Topic 'Re: foxnews.com infected?' in forum 'Security'

Topic 'Re: foxnews.com infected?' in forum 'Security' - dslreports.com http://www.dslreports.com/forum/Re-foxnewscom-infected-22225362 en Fri, 24 May 2013 04:58:18 EDT Fri, 24 May 2013 04:58:18 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22367178
Please note people - you may think you removed it, but really did not. Malwarebytes and others do not detect Rootkits. You should run ROOTKITREVEALER. I thought I had cleaned this, and I had really not. There was a deep and nasty rootkit involved here. Only way to remove was to boot off a Windows CD, and delete hidden drivers. I would be willing to bet that half the people think they clean this stuff and its not really clean.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22367178 Sun, 10 May 2009 12:53:16 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22343323 said by Doctor Four:

Although this sounds like a simple answer, it is really a case of throwing the baby out with the bathwater. And malvertisements aren't solely found on music streaming sites or those owned by Rupert Murdoch.

Any site that uses an advertiser which accepts an ad campaign on short notice without doing some investigation into the ad buyers can get hit by this; Google's Doubleclick ad network, one of the largest, got hit last year sometime.
I agree with you Doctor. I know of a few sites with similar issues lately (there was a recent article I found...from early April...about the same issue with Yahoo). It's interesting about the playlist.com thing. I use that site and will have to keep an eye on it. Anyway, we have a very large network where it would be a nightmare to migrate everyone to Firefox and train them to use no script. While I use the same setup at home and on my computers at work, it's not a viable solution in our environment.

However blocking ads is a great solution! Unfortunately, we are in the middle of working out how to block them (we used to block them through our web filtering provider..which has changed). They new web filtering provider can't/won't block ads. I suppose it's the nature of the provider, being a free service they advertise on their sites and thus don't want to provide ad blocking. Other options are hosts files (but maintaining them in a large network...ugh), not to mention sending Dequests to 127.0.0.1 take awhile to time out, and if put in a DNS server can seriously cripple it with many clients.

Anyway...the end result is for the time being, Fox News is blocked. We haven't seen issues from other sites at this point, and eventually it will be unblocked.

I think the real issue lies in the websites who allow advertising on their site. They need to take some responsibility in what they are displaying, whether it comes from their own servers or not. The end result is that Fox, Yahoo, Google and others are being poorly represented when someone browses to what they believe should be a solid, and trusted site, only to get a virus. Companies need to demand accountability from the ad providers that pay them to display ads.

In the meantime...to minimize risks we'll block any site that we have issues with, as well as research better alternative to blocking ads :)]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22343323 Tue, 05 May 2009 15:06:28 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22334835 said by fatness:

At least 2 people did earlier in this thread:

»foxnews.com infected?
»Re: foxnews.com infected?

Like you said, memory is the first thing to go. ;)
ahhh shaddup you old monkey. :D :D
--
You can chain my body to the earth, but still my spirit flies!

13,143 DEADLY TERROR ATTACKS SINCE 9/11]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22334835 Sun, 03 May 2009 21:59:47 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22334755
»foxnews.com infected?
»Re: foxnews.com infected?

Like you said, memory is the first thing to go. ;)
--
goodbye dad]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22334755 Sun, 03 May 2009 21:43:43 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22334218 http://www.dslreports.com/forum/Re-foxnewscom-infected-22334218 Sun, 03 May 2009 19:28:24 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22334126 said by karateckie:

Just a note to add:
We've had several users at our company affected by this same issue. Before today there were 3, and now as of today there were 2 more. This prompted us to temporarily block foxnews.com. Though we know the issue is not limited to Fox nor is it directly the fault of foxnews.com, all of our virus issues in the last week and a half have come from browsing to this site. Hours spent solving virus problems + ease of blocking Fox = no more foxnews.com.
Something similar happened last week at our company, though not with foxnews.com. There was a malvertisement at playlist.com (a music streaming site, I believe), which infected or attempted to infect several users. As a result, streaming audio sites are banned until IT can find a way to block the malicious ads that are hijacking users.

