foxnews.com infected?
MGD @ 19th Apr 11:33PM:
Re: foxnews.com infected?

I can confirm what other recent posters have experienced today. I now categorize foxnews.com as infested. Remember that a user need only visit a page at foxnews.com to trigger the malware popup. It is not the result of clicking on any ad.

While on this page at 16:57 EST »www.foxnews.com/story/0,2933,517084,00.html the following was generated:

quote:
19.04.2009 16:57:21 Network Shield: blocked access to malicious site 78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 3388 ) ]



Allowing the process to proceed generated this:

[att=1]

Then the page hijacking scan:

[att=2]

A download process of vsm_free_setup.exe also began from toppromooffer.com

[att=3]

While there are many who classify these fake AV programs as "Scareware", I disagree. The first phase of the process involves charging a victim's card ~ $70, followed by numerous other charges in the following days and weeks. I have yet to see an infected system that did not have subsequent installs of key loggers and back door trojans that turned it into a bot and enabled remote access. That observation is supported by the repeated analysis of these payload installs.

The downloaded file vsm_free_setup.exe was already in VirusTotal's database from a recent submit, and a fresh analysis of this file generated: »www.virustotal.com/analisis/26be···95f80e26 However, if you review the related ThreatExpert analysis: »www.threatexpert.com/report.aspx···47a88f8f

Take note of the following excerpts:

------------------------------
Analysis of the file resources indicate the following possible countries of origin:

Russian Federation

Ukraine
------------------------------

Possible Security Risk

Attention! The following threat categories were identified:

• A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)

• A program that downloads files to the local computer that may represent a security risk
------------------------------

It is indeed disingenuous to only classify these as "Scareware", as that undermines the severity of the crime.

The download location also hosts a benign page for the malware:

Snapped 2009-04-19 23:32:14

»toppromooffer.com/vsm/index.html


Many of the same locations as were listed in the earlier post are showing up once again. AS24940 HETZNER is a repeated cesspool for this genre of virus infections:

[att=4]

Added excerpt for emphasis:

quote:
Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 85 site(s), including, for example, toppromooffer.com/, bestantimalwarelivescanner.com/, bonuspromooffer.com/, that infected 5596 other site(s), including, for example, portalby.net/, noreastcycling.com/, asiaspa.ie/.



Yes, that is: We found 85 site(s), including, for example, toppromooffer.com that infected 5,596 other site(s)

Some more observations to follow.

MGD

Edit= Added text
mysec @ 20th Apr 03:05AM:
Re: foxnews.com infected?

Thanks for the information!

The Fox News link you gave must be fixed - it didn't redirect anywhere; I used your malware links manually.

I get different results, depending on the browser.

said by MGD :

A download process of vsm_free_setup.exe also began from toppromooffer.com

Using Opera, all that happens is the display of a Prompt to Download, which maybe is what you meant:

[att=1]

The victim still has to initiate the download.

BTW - the exploit requires JavaScript to be enabled:


Without these files, nothing happens. To test, I disabled JavaScript in Opera and got a blank page.

Using IE6 with 78.47.132.... that you gave, the browser locked up and then an alert to a remote code execution exploit:

[att=2]

The Page Code has this (excerpt):


With some help from Wepawet:


The 3rd exploit (aka MS06-014) is the one I was served up. The clue is:


Special Folder 2 is code for the Temp folder and in the alert you can see that this file was not found because aff_12 was blocked from downloading and renaming to w32NOFJCyliz5mm5R.exe

According to the analysis, all exploits downloaded the same payload.

VirusTotal Result: 2/40
»www.virustotal.com/analisis/178d···a2f50448

It is rather common today that a malware site determines the browser and serves up exploits accordingly. All of these are IE6 exploits which would have no effect on other browsers.

This is the 3rd exploit I've seen recently where the exact same thing happens: IE6 gets served a batch of exploits looking for an unpatched vulnerability, Opera gets something else.

This shows a level of sophistication and efficiency on the part of the malware community these days.

I recently downloaded Firefox to test sites. This is what occurred with Javascript enabled in Options:

[att=3]

Even clicking "Ignore" would not load the page. It took me awhile to find the security setting.

Trying again, I'm served up a PDF exploit. From the code analysis:


[att=4]

But it requires the Adobe Acrobat Javascript plugin which I've removed:

[att=5]

Different browser, different exploit. And that might change at any time!

And so it goes...

Edit: added code excerpt


----
rich
Cometcom1 @ 20th Apr 07:57AM:
Re: foxnews.com infected?

Just to confirm. Still being targeted here as well. Fake antivirus type redirection.

As I expected, there's likely a reinfection timer that checks when an IP was last infected to avoid reinfection over at least 24 hours. - My tests seem to indicate that this is not done with cookies.
Sentinel @ 20th Apr 08:16AM:
Re: foxnews.com infected?

I still have no problems on FoxNews.com. I am using Firefox with NoScript and FlashBlock and I use a hosts file to block ads as well.
Cometcom1 @ 20th Apr 09:41AM:
Re: foxnews.com infected?

Nothing against foxnews - it's their advertising that is acting up and spreading the malware. Likely without them even realizing this is going on.

I've now established contact with foxnews and they are looking into this very seriously.

Cometcom1
anon @ 20th Apr 09:48AM:
Re: foxnews.com infected?

I left my Home Laptop on over night on Foxnews.com (Nothing Else open) and my Laptop Antivirus (Symantec) Picked Up Bloodhound.Exploit. Also, a user in my office was slammed with 3 different malware issues (She claimed came from Foxnews) and after I cleaned them all I installed the latest Symantec EndPoint Protection and went back to Foxnews.com and sure enough it picked up 3 different malware trojans. It stopped all three and I then removed any IE7 Add-Ons and went back to the site and nothing happened. There is something about that site.
fatness @ 20th Apr 09:53AM:
Re: foxnews.com infected?

Maybe this will provide more of a push for Fox News to deal with this problem: »FoxNews.com Serving Up Infected Ads?
--
goodbye dad

anon @ 20th Apr 10:01AM:
Re: foxnews.com infected?

I unfortunately had to ask my entire company to stop visiting FOXNEWS. We will probably end up blacklisting it today via OpenDNS. FOXNEWS better make this a huge priority as I'm certain we are not the first, nor will be the last company to do so. Vundo, Bloodhound, etc all have been blocked by Symantec AV, however others have crept in and Malwarebytes' AM was used in safemode as well as Symantec AV to scrub the little PITAs out.

Infection seems to occur via FF and IE7. I'm not in the mood to install adblockers or noscript company wide.
evergreek @ 20th Apr 10:05AM:
Re: foxnews.com infected?

I received the same pop up yesterday! Scanned my pc, everything seems ok.
Bobby_Peru @ 20th Apr 10:25AM:
Re: foxnews.com infected?

said by JsMOM :

Infection seems to occur via FF and IE7. I'm not in the mood to install adblockers or noscript company wide.
Once upon a time, pre Adblock (in its actual block calling and downloading iteration), WebWasher had an application for central deployment that you might want to check out. Just a thought.
anon @ 20th Apr 10:34AM:
Re: foxnews.com infected?

So how does this infection work and is it really such a big deal? How does it actually infect your system?

Doesn't it just exploit some vulnerabilities in the usual suspects (IE, Adobe Reader, Flash, Java etc) or try to cheat the user to first click yes to the download prompt and then execute their scamware executable? If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all? Or is this a problem just for that mass of people who run with unpatched IE under admin account...

Thanks.
katarina @ 20th Apr 10:45AM:
Re: foxnews.com infected?

said by HowDoesItWork :

If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all?
Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.

Not everyone knows to use Task Manager or other methods to get out of its grasp.
moonpuppy @ 20th Apr 10:55AM:
Re: foxnews.com infected?

said by HowDoesItWork :

So how does this infection work and is it really such a big deal? How does it actually infect your system?

Doesn't it just exploit some vulnerabilities in the usual suspects (IE, Adobe Reader, Flash, Java etc) or try to cheat the user to first click yes to the download prompt and then execute their scamware executable? If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all? Or is this a problem just for that mass of people who run with unpatched IE under admin account...

Thanks.
I thought my system was fully patched.

I will say that I did NOT initiate any download and I NEVER click on pop-ups or any ads. In fact, IF I see something I like, I will manually copy the link and Google it first.
anon @ 20th Apr 11:09AM:
Re: foxnews.com infected?

quote:
Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.

Not everyone knows to use Task Manager or other methods to get out of its grasp.


Shouldn't the browser still display a download dialog prompt, even if the popup is set to download anyway when you click on anything, including the no thanks button? Seems to me that it should, unless there's a serious flaw in the browser that makes it possible to download stuff without the user accepting the download. I mean, even if you click yes on the crapware popup, shouldn't there still be a download prompt from the browser, unless the browser is just insecure by design? Like this:

- you get served with the infected ad and popup
- you realize what's up and click on the X mark to close the popup
- the popup still tries to push the download on you
- your browser should alert you now that someone wants you to download something, and ask if you want to download the file, download and run it, or to just cancel the whole download

If it does work that way, then it's no threat to those who practice basic safe surfing. But I just don't know how this one works.

To moonpuppy, are you saying that you got infected by doing just browsing the site, not accepting any downloads, with a fully patched browser and fully patched plugins (flash, java, the usual)? If so, how does this thing do that? I'm confused.
anon @ 20th Apr 11:21AM:
Re: foxnews.com infected?

This is an FYI to all. After I cleaned my user's PC and upgraded to the newest version of Symantec End Point Protection, the only thing I did was open IE7, type www.foxnews.com, hit enter and immediately Symantec caught 3 different malware files coming from the site. I didn't even have a chance to click. I am setting up another PC to test with to see if it was a combination of add-ons and IE7 or just IE7.
Cometcom1 @ 20th Apr 11:31AM:
Re: foxnews.com infected?

The actual infection is pretty nicely covered with the existing comments here, but how does this malware actually hide?

The advertising is loaded from the advertising servers, i.e. it might be hosted there or it might be external content that is injected in an iframe.

There are two ways that the fake av is initiated after this initial advertising loading.

Javascript redirect - done by hacking the server containing the ad and adding or modifying existing script files.

.htaccess redirect - done by hacking the server containing the ad and forcing a redirect based on the referrer. i.e. The ad can be displayed on multiple sites, but only if it is embedded in particular sites, will it trigger a redirect. - This is most often seen on search engine redirects.
amungus @ 20th Apr 11:46AM:
Re: foxnews.com infected?

I am also interested in how it "hides" as well...

Last infection I got on one of my machines (first one in years), was likely due to an iframe. That, or the unlikely chance that an infected gmail "news ticker" (whatever its called above the inbox - which I've disabled since then...) did it.

iframes have also been forbidden in noscript ever since that.

Agree with a post earlier - this is why I have zero qualms about using adblockplus, and especially noscript. Two of the best plugins IMHO.

Was shocked, however, to still get an infection with these two plugins......
iFrames have only been "forbidden" on the one machine I saw the infection on. On others, I've left noscript at its default settings for the most part.
MGD @ 20th Apr 11:58AM:
Re: foxnews.com infected?

said by HowDoesItWork :

... Shouldn't the browser still display a download dialog prompt, even if the popup is set to download anyway when you click on anything, including the no thanks button? Seems to me that it should, unless there's a serious flaw in the browser that makes it possible to download stuff without the user accepting the download. ...
Yes, for clarification: if you decline the scan, it will do the fake scan anyway and impose a full screen in your browser. If you then choose "cancel" for the recommended install, it will proceed with the download. The warning that the user will get is from their system alerting them to the dangers of allowing an .exe file to run. They should be able to use their system at that point to block the install. However, prior to that point, "cancel" and "no" mean "Yes".

Be aware that, as mysec points out, the initial popup redirect will also avail of the opportunity to look for several available exploits in the user's system configuration.

The IP 78.47.132.222 also contains a frame that sources from: >http://redirectclicks.com/?accs=845&tid=338


redirectclicks.com is associated with multiple malware:
»www.google.com/search?hl=en&q=%2···o.com%22

Redirectclicks.com is hosted once again on Hetzner Online AG (AS24940) at IP 88.198.69.115 [static.88-198-69-115.clients.your-server.de] alongside Traffic-go.com »www.google.com/search?hl=en&q=%2···G=Search

Both of those criminal domains have infected thousands of sites. While the current focus is on the exploitation of foxnews.com, this is a global problem that infects users everywhere:

[att=1][att=2]

Fox needs to quickly identify the responsible advertiser/s and remove and suspend them. You can find victim reports of infection attacks from Fox going back well over a month.

Incidentally, while wading through the cesspools of cyberspace following the trail of toppromooffer.com I bumped into our friend "Cactus" from Moscow. Small world!!

MGD
moonpuppy @ 20th Apr 12:33PM:
Re: foxnews.com infected?

said by HowDoesItWork :


To moonpuppy, are you saying that you got infected by doing just browsing the site, not accepting any downloads, with a fully patched browser and fully patched plugins (flash, java, the usual)? If so, how does this thing do that? I'm confused.
Fully patched OS, IE, Java, FLASH, etc. I saw multiple popups and I did not click no but the "X" of the window. When I realized what was happening, I immediately shut the laptop down HARD. I pressed the power button until it shut off completely and restarted the system with the wi-fi off. When I saw no activity, I turned the wi-fi back on and immediately headed here to do some cleaning and that's when I found the issues I mentioned earlier. I then posted here about it.
anon @ 20th Apr 12:42PM:
Re: foxnews.com infected?

I'm curious. Not interested in knocking MS, but is this limited to windows? Any reports from mac or linux users? Thnx.
Dude111 @ 20th Apr 01:08PM:
Re: foxnews.com infected?

Well if FOX knows about this and does nothing, they really do suck!!
anon @ 20th Apr 01:41PM:
Re: foxnews.com infected?

quote:
Yes, for clarification, If you decline the scan, it will do the fake scan anyway and impose a full screen in your browser. If you then choose "cancel" for the recommended install, it will proceed with the download. The warning that the user will get is from their system alerting them to the dangers of allowing an .exe file to run. They should be able to use their system at that point to block the install. However, prior to that point, "cancel" and "no" means "Yes".


Now I feel a little stupid, but I still don't understand how it works. It's business as usual that the popup has a bogus cancel button and the X close window button, and it tries to make you download their crapware anyway. But unless the browser does something completely wrong, there should eventually be a download prompt and you should then be able to cancel the whole thing, so it can't infect your system. If this isn't the case with this particular crapware, I would sure like to know how it accomplishes this feat, technically. There are exploits, but unless it uses an unknown, unpatched zero day vulnerability, that shouldn't work against a fully patched browser and plugins...

quote:
Fully patched OS, IE, Java, FLASH, etc. I saw multiple popups and I did not click no but the "X" of the window. When I realized what was happening, I immediately shut the laptop down HARD. I pressed the power button until it shut off completely and restarted the system with the wi-fi off. When I saw no activity, I turned the wi-fi back on and immediately headed here to do some cleaning and that's when I found the issues I mentioned earlier. I then posted here about it.


So it could infect you without requiring any form of consent from the user? Now that is weird. For IE, I wouldn't be surprised, but if Firefox or Opera would do the same, that would be strange. I'm further confused because mysec on the previous page posted that with Opera, it does pop up a download prompt, and if you cancel the download, it can't infect you.

So, is there something in Opera that prevents this thing from insta-infection without any user consent that doesn't exist in IE or even Firefox? Hate to ask that many questions, but I don't understand the technique that this thing could possibly use to infect you instantly without you accepting a download, and then executing that download... aside from unpatched vulnerabilities. I wonder if the people infected by this were running as admin...
Carnivore @ 20th Apr 02:11PM:
Re: foxnews.com infected?

I got this popup last night when I visited foxnews.com with IE8, and the fake virus scan began in a new window.

I forced the browser closed as quickly as I could with task manager, and ran a real scan with AVG 8.5 which appeared to be clean.

Does anyone know if AVG effectively detects this infection, and/or what other steps should be taken to ensure this thing didn't get its tentacles into my system?
moonpuppy @ 20th Apr 02:19PM:
Re: foxnews.com infected?

said by HowDoesItWork :


So it could infect you without requiring any form of consent from the user? Now that is weird. For IE, I wouldn't be surprised, but if Firefox or Opera would do the same, that would be strange. I'm further confused because mysec on the previous page posted that with Opera, it does pop up a download prompt, and if you cancel the download, it can't infect you.
Part of the infection can be done with PDF documents. Adobe even put out a warning that they wouldn't have a fix for a month.
mysec @ 20th Apr 02:20PM:
Re: foxnews.com infected?

The fake antivirus exploit prompts for a download in IE, Opera, and Firefox because the download is an executable file for which these browsers prompt by default. I showed Opera in a previous post. Here are IE and Firefox:

[att=1]

[att=2]

The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

[att=3]

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"

Opera:

[att=4]

Firefox:

[att=5]

----
rich
Airborne29th @ 20th Apr 02:27PM:
Re: foxnews.com infected?

Has this been cleaned? I've gone all through foxnews on our test computer to see if our antivirus will catch it, and nothing is coming up.. Either that or it's silently being stopped; tried with adblock plus and without, IE and Firefox.
anon @ 20th Apr 02:44PM:
Re: foxnews.com infected?

Does this malware require java ? No Java = no infection?
bobince @ 20th Apr 03:12PM:
Re: foxnews.com infected?

quote:
Be sure and configure your file types to Prompt for Download, or "Always Ask"


You can also disable the plugin for all browsers from Reader's “Edit->Preferences->Internet->Display PDF in browser” option, or use a different PDF reader that doesn't install a plugin. (Who wants to read a PDF stuck inside a browser window anyway?)

As always, if you aren't using a plugin, remove it, and you'll reduce the attack surface of your browser and the number of things you have to worry about keeping updated. Do you really need PDF, Java, QuickTime and Real plugins? Probably not.
anon @ 20th Apr 03:29PM:
Re: foxnews.com infected?

quote:
The fake antivirus exploit prompts for a download in IE, Opera, and Firefox because the download is an executable file for which these browsers prompt by default. I showed Opera in a previous post.


Ok, so there is a download prompt and you get a chance to cancel the whole thing, in those cases where it attempts to make you download an exe file instead of serving a browser or plugin exploit. That is good news. :)

quote:
The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"


Ok, so the actual drive-by downloads (no user consent required) of this badware are based on exploits in either the browser or some other related program like PDF viewers, as usual. And the PDF exploits you can stop just by having the browser prompt for download of pdf files instead of opening them in the proper program, or even just by not giving the PDF viewer permission to go online when your firewall prompts for it. Good news, again!

Thanks for all the advice, guys, I think I understand how this thing operates now. If I got it right, this thing is not a threat as long as you
- have your browser set to prompt for download for exes, pdfs etc instead of having the browser run them at once, and cancel any suspicious, unwanted downloads, and
- have a fully patched browser that isn't vulnerable to the browser exploits this thing tries, such as the latest Opera version.

Or in other words, it's a pretty basic baddie. Sounds like I'm good to go, and have nothing to worry about this malware. It should be easy to avoid this thing: just keep the browser patched (and preferably use Opera) and have it set to prompt for downloading stuff, or disable all the pointless plugins we don't need like Adobe Reader etc.

Still, Foxnews should get their ads cleaned right the F now. It's inexcusable for a big outfit like that to serve crapware via ads. I wonder if a popup blocker would help against these things.
acid343211 @ 20th Apr 03:37PM:
Re: foxnews.com infected?

said by kpatz :
Internet Explorers addon Shockwave Flash vs.3 found to be linking to the FormSpy website hosted at IP address 81.95.109.11 This addon tries to send your private information to attackers IP 72.95.109.11 (Malaysia)


quote:
IP address country: 81.95.109.11
IP address country flag Czech Republic
IP address state: Hlavni Mesto Praha
IP address city: Praha


quote:
IP address 72.95.109.11
IP country code: US
IP address country: flag United States
IP address state: Maine
IP address city: Orono
IP address latitude: 44.879101
IP address longitude: -68.733002
ISP of this IP [?]: Fairpoint Communications
Organization: Fairpoint Communications

--
Visit-
www.liveleak.com/view?i=e32_1231680425

MGD @ 20th Apr 04:14PM:
Re: foxnews.com infected?

said by mysec :

....
Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"
..
----
rich
Great write up !

I was particularly interested in this driveby:

quote:
[Adobe Reader 6.0 from your computer wants to
connect to plathost.ru [78.109.25.217], port 80]



as that location has come to my attention on several occasions.

IP 78.109.25.217

appears to be hosting 3 domains: »whois.domaintools.com/78.109.25.217

1. Nevervhudo.ru »whois.domaintools.com/nevervhudo.ru

2. Socksps.ru »whois.domaintools.com/Socksps.ru

3. Stopgam.cn »whois.domaintools.com/Stopgam.cn

Due to the name, Socksps.ru aroused some curiosity, however, the main page only offers a log in:

[att=1]

If one can overcome that restriction an account holder can purchase the use of compromised machines around the globe to use as a secure proxy:

[att=2]

This may be where some of the compromised victim machines are leveraged for additional income:

The master list of available-for-rent machines is several pages long:

[att=3]

You can sort the available hijacked machines by country, and then buy access, daily or monthly to mask your true origin for any nefarious purpose:

USA:

[att=4]

UK:

[att=5]

Iran:

[att=6]

Note the banner ad for "carding Conference" at cashing.cc:

This may be where the compromised extracted financial data ends up for sale:

[att=7]

It appears that the only way to obtain a log in account in order to use the services of Socksps.ru is to contact ICQ 431278403

Or you can respond directly to his promotion on forum.zloy.org, a cybercriminals' one-stop shop for carding, hacking exploits, money transfers, banking etc.

His translated ad posting on forum.zloy.org for Socksps.ru services is here:

Snapped 2009-04-20 16:11:32

»translate.google.com/translate?h···6hl%3Den


The main zloy.org page is translated here:

Snapped 2009-04-20 16:13:50

»translate.google.com/translate?j···_state0=


MGD
 
acid343211 @ 20th Apr 04:28PM:
Re: foxnews.com infected?

Easy fix: block the site and disable downloading on your PC.

Now when I go to the site it gives me a red screen: Blocked by Administrator.
--
Visit-
www.liveleak.com/view?i=e32_1231680425

anon @ 20th Apr 07:32PM:
Re: foxnews.com infected?

I have been reading all this and maybe I am not great with viruses, adware, spyware etc.

I have been getting this up with the fake virus scan for a few days now. And want to know whether it is something on my computer or whether this is coming from sites I am visiting. When I leave my computer idle for a while it seems to come up.

Any help appreciated.
FiOS Dan @ 20th Apr 09:24PM:
Re: foxnews.com infected?

said by Sentinel :

...I use a hosts file to block ads as well.
Methinks that's the ticket.
--
Courage is being scared to death but saddling up anyway.

MGD @ 20th Apr 10:54PM:
Re: foxnews.com infected?

said by milvos :

.... I have been getting this up with the fake virus scan for a few days now. And want to know whether it is something on my computer or whether this is coming from sites I am visiting. When I leave my computer idle for while it seems to come up.

Any help appreciated.
One rudimentary test is to disconnect the internet connection from the computer. Restart it, open your web browser and see if the popups still come up. You may not even have to open a web browser. If popups come up, or your browser attempts to connect to another website, then it is likely that malware is present in your computer.

MGD
La Luna @ 20th Apr 11:32PM:
Re: foxnews.com infected?

It seems that CNN was affected with a malware issue just last summer:

»blog.mxlab.be/2008/08/04/cnn-dai···malware/

Apparently no one is immune when it comes from the outside rather than within (which has been foolishly implied here).
--
1/20/09 The Beginning of the End

13,079 DEADLY TERROR ATTACKS SINCE 9/11

MGD @ 21st Apr 12:49AM:
Re: foxnews.com infected?

said by FiOS Dan :

said by Sentinel :

...I use a hosts file to block ads as well.
Methinks that's the ticket.
That may be one of several reasons why some users were never exposed, nor triggered any other alerts. I spent some time checking the ad rotations and noticed that several of the domains showed up as blocked in several hosts files. As a first line of defense, that may have prevented many AV and script blockers from barking.

Foxnews.com offers a comprehensive list of advertiser options: »advertise.foxnews.com/creative-specs/ and also the following Approved Third Party Vendors:

Atlas
Doubleclick
Eyeblaster
Eyewonder
Klipmart
Pointroll
Unicast
Zedo

Ref: »advertise.foxnews.com/creative-s···vendors/

I spent several hours reviewing the top banner ads; many are Flash, but not all. One issue that I noted is that there were several complaints of infection attempts while on blogs.foxnews.com, which appears to have fewer ads than the other pages.

For example, posters on "FOX News Blogs » Alisyn in the Greenroom" noted the following on 04/18

quote:
Comment by Anita in VA
April 18th, 2009 at 6:52 am
Good morning fellow bloggers–

I have a quick question–have any of you experienced, when first accessing the Greenroom Blog, a Windows Explorer popup window, saying you need to run a virus scan on your computer?

I had it happened last saturday, when on work travel, from my work computer, and then again this morning, from my home computer.

Comment by Jimmy
April 18th, 2009 at 6:54 am
yes Anita…..it's a shame…ran my program…no infections….they bother you to try to get you to buy their program….do not load the program

Comment by Anita in VA
April 18th, 2009 at 6:59 am
jimmy/all–yes, that was actually the FakeAlert Trojan–

other bloggers–if you also got that popup, run a REAL virus scan of your computer, even if you X’d out of it. You’re probably now infected with the FakeAvAlert Trojan

Alisyn/Foxnews–
Please scan your website pages, it was definitely a link/ad on your pages that produced the popup that infects with the FakeAVAlert Trojan.



Ref: »greenroom.blogs.foxnews.com/2009···ning-15/

I hope that Fox comes forward and informs the public of its findings. I believe it is important that the exploit vector is made public so that everyone can be aware of the methods that are used.

This epidemic has affected many high traffic sites, irrespective of the content. Cybercriminals are not selective. However, the compromising of such a high value target warrants some disclosure of the facts, in order to mitigate additional potential targets, and address issues with third party advertisers.

Fox's own stats list:

13.5 Million Unique users per month

615 Million Page views per month

That is a significant potential exposure. One can debate how many visitors come from fully patched updated systems, and are savvy enough to weave through the fake screens if exposed.

One interesting side note: while vetting the top banner ads last night, a non-flash advertisement came up for E*TRADE. There was absolutely no nefarious activity associated with it. However, it was impossible to perform any vetting of the source. The properties of the ad appeared to link to a subdirectory of Lorentrio.com, which is hosted in Holland on a Leaseweb IP 94.75.216.152

The initial concern was the entire anonymity of the set up.

There are 10 domains hosted on IP 94.75.216.152:

01. Alitasis.com
02. Idatrinity.com
03. Junstring.com
04. Kemerlane.com
05. Lacoste-ads.com
06. Lorentrio.com
07. Mosdao.com
08. Namlean.com
09. Nokia-corp.com
10. Tornadomb.com

One would assume that "Nokia" could be a copyright issue. The eyebrow raiser is that all of these domains were registered within the last month or so. All appeared to be registered using ICANN Registrar:

DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A
PUBLICDOMAINREGISTRY.COM

In addition, they were all registered using a cloaking service PrivacyProtect.org:

Such as:

quote:
Registration Service Provided By: REGISTER SERVICES
Contact: +001.8882106539

Domain Name: LORENTRIO.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 29-Mar-2009
Expiration Date: 29-Mar-2010



Again, nothing appeared wrong with the ad; however, in most other circumstances the above criteria would be cause for concern. Though not necessarily unusual in these circumstances, all the domains contain a "deny all" robots.txt file. Who are these people?

As Cometcom1 noted to me, and I believe it was also mentioned in Dancho Danchev's blog, Google's safe browsing diagnostic of foxnews.com notes the site as not suspicious. It is somewhat ambiguous, as they do note that:

quote:
"Malicious software is hosted on 3 domain(s), including 2mdn.net/, s3.wordpress.com/, llnwd.net/."



Snapped 2009-04-21 00:45:11

»www.google.com/safebrowsing/diag···news.com


If you check Google's analysis of one of the above three:
s3.wordpress.com, it shows:

quote:
Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including foxnews.com/.



Snapped 2009-04-21 00:44:54

»www.google.com/safebrowsing/diag···ess.com/


I hope the focus can remain on the current stage of this epidemic and systemic organized cyber crime, and not on what the content of the infested high traffic website du jour is. This problem will continue to invade the entire internet until concerted efforts are made to go after the money, and the commercial and financial systems that are utilized to support it.

MGD
reply
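The post above vets the domains co-hosted on the ad server's IP by three criteria: very recent registration, a privacy-proxy registrant, and a "deny all" robots.txt. The following is an added example (not code from the thread or from any of the services named) that applies those same heuristics to the whois record quoted above; the robots.txt bodies and the second, older whois record are constructed for illustration.

```python
"""Triage heuristics for domains sharing one ad-server IP (added example)."""
from datetime import date, datetime
import re

SNAPSHOT = date(2009, 4, 21)      # date the thread's lookups were snapped
NEW_DOMAIN_DAYS = 60              # "registered within the last month or so"
PRIVACY_SERVICES = ("privacyprotect.org",)   # registrants that cloak the owner

# The whois record quoted in the post above.
WHOIS_LORENTRIO = """\
Registration Service Provided By: REGISTER SERVICES
Contact: +001.8882106539

Domain Name: LORENTRIO.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 29-Mar-2009
Expiration Date: 29-Mar-2010
"""

# Constructed counter-example: a long-lived domain with a named registrant.
WHOIS_OLD = """\
Domain Name: EXAMPLE-ADS.NET
Registrant:
Example Media B.V.
Creation Date: 12-Jan-2004
Expiration Date: 12-Jan-2011
"""

ROBOTS_DENY_ALL = "User-agent: *\nDisallow: /\n"       # constructed
ROBOTS_OPEN = "User-agent: *\nDisallow: /private/\n"   # constructed


def parse_whois(text):
    """Pull the three fields the heuristics need out of a whois dump."""
    fields = {}
    m = re.search(r"^Domain Name:\s*(\S+)", text, re.M)
    fields["domain"] = m.group(1).lower() if m else None
    m = re.search(r"^Creation Date:\s*(\S+)", text, re.M)
    fields["created"] = datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None
    m = re.search(r"^Registrant:\s*\n(.+)$", text, re.M)   # first line after the label
    fields["registrant"] = m.group(1).strip() if m else ""
    return fields


def robots_denies_all(robots_txt):
    """True when the wildcard user-agent block disallows the whole site."""
    agent = None
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agent = value
        elif key == "disallow" and agent == "*" and value == "/":
            return True
    return False


def triage(whois_text, robots_txt, today=SNAPSHOT):
    """Return the list of triggered heuristics; an empty list means nothing notable."""
    w = parse_whois(whois_text)
    flags = []
    if w["created"] and (today - w["created"]).days <= NEW_DOMAIN_DAYS:
        flags.append("recently-registered")
    if w["registrant"].lower() in PRIVACY_SERVICES:
        flags.append("privacy-proxy-registrant")
    if robots_denies_all(robots_txt):
        flags.append("robots-deny-all")
    return flags


if __name__ == "__main__":
    print(triage(WHOIS_LORENTRIO, ROBOTS_DENY_ALL))   # all three heuristics fire
    print(triage(WHOIS_OLD, ROBOTS_OPEN))             # nothing notable
```

None of the three flags proves malice on its own (the post itself found the E*TRADE ad clean), so treat the output as a prompt for further vetting rather than a verdict.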
mysec @ 21st Apr 04:10AM:
Re: foxnews.com infected?

said by Comment by Anita in VA :

April 18th, 2009 at 6:52 am
Good morning fellow bloggers–

I have a quick question–have any of you experienced, when first accessing the Greenroom Blog, a Windows Explorer popup window saying you need to run a virus scan on your computer?...

jimmy/all–yes, that was actually the FakeAlert Trojan–

other bloggers–if you also got that popup, run a REAL virus scan of your computer,

even if you X’d out of it. You’re probably now infected with the FakeAvAlert Trojan


This is just wrong since it's pretty much agreed that the user/victim has to click in the download box to get the trojan onto the system.

Am I interpreting her statement correctly? If so, how misleading and unnecessarily fear-provoking such a statement is for her readers.

This notion came up last year when new exploits of WinAntiVirus surfaced, and in a long thread, bcastner made it clear that this is not a drive-by download exploit.

Much has been written and commented on concerning the much feared drive-by download. From my viewpoint, these types of exploits are very easy to prevent when proper security is in place. Most of the time they need to bypass several security measures before achieving success.

By the way, the term "drive-by" limits the exploits to web sites. Notice that Microsoft uses the more comprehensive phrase, "Remote Code Execution:"

»www.microsoft.com/technet/securi···014.mspx
The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer

»www.microsoft.com/technet/securi···009.mspx
The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file.

In both cases, malicious code executes "remotely" - automatically.

PDF exploits in the wild fall into both categories:

• the one on the Fox News site is web-based

• others arrive by email, where the user/victim decides to open the file.

The end result is the same: code in the PDF file calls out to a server hosting malware which is then downloaded to the user/victim's computer.

The Fox News PDF web-based exploit is a good example of remote code execution. In order for it to succeed, 4 requirements must be in place. I'll summarize from previous posts.

1) Scripting enabled. (Javascript, not Java).

If I disable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.

2) The PDF file must load into the browser. If the browser is configured to Prompt for a Download...

[att=1]

... the user is in the same position as with the WinAntiVirus exploit: to be victimized, the user must consent to download.

In both cases, the reaction should be: Hey, I didn't go looking for this. CANCEL. With the fake antivirus exploit, the suggestion is to close the browser process in Task Manager.

3) The 3rd requirement for the PDF exploit by remote code execution is that the Acrobat Reader must connect out to the internet to retrieve the malware. Outbound firewall monitoring will permit only those applications previously authorized by the user. The PDF Reader, of course, should not be given free access to the internet:

[att=2]

4) Finally, the trojan must be able to download/install without anything blocking it. The most secure protection for these types of exploits is some type of White Listing which blocks ALL unauthorized executable files that attempt to download/install:

[att=3]

File load.exe received on 04.17.2009 08:39:38 (CET)
Sunbelt 3.2.1858.2 2009.04.17 InfoStealer.Snifula.a (v)

Other solutions include running in a non-Administrator account; configuring Software Restriction Policies.

If this malicious PDF arrived by email and the user opened it, note that proper security at steps 3) and 4) would block the exploit from succeeding.

I hope you can see why Remote Code Execution Exploits should be the easiest to prevent. Look at all of the hurdles necessary to jump before the exploit is successful.

While something certainly needs to be done about stopping the occurrence of exploits on web pages, nonetheless for people with proper security protection and policies in place, they are an annoying nuisance rather than a threat.

----
rich
reply
planet @ 21st Apr 08:25AM:
Re: foxnews.com infected?

quote:
1) Scripting disabled. (Javascript, not Java).

If I enable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.

Wow, so in this case scripting is disabled. I thought javascript would be needed.

So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?

And, what if you are using the latest adobe reader, 9.1, is this exploit still possible?
reply
Sentinel @ 21st Apr 09:39AM:
Re: foxnews.com infected?

I wonder if this could be another thing I am doing that blocks this behavior.

I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.
reply
mysec @ 21st Apr 11:10AM:
Re: foxnews.com infected?

said by planet :

quote:
1) Scripting disabled. (Javascript, not Java).


Wow, so in this case scripting is disabled. I thought javascript would be needed.

Ooops - a booboo - that should be reversed, of course! Thanks for noticing that!

Javascript is required, and with it disabled, none of those exploits at Foxnews work.

Sorry for the confusion. I changed that in my post.

said by planet :

So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?

That is correct.

said by planet :

And, what if you are using the latest adobe reader, 9.1, is this exploit still possible?

No, nor are any of the exploits against IE possible if patched.

The problem, of course, is that many exploits go unpatched for a while after they are released in the wild. The recent PDF exploit, if you remember: it was several weeks before a patch was released.

Patching and updating are certainly preventative measures. Someone mentioned using a Hosts file. The important thing is that everyone understands what they are protecting against and ensures that their security setup provides appropriate preventative measures.

This is not always easy because often advisories about a new exploit don't give a lot of information, so you have to do some research.

said by Sentinel :

I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.

This exploit works only against the PDF reader, so even if the PDF file loaded in the browser, nothing would happen without the Adobe Reader being installed.

You may remember the most recent PDF exploit used some type of image rendering engine in the Adobe Reader. Foxit also uses something similar, and there was concern amongst Foxit users that they might be vulnerable. Foxit support assured users on their forum that Foxit uses a different engine and was not susceptible to the current exploit.

----
rich
reply
Graycode @ 21st Apr 12:13PM:
Re: foxnews.com infected?

said by MGD :

Foxnews.com offers a comprehensive list of advertiser options: »advertise.foxnews.com/creative-specs/ and also the following Approved Third Party Vendors:

Atlas
Doubleclick
Eyeblaster
Eyewonder
Klipmart
Pointroll
Unicast
Zedo

Ref: »advertise.foxnews.com/creative-s···vendors/
Why no mention of adsonar.com ? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com

I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS.
reply
anon @ 21st Apr 06:50PM:
Re: foxnews.com infected?

When running Vista with UAC off and IE sandbox off, can surfing foxnews infect the system directly, with no clicks on the banner window? I am patched up to a month ago. With Firefox?
reply
tdrake2175ds @ 21st Apr 09:12PM:
Re: foxnews.com infected?

There was a story on ZDNet about Fox News being hit by malvertising ads:

»updates.zdnet.com/tags/malvertising.html
reply
anon @ 22nd Apr 01:18PM:
msg deleted

deleted by a moderator
reply
fatness @ 22nd Apr 02:09PM:
Re: foxnews.com infected?

Thanks for posting that. Here's the direct link to the story: »blogs.zdnet.com/security/?p=3140
Apparently it was reported on other sites as well as this one.

»whiskeyfire.typepad.com/whiskey_···ite.html
»www.wilderssecurity.com/showthre···=1444510

The article says Fox got rid of it.
quote:
............a brief analysis of the campaign which now appears to have been removed by FoxNews.

--
goodbye dad

reply
jadedkisses @ 23rd Apr 01:12AM:
Re: foxnews.com infected?

I am a novice and would like to ask some questions if I may. I was on Foxnews and had the popup appear days ago. I didn't click on anything. I was just reading the front page (Foxnews.com)

1. Do they call it scareware because it just scares you and nothing can happen?

2. I posted my hijack log in Security Cleanup and I had some trojans? in Java. Would this have come from that popup on Fox? Or I picked it up somewhere else? [My Java was not up to date]

3. I've read this whole thread, those links (and the ZDNet one) and it's all gibberish to me. I know that article states Fox got rid of the virus (or whatever it's called), but have you brave folks checked it out yourselves? I would like to go there but want to be sure it's gone.

Thanks so much for your time.
reply
acid343211 @ 23rd Apr 06:17PM:
Re: foxnews.com infected?

said by fatness :

The article says Fox got rid of it.
quote:
............a brief analysis of the campaign which now appears to have been removed by FoxNews.


Fatness, I think people still need to be careful of that site; I won't trust it.
--
Visit-
www.liveleak.com/view?i=e32_1231680425

reply
anon @ 23rd Apr 07:28PM:
Re: foxnews.com infected?

jadedkisses, I'm no expert, but I'll try to answer your questions.

1. It's called scareware because the infection scheme is to trick the unwary user into enabling the malware to get into his/her machine by scaring them with a message that appears legit. It informs them of bogus problems found on their computer. Click 'here' to fix this problem. That click leads to a successful infection of the computer.
What can happen varies, from a simple browser homepage hijack to worse. Usually the scheme wants the user to buy some bogus security software, which is usually malware as well.
2. Hard to say where your trojans came from. One helpful tool for updating all of your SW is secunia PSI available here:
»secunia.com/vulnerability_scanning/personal/
Java seems to be a special case where updating to current version will not remove older vulnerable version(s). They need to be removed via add remove programs.
3. Real experts have posted on this thread and given me sufficient reason to block foxnews.com in avast.
Until a consensus (here) shows the site to be clean, the block remains (FWIW, this is a personal choice, others should do as they are comfortable with). Based on reports it seems that major news sites (CNN etc) seem to be experiencing these problems more frequently, so apply caution when visiting these sites.
A little OT, but I hope helpful.
reply
anon @ 23rd Apr 08:24PM:
msg deleted

deleted by a moderator
reply
La Luna @ 23rd Apr 09:24PM:
Re: foxnews.com infected?

said by fatness :

....The article says Fox got rid of it.
quote:
............a brief analysis of the campaign which now appears to have been removed by FoxNews.


That article was posted on 4/15...I think we know from this thread that the problem was still going on even in the last day or two.

Whether it's been cleaned up today, I don't know.
--
1/20/09 The Beginning of the End

13,100 DEADLY TERROR ATTACKS SINCE 9/11

reply
fatness @ 23rd Apr 11:26PM:
Re: foxnews.com infected?

Oops. Thank you for catching that.
reply
MGD @ 24th Apr 12:48AM:
Re: foxnews.com infected?

said by La Luna :

Whether it's been cleaned up today, I don't know.
I have been monitoring random pages on foxnews on and off since early on 04/21, and have not experienced any incidence of the malware. Not a testimonial that it is clean, though I have not seen any other reports of malware either during that time.

MGD
reply
MGD @ 24th Apr 01:04AM:
Re: foxnews.com infected?

said by Graycode :

..Why no mention of adsonar.com ? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com

I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS.
Indeed, adsonar references are all over the fox pages.

adsonar lists Foxnews.com as one of the locations they have access to advertise on. adsonar, aka quigo.com. Maybe the relationship is something other than a third-party vendor.

MGD
reply
jadedkisses @ 24th Apr 05:54AM:
Re: foxnews.com infected?

Thank you secured655! I appreciate your time.
reply
Bill G @ 24th Apr 11:28AM:
Re: foxnews.com infected?

My parents' PC was infested by this. It actually caused it to crash. Thankfully I was able to recover all of their files using Ghost.

Nasty thing.

I did ComboFix as well as Malwarebytes but honestly, the thing just crashed when I tried to run SUPERAntiSpyware, which always works magically for me. Not this time.
reply
anon @ 24th Apr 02:09PM:
Re: foxnews.com infected?

I am interested in removal; the infection runs pretty deep. I am sitting here in safe mode, XP SP3. I can delete the rundll references in regedit (hklm/sw/m/cv/run/), hit refresh, and they appear again. To me that says one of the main Windows components is infected. Could this lead to lsass being compromised?
reply
La Luna @ 24th Apr 08:51PM:
Re: foxnews.com infected?

said by fatness :

Oops. Thank you for catching that.
It's ok, I know the eyes aren't what they used to be. :D
--
1/20/09 The Beginning of the End

13,100 DEADLY TERROR ATTACKS SINCE 9/11

reply
MGD @ 26th Apr 03:04PM:
Re: foxnews.com infected?

Interesting report on the norton.com forums, which has a link back to this thread. A poster stated that while on this foxnews.com page yesterday 04/24: »www.foxnews.com/story/0,2933,517738,00.html they then clicked the link to the full story at the UK site of The Sun newspaper: >http://www.thesun.co.uk/sol/homepage/news/article2389814.ece?OTC-RSS&ATTR=News (several of the same adservers as foxnews.com), and Norton immediately flagged a bloodhound.pdf.10 virus. This will be difficult to duplicate because it depends on the rotating ads, probably flash, and the user config.

Though not a direct foxnews.com vector, the interesting issue is that the attempt matches a pdf exploit that mysec documented in an earlier post.

I believe that this multiple opportunistic format, utilizing exploited ads on high traffic sites, will become an epidemic. Apparently it has not been established, or at least published, whether they are pushed by rogue advertisers within the system, or are from hacked, exploited flash ads. There is no doubt that there are several ongoing campaigns to create massive botnets of infected machines. Though I posted the socks C&C for a global inventory of hijacked PCs, "Socksps.ru", which was located on the call home IP of the pdf exploit that mysec posted, the second of the three domains located there, "stopgam.cn", is labeled "BOT" and also has a login:

[att=1]

See: »www.google.com/search?q=trojan.a···ive&sa=2

Incidentally, just mentioning the mere existence of "Socksps.ru" and its purpose, is a violation of their stated Rules / TOS.

[att=2]

MGD
 
reply
anon @ 26th Apr 03:18PM:
msg deleted

deleted by a moderator
reply
karateckie @ 27th Apr 03:50PM:
Re: foxnews.com infected?

Just a note to add:
We've had several users at our company affected by this same issue. Before today there were 3, and now as of today there were 2 more. This prompted us to temporarily block foxnews.com. Though we know the issue is not limited to Fox nor is it directly the fault of foxnews.com, all of our virus issues in the last week and a half have come from browsing to this site. Hours spent solving virus problems + ease of blocking Fox = no more foxnews.com.
reply
anon @ 1st May 11:54PM:
Re: foxnews.com infected?

my mom recently played a video on fox news and soon after a virus installed itself onto our comp. my security center says it was from the ip 72.95.109.11 (Malaysia)... she was watching a vid about teens hijacking a car. I don't know the direct link but when I searched the ip which the trojan came from I found this forum...leave my IP alone you mean Malaysians!!!!!
reply
Oleg @ 2nd May 12:12PM:
Re: foxnews.com infected?

For those who got hit, does it affect Firefox with Adblock Plus, or just IE?
reply
Doctor Four @ 3rd May 07:03PM:
Re: foxnews.com infected?

said by karateckie :

Just a note to add:
We've had several users at our company affected by this same issue. Before today there were 3, and now as of today there were 2 more. This prompted us to temporarily block foxnews.com. Though we know the issue is not limited to Fox nor is it directly the fault of foxnews.com, all of our virus issues in the last week and a half have come from browsing to this site. Hours spent solving virus problems + ease of blocking Fox = no more foxnews.com.
Something similar happened last week at our company, though not with foxnews.com. There was a malvertisement at playlist.com (a music streaming site, I believe), which infected or attempted to infect several users. As a result, streaming audio sites are banned until IT can find a way to block the malicious ads that are hijacking users.

Although this sounds like a simple answer, it is really a case of throwing the baby out with the bathwater. And malvertisements aren't solely found on music streaming sites or those owned by Rupert Murdoch.

Any site that uses an advertiser which accepts an ad campaign on short notice without doing some investigation into the ad buyers can get hit by this; Google's Doubleclick ad network, one of the largest, got hit last year sometime.

A better solution is using Firefox with a hosts file and NoScript. I do this on my home PC, and while I have encountered attempts at getting redirected by malvertisements, they have never succeeded due to that combination. The redirect usually ends up on a blank page.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

reply
La Luna @ 3rd May 07:28PM:
Re: foxnews.com infected?

So after all of this, is the site still infected? Did anyone let them know there was a problem?
reply
fatness @ 3rd May 09:43PM:
Re: foxnews.com infected?

At least 2 people did earlier in this thread:

»foxnews.com infected?
»Re: foxnews.com infected?

Like you said, memory is the first thing to go. ;)
--
goodbye dad

reply
La Luna @ 3rd May 09:59PM:
Re: foxnews.com infected?

said by fatness :

At least 2 people did earlier in this thread:

»foxnews.com infected?
»Re: foxnews.com infected?

Like you said, memory is the first thing to go. ;)
ahhh shaddup you old monkey. :D :D
--
You can chain my body to the earth, but still my spirit flies!

13,143 DEADLY TERROR ATTACKS SINCE 9/11

reply
karateckie @ 5th May 03:06PM:
Re: foxnews.com infected?

said by Doctor Four :

Although this sounds like a simple answer, it is really a case of throwing the baby out with the bathwater. And malvertisements aren't solely found on music streaming sites or those owned by Rupert Murdoch.

Any site that uses an advertiser which accepts an ad campaign on short notice without doing some investigation into the ad buyers can get hit by this; Google's Doubleclick ad network, one of the largest, got hit last year sometime.
I agree with you Doctor. I know of a few sites with similar issues lately (there was a recent article I found...from early April...about the same issue with Yahoo). It's interesting about the playlist.com thing. I use that site and will have to keep an eye on it. Anyway, we have a very large network where it would be a nightmare to migrate everyone to Firefox and train them to use NoScript. While I use the same setup at home and on my computers at work, it's not a viable solution in our environment.

However, blocking ads is a great solution! Unfortunately, we are in the middle of working out how to block them (we used to block them through our web filtering provider..which has changed). The new web filtering provider can't/won't block ads. I suppose it's the nature of the provider; being a free service, they advertise on their sites and thus don't want to provide ad blocking. Other options are hosts files (but maintaining them in a large network...ugh), not to mention that sending requests to 127.0.0.1 takes a while to time out, and if put in a DNS server it can seriously cripple it with many clients.

Anyway...the end result is for the time being, Fox News is blocked. We haven't seen issues from other sites at this point, and eventually it will be unblocked.

I think the real issue lies in the websites who allow advertising on their site. They need to take some responsibility in what they are displaying, whether it comes from their own servers or not. The end result is that Fox, Yahoo, Google and others are being poorly represented when someone browses to what they believe should be a solid, and trusted site, only to get a virus. Companies need to demand accountability from the ad providers that pay them to display ads.

In the meantime...to minimize risks we'll block any site that we have issues with, as well as research better alternatives for blocking ads :)
reply
anon @ 10th May 12:53PM:
Re: foxnews.com infected?

I got a similar infection from DrudgeReport.com (on 2 different occasions); all IPs traced back to Ukraine.

Please note people - you may think you removed it, but really did not. Malwarebytes and others do not detect rootkits. You should run RootkitRevealer. I thought I had cleaned this, and I really had not. There was a deep and nasty rootkit involved here. The only way to remove it was to boot off a Windows CD and delete the hidden drivers. I would be willing to bet that half the people think they clean this stuff and it's not really clean.
reply

© 99-2009 silver matrix LLC