Forums » Up and Running » Security » Security » foxnews.com infected?


ZInkDude

@optonline.net

reply to moonpuppy
Re: foxnews.com infected?

I got similar infection from DrudgeReport.com (on 2 different occasions); All IPs traced back to Ukraine.

Please note people - you may think you removed it, but really did not. Malwarebytes and others do not detect rootkits. You should run ROOTKITREVEALER. I thought I had cleaned this, and I had really not. There was a deep and nasty rootkit involved here. Only way to remove was to boot off a Windows CD, and delete hidden drivers. I would be willing to bet that half the people think they clean this stuff and it's not really clean.

karateckie

join:2009-04-27
Kansas City, MO

reply to Doctor Four
said by Doctor Four See Profile :

Although this sounds like a simple answer, it is really a case of throwing the baby out with the bathwater. And malvertisements aren't solely found on music streaming sites or those owned by Rupert Murdoch.

Any site that uses an advertiser which accepts an ad campaign on short notice without doing some investigation into the ad buyers can get hit by this; Google's Doubleclick ad network, one of the largest, got hit last year sometime.
I agree with you Doctor. I know of a few sites with similar issues lately (there was a recent article I found...from early April...about the same issue with Yahoo). It's interesting about the playlist.com thing. I use that site and will have to keep an eye on it. Anyway, we have a very large network where it would be a nightmare to migrate everyone to Firefox and train them to use no script. While I use the same setup at home and on my computers at work, it's not a viable solution in our environment.

However blocking ads is a great solution! Unfortunately, we are in the middle of working out how to block them (we used to block them through our web filtering provider..which has changed). The new web filtering provider can't/won't block ads. I suppose it's the nature of the provider, being a free service they advertise on their sites and thus don't want to provide ad blocking. Other options are hosts files (but maintaining them in a large network...ugh), not to mention sending requests to 127.0.0.1 takes a while to time out, and if put in a DNS server can seriously cripple it with many clients.

Anyway...the end result is for the time being, Fox News is blocked. We haven't seen issues from other sites at this point, and eventually it will be unblocked.

I think the real issue lies in the websites who allow advertising on their site. They need to take some responsibility in what they are displaying, whether it comes from their own servers or not. The end result is that Fox, Yahoo, Google and others are being poorly represented when someone browses to what they believe should be a solid, and trusted site, only to get a virus. Companies need to demand accountability from the ad providers that pay them to display ads.

In the meantime...to minimize risks we'll block any site that we have issues with, as well as research better alternative to blocking ads.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

reply to fatness
said by fatness See Profile :

At least 2 people did earlier in this thread:

»foxnews.com infected?
»Re: foxnews.com infected?

Like you said, memory is the first thing to go.
ahhh shaddup you old monkey.
--
You can chain my body to the earth, but still my spirit flies!

13,143 DEADLY TERROR ATTACKS SINCE 9/11


fatness
subtle
Janitor
join:2000-11-17
fishing
·EarthLink

reply to La Luna
At least 2 people did earlier in this thread:

»foxnews.com infected?
»Re: foxnews.com infected?

Like you said, memory is the first thing to go.
--
goodbye dad


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
reply to moonpuppy
So after all of this, is the site still infected? Did anyone let them know there was a problem?


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
·AT&T U-Verse

reply to karateckie
said by karateckie See Profile :

Just a note to add:
We've had several users at our company affected by this same issue. Before today there were 3, and now as of today there were 2 more. This prompted us to temporarily block foxnews.com. Though we know the issue is not limited to Fox nor is it directly the fault of foxnews.com, all of our virus issues in the last week and a half have come from browsing to this site. Hours spent solving virus problems + ease of blocking Fox = no more foxnews.com.
Something similar happened last week at our company, though not with foxnews.com. There was a malvertisement at playlist.com (a music streaming site, I believe), which infected or attempted to infect several users. As a result, streaming audio sites are banned until IT can find a way to block the malicious ads that are hijacking users.

Although this sounds like a simple answer, it is really a case of throwing the baby out with the bathwater. And malvertisements aren't solely found on music streaming sites or those owned by Rupert Murdoch.

Any site that uses an advertiser which accepts an ad campaign on short notice without doing some investigation into the ad buyers can get hit by this; Google's Doubleclick ad network, one of the largest, got hit last year sometime.

