Topic: Really Weird: Archived Reuters page redirects to shady websites! (on clean PC)


kurkosdr (Newbie, Posts: 13):
Okay, the weirdest thing in the world happened today. I tried visiting an archived old article from reuters.com (yes, the news agency), because the link didn't work on the live reuters.com website. Here is the link (replace hxxp with http, obviously):

Code:
hxxp://web.archive.org/web/20110304111913/http://www.reuters.com/article/2007/05/29/idUSN2924142520070530

The article loaded for a second, and then I was redirected to a shady website. Then I tried the link above again: shady website again. Here are the sites:

Code:
First attempt at accessing the article, my browser went through these URLs:

hxxp://zl.zeroredirect1.com/zcvisitor/2118c8b6-bfac-11e4-a8a6-0604825553da
hxxp://zl.zeroredirect2.com/zcredirect?visitid=2118c8b6-bfac-11e4-a8a6-0604825553da&type=js&browserWidth=1440&browserHeight=789&iframeDetected=false
hxxp://www.eezdownloads.com/pc/gr/alert/warning.html?osv=Windows%207&voluumdata=vid..00000003-2706-4b3d-8000-000000000000__vpid..e75b8000-bfa5-11e4-802c-f72dac6aec9b__caid..30f572d0-cfe5-4605-84c2-06424ca9a325__lid..46820350-8216-46c5-aee5-718f6ed3c576__rt..DJ__oid1..0f350935-e16c-4694-97ad-42ed1dad7dfc__var1..hotel-hep-Znpj570x__var4..NON-ADULT__var5..DOMAIN

Second attempt:
hxxp://y80pkn2ws1l8y6qb1lcsggi.apkoyunindir.net/index.php?z=ZHZ1a3ZvPWp3d2V2a3dnJnRpbWU9MTUwMzAxMDAzODgyNjA3MDAyMyZzcmM9NjMmc3VybD1qcy5wcm9qZWN0aGFpbGUuY29tJnNwb3J0PTgwJmtleT0zNkE0RUFBNSZzdXJpPS8=
hxxp://y80pkn2ws1l8y6qb1lcsggi.apkoyunindir.net/VQBSARkHTgM.html

Seriously, I do not know what is going on. My computer never, ever had problems with adware/malware/spyware ever since I installed the OS, no suspicious processes or anything like that. No suspicious pop-ups or redirects before or after visiting the (what should be an innocent) archived article, ever. No suspicious sites were open in other tabs/windows when I visited the archived article. Adobe Flash and Adobe Reader are the only browser plug-ins I have on Firefox (plus the AdBlock Edge extension).

Do you guys get the same problem when visiting the link? (Do it in a protected environment like a VM, obviously.)

PS: Either something happened with the ad servers (although I have AdBlock), or archive.org pigeonholed two hashes and deduplicated two files that weren't the same. I can't give any other explanation.
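Added here as a worked example (not code from the original post or from the forum): a Python triage of the exact redirect chain kurkosdr logged above. It refangs the hxxp URLs only so they can be parsed, never fetches anything, and unpacks the two nested tracker blobs; the voluumdata key..value layout and the reading of the z parameter as a base64-wrapped query string are assumptions inferred from the sample.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Redirect chain as logged in the post above (hxxp kept, wrapped URL re-joined); never fetched.
CHAIN = [
    "hxxp://zl.zeroredirect1.com/zcvisitor/2118c8b6-bfac-11e4-a8a6-0604825553da",
    "hxxp://zl.zeroredirect2.com/zcredirect?visitid=2118c8b6-bfac-11e4-a8a6-0604825553da"
    "&type=js&browserWidth=1440&browserHeight=789&iframeDetected=false",
    "hxxp://www.eezdownloads.com/pc/gr/alert/warning.html?osv=Windows%207&voluumdata="
    "vid..00000003-2706-4b3d-8000-000000000000__vpid..e75b8000-bfa5-11e4-802c-f72dac6aec9b"
    "__caid..30f572d0-cfe5-4605-84c2-06424ca9a325__lid..46820350-8216-46c5-aee5-718f6ed3c576"
    "__rt..DJ__oid1..0f350935-e16c-4694-97ad-42ed1dad7dfc__var1..hotel-hep-Znpj570x"
    "__var4..NON-ADULT__var5..DOMAIN",
    "hxxp://y80pkn2ws1l8y6qb1lcsggi.apkoyunindir.net/index.php?z=ZHZ1a3ZvPWp3d2V2a3dnJnRp"
    "bWU9MTUwMzAxMDAzODgyNjA3MDAyMyZzcmM9NjMmc3VybD1qcy5wcm9qZWN0aGFpbGUuY29tJnNwb3J0PTgw"
    "JmtleT0zNkE0RUFBNSZzdXJpPS8=",
]
FINGERPRINT_KEYS = ("osv", "browserWidth", "browserHeight", "iframeDetected")

def parse_voluum(blob):
    # Assumption: voluumdata packs key..value pairs joined by "__" (layout inferred from the sample).
    return dict(item.split("..", 1) for item in blob.split("__") if ".." in item)

def decode_b64_param(value):
    # Tracker parameters often drop base64 "=" padding; restore it before decoding.
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("ascii", "replace")

def triage(chain):
    """Per hop: host, query params, and any nested tracker data we can unpack (parsing only)."""
    hops = []
    for url in chain:
        parts = urlsplit(url.replace("hxxp://", "http://", 1))  # refang for urlsplit, no request
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        hop = {"host": parts.hostname, "params": params}
        if "voluumdata" in params:
            hop["voluum"] = parse_voluum(params["voluumdata"])
        if "z" in params:  # assumption: the last hop hides a second query string inside base64
            hop["z_decoded"] = {k: v[0] for k, v in parse_qs(decode_b64_param(params["z"])).items()}
        hops.append(hop)
    return hops

def chain_summary(chain):
    """Hosts to block, browser fingerprint fields that were sent, upstream host named in z."""
    hops = triage(chain)
    return {
        "hosts": [h["host"] for h in hops],
        "fingerprint": {k: h["params"][k] for h in hops for k in FINGERPRINT_KEYS if k in h["params"]},
        "upstream_in_z": next((h["z_decoded"].get("surl") for h in hops if "z_decoded" in h), None),
    }
```

The summary gives a blocklist of the hosts in the chain and shows which browser details (OS, viewport size, whether it ran inside an iframe) the redirector collected before choosing a landing page.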

Pondus (Probably Bot, Posts: 37534, Not an avast user):
It is not in your computer, it is on the website .... same happens with me.

killmalware  http://killmalware.com/web.archive.org/web/20110304111913/http:/www.reuters.com/article/2007/05/29/idusn2924142520070530

VirusTotal
https://www.virustotal.com/en/file/aebd766a5e49bbbad19e133022a3b5aa26104cae33581aa31e3a9fe10a639731/analysis/1425200213/

The killmalware scan above was 446 days old; a new scan gives clean.
The VT scan above is a scan of a code sample found on the site at that time.

There may still be some crap there, as I am also redirected. The redirect URL seems to change with every new try.

« Last Edit: March 01, 2015, 10:23:56 AM by Pondus »

kurkosdr (Newbie, Posts: 13):
It is not in your computer, it is on the website .... same happens with me.

killmalware  http://killmalware.com/web.archive.org/web/20110304111913/http:/www.reuters.com/article/2007/05/29/idusn2924142520070530

VirusTotal
https://www.virustotal.com/en/file/aebd766a5e49bbbad19e133022a3b5aa26104cae33581aa31e3a9fe10a639731/analysis/1425200213/

The killmalware scan above was 446 days old; a new scan gives clean.
The VT scan above is a scan of a code sample found on the site at that time.

There may still be some crap there, as I am also redirected. The redirect URL seems to change with every new try.

Thanks for the reply. Any ideas on how this happened? How does archiving reuters.com result in the archiving of malicious code/scripts? Where did the malicious code/scripts get in? Could anyone analyze what HTML file I downloaded, and what the malicious code is?

I am interested in not having this happen again if I try to access, say, an archived version of cnn.com or another article from Reuters.

PS: After some searching, it may have to do with the LizaMoon malware (look it up on Wikipedia). No more archived sites from September 2010 to all of 2011 for me.
« Last Edit: March 01, 2015, 10:56:00 AM by kurkosdr »

Pondus (Probably Bot, Posts: 37534, Not an avast user):
There are no safe sites on the net; safe today may be hacked tomorrow.


kurkosdr (Newbie, Posts: 13):
There are no safe sites on the net; safe today may be hacked tomorrow.

True that. It shows why you should have the OS, browser, plugins and extensions updated, even if you use your PC only as a newspaper reader and only access "safe" sites.

And antiviruses aren't enough anymore; anyone going to the effort of hacking a website will go to the effort of moving things around in his malicious code so that it flies under the heuristics radar (easy hacks like LizaMoon do not exist in 2015).

Being the security-paranoid user I am, I still fear the malicious link above may have used some kind of unpatched, not-well-known zero-day exploit to get something into my system, or to do an XSS on me. Is it possible for malware to be run, or for the browser to be XSSed, when you have all the latest updates with no known CVEs?

I run Firefox 36.0, Flash 16.0.0.35 and Adobe Reader 11.0.10.32 on fully updated Windows 7 32-bit (yes, it's my older laptop). No known CVEs on those (as of 1st March, obviously), but I am still worried.

You know how us paranoids are: we can't just step into the murkiest depths of the web and continue living our lives normally.
« Last Edit: March 01, 2015, 11:46:46 AM by kurkosdr »

Pondus (Probably Bot, Posts: 37534, Not an avast user):
If you want essexboy to check your comp .... see instructions: https://forum.avast.com/index.php?topic=53253.0
Attach the requested logs.