Although this sounds like a simple answer, it is really a case of throwing the baby out with the bathwater. And malvertisements aren't solely found on music streaming sites or those owned by Rupert Murdoch.

Any site that uses an advertiser which accepts an ad campaign on short notice without doing some investigation into the ad buyers can get hit by this; Google's Doubleclick ad network, one of the largest, got hit last year sometime.

A better solution is using Firefox with a hosts file and NoScript. I do this on my home PC, and while I have encountered attempts at getting redirected by malvertisements, they have never succeeded due to that combination. The redirect usually ends up on a blank page.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22334126 Sun, 03 May 2009 19:03:58 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22328967 http://www.dslreports.com/forum/Re-foxnewscom-infected-22328967 Sat, 02 May 2009 12:12:07 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22327555 http://www.dslreports.com/forum/Re-foxnewscom-infected-22327555 Fri, 01 May 2009 23:54:51 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22303291 We've had several users at our company affected by this same issue. Before today there were 3, and now as of today there were 2 more. This prompted us to temporarily block foxnews.com. Though we know the issue is not limited to Fox nor is it directly the fault of foxnews.com, all of our virus issues in the last week and a half have come from browsing to this site. Hours spent solving virus problems + ease of blocking Fox = no more foxnews.com.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22303291 Mon, 27 Apr 2009 15:50:17 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22298614 A poster stated that while on this foxnews.com page yesterday 04/24: »www.foxnews.com/story/0,2933,517738,00.html they then clicked the link to the full story at UK site of The Sun newspaper: >http://www.thesun.co.uk/sol/homepage/news/article2389814.ece?OTC-RSS&ATTR=News (several of the same adservers as foxnews.com), and Norton immediately flagged a bloodhound.pdf.10 virus. This will be dificult to duplicate because it depends on the rotating adds, probably flash, and the user config.

Though not a direct foxnews.com vector, the interesting issue is that the attempt matches a pdf exploit that mysec

documented in an earlier post.

I believe that this multiple opportunistic format, utilizing exploited adds on high traffic sites, will become an epidemic. Apparently it has not been established, or at least published, whether they are pushed by rogue advertisers within the system, or are from hacked exploited flash adds. There is no doubt that there are several ongoing campaigns to create massive botnets of infected machines. Though I posted the socks C&C for a global inventory of hijacked PCs "Socksps.ru", which was located on the call home IP of the pdf exploit that mysec

posted, the second of the three domains located there "stopgam.cn" is labeled "BOT" and also has a login:

[att=1]

See: »www.google.com/search?q=trojan.a···ive&sa=2

Incidentally, just mentioning the mere existence of "Socksps.ru" and its purpose, is a violation of their stated Rules / TOS.

[att=2]

MGD

]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22298614 Sun, 26 Apr 2009 15:04:11 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22292178 said by fatness:

Oops. Thank you for catching that.
It's ok, I know the eyes aren't what they used to be. :D
--
1/20/09 The Beginning of the End

13,100 DEADLY TERROR ATTACKS SINCE 9/11]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22292178 Fri, 24 Apr 2009 20:51:26 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22290276 http://www.dslreports.com/forum/Re-foxnewscom-infected-22290276 Fri, 24 Apr 2009 14:09:50 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22289441
Nasty thing.

I did combofix as well as Malwarebytes but honestly, the thing just crashed when I tried to run Superantispyware which they always work magically for me. not this time.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22289441 Fri, 24 Apr 2009 11:28:22 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22288446 http://www.dslreports.com/forum/Re-foxnewscom-infected-22288446 Fri, 24 Apr 2009 05:54:21 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22288046 said by Graycode:

..Why no mention of adsonar.com ? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com

I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS.
Indeed, adsonar references are all over the fox pages.

adsonar lists Foxnews.com as one of the locations they have access to advertise on adsonar aka quigo.com Maybe the relationship is something other than a third part vendor.

