said by Florida Dan:
said by Sentinel:
...I use a hosts file to block ads as well.
Methinks that's the ticket.
That may be one of several reasons why some users were never exposed, nor triggered any other alerts. I spent some time checking the ad rotations and noticed that several of the domains showed up as blocked in several hosts files. As a first line of defense, that may have prevented many AV and script blockers from barking.
Foxnews.com offers a comprehensive list of advertiser options: » advertise.foxnews.com/cr ··· e-specs/ and also the following Approved Third Party Vendors:
Atlas
Doubleclick
Eyeblaster
Eyewonder
Klipmart
Pointroll
Unicast
Zedo
Ref: » advertise.foxnews.com/cr ··· vendors/
I spent several hours reviewing the top banner ads; many are Flash, but not all. One issue that I noted is that there were several complaints of infection attempts while on blogs.foxnews.com, which appears to have fewer ads than the other pages.
For example, posters on "FOX News Blogs » Alisyn in the Greenroom" noted the following on 04/18
quote:
Comment by Anita in VA
April 18th, 2009 at 6:52 am
Good morning fellow bloggers
I have a quick question: have any of you experienced, when first accessing the Greenroom Blog, a Windows Explorer popup window saying you need to run a virus scan on your computer?
I had it happen last Saturday, when on work travel, from my work computer, and then again this morning, from my home computer.
Comment by Jimmy
April 18th, 2009 at 6:54 am
yes Anita
..it's a shame
ran my program
no infections
.they bother you to try to get you to buy their program
.do not load the program
Comment by Anita in VA
April 18th, 2009 at 6:59 am
jimmy/all: yes, that was actually the FakeAlert Trojan
other bloggers: if you also got that popup, run a REAL virus scan of your computer, even if you X'd out of it. You're probably now infected with the FakeAvAlert Trojan
Alisyn/Foxnews
Please scan your website pages, it was definitely a link/ad on your pages that produced the popup that infects with the FakeAVAlert Trojan.
Ref: » greenroom.blogs.foxnews. ··· ning-15/
I hope that Fox comes forward and informs the public of its findings. I believe it is important that the exploit vector is made public so that everyone can be aware of the methods that are used.
This epidemic has affected many high traffic sites, irrespective of the content. Cybercriminals are not selective. However, the compromising of such a high value target warrants some disclosure of the facts, in order to mitigate additional potential targets, and address issues with third party advertisers.
Fox's own stats list:
13.5 Million Unique users per month
615 Million Page views per month
That is a significant potential exposure. One can debate how many visitors come from fully patched updated systems, and are savvy enough to weave through the fake screens if exposed.
One interesting side note: while vetting the top banner ads last night, a non-Flash advertisement came up for E*TRADE. There was absolutely no nefarious activity associated with it. However, it was impossible to perform any vetting of the source. The properties of the ad appeared to link to a subdirectory of Lorentrio.com, which is hosted in Holland on a Leaseweb IP, 94.75.216.152.
The initial concern was the entire anonymity of the set up.
There are 10 domains hosted on IP 94.75.216.152:
01. Alitasis.com
02. Idatrinity.com
03. Junstring.com
04. Kemerlane.com
05. Lacoste-ads.com
06. Lorentrio.com
07. Mosdao.com
08. Namlean.com
09. Nokia-corp.com
10. Tornadomb.com
One would assume that "Nokia" could be a copyright issue. The eyebrow raiser is that all of these domains were registered within the last month or so. All appeared to be registered using ICANN Registrar:
DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A
PUBLICDOMAINREGISTRY.COM
In addition, they were all registered using a cloaking service PrivacyProtect.org:
Such as:
quote:
Registration Service Provided By: REGISTER SERVICES
Contact: +001.8882106539
Domain Name: LORENTRIO.COM
Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Creation Date: 29-Mar-2009
Expiration Date: 29-Mar-2010
Again, nothing appeared wrong with the ad; however, in most other circumstances the above criteria would be cause for concern. Though not necessarily unusual in these circumstances, all the domains contain a "deny all" robots.txt file. Who are these people??
As Cometcom1 noted to me, and I believe it was also mentioned in Dancho Danchev's blog, Google's safe browsing diagnostic of foxnews.com notes the site as not suspicious. It is somewhat ambiguous, as they do note that:
quote:
"Malicious software is hosted on 3 domain(s), including 2mdn.net/, s3.wordpress.com/, llnwd.net/."
If you check Google's analysis of one of the above three, s3.wordpress.com, it shows:
quote:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including foxnews.com/.
I hope the focus can remain on the current stage of this epidemic and systemic organized cyber crime, and not on what the content of the infested high traffic website du jour is. This problem will continue to invade the entire internet until concerted efforts are made to go after the money, and the commercial and financial systems that are utilized to support it.
MGD
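The post opens with the observation that a hosts-file blocklist kept some users from ever loading the malvertising domains. The following is an added example, not code from the post or from any of the parties named in it, showing how to parse a hosts file and check which ad or tracker hostnames it actually sinkholes. The hosts-file excerpt and the candidate domains are constructed placeholders (the vendor names Fox lists are not given as hostnames on the page); it also illustrates the usual gap with this approach, that a hosts file has no wildcards, so a new subdomain in the rotation slips through unless it is listed itself.

```python
"""Check which ad/tracker hostnames a hosts-file blocklist would neutralise.

Added example (not part of the original post). SAMPLE_HOSTS and the domain
names used in it are constructed for illustration.
"""
import ipaddress

# Constructed hosts-file excerpt; real blocklists look like this but run to
# many thousands of lines.
SAMPLE_HOSTS = """\
# constructed hosts-file excerpt
127.0.0.1   localhost
0.0.0.0     ads.example-vendor.test
0.0.0.0     cdn.ads.example-vendor.test   # trailing comment
0.0.0.0     tracker.example-net.test   beacon.example-net.test
::1         localhost
"""

# Addresses blocklists conventionally point names at so they never resolve
# to a real server.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Return {hostname: ip} for every name mapped in a hosts-file body.

    Comments (#) are stripped, blank and malformed lines are skipped (a
    resolver ignores them too), and one address line may carry several names.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            mapping[name.lower()] = str(ip)
    return mapping


def is_blocked(hostname, hosts):
    """True if this exact hostname is sinkholed by the parsed hosts map.

    Hosts files match whole names only: ads.example-vendor.test being listed
    says nothing about new.ads.example-vendor.test.
    """
    ip = hosts.get(hostname.lower())
    return ip is not None and ip in SINKHOLES


def coverage_report(hostnames, hosts):
    """Map each candidate hostname to whether the blocklist covers it."""
    return {h: is_blocked(h, hosts) for h in hostnames}


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    # Constructed candidates: three listed names and one new subdomain.
    candidates = ["ads.example-vendor.test", "beacon.example-net.test",
                  "new.ads.example-vendor.test"]
    for host, covered in coverage_report(candidates, parsed).items():
        print(f"{host:35} {'blocked' if covered else 'NOT blocked'}")
```

Running the block against a real hosts file (read the file instead of SAMPLE_HOSTS) and the hostnames pulled from a page's ad rotation tells you which of them a given blocklist would have stopped; the uncovered ones are the ones worth adding or worth watching in proxy logs.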
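The middle of the post describes the registration pattern that raised eyebrows around the ad's source: ten domains on one IP, all created within roughly a month, all behind a privacy service. The following is an added example, not code from the post, that turns those criteria into a small triage routine over registration records: group records by hosting IP and flag an IP when several of its domains are both newly created and privacy-protected. The records are constructed (documentation IP ranges, placeholder names); the field layout follows the whois excerpt quoted above, and the thresholds (45 days, three domains) are assumptions to tune for your own data.

```python
"""Cluster newly registered, privacy-protected domains that share a hosting IP.

Added example (not part of the original post). All records below are
constructed; only the field layout mirrors the whois excerpt on the page.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed records: four names on one IP (one of them old and openly
# registered, for contrast) and one recent name alone on another IP.
RECORDS = [
    {"domain": "domain-a.example", "ip": "198.51.100.7",
     "registrant": "PrivacyProtect.org", "created": "29-Mar-2009"},
    {"domain": "domain-b.example", "ip": "198.51.100.7",
     "registrant": "PrivacyProtect.org", "created": "02-Apr-2009"},
    {"domain": "domain-c.example", "ip": "198.51.100.7",
     "registrant": "PrivacyProtect.org", "created": "10-Apr-2009"},
    {"domain": "old-site.example", "ip": "198.51.100.7",
     "registrant": "Example Corp", "created": "15-Jan-2007"},
    {"domain": "domain-e.example", "ip": "203.0.113.9",
     "registrant": "PrivacyProtect.org", "created": "05-Apr-2009"},
]

# Registrant strings that indicate a proxy/privacy service rather than an
# identifiable party (assumed list; extend from your own whois data).
PRIVACY_SERVICES = {"privacyprotect.org", "whois privacy protection service"}


def parse_created(value):
    """Parse the DD-Mon-YYYY form used in the quoted whois record."""
    return datetime.strptime(value, "%d-%b-%Y").date()


def is_privacy_protected(registrant):
    return registrant.strip().lower() in PRIVACY_SERVICES


def cluster_by_ip(records):
    """Group records by the IP they resolve to."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["ip"]].append(rec)
    return groups


def triage(records, as_of, max_age_days=45, min_cluster=3):
    """Return [(ip, [domains])] for IPs with >= min_cluster domains that were
    created within max_age_days of as_of and are privacy-protected.

    A single such domain is unremarkable; a cluster of them on one host,
    all registered in the same window, is the pattern described above.
    """
    flagged = []
    for ip, group in cluster_by_ip(records).items():
        suspicious = sorted(
            rec["domain"] for rec in group
            if (as_of - parse_created(rec["created"])).days <= max_age_days
            and is_privacy_protected(rec["registrant"])
        )
        if len(suspicious) >= min_cluster:
            flagged.append((ip, suspicious))
    return flagged


if __name__ == "__main__":
    for ip, domains in triage(RECORDS, as_of=date(2009, 4, 20)):
        print(f"{ip}: {len(domains)} recent privacy-protected domains -> {domains}")
```

The output is a prioritised list, not a verdict: the post itself stresses that the ad in question behaved cleanly, so a flagged cluster is a reason to look closer (passive DNS, certificate history, what the hosts actually serve), and a place to apply tighter script blocking, rather than proof of anything.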