A better solution is using Firefox with a hosts file and NoScript. I do this on my home PC, and while I have encountered attempts at getting redirected by malvertisements, they have never succeeded due to that combination. The redirect usually ends up on a blank page.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Oleg
Bellsouth Fastaccess
Premium
join:2003-12-08
Birmingham, AL
 reply to moonpuppy
For those who got hit, does it affect Firefox with Adblock Plus or just IE?


riverking

@comcast.net

reply to moonpuppy
my mom recently played a video on fox news and soon after a virus installed itself onto our comp. my security center says it was from the ip 72.95.109.11 (Malaysia)... she was watching a vid about teens hijacking a car. i don't know the direct link but when i searched the ip from which the trojan came i found this forum...leave my IP alone you mean Malaysians!!!!!

karateckie

join:2009-04-27
Kansas City, MO

reply to moonpuppy
Just a note to add:
We've had several users at our company affected by this same issue. Before today there were 3, and now as of today there were 2 more. This prompted us to temporarily block foxnews.com. Though we know the issue is not limited to Fox nor is it directly the fault of foxnews.com, all of our virus issues in the last week and a half have come from browsing to this site. Hours spent solving virus problems + ease of blocking Fox = no more foxnews.com.

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


1 edit
reply to moonpuppy
Re: foxnews.com infected?

Interesting report on the norton.com forums, which has a link back to this thread. A poster stated that while on this foxnews.com page yesterday 04/24: »www.foxnews.com/story/0,2933,517738,00.html they then clicked the link to the full story at UK site of The Sun newspaper: http://www.thesun.co.uk/sol/homepage/news/article2389814.ece?OTC-RSS&ATTR=News (several of the same adservers as foxnews.com), and Norton immediately flagged a bloodhound.pdf.10 virus. This will be difficult to duplicate because it depends on the rotating ads, probably flash, and the user config.

Though not a direct foxnews.com vector, the interesting issue is that the attempt matches a pdf exploit that mysec See Profile documented in an earlier post.

I believe that this multiple opportunistic format, utilizing exploited ads on high traffic sites, will become an epidemic. Apparently it has not been established, or at least published, whether they are pushed by rogue advertisers within the system, or are from hacked exploited flash ads. There is no doubt that there are several ongoing campaigns to create massive botnets of infected machines. Though I posted the socks C&C for a global inventory of hijacked PCs "Socksps.ru", which was located on the call home IP of the pdf exploit that mysec See Profile posted, the second of the three domains located there "stopgam.cn" is labeled "BOT" and also has a login:




See: »www.google.com/search?q=trojan.a···ive&sa=2

Incidentally, just mentioning the mere existence of "Socksps.ru" and its purpose, is a violation of their stated Rules / TOS.




MGD


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

reply to fatness
said by fatness See Profile :

Oops. Thank you for catching that.
It's ok, I know the eyes aren't what they used to be.
--
1/20/09 The Beginning of the End

13,100 DEADLY TERROR ATTACKS SINCE 9/11


byrddog

@comcast.net

reply to moonpuppy
I am interested in removal, the infection runs pretty deep. I am sitting here in safe mode xp_sp3. I can delete the rundll references in regedit (hklm/sw/m/cv/run/), hit refresh and they appear again. To me that says one of the main windows components is infected. Could this lead to lsas being compromised?

Bill G

join:2008-11-10
Glenside, PA


1 edit
reply to moonpuppy
My parents' PC was infested by this. It actually caused it to crash. Thankfully I was able to recover all of their files using Ghost.

Nasty thing.

I did combofix as well as Malwarebytes but honestly, the thing just crashed when I tried to run Superantispyware which they always work magically for me. Not this time.

jadedkisses

join:2009-04-19
Austin, TX
reply to secured655
Thank you secured655! I appreciate your time.

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to Graycode
said by Graycode See Profile :

..Why no mention of adsonar.com ? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com

I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS.
Indeed, adsonar references are all over the fox pages.

adsonar lists Foxnews.com as one of the locations they have access to advertise on. adsonar aka quigo.com. Maybe the relationship is something other than a third party vendor.

MGD

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to La Luna
said by La Luna See Profile :

Whether it's been cleaned up today, I don't know.
I have been monitoring random pages on foxnews on and off since early on 04/21, and have not experienced any incidence of the malware. Not a testimonial that it is clean, though I have not seen any other reports of malware either during that time.

MGD


fatness
subtle
Janitor
join:2000-11-17
fishing
reply to La Luna
Oops. Thank you for catching that.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

reply to fatness
said by fatness See Profile :

....The article says Fox got rid of it.
quote:
............a brief analysis of the campaign which now appears to have been removed by FoxNews.
That article was posted on 4/15...I think we know from this thread that the problem was still going on even in the last day or two.

Whether it's been cleaned up today, I don't know.
--
1/20/09 The Beginning of the End

13,100 DEADLY TERROR ATTACKS SINCE 9/11
Saturday, 05-Dec 06:29:42 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.