brianiscool
join:2000-08-16
Tampa, FL

brianiscool

Member

0 day exploit from website

I found a website which infected my machine through Firefox without clicking on anything. I believe they are using a 0 day exploit. How do I go about reporting a website with malicious code?

therube
join:2004-11-11
Randallstown, MD

therube

Member

URL?
(But don't make it click-able).

Is it related to the current Java vulnerability?
Do you have Java installed? Which version?
Do you have Java enabled in FF?

What kind of infection did you get?

caffeinator
Coming soon to a cup near you..
Premium Member
join:2005-01-16
00000

1 recommendation

caffeinator to brianiscool

Premium Member

to brianiscool
Also, what plugins do ya use, and are they and FF up to date?

I'd bet that if you had NoScript/ABP it wouldn't have happened.
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to brianiscool

Premium Member

to brianiscool
brianiscool, for one thing, you could post the URL for the website here, but make it unclickable by replacing "http://", in the URL, with "hXXp://".. for example:

hXXp://www.blackholeexploitkit.info
brianiscool
join:2000-08-16
Tampa, FL
·Charter

brianiscool

Member

hxxp://www.skidrow-scene.net/ you don't have to click on anything, it just installs. I was using Firefox and had Avast running; it didn't detect anything. I had everything updated to the latest at the time: Java, Flash, Firefox all updated. I don't know how it got on my system. I had to format; it took over my access rights and I did 16 hours of virus scanning. None of the applications were able to find it. I ran about 15 different rootkit finders, anti-virus and anti-malware applications. Also it damaged my TCP/IP stack and I could not get back on the internet.
brianiscool

brianiscool

Member

A person on IRC posted the link and I clicked it. What a mistake that was.

KoRnGtL15
Premium Member
join:2007-01-04
Grants Pass, OR

KoRnGtL15 to brianiscool

Premium Member

to brianiscool
I won't be clicking the link. But, very possible if you are running the latest Java. You got hit with the latest zero day exploit from that.
redwolfe_98
Premium Member
join:2001-06-11

1 edit

redwolfe_98 to brianiscool

Premium Member

to brianiscool
brianiscool, there is no telling what happened.. you said you spent 16 hours scanning your computer, including scans for rootkits, and no malware was found..

google's "safe browsing" reports that they have not detected any malware at the URL that you posted..

it would be hard to report anything when no malware has been detected..

all we know is that you thought that there was a problem with your computer and, so, you reformatted.. it could have been something other than malware that caused the problems with your computer..
brianiscool
join:2000-08-16
Tampa, FL

brianiscool

Member

The infection was from Live Security Platinum

therube
join:2004-11-11
Randallstown, MD

3 edits

therube to brianiscool

Member

to brianiscool
Wonder if it might not have stemmed from some sort of WordPress exploit?
According to the source it is using v1.2.5 of WordPress SEO Plugin, where the latest version is 1.2.8.1?
(WordPress itself looks current, 3.4.1.)

Removal instructions for Live Security Platinum

There is code in there to check for Java:
navigator.javaEnabled()==1?EXjv="y":EXjv="n";
 
Looks like that part deals with HIT COUNTER CODE?

caffeinator
Coming soon to a cup near you..
Premium Member
join:2005-01-16
00000

2 edits

caffeinator to brianiscool

Premium Member

to brianiscool
Well, it's a warez site, so pretty good chance they'd have aggressive ads including some that might not be so nice. Skidrow is a well known "scene" group, no idea if this guy is actually affiliated with them or if it's just a ripoff site. (I didn't go to the site)

This link has the admin discussing his layout. Looks like some popups and fake download links that would be the installers. Normal fare to look out for I'm afraid.

They'll have a huge "DOWNLOAD NOW!!" link that's fake, then smaller ones for the real stuff...just banking on human nature.

Why I'd asked about NoScript/ABP...but of course if you allowed the site, well...
19579823 (banned)
An Awesome Dude
join:2003-08-04

19579823 (banned) to redwolfe_98

Member

to redwolfe_98
And i just scanned the link with ONLINELINKSCAN and it comes up ok also

»onlinelinkscan.com
brianiscool
join:2000-08-16
Tampa, FL

brianiscool

Member

Re: 0 day exploit from website

This whole site should be taken down having all of this malicious code. Who do you usually contact for a website that exploits your system?

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

1 recommendation

Kilroy to caffeinator

MVM

to caffeinator
said by caffeinator:

Well, it's a warez site

Just so I'm getting this straight. brianiscool clicked on a link from IRC that went to a warez site, got infected and is complaining? Further proof that the weakest link in security is the user.

That is the danger you run if you are going to known questionable sites and/or trying to get something for nothing. My sympathy level is pretty low for this.

therube
join:2004-11-11
Randallstown, MD

1 edit

1 recommendation

therube

Member

I don't buy that argument at all.
When you click a link, any link, there is no way to know where you're going to end up or what is going to happen when you get there.

And so what, it is a warez site, big deal.
And so what, it is a porn site, big deal.
And so what, it is a security discussion site, big deal.
Why shouldn't you be able to access it - safely.

If you had JavaScript disabled (like Is turning off Javascript really necessary any more?, unheard of IMO), most likely nothing would have happened if you happened upon that site - by desire or not.

Now once there, if you allow JavaScript, you are apt to be less safe, but probably still so. Download something, a RAR with an .exe inside, or an .exe directly, & no telling, but at that point you are outside your browser's realm & need another set of protections.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Kilroy

MVM

said by therube:

I don't buy that argument at all.

Really? You don't think that your web browsing habits have anything to do with your machine becoming infected? That's like saying that having sex with prostitutes shouldn't result in an STD.
said by therube:

Why shouldn't you be able to access it - safely.

Because this is the web in 2012, NOT 1990. There is money to be made by infecting computers.

therube
join:2004-11-11
Randallstown, MD

1 edit

1 recommendation

therube

Member

I didn't say to leave your willy dangling around for all to grab on to.

But, if done safely, with precaution, there is no reason that you should not be able to visit any web site, without being concerned of infection.

What is to determine what a "safe" web site is?
What is to determine when a "safe" web site is safe, or is no longer safe?
Is dslreports safe? Is facebook safe?
I would venture to say the porn & warez sites I visit are far safer than facebook.

IOW, approach things as if no site is safe (none are) & then go from there.
brianiscool
join:2000-08-16
Tampa, FL

brianiscool

Member

I reported the site to the RIAA.
redwolfe_98
Premium Member
join:2001-06-11

1 edit

redwolfe_98

Premium Member

brianiscool, you said that you use "firefox".. you should use the "noscript" addon with "firefox", to make "firefox" more secure.. that will help to protect your computer from "driveby" malware..

you also could use the "adblock plus" addon, which also might help to make your computer more secure, though it is not the same as using the "noscript" addon..

you also could uninstall "java".. that also would help to make your computer more secure.. if you don't want to uninstall "java", you could disable it and then enable it, temporarily, when needed..

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 edit

Name Game to brianiscool

Premium Member

to brianiscool
said by brianiscool:

The infection was from Live Security Platinum

Did the thing claim to be a McAfee product? Or use another name.

»www.forbes.com/sites/joh ··· m-virus/
Name Game

1 edit

Name Game to therube

Premium Member

to therube
I know where therube is coming from on this one and I think he is right. If you have a vulnerable version of Java, Adobe Flash or a non-updated Windows version, you risk getting the Live Security Platinum rogue. In some cases this parasite can use trojans for infection too.
The malware is currently distributed using Blackhole exploit kits. "Blackhole is just a framework for malware distribution that allows the groups running it to keep metrics on their distribution and success rates. They ultimately determine what is also distributed via their installation of Blackhole. Since it is sold to those who want to purchase and utilize it there really is an infinite possibility of what kind of crapware could get pumped out by it. Some instances of the kit may be distributing crap like FakeAlerts and others might be pushing ZeuS/Citadel/GameOver/Spyeye or some other banking trojan and others could very well be pushing out far more severe infections like rootkits, bootkits and ransomware applications (depending on what kind of ransomware, some are piss poor others encrypt your entire document folder/desktop which is just plain evil)"

»blog.seculert.com/2012/0 ··· ing.html

It also depends what kind of privileges the logged on user has and the exploit it successfully runs when determining the severity (privilege escalation vs running at user level privileges) of the infection in most cases. The exploit running does not necessarily determine what kind of infection will be dropped but rather how much access it has to gain control of the system it is infecting.
Java is a favorite target..
»www.cvedetails.com/versi ··· &trc=431

Most of the Live Security Platinum infections I have seen hit the user when they first boot up a PC..the PC having been infected from a previous time on the internet or something they previously downloaded and is now active...but others have been infected right away.
Name Game

Name Game to therube

Premium Member

to therube
said by therube:

URL?
(But don't make it click-able).

Is it related to the current Java vulnerability?
Do you have Java installed? Which version?
Do you have Java enabled in FF?

What kind of infection did you get?

Here is the latest javascript unpacker from that site just submitted.
»jsunpack.jeek.org/?repor ··· 6a9d6f75
Name Game

Name Game to Kilroy

Premium Member

to Kilroy
said by Kilroy:

said by therube:

I don't buy that argument at all.

Really? You don't think that your web browsing habits have anything to do with your machine becoming infected? That's like saying that having sex with prostitutes shouldn't result in an STD.
said by therube:

Why shouldn't you be able to access it - safely.

Because this is the web in 2012, NOT 1990. There is money to be made by infecting computers.

In Mich it might mean money to be made with a bonus for good behaviour. Can't trust those Buckeyes.


»hosted.ap.org/dynamic/st ··· 10-32-58
brianiscool
join:2000-08-16
Tampa, FL

1 recommendation

brianiscool to Name Game

Member

to Name Game
It looks like an anti-virus program, but it isn't one.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb to brianiscool

Premium Member

to brianiscool
Picture #1
Picture #2
I'm the kind of person who will click on links to see what will happen. I do have backups, and can restore my system in about 5 hours without any problem. So, sometimes I'm up to take a risk.

With that being said, I think the OP is not telling the whole story here. Let me explain....

When I pasted his link, and modified it to be correct (replaced the xx with tt), I got what is shown in the first picture. Looks like a "normal" webpage. I did not click on anything, I just sat there looking at the page.

About 30 seconds later, the web page changed, and I was re-directed to what is shown in my second picture. The first time I did this, the "download now" box came up, and it asked me if I wanted to download something. I did not click on that. I just closed my browser, and tried it again.

The 2nd time, it did not happen. Apparently, some cookie was set. I cleared my cookies, and did the test again, and sure enough, same behavior, except that the 2nd time, I did not get the automatic prompt to download anything once I got re-directed.

So, here is what I think really happened with the OP.

OP is in a chat room, talking to people. Someone says to the OP "Hey..I want to send you this cool thing (game, song, etc). Here's the link to download it. "

OP then clicks the link, goes to the page, gets re-directed, and downloads whatever the pop-up tells him.

OP runs it, thinking that it is whatever the person in the chat room says it is. When, in reality, it's not.

Now, if I'm wrong, I'm wrong and I fully apologize. However, from what I can tell, nothing installs on its own, without the end user doing something first.

And, I will also report that I'm running Waterfox 15.0. I have no script blockers, ad-blockers, or anything running. I just have 3 plug-ins: Java, Flash, and Silverlight. So, if something nasty was going to happen, it would have happened to me.

I do have McAfee Virus Scanner Enterprise V 8.5.1 running, but I did not get any warnings from it.

--Brian

norwegian
Premium Member
join:2005-02-15
Outback

norwegian

Premium Member

I got all that too, except the window didn't get past the adf.ly top section in Opera.

But in IE9, the image shows the page loaded.
norwegian

1 edit

norwegian

Premium Member

This is the only code for adfly?

<img border="0" src="http://www.skidrow-scene.net/wp-content/themes/yoo_streamline_wp/images/BANNER.gif" >
</div></div></aside>
 
 
</div></div></div>
<!-- main end -->
 
 
 
<footer id="footer" class="grid-block">
 
<a id="totop-scroller" href="#page"></a>
 
<div class="module   deepest">
 
<script>
var adfly_id = 1345444;
var adfly_advert = 'int';
var frequency_cap = 5;
var frequency_delay = 5;
var init_delay = 3;
</script>
<script src="http://adf.ly/js/entry.js"></script> 
</div>Powered by <a href="http://www.yootheme.com">Warp Theme Framework</a>
</footer>
 
</div>
 
 
</div>
 
</body>
</html>
 

document.write('<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>');     
document.write('<script type="text/javascript"> jQuery.noConflict() </script>');
document.write('<script type="text/javascript" src="http://cdn.adf.ly/js/jquery.cookie.js"></script>');     
document.write('<script type="text/javascript" src="http://cdn.adf.ly/js/entry_scriptV1.1.js"></script>');  
 

Denied from databases:
Internet Explorer
?k=8x9sajbttz3h&t=Skidrow%20Scene%20-%20Full%20Version%20Pc%20Games%20%2B%20Xbox%20360%20Free%20Download%20-%20NETLOAD%20-%20UPLOA&c=s&y=&a=0&r=681944
Denied: http://whos.amung.us/pingjs/?k=8x9sajbttz3h&t=Skidrow%20Scene%20-%20Full%20Version%20Pc%20Games%20%2B%20Xbox%20360%20Free%20Download%20-%20NETLOAD%20-%20UPLOA&c=s&y=&a=0&r=681944
2/09/2012 3:45:08 PM
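As an added example (not code from the thread, the site, or adf.ly), a Python triage script for a saved copy of a page like the one pasted above: it lists every script URL, pulls out the inline `var` settings, and flags script hosts that are not the site's own. The HTML sample is constructed from the posted snippet, the first-party host is an assumption passed in by the caller, and the document.write() loader is placed inline only for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the page source pasted in the thread; the
# document.write() loader is placed inline here only for the demonstration.
SAMPLE_HTML = """<html><body><footer id="footer" class="grid-block"><script>
var adfly_id = 1345444;
var adfly_advert = 'int';
var frequency_cap = 5;
var frequency_delay = 5;
var init_delay = 3;
</script>
<script src="http://adf.ly/js/entry.js"></script>
<script>
document.write('<script type="text/javascript" src="http://cdn.adf.ly/js/entry_scriptV1.1.js"><\\/script>');
</script>
</footer></body></html>"""
DOC_WRITE_SRC = re.compile(r"""document\.write\(.*?src=\\?["']([^"'\\]+)""")
VAR_ASSIGN = re.compile(r"var\s+(\w+)\s*=\s*([^;]+);")

class ScriptCollector(HTMLParser):
    # Records <script src=...> URLs and the body of every inline <script>.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.srcs += [v for k, v in attrs if k == "src" and v]
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self.inline.append("".join(self._buf))
            self._buf, self._in_script = [], False

def triage(html, first_party_host):
    # Script URLs, hosts that are not the site's own, and inline 'var' settings
    # (the adf.ly values are reported as found, not interpreted).
    parser = ScriptCollector()
    parser.feed(html)
    srcs, config = list(parser.srcs), {}
    for block in parser.inline:
        srcs += DOC_WRITE_SRC.findall(block)  # loaders injected via document.write
        for name, value in VAR_ASSIGN.findall(block):
            config[name] = value.strip().strip("'\"")
    own = lambda h: h == first_party_host or h.endswith("." + first_party_host)
    hosts = {urlparse(s).hostname for s in srcs} - {None}
    return {"script_srcs": srcs, "inline_config": config,
            "third_party_hosts": sorted(h for h in hosts if not own(h))}
```

Run `triage(SAMPLE_HTML, "skidrow-scene.net")` to see the two adf.ly hosts flagged and the init_delay / frequency_cap settings that plencnerb's delayed, cookie-gated redirect above corresponds to.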
 
King Grub
join:2011-01-26

King Grub to caffeinator

Member

to caffeinator
said by caffeinator:

Skidrow is a well known "scene" group, no idea if this guy is actually affiliated with them or if it's just a ripoff site.

It is a ripoff site. Skidrow does not have a website. That would be very foolish of them in fact.


Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 recommendation

Name Game to norwegian

Premium Member

to norwegian
Posted this already..here is all the code for the site

»jsunpack.jeek.org/?repor ··· 6a9d6f75

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube to King Grub

Member

to King Grub
> "scene" group

The Warez scene, mostly referred to as The Scene is an underground community of people that specialize in the distribution of copyrighted material, including television shows and series, movies, music, music videos, games (all platforms), applications (all platforms), ebooks, and pornography.

Oh, OK, then anything other than Disney.