MGD]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22288046 Fri, 24 Apr 2009 01:04:32 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22288008 said by La Luna:

Whether it's been cleaned up today, I don't know.
I have been monitoring random pages on foxnews on and off since early on 04/21, and have not experienced any incidence of the malware. Not a testimonial that it is clean, though I have not seen any other reports of malware either during that time.

MGD]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22288008 Fri, 24 Apr 2009 00:48:44 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22287768 http://www.dslreports.com/forum/Re-foxnewscom-infected-22287768 Thu, 23 Apr 2009 23:26:39 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22287179 said by fatness:

....The article says Fox got rid of it.

quote:
............a brief analysis of the campaign which now appears to have been removed by FoxNews.

That article was posted on 4/15...I think we know from this thread that the problem was still going on even in the last day or two.

Whether it's been cleaned up today, I don't know.
--
1/20/09 The Beginning of the End

13,100 DEADLY TERROR ATTACKS SINCE 9/11]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22287179 Thu, 23 Apr 2009 21:24:39 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22286594
1. It's called scareware because, the infection scheme is to trick the unwary user into enabling the malware to get into his/her machine by scaring them with an message that appears legit. It informs them of bogus problems found on their computer. Click 'here' to fix this problem. That click leads to a successful infection of the computer.
What can happen varies, from a simple browser homepage hijack to worse. Usually the scheme wants the user to buy some bogus security software, which is usually malware as well.
2. Hard to say where your trojans came from. One helpful tool for updating all of your SW is secunia PSI available here:
»secunia.com/vulnerability_scanning/personal/
Java seems to be a special case where updating to current version will not remove older vulnerable version(s). They need to be removed via add remove programs.
3. Real experts have posted on this thread and given me sufficient reason to block foxnews.com in avast.
Until a consensus (here) shows the site to be clean, the block remains (FWIW, this is a personal choice, others should do as they are comfortable with). Based on reports it seems that major news sites (CNN etc) seem to be experiencing these problems more frequently, so apply caution when visiting these sites.
A little OT, but I hope helpful.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22286594 Thu, 23 Apr 2009 19:28:55 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22286237 said by fatness:

The article says Fox got rid of it.

quote:
............a brief analysis of the campaign which now appears to have been removed by FoxNews.

Fatness,I think people need to still be careful of that site i won't trust it.
--
Visit-
www.liveleak.com/view?i=e32_1231680425]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22286237 Thu, 23 Apr 2009 18:17:12 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22282664
1. Do they call it scareware because it just scares you and nothing can happen?

2. I posted my hijack log in Security Cleanup and I had some trojans? in Java. Would this have come from that popup on Fox? Or I picked it up somewhere else? [My Java was not up to date]

3. I've read this whole thread, those links (and the znet one) and it's all gibberish to me. I know that article states fox got rid of the virus (or whatever it's called) but have you brave folks checked it out yourselves? I would like to go there but want to be sure it's gone.

Thanks so much for your time.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22282664 Thu, 23 Apr 2009 01:12:32 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22279238 blogs.zdnet.com/security/?p=3140
Apparently it was reported on other sites as well as this one.

»whiskeyfire.typepad.com/whiskey_···ite.html
»www.wilderssecurity.com/showthre···=1444510

The article says Fox got rid of it.

quote:
............a brief analysis of the campaign which now appears to have been removed by FoxNews.

--
goodbye dad]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22279238 Wed, 22 Apr 2009 14:09:06 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22275424
»updates.zdnet.com/tags/malvertising.html]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22275424 Tue, 21 Apr 2009 21:12:34 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22274609 http://www.dslreports.com/forum/Re-foxnewscom-infected-22274609 Tue, 21 Apr 2009 18:50:54 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22272190 said by MGD:

Foxnews.com offers a comprehensive list of advertiser options: »advertise.foxnews.com/creative-specs/ and also the following Approved Third Party Vendors:

Atlas
Doubleclick
Eyeblaster
Eyewonder
Klipmart
Pointroll
Unicast
Zedo

Ref: »advertise.foxnews.com/creative-s···vendors/
Why no mention of adsonar.com ? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com

I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22272190 Tue, 21 Apr 2009 12:13:13 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22271850 said by planet:

quote:
1) Scripting disabled. (Javascript, not Java).

