kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
reply to moonpuppy

Re: foxnews.com infected?

I built a VM with XP SP2 and no patches, and surfed FoxNews in it, and it didn't take long to pick up the Vundo.

I got it when I hit the "scitech" link. But since the ads are rotated, it's luck of the draw.

But now my VM is running a "virus scan" that shows infections of all sorts... tee hee hee..

Next challenge, remove this sucker!
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.


Cant Tell You

@204.211.193.x
reply to kpatz


said by kpatz:

Next challenge, remove this sucker!
Start with ComboFix and follow with SuperAntiSpyware. Gets it every time. I see this daily on machines that come into my shop.

The guys doing this are great. It's a shame their talents are put to use this way.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

1 edit
reply to moonpuppy

This one didn't sink its hooks in very deep... I just killed the pav.exe process, deleted the file and the shortcut, removed the run entry from the registry and it's gone. Maybe if I let it lurk for a while it would download more of the hard-to-remove crap. Or maybe this is one of the "easy-to-remove" variants.

EDIT: Had to remove a BHO that was intercepting IE as well.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.



Cant Tell You

@204.211.193.x

Five minutes is all it usually takes and you're done. If you can catch it in the first couple of minutes then you can beat it. But, how many users have any clue on how to do that? Most of my customers tell me they finally brought it in when they just couldn't deal with it any longer. Some last a couple of days! I don't know how they do it. It blows my mind when I can't get the annoying IE or Firefox popup to go away in the initial attempt at getting you to click to download. I always try to kill it without killing the process. I refuse to give in to it.


kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

1 edit

I re-infected my VM and will leave it on there a bit longer before attempting removal. I love challenges!

When I right-click the tray icon, it says "Open User Inteface". Malware makers never proofread their work...


moonpuppy

join:2000-08-21
Glen Burnie, MD
reply to kpatz

said by kpatz:

This one didn't sink its hooks in very deep... I just killed the pav.exe process, deleted the file and the shortcut, removed the run entry from the registry and it's gone. Maybe if I let it lurk for a while it would download more of the hard-to-remove crap. Or maybe this is one of the "easy-to-remove" variants.

EDIT: Had to remove a BHO that was intercepting IE as well.
I shut down my system as soon as I realized what was going on. This laptop has no AV but it is fully patched.

Glad I am not going crazy.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
reply to moonpuppy

I was playing around in the VM, emailing a friend of mine, and noting the crazy "warnings" that my cool new anti-virus has been warning me of.

Here's a couple:

quote:
Internet Explorers addon Shockwave Flash vs.3 found to be linking to the FormSpy website hosted at IP address 81.95.109.11 and installing FOrmSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers. VBS/Psyme can be deleted proactively in Internet Explorer (IE). This is a detection for a malware that was discovered in the wild on July 24, 2009 (PST). Its installer was proactively detected as New Malware.ag (now Downloader-AXM). This addon tries to send your private information to attackers IP 72.95.109.11 (Malaysia)
So, they detect malware that won't be discovered for another 3+ months.
quote:
"Windows Meta File Vulnerability - Vulnerability"
"The vulnerability itself is regarded as extremely critical (the highest possible rating). As yet, there is no patch for this vulnerability. Exploit this vulnerability are Trojan-Downloaders, which install other Trojan programs on the victim machine. At the moment, Trojan programs are being downloaded from unionseek.com and iframeurl.biz. New modifications of these programs may appear".
I'll leave the VM running overnight and then see if it's harder to remove tomorrow.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.


shopboss

@axeontech.com
reply to moonpuppy

Yeah, definitely infected. It's tried to hit me on two different PCs - just going to foxnews.com with IE7. No wonder we get so many cleanup jobs in our shop - a lot of wasted talent there.


kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
reply to moonpuppy

Well, on the second infection, removal was even simpler than the first time. I just killed the process and ran Hijack This, and found that it didn't reinstall the BHO or even the Run entry in the registry. Perhaps there were traces left behind that fooled the installer.

I'll have to revert to a pre-infection snapshot and try again.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.



Go Tarheels
Premium
join:2006-01-05
Nashville, NC
kudos:1
reply to moonpuppy

Yep, I was prompted to download the AntiVir 2009 software which came while surfing Foxnews. I figured it was from one of the many ads.

On a side note, they really need someone to clean up that site. I feel like I am in 1999 when surfing that site. Old style pop-ups and banners everywhere...



Sentinel
Premium
join:2001-02-07
Florida
kudos:1
reply to moonpuppy

I have no problems ... but I do block all ads using a hosts file and I block all third party images using the Firefox block images setting. Doing that I have no problems on that site and I go there dozens of times a day.

Has anyone tried to notify the site admins about this? I am curious what their reply is. I'm guessing they have no idea what third party ad servers are dishing out in their name.

I got a virus on QVC.com once in an image.



Jaded

@sbcglobal.net
reply to moonpuppy

I got a popup (something trying to run) yesterday just by viewing the page at foxnews.com. Now again today.
Crap.


MGD
Premium,MVM
join:2002-07-31
kudos:9

2 recommendations

reply to moonpuppy

It must be several ads in rotation. About an hour ago while on this Foxnews.com page: »www.foxnews.com/story/0,2933,516877,00.html

This fake Anti Virus infection came up:




running from this link: http://onlineproantispywarescannerv2.com/1/?id=2006-60&back=%3DzQ32TT5OQMNMI%3DM

Surprised that there are no search hits returned for the onlineproantispywarescannerv2.com domain, since it was registered back on 03/13.

The assigned name servers at the time of registration were NS1.S-HOSTING.BIZ & NS2.S-HOSTING.BIZ in the Ukraine. However, when it went into infection action, the NS was changed as follows:
-------------------------------------------
Authority records:

name class type data time to live:

onlineproantispywarescannerv2.com IN NS ns1.greatwallsupport.com 600s (10m)
onlineproantispywarescannerv2.com IN NS ns2.greatwallsupport.com 600s (10m)
onlineproantispywarescannerv2.com IN NS ns3.greatwallsupport.com 600s (10m)

Additional records
name class type data time to live
ns1.greatwallsupport.com IN A 85.17.254.136 600s (10m)
ns2.greatwallsupport.com IN A 203.174.83.75 600s (10m)
ns3.greatwallsupport.com IN A 115.126.5.10 600s (10m)
-------------------------------------------

Querying each of the name servers in order produced the following hosted IPs:

-------------------------------------------
ns1.greatwallsupport.com:

onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)
onlineproantispywarescannerv2.com IN A 94.247.3.40 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
onlineproantispywarescannerv2.com IN A 92.62.98.20 600s (10m)

ns2.greatwallsupport.com:

onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)

ns3.greatwallsupport.com:

onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
-------------------------------------------

MGD
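The three per-server answers MGD pasted above can be checked mechanically rather than by eye. The following Python script is an added example, not code from the post or from any tool named in it; it parses that nslookup-style text (embedded below as sample input, copied from the post), lists the hosting IPs each authoritative server hands out, shows where the servers disagree, and flags the 600-second TTL as a sign of deliberately fast rotation. The 3600-second TTL threshold and the function names are my own choices.

```python
"""Cross-check the authoritative name servers of a suspect domain.

Added example, not part of the dslreports post. It parses the per-server
nslookup-style answers quoted in the post and reports which hosting IPs each
authoritative server returns, where the servers disagree, and whether the
TTLs are short enough to suggest deliberately fast rotation.
"""
import re
from collections import defaultdict

# Sample input: the per-nameserver answers quoted in the post above.
NSLOOKUP_OUTPUT = """
ns1.greatwallsupport.com:

onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)
onlineproantispywarescannerv2.com IN A 94.247.3.40 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
onlineproantispywarescannerv2.com IN A 92.62.98.20 600s (10m)

ns2.greatwallsupport.com:

onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)

ns3.greatwallsupport.com:

onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
"""

# A server header looks like "ns1.greatwallsupport.com:"; a record line looks
# like "<name> IN <type> <data> <ttl>s (...)".
SERVER_RE = re.compile(r"^(\S+):\s*$")
RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(A|AAAA|NS|CNAME)\s+(\S+)\s+(\d+)s")


def parse_answers(text):
    """Return {nameserver: [(name, rtype, data, ttl_seconds), ...]}."""
    answers = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RECORD_RE.match(line)
        if m and current:
            name, rtype, data, ttl = m.groups()
            answers[current].append((name, rtype, data, int(ttl)))
    return dict(answers)


def a_records_by_server(answers):
    """Set of A-record IPs handed out by each server."""
    return {srv: {data for _, rtype, data, _ in recs if rtype == "A"}
            for srv, recs in answers.items()}


def cross_check(answers, short_ttl=3600):
    """Summarise the hosting pool and the inconsistencies between servers.

    short_ttl (seconds) is an assumed threshold: anything below it is
    flagged as suspiciously short-lived for a supposedly static site.
    """
    per_server = a_records_by_server(answers)
    union = set().union(*per_server.values()) if per_server else set()
    common = set.intersection(*per_server.values()) if per_server else set()
    min_ttl = min((ttl for recs in answers.values() for *_, ttl in recs),
                  default=None)
    return {
        "all_ips": sorted(union),
        "ips_on_every_server": sorted(common),
        "server_specific": {srv: sorted(ips - common)
                            for srv, ips in per_server.items() if ips - common},
        "min_ttl": min_ttl,
        "short_ttl": min_ttl is not None and min_ttl < short_ttl,
    }


if __name__ == "__main__":
    report = cross_check(parse_answers(NSLOOKUP_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The union of the three answers is the full hosting pool worth blocking or searching proxy logs for; the IPs that only ns1 returned show that the servers were not in sync, which is itself a useful indicator when the same check is run against a domain you have no other history on.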


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
kudos:9
reply to moonpuppy

I just checked the same page as you, MGD, and saw an I-frame attempt that Symantec Corp intercepted. Closed the page and tried to get it to do it again for a screenshot but it would not reproduce.

Friday 1:05AM pacific
-amy-

--
Proud Member of ASAP
DSLR Phishtracker


moonpuppy

join:2000-08-21
Glen Burnie, MD
reply to MGD

That's what I saw MGD. That's the culprit.


MGD
Premium,MVM
join:2002-07-31
kudos:9

said by moonpuppy:

That's what I saw MGD. That's the culprit.
Google has now picked up another post from last night of a user browsing foxnews.com

quote:
Disturbing spyware activity on Mac with 3.0.8 upgrade

Firefox version: 3.0.8 Operating system: OSX

While browsing on the web, an alert popped up claiming I had an infection and asked if I wanted the "PC" scanned and cleaned. I tried to close the alert but the screen started showing something purporting to be a scanning operation so I shut Firefox down. I restarted Firefox and a screen saying I had now been upgraded to 3.0.8 came up followed by a restart of the "scanning" activity. I shut down the Mac and checked my Google web history using another PC. Google history shows me visiting foxnews.com and then onlineproantispywarescannerv2.com. I have no idea how I could have gotten to that URL. A whois check shows that that URL is not even registered. I've been unsuccessful google searching for anything associated with this "url". Any ideas???

Added emphasis
Ref:»support.mozilla.com/tiki-view_fo···orumId=1

Though I saved that foxnews page sourcecode shortly afterwards, it is impossible to tell which of the various adservers were responsible for hoarding this attack script. Someone needs to clean up their act though, as this is apparently a persistent vector with a large potential for exposure.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to moonpuppy

This appears to be a "stealth" infection operation. A few hours ago the authoritative NS for onlineproantispywarescannerv2.com, ns1, 2, & 3.greatwallsupport.com, began denying all knowledge of its existence:

NsLookup
----------------------------------
domain: onlineproantispywarescannerv2.com

server: ns1.greatwallsupport.com [85.17.254.136] returned a non-authoritative response in 125 ms:

Query refused
----------------------------------

Within the past few minutes:

NsLookup
----------------------------------
onlineproantispywarescannerv2.com

server: ns1.greatwallsupport.com

Address lookup for ns1.greatwallsupport.com failed: Host not found
----------------------------------

I suspect that they are rotating in malicious ads with a pool of various domains hosting the infections. Each malware advertisement is only active for several hours to minimize exposure. Matching DNS services are set active during the exposure period, and are then withdrawn in a coordinated attempt to hide the trail.

While the infection vector was active on foxnews.com

The authoritative NS for onlineproantispywarescannerv2.com was

ns1.greatwallsupport.com at IP 85.17.254.136

ns2.greatwallsupport.com at IP 203.174.83.75

ns3.greatwallsupport.com at IP 115.126.5.10

During that active period the greatwallsupport.com name servers were directing requests for onlineproantispywarescannerv2.com to the following IPs:

78.47.91.153 static.153.91.47.78.clients.your-server.de

[Prior history includes hosting: fullantispywareproscan.com/ "loader" &
securedradiostation.cn/soft.php "iframe" and more]

78.47.172.66 static.66.172.47.78.clients.your-server.de

[A sampling of prior history includes hosting: antivirus360-protection.com, securedantivirusonlinescanner.com, securedliveuploads.com, softwarforgoodusers.cn, trustedpaymentsystem.com, and more]

92.62.98.20 ns1.tallinnblog.org

[No priors, according to domaintools.com these domains are hosted there:
1. Blogcash.org
2. Help-now.org
3. Paul-schoenle.com
4. Tallinnblog.org ]

94.76.213.227 94-76-213-227.static.as29550.net

[Nefarious history of hosting similar malware according to Dancho Danchev's Blog and more]

94.247.3.40 hs.3-40.zlkon.lv

[Extensive prior history of similar Anti Virus malware hosting]

Though onlineproantispywarescannerv2.com and greatwallsupport.com were projected as being hosted at various places around the globe, and only while the infection was being actively pushed, the cyber birthplace of both criminal domains is in the Ukraine at S-HOSTING.BIZ on:

IP 194.54.83.78 [reverse DNS - server.s-hosting.biz]



Domain Name: S-HOSTING.BIZ
Domain ID: D17077428-BIZ
Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Domain Status: ok
Registrant ID: DI_5578081
Registrant Name: Nikolay Tabakov
Registrant Organization: Stephani hosting
Registrant Address1: Topolevaya str. 17, app.6
Registrant City: Odessa
Registrant State/Province: Odessa Oblast
Registrant Postal Code: 65009
Registrant Country: Ukraine
Registrant Country Code: UA
Registrant Phone Number: +380.487198431
Registrant Facsimile Number: +380.964635373
Registrant Email: admin@stephani.od.ua
Administrative Contact ID: DI_5578081
Administrative Contact Name: Nikolay Tabakov
Administrative Contact Organization: Stephani hosting
Administrative Contact Address1: Topolevaya str. 17, app.6
Administrative Contact City: Odessa
Administrative Contact State/Province: Odessa Oblast
Administrative Contact Postal Code: 65009
Administrative Contact Country: Ukraine
Administrative Contact Country Code: UA
Administrative Contact Phone Number: +380.487198431
Administrative Contact Facsimile Number: +380.964635373
Administrative Contact Email: admin@stephani.od.ua
Billing Contact ID: DI_5578081
Billing Contact Name: Nikolay Tabakov
Billing Contact Organization: Stephani hosting
Billing Contact Address1: Topolevaya str. 17, app.6
Billing Contact City: Odessa
Billing Contact State/Province: Odessa Oblast
Billing Contact Postal Code: 65009
Billing Contact Country: Ukraine
Billing Contact Country Code: UA
Billing Contact Phone Number: +380.487198431
Billing Contact Facsimile Number: +380.964635373
Billing Contact Email: admin@stephani.od.ua
Technical Contact ID: DI_5578081
Technical Contact Name: Nikolay Tabakov
Technical Contact Organization: Stephani hosting
Technical Contact Address1: Topolevaya str. 17, app.6
Technical Contact City: Odessa
Technical Contact State/Province: Odessa Oblast
Technical Contact Postal Code: 65009
Technical Contact Country: Ukraine
Technical Contact Country Code: UA
Technical Contact Phone Number: +380.487198431
Technical Contact Facsimile Number: +380.964635373
Technical Contact Email: admin@stephani.od.ua
Name Server: NS1.S-HOSTING.BIZ
Name Server: NS2.S-HOSTING.BIZ
Created by Registrar: ESTDOMAINS INC
Last Updated by Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM
Last Transferred Date: Mon Dec 01 13:54:54 GMT 2008
Domain Registration Date: Wed Mar 28 15:23:46 GMT 2007
Domain Expiration Date: Sat Mar 27 23:59:59 GMT 2010
Domain Last Updated Date: Fri Mar 20 23:52:33 GMT 2009

.
Questions
name class type
greatwallsupport.com IN ANY

Answer records
name class type data time to live
greatwallsupport.com IN NS ns1.s-hosting.biz 826s
greatwallsupport.com IN NS ns2.s-hosting.biz 826s
.
194.54.83.78 [reverse DNS - server.s-hosting.biz]
.

IP Information for 194.54.83.78
IP Location: Ukraine Realon Service Llc
Resolve Host: server.s-hosting.biz
IP Address: 194.54.83.78
Reverse IP: 242 other sites hosted on this server.
Blacklist Status: Clear
.
Whois Record
inetnum: 194.54.80.0 - 194.54.83.255
netname: REALON-UA
descr: Realon Service LLC
remarks: www.server.ua
country: UA
org: ORG-BEAR1-RIPE
admin-c: PRO-RIPE
tech-c: PRO-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: SERVER-MNT
mnt-routes: SERVER-MNT
mnt-domains: SERVER-MNT
source: RIPE # Filtered
.
organisation: ORG-BEAR1-RIPE
org-name: Realon Service LLC
org-type: OTHER
address: 54001, PBOX 297, Mykolayiv - 001
address: UA, Mykolayiv, Mykolaiv Oblast
e-mail:
mnt-ref: SERVER-MNT
mnt-by: SERVER-MNT
source: RIPE # Filtered
.
person: Alexey Provorny
address: 54001, PBOX 297, Mykolayiv - 001
address: Mykolayiv, Ukraine
phone: +380 512 71-18-36
phone: +380 44 360-00-44
fax-no: +380 512 71-18-36
nic-hdl: PRO-RIPE
mnt-by: RX-MNT
source: RIPE # Filtered
.
route: 194.54.80.0/22
descr: SERVER UA UKRAINE DEDICATED SERVICE
origin: AS41671
mnt-by: BEARNET-MNT
mnt-by: SERVER-MNT
source: RIPE # Filtered

.

ns1.greatwallsupport.com IP 85.17.254.136 [no reverse DNS set]

----------------------------------
IP Information for 85.17.254.136
IP Location: Netherlands Amsterdam Leaseweb
IP Address: 85.17.254.136
Blacklist Status: Clear

Whois Record
inetnum: 85.17.0.0 - 85.17.255.255
org: ORG-OB3-RIPE
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
netname: NL-LEASEWEB-20050311
descr: LeaseWeb B.V.
country: NL
status: ALLOCATED PA
remarks: Please send email to for complaints
remarks: regarding portscans, DoS attacks and spam.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: LEASEWEB-MNT
mnt-routes: LEASEWEB-MNT
source: RIPE # Filtered

organisation: ORG-OB3-RIPE
org-name: LeaseWeb B.V.
org-type: LIR
address: Ocom B.V.
P.O. Box 93054
1090 BB Amsterdam
Netherlands
phone: +31 30 2369745
fax-no: +31 20 4889458
admin-c: SPW1-RIPE
admin-c: gj907-ripe
admin-c: LSW1-RIPE
mnt-ref: OCOM-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: RIP Mean
address: P.O. Box 93054
address: 1090BB AMSTERDAM
address: Netherlands
phone: +31 20 3162880
fax-no: +31 20 3162890
abuse-mailbox:
nic-hdl: LSW1-RIPE
mnt-by: OCOM-MNT
source: RIPE # Filtered

route: 85.17.0.0/16
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
source: RIPE # Filtered
----------------------------------

ns2.greatwallsupport.com IP 203.174.83.75 [reverse DNS - 203-174-83-75.rev.ne.com.sg]

----------------------------------
IP Information for 203.174.83.75
IP Location: Singapore Singapore Newmedia Express Pte Ltd Singapore Web Hosting Provider
Resolve Host: 203-174-83-75.rev.ne.com.sg
IP Address: 203.174.83.75
SSL Cert: 2001-10-20 SSL Certificate has expired.
Blacklist Status: Clear

Whois Record
inetnum: 203.174.80.0 - 203.174.87.255
netname: NEWMEDIAEXPRESS-AP
descr: NewMedia Express Pte Ltd, Singapore Web Hosting Provider
descr: Singapore
country: SG
admin-c: SW640-AP
tech-c: SW640-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-SG-NEWMEDIAEXPRESS
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: 20060426
source: APNIC

person: Shian Loong Woo
nic-hdl: SW640-AP
e-mail:
address: 20 Ayer Rajah Crescent
address: #08-12
address: Singapore 139964
phone: +65 68730128
fax-no: +65 68730129
country: SG
changed: 20060401
mnt-by: MAINT-SG-NEWMEDIAEXPRESS
source: APNIC
----------------------------------

ns3.greatwallsupport.com IP 115.126.5.10 [no reverse DNS set]

----------------------------------
IP Information for 115.126.5.10
IP Location: Hong Kong Hong Kong Hkntcm-291-091pvt
IP Address: 115.126.5.10
Blacklist Status: Clear

Whois Record
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 115.0.0.0 - 115.255.255.255
CIDR: 115.0.0.0/8
NetName: APNIC-115
NetHandle: NET-115-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2007-10-29
Updated: 2007-11-12

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail:

== Additional Information From whois://whois.apnic.net ==

inetnum: 115.126.5.0 - 115.126.5.255
netname: HKNTCM-291-091PVT
country: HK
descr: hknetcom.biz
admin-c: BA144-AP
tech-c: BA144-AP
status: ALLOCATED NON-PORTABLE
changed: 20081224
mnt-by: MAINT-HK-FNCL
source: APNIC

route: 115.126.0.0/17
descr: Forewin Telecom Group Limited, ISP at HK
origin: AS38186
mnt-by: MAINT-HK-FTG
changed: hostmaster@hkt.cc 20090306
source: APNIC

person: Shian Loong Woo
nic-hdl: BA144-AP
e-mail:
address: No. 400 Post Office Tuen Mun N
address: Hong Kong
phone: +852-3597-9799
country: HK
changed: 20081224
mnt-by: MAINT-HK-FNCL
source: APNIC
----------------------------------

A copy of the page source code of http://www.foxnews.com/story/0,2933,516877,00.html, from where the malware popup originated, was taken within a few minutes of the event:

downloadFoxnewsSourc···code.txt 71158 bytes


However, it is inconclusive if any of the embedded links were responsible.

MGD
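MGD's "stealth" observation (answers during the exposure window, then "Query refused", then the name server itself no longer resolving) is the kind of short-lived pattern a defender can score from periodic lookups of a domain seen in proxy logs. The script below is an added example, not from the post or from any tool it mentions. The observation log is constructed from the sequence of events MGD describes, with illustrative timestamps that are not from the post; the 24-hour "transient" threshold and the function names are assumptions. Given such a log it reports how long the domain was live, whether it was withdrawn, and the IPs and name servers worth searching logs for.

```python
"""Flag short-lived 'appear then vanish' DNS infrastructure.

Added example, not part of the dslreports post. A monitoring job that
re-queries the authoritative servers of a suspect domain every hour or so
produces a log like OBSERVATIONS; assess() turns it into a verdict.
"""
from datetime import datetime, timedelta

# Constructed observation log; timestamps are illustrative, not from the post.
# Each entry: (time, nameserver queried, status, A-record answers).
# status is one of "ok", "refused" (server answered 'Query refused') or
# "ns_unresolvable" (the name server's own hostname no longer resolves).
OBSERVATIONS = [
    (datetime(2009, 4, 3, 22, 0), "ns1.greatwallsupport.com", "ok",
     ["78.47.91.153", "94.76.213.227", "94.247.3.40",
      "78.47.172.66", "92.62.98.20"]),
    (datetime(2009, 4, 3, 22, 0), "ns2.greatwallsupport.com", "ok",
     ["78.47.172.66", "78.47.91.153", "94.76.213.227"]),
    (datetime(2009, 4, 4, 3, 0), "ns1.greatwallsupport.com", "refused", []),
    (datetime(2009, 4, 4, 6, 0), "ns1.greatwallsupport.com",
     "ns_unresolvable", []),
]


def live_window(observations):
    """Return (first_ok, last_ok, first_failure_after_last_ok) or None.

    The third element is None when the domain was still resolving at the
    last observation, i.e. it has not (yet) been withdrawn.
    """
    ok_times = [t for t, _, status, _ in observations if status == "ok"]
    if not ok_times:
        return None
    first_ok, last_ok = min(ok_times), max(ok_times)
    failures = [t for t, _, status, _ in observations
                if status != "ok" and t > last_ok]
    return first_ok, last_ok, (min(failures) if failures else None)


def assess(observations, max_live=timedelta(hours=24)):
    """Score the domain's DNS lifetime.

    max_live is an assumed threshold: a domain that resolved and was then
    withdrawn within this span is marked 'transient', which matches the
    several-hours exposure window described in the post.
    """
    window = live_window(observations)
    if window is None:
        return {"ever_resolved": False}
    first_ok, last_ok, first_fail = window
    withdrawn = first_fail is not None
    # Upper bound on how long the domain was live: until the first failure
    # if it was withdrawn, otherwise until the last successful lookup.
    lifetime = (first_fail if withdrawn else last_ok) - first_ok
    ips = sorted({ip for _, _, status, answer in observations
                  if status == "ok" for ip in answer})
    nameservers = sorted({ns for _, ns, _, _ in observations})
    final_status = sorted(observations, key=lambda o: o[0])[-1][2]
    return {
        "ever_resolved": True,
        "withdrawn": withdrawn,
        "max_lifetime_hours": lifetime.total_seconds() / 3600,
        "transient": withdrawn and lifetime <= max_live,
        "final_status": final_status,
        "ips": ips,
        "nameservers": nameservers,
    }


if __name__ == "__main__":
    for key, value in assess(OBSERVATIONS).items():
        print(f"{key}: {value}")
```

A "transient" verdict with a final status of "ns_unresolvable" is the signature MGD describes: the whole delegation chain, not just the A record, disappears once the ad rotation moves on, so anyone checking the domain a day later (as the Mozilla forum poster did with whois) finds nothing. The IP list is what survives that cleanup and is the part worth keeping for log searches and blocklists.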


buttoni
Premium
join:2005-08-16
Temple, TX
reply to moonpuppy

So now that you guys have proven something's up with Foxnews.com who's gonna contact Foxnews.com so their tech folks can clean it up?



DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1

Fox News isn't necessarily serving the infected ad. Their techs might be able to take it out of rotation on the site, but to take the ad down the originating server needs to be identified and disinfected.



CajunTek
Insane Cajun
Premium,MVM
join:2003-08-08
Arlington, TX

3 recommendations

reply to buttoni

said by buttoni:

So now that you guys have proven something's up with Foxnews.com who's gonna contact Foxnews.com so their tech folks can clean it up?
I did, and I also reported it to stopbadware.org as well...

Hopefully it'll be cleaned up by now.
--
da Cajun Darn I hate Malware

Cometcom1

join:2009-04-18
denmark

1 edit

1 recommendation

I can confirm there is an infection of the site.

The site is infected through ads and it is these that cause the problem. There can be numerous ads involved, but I have singled out one for sure.



fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14
reply to CajunTek

said by CajunTek:

said by buttoni:

So now that you guys have proven something's up with Foxnews.com who's gonna contact Foxnews.com so their tech folks can clean it up?
I did, and I also reported it to stopbadware.org as well...

Hopefully it'll be cleaned up by now.
Thank you.
--
goodbye dad


buttoni
Premium
join:2005-08-16
Temple, TX
reply to moonpuppy

Great, CajunTek. Glad someone took care of that little matter. Thanks.


Cometcom1

join:2009-04-18
denmark

1 recommendation

With the deepest respect for dslreports.com. I've got no problems with not telling who I am, or what connection I have with the reporting. - I work with and am connected with stopbadware.org/www.consumerwebwatch.org - through one of their mutual sites. - We're not here to steal your users, but rather to offer our help when need be.

dslreports has always been one of the best resources of the web, and I hope it stays that way.

That said - I'm working to get to the bottom of this, and have identified the possible advertising partner involved. However, I have not received any response from foxnews.com about the issue. I will be investigating this a little more in depth later and give you all a full disclosure of what has been found.

dslreports.com is the cause for the stopbadware community becoming interested in this issue.

Cometcom1



Robotics
See You On The Dark Side
Premium
join:2003-10-23
Louisa, VA

I'm sure we all have our fingers crossed this can be corrected/caught in good time.

Thanks for your all's help, and nice to meet you


Cometcom1

join:2009-04-18
denmark
reply to moonpuppy

I have now managed to obtain a proxy log and a tcp dump of the infection taking place. This should enable us to say what exactly is happening.

I still haven't heard from foxnews.com, if any of you have them on the line, please let them know that I have some of the information required to fix the issue.

Cometcom1



fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

1 recommendation

reply to moonpuppy

»badwarebusters.org/main/itemview/2772


moonpuppy

join:2000-08-21
Glen Burnie, MD
reply to moonpuppy

All this fuss over my laptop almost getting infected.


Cometcom1

join:2009-04-18
denmark
reply to moonpuppy

It seems that the infection emanating from foxnews.com has stopped. I haven't been able to verify any malware from the site today.

If anyone is still experiencing this, please let us know either here at dslreports or through the link fatness provided. (thanks fatness)

I still haven't heard from foxnews but perhaps they can enlighten us later with their response.

Cometcom1