|
0 day exploit from website
I found a website which infected my machine through Firefox without clicking on anything. I believe they are using a 0 day exploit. How do I go about reporting a website with malicious code? |
|
therube join:2004-11-11 Randallstown, MD |
therube
Member
2012-Aug-30 12:41 pm
URL? (But don't make it click-able). Is it related to the current Java vulnerability? Do you have Java installed? Which version? Do you have Java enabled in FF? What kind of infection did you get? |
|
caffeinator (Coming soon to a cup near you..) Premium Member join:2005-01-16 00000
1 recommendation |
to brianiscool
Also, what plugins do ya use, and are they and FF up to date?
I'd bet that if you had NoScript/ABP it wouldn't have happened. |
|
|
to brianiscool
brianiscool, for one thing, you could post the URL for the website here, but make it unclickable by replacing "http://", in the URL, with "hXXp://".. for example:
hXXp://www.blackholeexploitkit.info |
|
|
hxxp://www.skidrow-scene.net/ You don't have to click on anything; it just installs. I was using Firefox and had Avast running; it didn't detect anything. I had everything updated to the latest at the time. Java, Flash, Firefox all updated. I don't know how it got on my system. I had to format; it took over my access rights, and I did 16 hours of virus scanning. None of the applications were able to find it. I ran about 15 different rootkit finders, anti-virus and anti-malware applications. Also, it damaged my TCP/IP stack and I could not get back on the internet. |
|
brianiscool |
A person on IRC posted the link and I clicked it. What a mistake that was. |
|
KoRnGtL15 Premium Member join:2007-01-04 Grants Pass, OR |
to brianiscool
I won't be clicking the link. But it's very possible if you are running the latest Java. You got hit with the latest zero-day exploit from that. |
|
1 edit |
to brianiscool
brianiscool, there is no telling what happened.. you said you spent 16 hours scanning your computer, including scans for rootkits, and no malware was found..
Google's "safe browsing" reports that they have not detected any malware at the URL that you posted..
it would be hard to report anything when no malware has been detected..
all we know is that you thought that there was a problem with your computer and, so, you reformatted.. it could have been something other than malware that caused the problems with your computer.. |
|
|
The infection was from Live Security Platinum |
|
therube join:2004-11-11 Randallstown, MD 3 edits |
to brianiscool
Wonder if it might not have stemmed from some sort of WordPress exploit? According to the source it is using v1.2.5 of WordPress SEO Plugin, where the latest version is 1.2.8.1? (WordPress itself looks current, 3.4.1.)
Removal instructions for Live Security Platinum
There is code in there to check for Java: navigator.javaEnabled()==1?EXjv="y":EXjv="n";
Looks like that part deals with HIT COUNTER CODE? |
|
|
caffeinator (Coming soon to a cup near you..) Premium Member join:2005-01-16 00000 2 edits |
to brianiscool
Well, it's a warez site, so pretty good chance they'd have aggressive ads including some that might not be so nice. Skidrow is a well known "scene" group, no idea if this guy is actually affiliated with them or if it's just a ripoff site. (I didn't go to the site.) This link has the admin discussing his layout. Looks like some popups and fake download links that would be the installers. Normal fare to look out for, I'm afraid. They'll have a huge "DOWNLOAD NOW!!" link that's fake, then smaller ones for the real stuff...just banking on human nature. Why I'd asked about NoScript/ABP...but of course if you allowed the site, well... |
|
19579823 (banned) (An Awesome Dude) join:2003-08-04 |
to redwolfe_98
And I just scanned the link with ONLINELINKSCAN and it comes up ok also » onlinelinkscan.com |
|
|
Re: 0 day exploit from website
This whole site should be taken down having all of this malicious code. Who do you usually contact for a website that exploits your system? |
|
Kilroy MVM join:2002-11-21 Saint Paul, MN
1 recommendation |
to caffeinator
Just so I'm getting this straight. brianiscool clicked on a link from IRC that went to a warez site, got infected, and is complaining? Further proof that the weakest link in security is the user. That is the danger you run if you are going to known questionable sites and/or trying to get something for nothing. My sympathy level is pretty low for this. |
|
therube join:2004-11-11 Randallstown, MD 1 edit
1 recommendation |
therube
Member
2012-Aug-31 11:33 am
I don't buy that argument at all. When you click a link, any link, there is no way to know where you're going to end up or what is going to happen when you get there. And so what, it is a warez site, big deal. And so what, it is a porn site, big deal. And so what, it is a security discussion site, big deal. Why shouldn't you be able to access it - safely. If you had JavaScript disabled (like "Is turning off Javascript really necessary any more?", unheard of IMO), most likely nothing would have happened if you happened upon that site - by desire or not. Now once there, you allow JavaScript, you are apt to be less safe, but probably still so. Download something, a RAR with an .exe inside, or an .exe directly & no telling, but at that point you are outside your browser's realm & need another set of protections. |
|
Kilroy MVM join:2002-11-21 Saint Paul, MN |
Kilroy
MVM
2012-Aug-31 12:41 pm
said by therube: I don't buy that argument at all.
Really? You don't think that your web browsing habits have anything to do with your machine becoming infected? That's like saying that having sex with prostitutes shouldn't result in an STD.
said by therube: Why shouldn't you be able to access it - safely.
Because this is the web in 2012, NOT 1990. There is money to be made by infecting computers. |
|
therube join:2004-11-11 Randallstown, MD 1 edit
1 recommendation |
I didn't say to leave your willy dangling around for all to grab on to. But, if done safely, with precaution, there is no reason that you should not be able to visit any web site without being concerned of infection. What is to determine what a "safe" web site is? What is to determine when a "safe" web site is safe, or is no longer safe? Is dslreports safe? Is facebook safe? I would venture to say the porn & warez sites I visit are far safer than facebook. IOW, approach things as if no site is safe (none are) & then go from there. |
|
|
I reported the site to the RIAA. |
|
1 edit |
brianiscool, you said that you use "firefox".. you should use the "noscript" addon with "firefox", to make "firefox" more secure.. that will help to protect your computer from "driveby" malware..
you also could use the "adblock plus" addon, which also might help to make your computer more secure, though it is not the same as using the "noscript" addon..
you also could uninstall "java".. that also would help to make your computer more secure.. if you don't want to uninstall "java", you could disable it and then enable it, temporarily, when needed.. |
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI 1 edit |
to brianiscool
said by brianiscool: The infection was from Live Security Platinum
Did the thing claim to be a McAfee product, or use another name? » www.forbes.com/sites/joh ··· m-virus/ |
|
Name Game 1 edit |
to therube
I know where therube is coming from on this one and I think he is right.. If you have a vulnerable version of Java, Adobe Flash or a non-updated Windows version, you risk getting the Live Security Platinum rogue. In some cases this parasite can use trojans for infection too. The malware is currently distributed using Blackhole exploit kits.
"Blackhole is just a framework for malware distribution that allows the groups running it to keep metrics on their distribution and success rates. They ultimately determine what is also distributed via their installation of Blackhole. Since it is sold to those who want to purchase and utilize it there really is an infinite possibility of what kind of crapware could get pumped out by it. Some instances of the kit may be distributing crap like FakeAlerts and others might be pushing ZeuS/Citadel/GameOver/Spyeye or some other banking trojan and others could very well be pushing out far more severe infections like rootkits, bootkits and ransomware applications (depending on what kind of ransomware, some are piss poor others encrypt your entire document folder/desktop which is just plain evil)" » blog.seculert.com/2012/0 ··· ing.html
It also depends what kind of privileges the logged on user has and the exploit it successfully runs when determining the severity (privilege escalation vs running at user level privileges) of the infection in most cases. The exploit running does not necessarily determine what kind of infection will be dropped but rather how much access it has to gain control of the system it is infecting. Java is a favorite target.. » www.cvedetails.com/versi ··· &trc=431
Most of the Live Security Platinum infections I have seen hit the user when they first boot up a PC..the PC having been infected from a previous time on the internet or something they previously downloaded that is now active...but others have been infected right away. |
|
Name Game |
to therube
said by therube: URL? (But don't make it click-able).
Is it related to the current Java vulnerability? Do you have Java installed? Which version? Do you have Java enabled in FF?
What kind of infection did you get?
Here is the latest javascript unpacker from that site just submitted. » jsunpack.jeek.org/?repor ··· 6a9d6f75 |
|
Name Game |
to Kilroy
said by Kilroy:
said by therube: I don't buy that argument at all.
Really? You don't think that your web browsing habits have anything to do with your machine becoming infected? That's like saying that having sex with prostitutes shouldn't result in an STD.
said by therube: Why shouldn't you be able to access it - safely.
Because this is the web in 2012, NOT 1990. There is money to be made by infecting computers.
In Mich it might mean money to be made with a bonus for good behaviour. Can't trust those Buckeyes. » hosted.ap.org/dynamic/st ··· 10-32-58 |
|
1 recommendation |
to Name Game
It looks like an anti-virus program, but it isn't one. |
|
plencnerb Premium Member join:2000-09-25 53403-1242 |
to brianiscool
Picture #1 | Picture #2 |
I'm the kind of person who will click on links to see what will happen. I do have backups, and can restore my system in about 5 hours without any problem. So, sometimes I'm up to take a risk. With that being said, I think the OP is not telling the whole story here. Let me explain....
When I pasted his link, and modified it to be correct (replaced the xx with tt), I got what is shown in the first picture. Looks like a "normal" webpage. I did not click on anything, I just sat there looking at the page. About 30 seconds later, the web page changed, and I was re-directed to what is shown in my second picture. The first time I did this, the "download now" box came up, and it asked me if I wanted to download something. I did not click on that. I just closed my browser, and tried it again. The 2nd time, it did not happen. Apparently, some cookie was set. I cleared my cookies, and did the test again, and sure enough, same behavior, except that the 2nd time, I did not get the automatic prompt to download anything once I got re-directed.
So, here is what I think really happened with the OP. OP is in a chat room, talking to people. Someone says to the OP "Hey..I want to send you this cool thing (game, song, etc). Here's the link to download it." OP then clicks the link, goes to the page, gets re-directed, and downloads whatever the pop-up tells him. OP runs it, thinking that it is whatever the person in the chat room says it is. When, in reality, it's not.
Now, if I'm wrong, I'm wrong and I fully apologize. However, from what I can tell, nothing installs on its own, without the end user doing something first. And, I will also report that I'm running Waterfox 15.0. I have no script blockers, ad-blockers, or anything running. I just have 3 plug-ins: Java, Flash, and Silverlight. So, if something nasty was going to happen, it would have happened to me. I do have McAfee Virus Scanner Enterprise V 8.5.1 running, but I did not get any warnings from it. --Brian |
|
norwegian Premium Member join:2005-02-15 Outback |
I got all that too, except the window didn't get past the adf.ly top section in Opera. But in IE9, the image shows the page loaded. |
|
norwegian 1 edit |
This is the only code for adfly?
<img border="0" src="http://www.skidrow-scene.net/wp-content/themes/yoo_streamline_wp/images/BANNER.gif" >
</div></div></aside>
</div></div></div>
<!-- main end -->
<footer id="footer" class="grid-block">
<a id="totop-scroller" href="#page"></a>
<div class="module deepest">
<script>
var adfly_id = 1345444;
var adfly_advert = 'int';
var frequency_cap = 5;
var frequency_delay = 5;
var init_delay = 3;
</script>
<script src="http://adf.ly/js/entry.js"></script>
</div>Powered by <a href="http://www.yootheme.com">Warp Theme Framework</a>
</footer>
</div>
</div>
</body>
</html>
document.write('<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>');
document.write('<script type="text/javascript"> jQuery.noConflict() </script>');
document.write('<script type="text/javascript" src="http://cdn.adf.ly/js/jquery.cookie.js"></script>');
document.write('<script type="text/javascript" src="http://cdn.adf.ly/js/entry_scriptV1.1.js"></script>');
Denied from databases:
Internet Explorer?k=8x9sajbttz3h&t=Skidrow%20Scene%20-%20Full%20Version%20Pc%20Games%20%2B%20Xbox%20360%20Free%20Download%20-%20NETLOAD%20-%20UPLOA&c=s&y=&a=0&r=681944Denied: http://whos.amung.us/pingjs/?k=8x9sajbttz3h&t=Skidrow%20Scene%20-%20Full%20Version%20Pc%20Games%20%2B%20Xbox%20360%20Free%20Download%20-%20NETLOAD%20-%20UPLOA&c=s&y=&a=0&r=6819442/09/2012 3:45:08 PM
|
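The pasted markup above is exactly what an analyst wants to pull apart before deciding whether a page is worth reporting: which third-party hosts get to run script, what the adf.ly interstitial config says (init_delay, frequency_cap), whether script is injected at runtime via document.write, and whether the hit-counter code probes for Java. This is an added Python example, not code from the thread or from any site; SAMPLE_HTML is a constructed page assembled from the snippets quoted in this thread, and triage() and ScriptCollector are hypothetical names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, assembled from the snippets quoted in this thread.
SAMPLE_HTML = """<html><body><div class="module deepest">
<script>navigator.javaEnabled()==1?EXjv="y":EXjv="n";</script>
<script>var adfly_id = 1345444; var adfly_advert = 'int';
var frequency_cap = 5; var frequency_delay = 5; var init_delay = 3;</script>
<script src="http://adf.ly/js/entry.js"></script>
<script>document.write('<script type="text/javascript" src="http://cdn.adf.ly/js/entry_scriptV1.1.js"><\\/script>');</script>
</div></body></html>"""

class ScriptCollector(HTMLParser):
    # Collects <script src> URLs and the bodies of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
                self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # a script body may be delivered in several chunks
            self.inline[-1] += data

def triage(html, page_host):
    """Static triage of a saved page: script hosts, runtime-injected script
    URLs, Java probing, and the adf.ly interstitial settings."""
    p = ScriptCollector()
    p.feed(html)
    body = "\n".join(p.inline)
    # <script> tags written by document.write never reach the tag parser,
    # so recover their src URLs from the inline script text instead.
    injected = re.findall(r"""document\.write\(\s*['"]<script[^>]*?src=["']([^"']+)""", body)
    hosts = {urlparse(u).hostname for u in p.srcs + injected}
    return {
        "third_party_hosts": sorted(h for h in hosts if h and h != page_host),
        "injected_script_urls": injected,
        "java_probe": "navigator.javaEnabled" in body,
        "config": dict(re.findall(r"var\s+(adfly_\w+|frequency_\w+|init_delay)\s*=\s*'?(\w+)'?;", body)),
    }
```

Run against a saved copy of a page, the "third_party_hosts" list is the short list of domains whose script actually executed, which is what a report to the hosting provider or to a blocklist needs rather than a screenshot.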
|
|
to caffeinator
said by caffeinator: Skidrow is a well known "scene" group, no idea if this guy is actually affiliated with them or if it's just a ripoff site.
It is a ripoff site. Skidrow does not have a website. That would be very foolish of them in fact. |
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
1 recommendation |
to norwegian
Posted this already..here is all the code for the site » jsunpack.jeek.org/?repor ··· 6a9d6f75 |
|
therube join:2004-11-11 Randallstown, MD
1 recommendation |
to King Grub
> "scene" group
The Warez scene, mostly referred to as The Scene, is an underground community of people that specialize in the distribution of copyrighted material, including television shows and series, movies, music, music videos, games (all platforms), applications (all platforms), ebooks, and pornography.
Oh, OK, then anything other than Disney. |
|