 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to milvos Re: foxnews.com infected?
said by milvos :
.... I have been getting this up with the fake virus scan for a few days now. And want to know whether it is something on my computer or whether this is coming from sites I am visiting. When I leave my computer idle for a while it seems to come up.
Any help appreciated.
One rudimentary test is to disconnect the internet connection from the computer. Restart it, open your web browser and see if the popups still come up. You may not even have to open a web browser. If popups come up, or your browser attempts to connect to another website, then it is likely that malware is present on your computer.
MGD |
|
  La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY clubs:
·Optimum Online
·Vonage
| reply to moonpuppy It seems that CNN was affected with a malware issue just last summer:
»blog.mxlab.be/2008/08/04/cnn-dai···malware/
Apparently no one is immune when it comes from the outside rather than within (which has been foolishly implied here). -- 1/20/09 The Beginning of the End
13,079 DEADLY TERROR ATTACKS SINCE 9/11 |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to FiOS Dan said by FiOS Dan : said by Sentinel : ...I use a hosts file to block ads as well. Methinks that's the ticket.
That may be one of several reasons why some users were never exposed, nor triggered any other alerts. I spent some time checking the ad rotations and noticed that several of the domains showed up as blocked in several hosts files. As a first line of defense, that may have prevented many AV and script blockers from barking.
Foxnews.com offers a comprehensive list of advertiser options: »advertise.foxnews.com/creative-specs/ and also the following Approved Third Party Vendors:
Atlas Doubleclick Eyeblaster Eyewonder Klipmart Pointroll Unicast Zedo
Ref: »advertise.foxnews.com/creative-s···vendors/
I spent several hours reviewing the top banner ads; many are Flash, but not all. One issue that I noted is that there were several complaints of infection attempts while on blogs.foxnews.com, which appears to have fewer ads than the other pages.
For example, posters on "FOX News Blogs » Alisyn in the Greenroom" noted the following on 04/18
quote: Comment by Anita in VA April 18th, 2009 at 6:52 am Good morning fellow bloggers
I have a quick question: have any of you experienced, when first accessing the Greenroom Blog, a Windows Explorer popup window saying you need to run a virus scan on your computer?
I had it happen last Saturday, when on work travel, from my work computer, and then again this morning, from my home computer.
Comment by Jimmy April 18th, 2009 at 6:54 am yes Anita
..it's a shame
ran my program
no infections
.they bother you to try to get you to buy their program
.do not load the program
Comment by Anita in VA April 18th, 2009 at 6:59 am jimmy/all: yes, that was actually the FakeAlert Trojan
other bloggers: if you also got that popup, run a REAL virus scan of your computer, even if you X'd out of it. You're probably now infected with the FakeAvAlert Trojan
Alisyn/Foxnews Please scan your website pages, it was definitely a link/ad on your pages that produced the popup that infects with the FakeAVAlert Trojan.
Ref: »greenroom.blogs.foxnews.com/2009···ning-15/
I hope that Fox comes forward and informs the public of its findings. I believe it is important that the exploit vector is made public so that everyone can be aware of the methods that are used.
This epidemic has affected many high traffic sites, irrespective of the content. Cybercriminals are not selective. However, the compromising of such a high value target warrants some disclosure of the facts, in order to mitigate additional potential targets, and address issues with third party advertisers.
Fox's own stats list:
13.5 Million Unique users per month
615 Million Page views per month
That is a significant potential exposure. One can debate how many visitors come from fully patched updated systems, and are savvy enough to weave through the fake screens if exposed.
One interesting side note: while vetting the top banner ads last night, a non-Flash advertisement came up for E*TRADE. There was absolutely no nefarious activity associated with it. However, it was impossible to perform any vetting of the source. The properties of the ad appeared to link to a subdirectory of Lorentrio.com, which is hosted in Holland on a Leaseweb IP 94.75.216.152
The initial concern was the entire anonymity of the set up.
There are 10 domains hosted on IP 94.75.216.152:
01. Alitasis.com 02. Idatrinity.com 03. Junstring.com 04. Kemerlane.com 05. Lacoste-ads.com 06. Lorentrio.com 07. Mosdao.com 08. Namlean.com 09. Nokia-corp.com 10. Tornadomb.com
One would assume that "Nokia" could be a copyright issue. The eyebrow raiser is that all of these domains were registered within the last month or so. All appeared to be registered using ICANN Registrar:
DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
In addition, they were all registered using a cloaking service PrivacyProtect.org:
Such as:
quote: Registration Service Provided By: REGISTER SERVICES Contact: +001.8882106539
Domain Name: LORENTRIO.COM
Registrant: PrivacyProtect.org Domain Admin () P.O. Box 97 Note - All Postal Mails Rejected, visit Privacyprotect.org Moergestel null,5066 ZH NL Tel. +45.36946676
Creation Date: 29-Mar-2009 Expiration Date: 29-Mar-2010
Again, nothing appeared wrong with the ad; however, in most other circumstances the above criteria would be cause for concern. Though not necessarily unusual in these circumstances, all the domains contain a "deny all" robots.txt file. Who are these people??
As Cometcom1 noted to me, and I believe it was also mentioned in Dancho Danchev's blog, Google's safe browsing diagnostic of foxnews.com notes the site as not suspicious. It is somewhat ambiguous as they do note that:
quote: "Malicious software is hosted on 3 domain(s), including 2mdn.net/, s3.wordpress.com/, llnwd.net/."
If you check Google's analysis of one of the above three: s3.wordpress.com, it shows:
quote: Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including foxnews.com/.
I hope the focus can remain on the current stage of this epidemic and systemic organized cyber crime, and not on what the content of the infested high traffic website du-jour is. This problem will continue to invade the entire internet until concerted efforts are made to go after the money, and the commercial and financial systems that are utilized to support it.
MGD |
|
 mysec Premium join:2005-11-29
2 edits | said by Comment by Anita in VA :
April 18th, 2009 at 6:52 am Good morning fellow bloggers
I have a quick question: have any of you experienced, when first accessing the Greenroom Blog, a Windows Explorer popup window saying you need to run a virus scan on your computer?...
jimmy/all: yes, that was actually the FakeAlert Trojan
other bloggers: if you also got that popup, run a REAL virus scan of your computer,
even if you X'd out of it. You're probably now infected with the FakeAvAlert Trojan
This is just wrong since it's pretty much agreed that the user/victim has to click in the download box to get the trojan onto the system.
Am I interpreting her statement correctly? If so, how misleading and unnecessarily fear-provoking such a statement is for her readers.
This notion came up last year when new exploits of WinAntiVirus surfaced, and in a long thread, bcastner made it clear that this is not a drive-by download exploit.
Much has been written and commented on concerning the much feared drive-by download. From my viewpoint, these types of exploits are very easy to prevent when proper security is in place. Most of the time they need to bypass several security measures before achieving success.
By the way, the term "drive-by" limits the exploits to web sites. Notice that Microsoft uses the more comprehensive phrase, "Remote Code Execution:"
»www.microsoft.com/technet/securi···014.mspx
The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer »www.microsoft.com/technet/securi···009.mspx
The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file. In both cases, malicious code executes "remotely" - automatically.
PDF exploits in the wild fall into both categories:
•the one on the Fox News site is web-based
•others arrive by email where the user/victim decides to open the file.
The end result is the same: code in the PDF file calls out to a server hosting malware which is then downloaded to the user/victim's computer.
The Fox News PDF web-based exploit is a good example of remote code execution. In order for it to succeed, 4 requirements must be in place. I'll summarize from previous posts.
1) Scripting enabled. (Javascript, not Java).
If I disable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.
2) The PDF file must load into the browser. If the browser is configured to Prompt for a Download...

... the user is in the same position as with the WinAntiVirus exploit: to be victimized, the user must consent to download.
In both cases, the reaction should be: Hey, I didn't go looking for this. CANCEL. With the fake antivirus exploit, the suggestion is to close the browser process in Task Manager.
3) The 3rd requirement for the PDF exploit by remote code execution is that the Acrobat Reader must connect out to the internet to retrieve the malware. Outbound firewall monitoring will permit only those applications previously authorized by the user. The PDF Reader, of course, should not be given free access to the internet:

4) Finally, the trojan must be able to download/install without anything blocking it. The most secure protection for these types of exploits is some type of White Listing which blocks ALL unauthorized executable files that attempt to download/install:

File load.exe received on 04.17.2009 08:39:38 (CET) Sunbelt 3.2.1858.2 2009.04.17 InfoStealer.Snifula.a (v)
Other solutions include running in a non-Administrator account; configuring Software Restriction Policies.
If this malicious PDF arrived by email and the user opened it, note that proper security at steps 3) and 4) would block the exploit from succeeding.
I hope you can see why Remote Code Execution Exploits should be the easiest to prevent. Look at all of the hurdles necessary to jump before the exploit is successful.
While something certainly needs to be done about stopping the occurrence of exploits on web pages, nonetheless, for people with proper security protection and policies in place, they are an annoying nuisance rather than a threat.
---- rich |
|
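As an added example that is not part of rich's post or of any firewall product, here is the control at his step 3 expressed as detection logic: constructed outbound-connection log lines are replayed through a per-application allow list, and every program that was not pre-authorised (the PDF reader, or the dropped load.exe) is reported. The log format, the process names in the allow list and the addresses are constructed assumptions.

```python
import re
from collections import Counter

# Programs the user has deliberately authorised for outbound traffic.
# Deny-by-default: anything else that connects out is reported.
OUTBOUND_ALLOW = {"firefox.exe", "opera.exe", "iexplore.exe", "svchost.exe"}

# Constructed log format: "<date> <time> OUT <process> -> <ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT (?P<proc>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = rec["proc"].lower()   # Windows process names are case-insensitive
    rec["port"] = int(rec["port"])
    return rec

def audit(log_text, allow=OUTBOUND_ALLOW):
    """Replay log lines through the allow list.
    Returns (verdicts, offenders): one (ts, proc, dst, port, permitted)
    tuple per parsed line, and a Counter of unauthorised processes by
    number of connection attempts."""
    verdicts, offenders = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        permitted = rec["proc"] in allow
        verdicts.append((rec["ts"], rec["proc"], rec["dst"], rec["port"], permitted))
        if not permitted:
            offenders[rec["proc"]] += 1
    return verdicts, offenders

# Constructed log: the browser fetches a page, then the PDF reader and a
# dropped executable try to connect out. IPs are documentation ranges.
SAMPLE_LOG = """\
2009-04-21 10:02:11 OUT firefox.exe -> 203.0.113.10:80
2009-04-21 10:02:14 OUT firefox.exe -> 203.0.113.10:80
2009-04-21 10:02:19 OUT AcroRd32.exe -> 198.51.100.7:80
2009-04-21 10:02:20 OUT AcroRd32.exe -> 198.51.100.7:80
2009-04-21 10:02:25 OUT load.exe -> 198.51.100.7:443
"""

if __name__ == "__main__":
    verdicts, offenders = audit(SAMPLE_LOG)
    for ts, proc, dst, port, ok in verdicts:
        print(f"{ts} {proc:14} -> {dst}:{port:<4} {'allow' if ok else 'BLOCK'}")
    for proc, n in offenders.most_common():
        print(f"unauthorised outbound: {proc} ({n} attempt(s))")
```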
  planet
join:2001-11-05 Olmsted Falls, OH
·Cox HSI
| quote: 1) Scripting disabled. (Javascript, not Java).
If I enable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.
Wow, so in this case scripting is disabled. I thought javascript would be needed.
So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?
And, what if you are using the latest adobe reader, 9.1, is this exploit still possible? |
|
  Sentinel Premium join:2001-02-07 Florida
| I wonder if this could be another thing I am doing that blocks this behavior.
I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out. |
|
 mysec Premium join:2005-11-29
| reply to planet said by planet : quote: 1) Scripting disabled. (Javascript, not Java).
Wow, so in this case scripting is disabled. I thought javascript would be needed. Ooops - a booboo - that should be reversed, of course! Thanks for noticing that!
Javascript is required, and with it disabled, none of those exploits at Foxnews work.
Sorry for the confusion. I changed that in my post.
said by planet :So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct? That is correct.
said by planet :And, what if you are using the latest adobe reader, 9.1, is this exploit still possible? No, nor are any of the exploits against IE possible if patched.
The problem, of course, is that many exploits go unpatched for a while after they are released in the wild. The recent PDF exploit, if you remember: it was several weeks before a patch was released.
Patching, updating, are certainly preventative measures. Someone mentioned using a Hosts file. The important thing is that everyone understand what they are protecting against and ensure that their security setup provides appropriate preventative measures.
This is not always easy because often advisories about a new exploit don't give a lot of information, so you have to do some research.
said by Sentinel :I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out. This exploit works only against the PDF reader, so even if the PDF file loaded in the browser, nothing would happen without the Adobe Reader being installed.
You may remember the most recent PDF exploit used some type of image rendering engine in the Adobe Reader. Foxit also uses something similar and there was concern amongst Foxit readers that they might be vulnerable. Foxit support assured users on their forum that Foxit uses a different engine and was not susceptible to the current exploit.
---- rich |
|
 Graycode
join:2006-04-17
·net2phone
| reply to MGD Why no mention of adsonar.com ? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com
I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS. |
|
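MGD's observation that several advertiser domains were already blocked in hosts files, and Graycode's adsonar.com entry, both rest on the same mechanism. As an added example (not from the thread, MVPS or HP_HOSTS), this parses a hosts file the way the resolver does and reports which ad hostnames it actually sinkholes; the hosts entries and the domain list are constructed, and the check shows the edge case that a hosts entry never matches subdomains.

```python
import ipaddress

# Addresses commonly used by blocking hosts files to sinkhole a name.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and must not count as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, keeping the first
    mapping for a name as the resolver does. Comments (#) are stripped and
    one line may map several names to one address."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for name in parts[1:]:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping

def is_blocked(hostname, mapping):
    """True if this exact hostname is sinkholed. Hosts files do not
    wildcard: an entry for adsonar.com does NOT cover js.adsonar.com, so
    every subdomain a page actually loads needs its own entry."""
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    return mapping.get(name) in SINKHOLE_ADDRS

def coverage_report(hostnames, mapping):
    """Map each hostname to whether the hosts file blocks it."""
    return {h: is_blocked(h, mapping) for h in hostnames}

# Constructed sample in MVPS/HP_HOSTS style; not a real blocklist.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.adsonar.com js.adsonar.com   # adsonar script and ad hosts
0.0.0.0 ad.doubleclick.net
0.0.0.0 example-ad-server.invalid        # placeholder entry
"""

# Constructed list of hosts seen loading in a page's ad rotation.
SAMPLE_DOMAINS = ["js.adsonar.com", "ads.adsonar.com", "adsonar.com",
                  "ad.doubleclick.net", "2mdn.net"]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_DOMAINS, parse_hosts(SAMPLE_HOSTS))
    for host, blocked in report.items():
        print(f"{host:22} {'blocked' if blocked else 'NOT blocked'}")
```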
  Worried123
@pacbell.net | reply to moonpuppy When running Vista with UAC off and IE sandbox off, can surfing foxnews infect the system directly, with no clicks on the banner window? I am patched up to a month ago. With Firefox? |
|
 tdrake2175ds
join:2009-03-01 Alpharetta, GA | reply to moonpuppy There was a story on ZDNet about Fox News being hit by malvertising ads:
»updates.zdnet.com/tags/malvertising.html |
|
  fatness subtle Janitor join:2000-11-17 fishing
·EarthLink
| reply to tdrake2175ds Re: foxnews.com infected?
Thanks for posting that. Here's the direct link to the story: »blogs.zdnet.com/security/?p=3140 Apparently it was reported on other sites as well as this one.
»whiskeyfire.typepad.com/whiskey_···ite.html »www.wilderssecurity.com/showthre···=1444510
The article says Fox got rid of it. quote: ............a brief analysis of the campaign which now appears to have been removed by FoxNews.
-- goodbye dad |
|
 jadedkisses
join:2009-04-19 Austin, TX
2 edits | reply to moonpuppy I am a novice and would like to ask some questions if I may. I was on Foxnews and had the popup appear days ago. I didn't click on anything. I was just reading the front page (Foxnews.com)
1. Do they call it scareware because it just scares you and nothing can happen?
2. I posted my hijack log in Security Cleanup and I had some trojans? in Java. Would this have come from that popup on Fox? Or I picked it up somewhere else? [My Java was not up to date]
3. I've read this whole thread, those links (and the ZDNet one) and it's all gibberish to me. I know that article states fox got rid of the virus (or whatever it's called) but have you brave folks checked it out yourselves? I would like to go there but want to be sure it's gone.
Thanks so much for your time. |
|
  acid343211 Hallo lisa Aus Amerika Premium join:2001-08-31 Byron, GA
| reply to fatness said by fatness :The article says Fox got rid of it. quote: ............a brief analysis of the campaign which now appears to have been removed by FoxNews.
Fatness, I think people still need to be careful of that site; I won't trust it. -- Visit- www.liveleak.com/view?i=e32_1231680425 |
|
  secured655
@rr.com
| reply to moonpuppy jadedkisses, I'm no expert, but I'll try to answer your questions.
1. It's called scareware because the infection scheme is to trick the unwary user into enabling the malware to get into his/her machine by scaring them with a message that appears legit. It informs them of bogus problems found on their computer. Click 'here' to fix this problem. That click leads to a successful infection of the computer. What can happen varies, from a simple browser homepage hijack to worse. Usually the scheme wants the user to buy some bogus security software, which is usually malware as well.
2. Hard to say where your trojans came from. One helpful tool for updating all of your SW is Secunia PSI, available here: »secunia.com/vulnerability_scanning/personal/ Java seems to be a special case where updating to the current version will not remove older vulnerable version(s). They need to be removed via Add/Remove Programs.
3. Real experts have posted on this thread and given me sufficient reason to block foxnews.com in avast. Until a consensus (here) shows the site to be clean, the block remains (FWIW, this is a personal choice, others should do as they are comfortable with). Based on reports it seems that major news sites (CNN etc) seem to be experiencing these problems more frequently, so apply caution when visiting these sites. A little OT, but I hope helpful. |
|
  La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY clubs:
·Optimum Online
·Vonage
| reply to fatness Re: foxnews.com infected?
said by fatness :....The article says Fox got rid of it. quote: ............a brief analysis of the campaign which now appears to have been removed by FoxNews.
That article was posted on 4/15...I think we know from this thread that the problem was still going on even in the last day or two.
Whether it's been cleaned up today, I don't know. -- 1/20/09 The Beginning of the End
13,100 DEADLY TERROR ATTACKS SINCE 9/11 |
|
  fatness subtle Janitor join:2000-11-17 fishing | Oops. Thank you for catching that. |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to La Luna said by La Luna :Whether it's been cleaned up today, I don't know. I have been monitoring random pages on foxnews on and off since early on 04/21, and have not experienced any incidence of the malware. Not a testimonial that it is clean, though I have not seen any other reports of malware either during that time.
MGD |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to Graycode said by Graycode : ..Why no mention of adsonar.com? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS.
Indeed, adsonar references are all over the fox pages.
adsonar lists Foxnews.com as one of the locations they have access to advertise on. adsonar, aka quigo.com. Maybe the relationship is something other than a third party vendor.
MGD |
|