Malware detected

Submitted by Bluestreak on

I know we have been having past issues with malware the past few days but per Brian's last post I thought we had a clean chit and no files were infected.

 

Today I got a popup saying that the website is infected with a Trojan. Anyone else had this experience today?

hart20

July 14th, 2011 at 1:04 AM ^

then don't come to this site. Brian runs this site for free, offering just as much, if not more information than the paysites. Why don't you pay him and then tell him what to do.

bluebyyou

July 14th, 2011 at 4:48 AM ^

You are kind new around here to be coming on so strong.  Some of us do assist Brian with financial support.  The OP has a legitimate concern.  Not all of us are computer engineers and want to make sure we don't end up with problems.  I use Bit Defender and hope that is adequate to deal with most threats, but if not, I have a big problem as I need my PC to get work done and it's not cheap to have someone wipe your PC for you to remove some of this nasty crap if you are attacked.

maizenbluedevil

July 14th, 2011 at 6:16 AM ^

Do you not know how the internet works??

The amount Brian gets paid is directly correlated to the amount of traffic he has on his site.  The larger his audience, the more he gets paid, thus, it behooves him to listen to his audience.  

The poster you replied to is merely expressing a viewpoint that is shared by a growing number of people in Brian's audience.

M-Wolverine

July 14th, 2011 at 9:37 AM ^

And more summer time spent making this place, you know, functional. Going on 6 months of off-season, and still can't go on at work? Not good for business.

Sac Fly

July 14th, 2011 at 1:04 AM ^

A screen capture of the warnings. If you do this we can avoid a panic and unnecessary virus scans just incase it's you and not the website.

hart20

July 14th, 2011 at 1:06 AM ^

I'm running PeerBlock, Norton, and a couple other security program and I haven't had any warning or seen any attempted connection blocked. I'm running Google Chrome btw.

Haxel Rose

July 14th, 2011 at 1:07 AM ^

serious question:

What's the deal with all these malware issues? I'm pretty technologically inclined but I know very little about malware and whatnot - I've always associated that sort of thing with shady websites based out of places where people speak with russian accents. Is Brian (or his readers, us) being targeted specifically? Is the code he uses bad? Is there a human behind this, or is it a self-propogating virus?

The other day during the malware issue Brian wrote a paragraph-long explanation that was gobbledeygook to me. So, for anyone out there who understands this stuff . . . can you answer any of my questions in non-techie speak?

JHendo

July 14th, 2011 at 2:35 AM ^

As far as I understand it,  like others have said, the issue is mostly within the dynamic ads on the site, which aren't hosted on Brian's servers, but in fact embedded from elsewhere.  Also, the site, if I'm not mistaken, is built with the application Drupal.  While its a decent program in itself and probably the best to use for what he's doing, its written in php, which is, alas, a hackers best friend.  A little over a year ago, a pretty big breakthrough was made in the hacker world on how to more easily compromise a php based site.  And while compromising php based sites was far from uncommon before that point, it really has exponentially increased since then, and it's not necessarily anything to do with sloppy site maintenance.

So basically, the combination of not being able to control what malicious coding may be hiding in the ads he can't really control and the fact he runs an app that he consistently has to run security patches on means Brian most likely has to spend an great deal of time just trying to keep the site clean.  I know malware sucks, but for a non-membership site with a shit ton of content, relax a little.  My professional opinion as a guy who works with this nonsense for a living is that instead of whining about it, do your part by providing Brian with detailed examples if you think part of the site may be hosting malware and keep your own security software up to date.

maizenbluedevil

July 14th, 2011 at 6:26 AM ^

I'm not a techie but based on what Brian says below it sounds like the malware is somehow coming from MGoBlog, not Google Ads.  

He doesn't refer to Google Ads at all, rather talks about the site (MGoBlog's) code.  

(Furthermore, so many sites run Google Ads....  It's really, really common.  But I've only ever heard of Malware issues of this nature here on this site, leading me to believe it's likely a problem with MGo rather than Google.)

It'd be great if someone could provide a definitive answer on this.  Is MGoBlog the source of the problem?  Or the Google Ads that appear on MGoBlog?  

I installed AdBlock on my Google Chrome, hoping this would mitigate any potential issues, but, if the source of the problem is MGoBlog and not the ads, then, AdBlock doesn't solve the problem.

AeonBlue

July 14th, 2011 at 8:52 AM ^

No sarcasm or condescension intended, if a malicious script was found in MGB code doesn't mean that it's not caused by the adds. As mentioned above, PHP is extremely vulnerable and especially so to a form of attack called cross-site scripting.