Wow, so in this case scripting is disabled. I thought javascript would be needed.
Ooops - a booboo - that should be reversed, of course! Thanks for noticing that!

Javascript is required, and with it disabled, none of those exploits at Foxnews work.

Sorry for the confusion. I changed that in my post.

said by planet:

So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?

That is correct.

said by planet:

And, what if you are using the latest adobe reader, 9.1, is this exploit still possible?

No, nor are any of the exploits against IE possible if patched.

The problem, of course, is that many exploits go unpatched for a while after they are released in the wild. The recent PDF exploit, if you remember: it was several weeks before a patch was released.

Patching, updating, are certainly preventative measures. Someone mentioned using a Hosts file. The important thing is that everyone understand what they are protecting against and insure that their security setup provides appropriate preventative measures.

This is not always easy because often advisories about a new exploit don't give a lot of information, so you have to do some research.

said by Sentinel:

I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.

This exploit works only against the PDF reader, so even if the PDF file loaded in the browser, nothing would happen without the Adobe Reader being installed.

You may remember the most recent PDF exploit used some type of image rendering engine in the Adobe Reader. Foxit also uses something similar and there was concern amongst Foxit readers that they might be vulnerable. Foxit support insured users on their forum that Foxit uses a different engine and was not susceptible to the current exploit.

----
rich]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22271850 Tue, 21 Apr 2009 11:10:31 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22271329
I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22271329 Tue, 21 Apr 2009 09:39:35 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22271026 quote:

1) Scripting disabled. (Javascript, not Java).

If I enable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.

Wow, so in this case scripting is disabled. I thought javascript would be needed.

So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?

And, what if you are using the latest adobe reader, 9.1, is this exploit still possible?]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22271026 Tue, 21 Apr 2009 08:25:00 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22270715 said by Comment by Anita in VA :

April 18th, 2009 at 6:52 am
Good morning fellow bloggers–

I have a quick question–have any of you experience, when first accessing the Greenroom Blog, a Windows Explorer popup windows, saying you need to run a virus scan on your computer?...

jimmy/all–yes, that was actually the FakeAlert Trojan–

other bloggers–if you also got that popup, run a REAL virus scan of your computer,

even if you X’d out of it. You’re probably now infected with the FakeAvAlert Trojan

This is just wrong since it's pretty much agreed that the user/victim has to click in the download box to get the trojan onto the system.

Am I interpreting correctly her statement? If so, how misleading and unnecessarily fear-provoking such a statement is for her readers.

This notion came up last year when new exploits of WinAntiVirus surfaced, and in a long thread, bcastner made it clear that this is not a drive-by download exploit.

Much has been written and commented on concerning the much feared drive-by download. From my viewpoint, these types of exploits are very easy to prevent when proper security is in place. Most of the time they need to bypass several security measures before achieving success.

By the way, the term "drive-by" limits the exploits to web sites. Notice that Microsoft uses the more comprehensive phrase, "Remote Code Execution:"

»www.microsoft.com/technet/securi···014.mspx

The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer

»www.microsoft.com/technet/securi···009.mspx

The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file.

In both cases, malicious code executes "remotely" - automatically.

PDF exploits in the wild fall into both categories:

•the one on the Fox News site is web-based

•others arrive by email where the user/victim decides to open the file.

The end result is the same: code in the PDF file calls out to a server hosting malware which is then downloaded to the user/victim's computer.

The Fox News PDF web-based exploit is a good example of remote code execution. In order for it to succeed, 4 requirements must be in place. I'll summarize from previous posts.

1) Scripting enabled. (Javascript, not Java).

If I disable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.

2) The PDF file must load into the browser. If the browser is configured to Prompt for a Download...

[att=1]

... the user is in the same position as with the WinAntiVirus exploit: to be victimized, the user must consent to download.

In both cases, the reaction should be: Hey, I didn't go looking for this. CANCEL. With the fake antivirus exploit, the suggestion is to close the browser process in Task Manager.

