfixer domains in the restricted
sites, it couldn't do anything - and the page was blank.
(This was on my work machine, BTW.)

A previous visit to the same radar page had a flash ad
served by Zedo. I think you're on to something here with
the Winfixer-Zedo connection Just Bob

.

Edit: it is a Zedo ad on WFAA that is likely doing this -
I have them in the restricted sites zone as well - this
seemed to have prevented a redirect to any Winfixer sites.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated.]]> http://www.dslreports.com/forum/remark,18563051 Mon, 25 Jun 2007 10:03:34 EDT Re: Another ABC local to try http://www.dslreports.com/forum/remark,18560701 Doctor Four : Nothing that looks like it would be suspicious in my ad
filter's HTTP logs - only the normal tracking services.

The ones that I noticed were hitbox, adsonar, serving-sys,
tacoda and imrworldwide. All of which are in the hosts file.
The serving-sys one looked like it would generate the kind of
transparent popup ad superimposed over the main page that
I've seen sometimes on weather.com. -edit - those are called
eyeblaster ads.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated.]]> http://www.dslreports.com/forum/remark,18560701 Sun, 24 Jun 2007 19:22:06 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18559889 Just Bob : I took a look at the source and found zedo. That seemed to ring a bell, as they haven't always had a sterling reputation.

The old zedo:
»209.85.165.104/search?q=cache:u-···=3&gl=us

The new zedo:
»en.wikipedia.org/wiki/ZEDO

It seems they have grown up a bit and are now the third largest company in their market. As the first and second companies have been acquired, I would think they are trying very hard to clean up their image and would be very sensitive to any suggestion of impropriety.

Nonetheless, I was able to find what sounds like a similar problem on the travelpod web site. It's a long thread, but very informative. It seems zedo serves ads in rotation and when they have exhausted their supply, they serve google ads through the zedo servers. In this case it seems to have been a google ad that was hijacked.
»www.travelpod.com/forums/lofiver···403.html]]> http://www.dslreports.com/forum/remark,18559889 Sun, 24 Jun 2007 15:53:42 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18557304 norwegian : Not sure what is happening there, on the News 8 page, but it is shutting down the server of Hostsman.

Seems the ads are the same as the home page, and no issues with the server running for that.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/remark,18557304 Sat, 23 Jun 2007 23:00:15 EDT Another ABC local to try http://www.dslreports.com/forum/remark,18557163 amysheehan : Does this ABC o/o station's article about the caller ID spoofing cause you any problems???
»abclocal.go.com/ktrk/story?secti···=3953183

Please let me know.

NOTE: The AP article published on KTRK in Houston is dated 3/1/06 and is not readily available on many ABC o/o websites.
-amy-
:)
--
DSLR Phishtracker]]> http://www.dslreports.com/forum/remark,18557163 Sat, 23 Jun 2007 22:17:00 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18557125 Doctor Four : An update: I tried going to the Local News section tonight
with my hosts file temporarily disabled and my ad filter
turned off. (Risky, I know, but I knew what to do should a
redirect occur.)

I reloaded the Local News page about 4-5 times (just short
of the point at which the site prompts for membership), but
couldn't get even one redirect. If their IT was on the ball
about it, they would have taken action on the complaint I
sent them through their email system. Hopefully they have.

WinFixer is a variant of one of the most common trojan
infections, Vundo. According to Sandi Hardmeier, who first
found they had infiltrated AOL's and MSN Messenger's ad
networks, the company responsible is Valueclick. They
claimed to have dropped Winfixer as a client, yet Sandi
has found that flash ads from a Valueclick domain,
adfarm.mediaplex.com, are still redirecting web surfers
to Winfixer domains:

»msmvps.com/blogs/spywaresucks/ar···/05.aspx
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated.]]> http://www.dslreports.com/forum/remark,18557125 Sat, 23 Jun 2007 22:07:54 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18552619 Doctor Four : On the machines where I work at, IT hasn't gotten around to
upgrading to IE7 on.

As for the attempt, the furthest it got was a redirect from
the WFAA site to pcturbopro.com. I think it happened when
I clicked the back button from More News 8 Investigates page.

When I saw it pop up, I figured the easiest way to get rid
of it was to kill IE with the task manager.

I just tried it on another machine, one that doesn't have
a hosts file on it. It came up on the Local News page after
I reloaded it a couple of times. It was on Firefox on it, and
I got rid of the redirect by killing FF in the task manager.
Only this time it was Errorsafe. Not sure which ad is
triggering it, though.

Edit: I sent them an email through their online comment system
with links to SiteAdvisor pages on the WinFixer domains
that I encountered. Hopefully that will prevent a less
savvy user of the site who doesn't know what WinFixer is
or the domains associated with them avoid getting infected.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated.]]> http://www.dslreports.com/forum/remark,18552619 Fri, 22 Jun 2007 21:39:08 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18552441 mysec :

said by jansson_mark

:

How can you - or anyone else - get infected by simply visiting a website? You must be using unpatched old browsers.

Only days after Apple released Mac OS X 10.4.10, it has also released Security Update 2007-006.

»news.com.com/8301-10784_3-973384···1_3-0-20

quote:
Both vulnerabilities involve surfing the Internet.

They affect the previous version of the OS. I wonder how quickly
MAC people patch|upgrade!

]]> http://www.dslreports.com/forum/remark,18552441 Fri, 22 Jun 2007 20:57:01 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18551871 sectionsix : I looked around at hxxp://www.wfaa.com/localnews/investigates/ for a bit and didn't see anything, I used IE7 BTW. For security I'm running WinXP SP2 (all patches), NOD security suite beta, SandBoxIE, and IE-SPYAD. The only ugly thing I found at that site was the redirect "become a member" page.]]> http://www.dslreports.com/forum/remark,18551871 Fri, 22 Jun 2007 18:59:04 EDT Re: Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18551814 jansson_mark : How can you - or anyone else - get infected by simply visiting a website? You must be using unpatched old browsers. I tryed to infect my system with Winfixer...just for fun...but I failed. I would have had to download and run .exe file to get infected.
--
My computer security & privacy related homepage »www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.]]> http://www.dslreports.com/forum/remark,18551814 Fri, 22 Jun 2007 18:47:09 EDT Another WinFixer infiltration...this time on www.wfaa.com http://www.dslreports.com/forum/remark,18551684 Doctor Four : About an hour and a half ago I was on WFAA's (a local ABC
affiliate) website, www.wfaa.com, looking for a story on
the noon news about caller ID spoofing being used for
phishing (vishing in this case) purposes. I was in the News 8
Investigates section of the site when my IE window got
resized to the bottom right very small, and a prompt asking
if I wanted to install and run something called PcTurboPro
popped up.

Since this had all the hallmarks of a drive-by download
attempt at getting spyware on my workstation, and it had
only TrendMicro OfficeScan and no hosts file, I killed IE6
with the task manager. I then went to SiteAdvisor where I
found out I had prevented a WinFixer infection on it.

Something on a third party ad network wfaa.com was using,
or their own ad network, BeloInteractive, appears to have
been infiltrated by WinFixer. I'm not sure what it was,
and didn't see anything in my ad filter's logs here on
this machine that looked suspicious, but it's there all
right - it left behind a tracking cookie on my workstation.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated.]]> http://www.dslreports.com/forum/remark,18551684 Fri, 22 Jun 2007 18:16:09 EDT