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page..

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Those kinds of injections could, theoretically, be embedded in an advertisement, ran at the page level, and executed whenever a transaction happens between the client and server. It would be a really out of the way method of compromising a site but you could hit multiple sites simultaneously without the end-user knowing anything about it until it's too late.

Without going into much more detail because, unless you're a computer geek, it's all french anyway there's a hundred different ways you could compromise a weakly secured site or network with just a couple of lines of code embedded into an advertisement. The reason Brian is asking everyone to use adblock or a similar client is because he either suspects the vulnerability is through the ads or because the malware is being transmitted via javascript. Adblock will help you prevent against both of them although that doesn't guarantee anything.

maizenbluedevil

July 14th, 2011 at 10:12 AM ^

Thank you, this is a helpful clarification.

So basically if I understand you correctly....  What Brian thinks the problem is that something in the ads is altering the code of MGoBlog, which is then infecting people's computers.....yes??

So, if that's the case....and I'm running adblock...am I safe or is it still possible to get infected since the ads are essentially re-writing a portion of MGoBlog's code?

AeonBlue

July 14th, 2011 at 11:03 AM ^

There's always the possibility of getting infected anywhere you go on the internet. That's why you see posts of people saying "I'm running McAfee but I still got hit with adware and had to reboot in safe mode." The beauty about computers is that for every rule there is, there's 30 ways to break them. I feel relatively safe running these addons that block javascript because that's how a lot of malware is transfered but things can still happen. I'm never comfortable with 100% on anything.

The best thing you can do is make sure all of your antivirus software is up to date with the latest definitions, disable javascript in your browser unless you're at a "trusted" site that HAS to use it to function (youtube, facebook, etc.), and read EVERYTHING before you click yes or no on a popup message. If it's something you're not expecting and you've never seen it before, don't click on it. Especially don't click on it if it's a pop-up that says "OMG YOU'VE BEEN INFECTED LOL! CLICK HERE FOR FIXES!" because that's the malware popping that up.

EDIT: Brian says later in the page that it's an iframe exploit. For those unfamiliar, This is a fairly good article, although slightly outdated, and is most-likely what's happening, or a similar version of that type of attack. He mentioned that it was targeting a portion of the site's CSS (the styles that control what the font is, the background color, the way the buttons look, etc.) which I had no idea could be done but I trust he knows what he's doing.

I wish I lived back up in Michigan so I could help him with some of this stuff. I design and build web-aps for a living but I've never worked with an infected site before. I think it would be very interesting to dissect what code is running.

One Inch Woody…

July 14th, 2011 at 1:13 AM ^

I got hit by an infection and it's a nasty one... won't let you open up the task manager or internet or anything. I restarted my computer in safe mode and downloaded a scanning/quarantining software which managed to clear up everything. I think it has to do with a java applet in some way or another because java opens up on my computer and the virus is stemming from that. But then again... I don't know shit.

hart20

July 14th, 2011 at 1:32 AM ^

Why I don't seem to be getting hit? I haven't been hit by any of these malware scares. I'm using Chrome and windows. Just interested to find out why, and you seem technologically incline from what I've seen and remember from other threads.

Sac Fly

July 14th, 2011 at 1:40 AM ^

Chrome users for the most part have not been effected. Im a linux user so I havent seen what the codes look like, but I would assume that it is targeting an exploit in the firefox and IE browers. I would be careful though, because something coded in java or adobe will infect you no matter what browser or OS you're using.

theyellowdart

July 14th, 2011 at 9:18 AM ^

 

Yeah...  why do you think that Mac and Linux users are not immune?   Unless the trojan is cross-platform (it's not) it's going to affect Windows users only.

 

Also, just because something was written/expoits java, or uses an Adobe exploit doesn't mean that Linux and Mac are also at risk by anymeans.   It just means if those OSes also had the exploit that they could be at risk for being compromised using that exploit, if someone wrote something specifically for their OS.

Sac Fly

July 14th, 2011 at 8:27 PM ^

Every computer runs java. The file extension for javascript on windows, mac and linux is still .JS which means it doesn't matter what OS your on. The biggest reason malware is even being written in java is because of mac and linux.

theyellowdart

July 20th, 2011 at 12:17 PM ^

 

 Just because something was written in java doesn't mean it's written to compromise every OS it can.   it just means it can potentially be executed on any machine that has Java also installed on it.

 

 There is a huge huge difference there, and trying to imply that a virus can be written in java, and in-turn infect any OS on the market is either misleading, or ignorant.