3) The 3rd requirement for the PDF exploit by remote code execution is that the Acrobat Reader must connect out to the internet to retrieve the malware. Outbound firewall monitoring will permit only those applications previously authorized by the user. The PDF Reader, of course, should not be given free access to the internet:

[att=2]

4) Finally, the trojan must be able to download/install without anything blocking it. The most secure protection for these types of exploits is some type of White Listing which blocks ALL unauthorized executable files that attempt to download/install:

[att=3]

File load.exe received on 04.17.2009 08:39:38 (CET)
Sunbelt 3.2.1858.2 2009.04.17 InfoStealer.Snifula.a (v)

Other solutions include running in a non-Administrator account; configuring Software Restriction Policies.

If this malicious PDF arrived by email and the user opened it, note that proper security at steps 3) and 4) would block the exploit from succeeding.

I hope you can see why Remote Code Execution Exploits should be the easiest to prevent. Look at all of the hurdles necessary to jump before the exploit is successful.

While something certainly needs to be done about stopping the occurrence of exploits on web pages, nonetheless for people with proper security protection and policies in place, they are an annoying nuisance rather than a threat.

----
rich

]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22270715 Tue, 21 Apr 2009 04:10:59 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22270302 said by FiOS Dan:

said by Sentinel:

...I use a hosts file to block ads as well.

Methinks that's the ticket.
That may be one of several reasons why some users were never exposed, nor triggered any other alerts. I spent some time checking the add rotations and noticed that several of the domains showed up as blocked in several hosts files. As a first line of defense, that may have prevented many AV, and script blockers from barking.

Foxnews.com offers a comprehensive list of advertiser options: »advertise.foxnews.com/creative-specs/ and also the following Approved Third Party Vendors:

Atlas
Doubleclick
Eyeblaster
Eyewonder
Klipmart
Pointroll
Unicast
Zedo

Ref: »advertise.foxnews.com/creative-s···vendors/

I spent several hours reviewing the top banner adds, many are flash, but not all. One issue that I noted is that there were several complaints of infection attempts while on blogs.foxnews.com which appears to have less adds than the other pages.

For example, posters on "FOX News Blogs » Alisyn in the Greenroom" noted the following on 04/18

quote:
Comment by Anita in VA
April 18th, 2009 at 6:52 am
Good morning fellow bloggers–

I have a quick question–have any of you experience, when first accessing the Greenroom Blog, a Windows Explorer popup windows, saying you need to run a virus scan on your computer?

I had it happened last saturday, when on work travel, from my work computer, and then again this morning, from my home computer.

Comment by Jimmy
April 18th, 2009 at 6:54 am
yes Anita…..it a shame…ran my program…no infections….they bother you to try to grt you to buy their program….do not load the program

Comment by Anita in VA
April 18th, 2009 at 6:59 am
jimmy/all–yes, that was actually the FakeAlert Trojan–

other bloggers–if you also got that popup, run a REAL virus scan of your computer, even if you X’d out of it. You’re probably now infected with the FakeAvAlert Trojan

Alisyn/Foxnews–
Please scan your website pages, it was definitely a link/ad on your pages that produced the popup that infects with the FakeAVAlert Trojan.

Ref: »greenroom.blogs.foxnews.com/2009···ning-15/

I hope that Fox comes forward and informs the public of its findings. I believe it is important that the exploit vector is made public so that everyone can be aware of the methods that are used.

This epidemic has affected many high traffic sites, irrespective of the content. Cybercriminals are not selective. However, the compromising of such a high value target warrants some disclosure of the facts, in order to mitigate additional potentil targets, and address issues with third party advertisers.

Fox's own stats list:

13.5 Million Unique users per month

615 Million Page views per month

That is a significant potential exposure. One can debate how many visitors come from fully patched updated systems, and are savvy enough to weave through the fake screens if exposed.

One interesting side note, while vetting the top banner adds last night, a non flash advertisement came up for E*TRADE. There was absolutely no nefarious activity associated with it. However, it was impossible to perform any vetting of the source. The properties of the add appeared to link to a subdirectory of Lorentrio.com which is hosted in Holland on a Leaseweb IP 94.75.216.152

The initial concern was the entire anonymonity of the set up.

