siljaline:
Mass Injection Compromises More Than Twenty Thousand Web Sites
Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs ThreatSeeker Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious, obfuscated JavaScript code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

Yet: a simple HOSTS file entry fixes the issue:

127.0.0.1 google-analytics.cc
127.0.0.1 google-analistyc.net
127.0.0.1 google-analytlcs.com
127.0.0.1 googleanalytlcs.net
127.0.0.1 google-analyze.cn
127.0.0.1 google-analyze.org

-- siljaline
Here at Mountain View Chocolate, we're committed to transparency and choice
scelli: Thanks for the HOSTS file tip!
siljaline:
said by scelli: Thanks for the HOSTS file tip!
You're most welcome. You might use a HOSTS editor.
scelli: Actually, I'm running Vista Ultimate SP1 and just open up Notepad to edit the file. The trick with Vista is right-clicking on the app and running it as administrator, or else the change to the HOSTS file won't save properly.
-- The maximum effective range of an excuse is ZERO meters!
siljaline: Use HOSTS Vista
Buddel (reply to siljaline): I use HostsMan. It updates my hosts files and automatically deletes duplicates.
quote: HostsMan is a freeware application that lets you manage your Hosts file. It includes an option to easily turn off the unneeded DNS Client Service, and an option to update the existing HOSTS file when needed.
»www.mvps.org/winhelp2002/hostsfa···#Related
»www.abelhadigital.com/
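The hosts-file fix from the opening post, combined with the duplicate removal Buddel credits to HostsMan, as an added example that is not code from the thread or from HostsMan. It parses an existing hosts file, appends only the spoofed domains that are not already listed (case-insensitively, whatever sink address the existing line uses), and is a no-op when run a second time. The sample hosts file is constructed for the example; the domain list is the one quoted in the thread.

```python
# Added example, not code from the thread or from HostsMan: merge the
# spoofed-domain entries from the opening post into a hosts file without
# creating duplicates, so re-running it is harmless.
from typing import Dict, List, Tuple

# Look-alike domains quoted in the thread (the "simple HOSTS file entry").
SPOOFED_DOMAINS = [
    "google-analytics.cc",
    "google-analistyc.net",
    "google-analytlcs.com",
    "googleanalytlcs.net",
    "google-analyze.cn",
    "google-analyze.org",
]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a hosts file (lower-cased) to its address.

    Blank lines and '#' comments are skipped; an inline comment is stripped.
    If a name appears twice the later line wins, which is why duplicate
    entries are worth cleaning out rather than appending blindly.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no names
        address, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def merge_blocklist(hosts_text: str, domains: List[str],
                    sink: str = "127.0.0.1") -> Tuple[str, List[str]]:
    """Append 'sink domain' lines for domains not already in the file.

    Returns the new file text and the list of domains actually added.
    Existing lines are left untouched (whatever address they use), names are
    compared case-insensitively, and repeats within `domains` are collapsed,
    so a second run with the same list adds nothing.
    """
    present = parse_hosts(hosts_text)
    added: List[str] = []
    for domain in domains:
        key = domain.strip().lower()
        if not key or key in present:
            continue
        present[key] = sink  # also de-duplicates within `domains`
        added.append(key)
    if not added:
        return hosts_text, []
    text = hosts_text
    if text and not text.endswith("\n"):
        text += "\n"
    text += "# spoofed google-analytics domains (added by merge_blocklist)\n"
    text += "".join(f"{sink} {domain}\n" for domain in added)
    return text, added


# Constructed sample hosts file (not from any real system): one of the
# spoofed domains is already present, with a different sink and mixed case.
SAMPLE_HOSTS = """\
# Constructed hosts file for the example
127.0.0.1 localhost
0.0.0.0   Google-Analyze.CN   # already blocked by an earlier edit
"""

if __name__ == "__main__":
    merged, added = merge_blocklist(SAMPLE_HOSTS, SPOOFED_DOMAINS)
    print(merged)
    print("added:", added)
    _, added_again = merge_blocklist(merged, SPOOFED_DOMAINS)
    print("second run added:", added_again)  # [] - nothing duplicated
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and, as scelli notes above for Vista, writing it back needs an elevated editor; the merge itself is the same on any platform.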
ironwalker (reply to siljaline): google-analytics.* has been blocked long before Vista appeared.
Thanks though.
nwrickert (reply to siljaline): "noscript" with Firefox protects me adequately. There's no need to add anything to my hosts file.
-- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10
Unknown_Poster (reply to siljaline): »PC-pwning infection hits 30,000 legit websites
And counting
siljaline (reply to ironwalker):
said by ironwalker: google-analytics.* has been blocked long before Vista appeared. Thanks though.
Agreed, but it's the spoofed Google Analytics domain names that are at issue here:

127.0.0.1 google-analytics.cc
127.0.0.1 google-analistyc.net
127.0.0.1 google-analytlcs.com
127.0.0.1 googleanalytlcs.net
127.0.0.1 google-analyze.cn
127.0.0.1 google-analyze.org

None of which are legit.
siljaline (reply to Unknown_Poster): Saw that, it's a Reg rip from the Websense Security Labs article.
(unnamed poster):
said by siljaline: Saw that, it's a Reg rip from the Websense Security Labs article.
So?
Not that I much care one way or the other, but it seems a little pointless as well as redundant to have concurrent multiple threads about the same topic from ultimately the same linked story.
redwolfe_98 (reply to siljaline): "A simple HOSTS file entry fixes the issue"
Yes, but I have not seen any mention of what specific fake Google web addresses are being used regarding this issue (and so it is not possible to add them to one's HOSTS file without knowing what the fake Google web addresses are that are being used)..
siljaline:
said by redwolfe_98: edited: uhg.. nevermind, I was confusing this thread with another one that was posted earlier, discussing this issue..
No prob. It's Saturday night, man.
DownTheShore (reply to siljaline): Thanks, siljaline.
HostsXpert works nicely for Vista. »www.funkytoad.com/index.php?opti···4f60b298
-- Patriotism is not waving a flag, it is living the ideals
Today's GOP: a newt, a dick, and a rush
Its a Secret (reply to siljaline): Good thread. Interesting how some of those are just simple typos a person might make, or are unsure of .com or .net...
Doctor Four (reply to siljaline): Expect the spoofed URLs to show up in the MVPS and HPGuru hosts files upon the next update.
At least one of the URLs (google-analystic.net) is in the MDL (Malware Domain List). The IP associated with this URL is 212.117.163.162, and redirects to Luckysploit. The registrant is Oleg FATIN korobo4kin@list.ru
I seem to recall reading some opinions that the RBN were largely behind this attack.
Edit: of the rest, only the last 2 are in the MDL. In both of those, the IP address is 202.73.57.6, which is likely a botnet zombie. Like the other one, these also redirect to Luckysploit. The registrant for both is johnvernet@gmail.com.
-- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
JohnInSJ (reply to siljaline): You know, in my more grumpy moments, I wonder why we even have the internet connected to some parts of the world.
Do we really need this crap? Really? Is there really nothing that can be done?
It just seems so pointless. What a waste. But then I guess we're hell bent on turning everything to poo as fast as possible, so why not this too.
Sorry, carry on. Just a little down tonight I guess.
-- My place : »www.schettino.us
(unnamed poster, reply to siljaline): If you have a router or firewall that accepts wildcard URL string blocking, then adding the string "google-anal" is a one-step temporary fix for blocking access to a wide range of real and/or fake google-anal*.* sites.
mysec (reply to JohnInSJ):
said by JohnInSJ: Is there really nothing that can be done?
Actually there is: just keep scripting configured per site in your browser, and carry on with life!
OK, the hosts file takes care of this particular injection exploit, but it's a minuscule example of the thousands of injection exploits out there.
In the unlikely case you encounter one and are redirected to a malicious site, not being able to execute the commands in the script nullifies the exploit, whether PDF, fake AV scan, or whatever.
Here's an example, still live, of a rogue AV product:
[screenshot]
The little placeholder is where the fake scan image would normally be. Without scripting enabled, the JavaScript files cannot execute to load the images:
<script type="text/javascript" src="js/jquery.js"></script>
<script type="text/javascript" src="js/jquery-init.js"></script>
<script type="text/javascript" src="js/flist.js"></script>
If I enable JavaScript, well, everyone knows the drill:
[screenshot]
Here is a current PDF exploit when redirected to a malicious site.
With scripting disabled, a blank window:
[screenshot]
Otherwise (also with plug-ins enabled), the PDF is loaded into an iframe:
document.write('<iframe src="cache/readme.pdf"
[screenshot]
said by JohnInSJ: Just a little down tonight I guess.
I can understand. Just relax with your favorite beverage, don't pay attention to the sensational headlines, keep your browser properly configured (scripting, plug-ins) and enjoy computing!
---- rich
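Three points in the thread fit one detection example: the observation that the spoofed names are simple typos of google-analytics.com, the suggestion to block on the substring "google-anal" at a router or firewall, and mysec's script and iframe tags. The following is an added example, not code from the thread or from any product mentioned in it. It pulls external script and iframe sources out of an HTML page and classifies each host as the legitimate domain, one of the spoofs quoted in the thread, an edit-distance look-alike, or something else; the edit-distance threshold of 4 is an assumption chosen to cover the thread's list (it does not use a public-suffix list), and the HTML fragment is constructed for the example. It also shows the caveat the wildcard suggestion already admits: the substring rule blocks the real domain too.

```python
# Added example, not code from the thread: pick external script/iframe
# sources out of an HTML page and flag hosts that look like
# google-analytics.com but are not it, which is the trick the injected
# code in this incident relied on. Also shows why a "google-anal"
# substring rule is a blunt temporary measure: it matches the real domain.
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

LEGIT_DOMAIN = "google-analytics.com"
# Spoofed domains quoted earlier in the thread.
KNOWN_SPOOFS = {
    "google-analytics.cc", "google-analistyc.net", "google-analytlcs.com",
    "googleanalytlcs.net", "google-analyze.cn", "google-analyze.org",
}
# Heuristic threshold (an assumption for this example): every spoof above
# sits within 4 edits of "google-analytics" on its second-level label.
MAX_EDITS = 4


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(host: str) -> str:
    """'www.google-analytlcs.com' -> 'google-analytlcs'. No public-suffix
    list; good enough for the two-label domains in this thread."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_host(host: str) -> str:
    """Return 'legit', 'known-spoof', 'lookalike' or 'other'."""
    h = host.lower().strip(".")
    if h == LEGIT_DOMAIN or h.endswith("." + LEGIT_DOMAIN):
        return "legit"
    if h in KNOWN_SPOOFS:
        return "known-spoof"
    legit_label = LEGIT_DOMAIN.split(".")[0]  # "google-analytics"
    if levenshtein(second_level_label(h), legit_label) <= MAX_EDITS:
        return "lookalike"
    return "other"


def substring_rule_blocks(host: str) -> bool:
    """The router/firewall wildcard rule suggested in the thread."""
    return "google-anal" in host.lower()


class _SrcCollector(HTMLParser):
    """Collect src attributes of <script> and <iframe> start tags."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.found.append((tag, value))


def scan_html(html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, src, verdict) per source; relative sources are 'local'."""
    parser = _SrcCollector()
    parser.feed(html)
    results = []
    for tag, src in parser.found:
        host: Optional[str] = urlparse(src).hostname
        results.append((tag, src, classify_host(host) if host else "local"))
    return results


# Constructed page fragment: the three relative scripts mirror the rogue-AV
# page mysec quotes; the last script uses a spoofed domain from the thread
# (the path is made up) and the iframe mirrors the document.write above.
SAMPLE_HTML = """
<script type="text/javascript" src="js/jquery.js"></script>
<script type="text/javascript" src="js/jquery-init.js"></script>
<script type="text/javascript" src="js/flist.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="http://google-analytlcs.com/stats.js"></script>
<iframe src="cache/readme.pdf"></iframe>
"""

if __name__ == "__main__":
    for tag, src, verdict in scan_html(SAMPLE_HTML):
        print(f"{verdict:12} {tag:6} {src}")
```

Relative sources come back as "local" because they load from the page's own origin; on an already-compromised site that is exactly where an injected file could sit, so the host check complements, rather than replaces, the per-site scripting control mysec recommends.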