Tacopants

July 14th, 2011 at 2:18 AM ^

Now I'm on my phone. Malware was identified every time I tried to load a page. It kept identifying a "rangetours.ce.ms" URL. I don't feel like continuously exposing my computer to it, so no screens.

T-town Wolv

July 14th, 2011 at 2:32 AM ^

the more likely it is to be exposed to different types of web viruses. I run Rockmelt, which is very similar to chrome and uses some chrome apps and gadgets. Malware, trojans, and other malicious bugs are something internet users should become used to. Just download/ buy software to protect yourself from the most harmful stuff. Run regular checks and don't click suspicioius links or pop-ups. Don't freak out every time this happens, just relax because in due time it will most likely get fixed.

Brian

July 14th, 2011 at 2:37 AM ^

Our status:

  1. We dis-aggregated the JS to make them static, which cleared the JS.
  2. The iframe exploit moved to CSS, which I didn't even know was possible. It only does this every once in a while, like about once a day.
  3. We have the server checking the main css file constantly for the exploit and deleting it if found.
  4. We are still looking for the vulnerability.

#2 and #3 should mean there is a very brief window, maybe 30 seconds per day, where the site serves something bad. We are working as fast as possible to close this window and have found a couple of possibilities; nothing untoward has happened since and it's possible we are clear. I'm just as frustrated as everyone else.

Tater

July 14th, 2011 at 3:08 AM ^

My free Avast antivirus tells me not to visit, so I wait until later.  It's really just a minor inconvenience if your antivirus program is running.

aManNamedBrady

July 14th, 2011 at 4:20 AM ^

Two different machines. At home (Win7/64 & Firefox 4.latest) got Avast warning two days ago and I simply made mgoblog an exception. Today at work (WinXP & Firefox 4.latest), Avast reports:

Object: 1546054079/loading.class

Infection: URL:Mal

Process: C:\Program Files\Java\ire6\bin\new_plugin\npip2.dll

Long-time lurker. I made this account just to report in to see if this helps.

 

umich1

July 14th, 2011 at 6:02 AM ^

Malware, took me all night to clean it out. Unfortunately, Internet browser and antivirus are selected by work, not by me. Second time this has happened in a month, I'm going to resort to mgoblog iPhone app only going forward.

Griff88

July 14th, 2011 at 7:04 AM ^

good free antivirus, like Avast will stop the malicious script from executing. For those that use Firefox, install the noscript addon found here:

https://addons.mozilla.org/en-US/firefox/addon/noscript/

With the addon installed, only you will decide what executes for any site you visit. If your already infected, run malwarebytes along with antivirus to clean your system. Malwarebytes is free, and should clean up anything you have picked up.

Lofter4

July 14th, 2011 at 7:38 AM ^

I use Chrome and my avast had popped up the last 2 days saying malware was detected, but today I can view the site again. Hopefully it's on the way out for everyone else too.

anthem_1

July 14th, 2011 at 8:27 AM ^

i posted this last night in the last 'malware' thread - pretty sure nobody saw it - but -

>>>>>>>>>

i would have started my own thread on this but lost some of my privileges from expiring points

don't know if anyone else has been getting this today - seems like a malicious .exe is trying to load itself everytime i visit mgoblog - possibly via java?  i'm computer literate to a point, but don't know how to explain exactly what it's trying to do. 

here is the pertinent info from my firewall log

i am using comodo firewall 3.11 in case that matters to anyone else out there

applications:

\AppData\Local\Temp\0.8495793354581269.exe

\AppData\Local\Temp\0.48823716269609074.exe

destination IPs :

192.150.16.117

92.38.233.191

64.131.75.19

>>>>>>>>>

there have been more as of this morning - and MSE detected them as a Kargany.A trojan downloader this morning - don't really know if that means anything to anyone more knowledgeable.

 

MH20

July 14th, 2011 at 8:31 AM ^

Symantec on my work laptop was giving me all sorts of notifications last nite, but today my work desktop has not popped anything up at me.  Maybe I should surf mgoblog on the iMac in my work area.

Damn infected ads.

KC Wolve

July 14th, 2011 at 8:53 AM ^

Can someone post (in normal person language) things not computer engineers should or shouldn't do? I do appreciate Brian and the site, but I have no interest in becoming a script expert to view the site. I am a computer DA. I use a Mac and click Safari and read the site or use the iPhone app. If I am going to get Internet herpes from the site by using these 2 methods, can someone please just let me know? Again, I don't know how to do anything else, but click the app or safari and have little interest in workarounds.
<br>
<br>Thanks