There are 10 domains hosted on IP 94.75.216.152:

01. Alitasis.com
02. Idatrinity.com
03. Junstring.com
04. Kemerlane.com
05. Lacoste-ads.com
06. Lorentrio.com
07. Mosdao.com
08. Namlean.com
09. Nokia-corp.com
10. Tornadomb.com

One would assume that "Nokia" could be a copyright issue. The eyebrow raiser is that all of these domains were registered within the last month or so. All appeared to be registered using ICANN Registrar:

DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A
PUBLICDOMAINREGISTRY.COM

In addition, they were all registered using a cloaking service PrivacyProtect.org:

Such as:

quote:
Registration Service Provided By: REGISTER SERVICES
Contact: +001.8882106539

Domain Name: LORENTRIO.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 29-Mar-2009
Expiration Date: 29-Mar-2010

Again, nothing appeared wrong with the add, however, in most other circumstances the above criteria would be cause for concern. Though not necessarily unusual in these circumstances, but all the domains contain a "deny all" robots.txt file. Who are these people ??

As Cometcom1

noted to me, and I believe it was also mentioned in Dancho Danev's blog, Google's safe browsing diagnostic of foxnews.com notes the site as not suspicious. It is somewhat ambiguous as they do note that:

quote:
"Malicious software is hosted on 3 domain(s), including 2mdn.net/, s3.wordpress.com/, llnwd.net/."

»www.google.com/safebrowsing/diag···news.com
Snapped 2009-04-21 00:45:11

If you check Google's analysis of one of the above three:
s3.wordpress.com, it shows:

quote:
Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including foxnews.com/.

»www.google.com/safebrowsing/diag···ess.com/
Snapped 2009-04-21 00:44:54

I hope the focus can remain on the current stage of this epidemic and systemic organized cyber crime, and not on what the content of the infested high traffic website du-jour is. This problem will continue to invade the entire internet until concerted efforts are made to go after the money, and the commercial and financial systems that are utilized to support it.

MGD]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22270302 Tue, 21 Apr 2009 00:49:29 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22270016
»blog.mxlab.be/2008/08/04/cnn-dai···malware/

Apparently no one is immune when it comes from the outside rather than within (which has been foolishly implied here).
--
1/20/09 The Beginning of the End

13,079 DEADLY TERROR ATTACKS SINCE 9/11]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22270016 Mon, 20 Apr 2009 23:32:20 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22269808 said by milvos :

.... I have been getting this up with the fake virus scan for a few days now. And want to know whether it is something on my computer or whether this is coming from sites I am visiting. When I leave my computer idle for while it seems to come up.

Any help appreciated.
One rudimentary test is to disconnect the internet connection from the computer. Restart it, open your web browser and see if the popups still come up. You may not even have to open a web browser. If popups come up, or your browser attempts to connect to another website, then it is likely that malware is present in your computer.

MGD]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22269808 Mon, 20 Apr 2009 22:54:13 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22269315 said by Sentinel:

...I use a hosts file to block ads as well.Methinks that's the ticket.
--
Courage is being scared to death but saddling up anyway.
]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22269315 Mon, 20 Apr 2009 21:24:57 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22268686
I have been getting this up with the fake virus scan for a few days now. And want to know whether it is something on my computer or whether this is coming from sites I am visiting. When I leave my computer idle for while it seems to come up.

Any help appreciated.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22268686 Mon, 20 Apr 2009 19:32:16 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22267539
Now when i go to the Site it gives me a Red screen Blocked by Administrator.
--
Visit-
www.liveleak.com/view?i=e32_1231680425]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22267539 Mon, 20 Apr 2009 16:28:05 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22267451 said by mysec:

....
Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"
..
----
rich
Great write up !

I was particularily interested in this driveby:

quote:
[Adobe Reader 6.0 from your computer wants to
connect to plathost.ru [78.109.25.217], port 80]

as that location has come to my attention on several occasions.

IP 78.109.25.217

appears to be hosting 3 domains: »whois.domaintools.com/78.109.25.217

1. Nevervhudo.ru »whois.domaintools.com/nevervhudo.ru

2. Socksps.ru »whois.domaintools.com/Socksps.ru

3. Stopgam.cn »whois.domaintools.com/Stopgam.cn

Due to the name, Socksps.ru aroused some curiosity, however, the main page only offers a log in:

[att=1]

If one can overcome that restriction an account holder can purchase the use of compromised machines around the globe to use as a secure proxy:

[att=2]

This may be where some of the compromised victim machines are leveraged for additional income:

The master list of available for rent machines is several pages long:

[att=3]

You can sort the available hijacked machines by country, and then buy access, daily or monthly to mask your true origin for any nefarious purpose:

USA:

[att=4]

UK:

[att=5]

Iran:

[att=6]

Note the banner add for "carding Conference" at cashing.cc:

This may be where the compromised extracted financial data ends up for sale:

[att=7]

It appears that the only way to obtain a log in account in order to use the services of Socksps.ru is to contact ICQ 431278403

Or you can resond directly to his promotion on forum.zloy.org a cyber criminals one stop shop for carding, hacking exploits, money transfers, banking etc.

His translated add posting on the forum.zloy.org for Socksps.ru services is here:

»translate.google.com/translate?h···6hl%3Den
Snapped 2009-04-20 16:11:32

The main zloy.org page is translated here:

»translate.google.com/translate?j···_state0=
Snapped 2009-04-20 16:13:50

MGD

]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22267451 Mon, 20 Apr 2009 16:14:27 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22267252 said by kpatz:

Internet Explorers addon Shockwave Flash vs.3 found to be linking to the FormSpy website hosted at IP address 81.95.109.11 This addon tries to send your private information to attackers IP 72.95.109.11 (Malaysia)

quote:
IP address country: 81.95.109.11
IP address country flag Czech Republic
IP address state: Hlavni Mesto Praha
IP address city: Praha

quote:
IP address 72.95.109.11
IP country code: US
IP address country: flag United States
IP address state: Maine
IP address city: Orono
IP address latitude: 44.879101
IP address longitude: -68.733002
ISP of this IP [?]: Fairpoint Communications
Organization: Fairpoint Communications

--
Visit-
www.liveleak.com/view?i=e32_1231680425]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22267252 Mon, 20 Apr 2009 15:37:31 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22267195 quote:

The fake antivirus exploit prompts for a download in IE, Opera, and Firefox because the download is an executable file for which these browsers prompt by default. I showed Opera in a previous post.

Ok, so there is a download prompt and you get a chance to cancel the whole thing, in those cases where it attempts to make you download an exe file instead of serving a browser or plugin exploit. That is good news. :)

quote:
The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"

Ok, so the actual drive-by downloads (no user consent required) of this badware are based on exploits in either the browser or some other related program like PDF viewers, as usual. And the PDF exploits you can stop just by having the browser prompt for download of pdf files instead of opening them in the proper program, or even just by not giving the PDF viewer permission to go online when your firewall prompts for it. Good news, again!

Thanks for all the advice, guys, I think I understand how this thing operates now. If I got it right, this thing is not a threat as long as you
- have your browser set to prompt for download for exes, pdfs etc instead of having the browser run them at once, and cancel any suspicious, unwanted downloads, and
- have a fully patched browser that isn't vulnerable to the browser exploits this thing tries, such as the latest Opera version.

Or in other words, it's a pretty basic baddie. Sounds like I'm good to go, and have nothing to worry about this malware. It should be easy to avoid this thing: just keep the browser patched (and preferably use Opera) and have it set to prompt for downloading stuff, or disable all the pointless plugins we don't need like Adobe Reader etc.

Still, Foxnews should get their ads cleaned right the F now. It's inexcusable for a big outfit like that to serve crapware via ads. I wonder if a popup blocker would help against these things. ]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22267195 Mon, 20 Apr 2009 15:29:09 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22267114 quote:

Be sure and configure your file types to Prompt for Download, or "Always Ask"

You can also disable the plugin for all browsers from Reader's “Edit->Preferences->Internet->Display PDF in browser” option, or use a different PDF reader that doesn't install a plugin. (Who wants to read a PDF stuck inside a browser window anyway?)

As always, if you aren't using a plugin, remove it, and you'll reduce the attack surface of your browser and the number of things you have to worry about keeping updated. Do you really need PDF, Java, QuickTime and Real plugins? Probably not.]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22267114 Mon, 20 Apr 2009 15:12:16 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22266943 http://www.dslreports.com/forum/Re-foxnewscom-infected-22266943 Mon, 20 Apr 2009 14:44:13 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22266827 http://www.dslreports.com/forum/Re-foxnewscom-infected-22266827 Mon, 20 Apr 2009 14:27:45 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22266791
[att=1]

[att=2]

The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

[att=3]

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"

Opera:

[att=4]

Firefox:

[att=5]

----
rich

]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22266791 Mon, 20 Apr 2009 14:20:11 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22266785 said by HowDoesItWork :

So it could infect you without requiring any form of consent from the user? Now that is weird. For IE, I wouldn't be surprised, but if Firefox or Opera would do the same, that would be strange. I'm further confused because mysec on the previous page posted that with Opera, it does pop up a download prompt, and if you cancel the download, it can't infect you.
Part of the infection can be done with PDF documents. Adobe even put out a warning that they wouldn't have a fix for a month. ]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22266785 Mon, 20 Apr 2009 14:19:21 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22266731
I forced the browser closed as quickly as I could with task manager, and ran a real scan with AVG 8.5 which appeared to be clean.

Does anyone know if AVG effectively detects this infection, and/or what other steps should be taken to ensure this thing didn't get its tentacles into my system?]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22266731 Mon, 20 Apr 2009 14:11:07 EDT Re: foxnews.com infected? http://www.dslreports.com/forum/Re-foxnewscom-infected-22266556 quote:

Yes, for clarification, If you decline the scan, it will do the fake scan anyway and impose a full screen in your browser. If you then choose "cancel" for the recommended install, it will proceed with the download. The warning that the user will get is from their system alerting them to the dangers of allowing an .exe file to run. They should be able to use their system at that point to block the install. However, prior to that point, "cancel" and "no" means "Yes".

Now I feel a little stupid, but I still don't understand how it works. It's business as usual that the popup has a bogus cancel button and the X close window button, and it tries to make you download their crapware anyway. But unless the browser does something completely wrong, there should eventually be a download prompt and you should then be able to cancel the whole thing, so it can't infect your system. If this isn't the case with this particular crapware, I would sure like to know how it accomplishes this feat, technically. There are exploits, but unless it uses an unknown, unpatched zero day vulnerability, that shouldn't work against a fully patched browser and plugins...

quote:
Fully patched OS, IE, Java, FLASH, etc. I saw multiple popups and I did not click no but the "X" of the window. When I realized what was happening, I immediately shut the laptop down HARD. I pressed the power button until it shut off completely and restarted the system with the wi-fi off. When I saw no activity, I turned the wi-fi back on and immediately headed here to do some cleaning and that's when I found the issues I mentioned earlier. I then posted here about it.

So it could infect you without requiring any form of consent from the user? Now that is weird. For IE, I wouldn't be surprised, but if Firefox or Opera would do the same, that would be strange. I'm further confused because mysec on the previous page posted that with Opera, it does pop up a download prompt, and if you cancel the download, it can't infect you.

So, is there something in Opera that prevents this thing from insta-infection without any user consent that doesn't exist in IE or even Firefox? Hate to ask that many questions, but I don't understand the technique that this thing could possibly use to infect you instantly without you accepting a download, and then executing that download... aside from unpatched vulnerabilities. I wonder if the people infected by this were running as admin...]]> http://www.dslreports.com/forum/Re-foxnewscom-infected-22266556 Mon, 20 Apr 2009 13:41:24 EDT