Author Topic: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?  (Read 37012 times)


Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
A forum member at Wilders suggested it would be a good idea for the Avast forum admin to send a mass email to all the forum users briefly explaining what happened, and offering the appropriate reassurance. (Or not  ;))
I agree with that thinking. http://www.wilderssecurity.com/showthread.php?t=183634&page=3
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48456
  • 63 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
An explanation in this Forum or on the Alwil website should be sufficient.  :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
A forum member at Wilders suggested it would be a good idea for the Avast forum admin to send a mass email to all the forum users briefly explaining what happened, and offering the appropriate reassurance. (Or not  ;))
I agree with that thinking.
I think like Bob. I'd rather an explanation (what was compromised by the exploit: our emails, our personal forum data, the posts themselves...) than a spam hysteria.
The best things in life are free.

mauserme

  • Guest
Glad things are up and running again.  And rather quickly, I think.

I'll also cast a vote in favor of an explanation - not so much of what happened.  That's rather obvious.  But the ramifications, the lasting effects ...

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
I never did get any malware warning, but I did get weird behavior here last night and this morning that, given the (coincidental?) timing, could very well have been tied into the same thing.

If I attempted to mark a forum as read, or in some cases simply returned to a forum after reading a topic, I got an error message to the effect that session verification had failed, try logging out and back in again.  But hitting the log-out button simply gave me the same error and left me logged in.

Whatever happened, it's nice to see everything's back up and running normally again.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
I'm still experiencing deep lags using avast + Firefox + Comodo.
The lag does not occur so deeply if I browse with Opera.
The lag disappears if I browse with Opera and WebShield disabled.
It's becoming a mystery...
The best things in life are free.

mauserme

  • Guest
I'm OK so far with Avant (an IE shell).

Yesterday I couldn't log in in Avant, Opera, or Firefox.  I kept getting an incorrect password error.  Couldn't create a new account either.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
I'm still experiencing deep lags using avast + Firefox + Comodo.
The lag does not occur so deeply if I browse with Opera.
The lag disappears if I browse with Opera and WebShield disabled.
It's becoming a mystery...

Odd ... if by Comodo you mean the firewall, I'm having no problems at all with the same combination (on dialup).

Maybe while you were sleeping, Brazil got moved to another planet so you now have a teensy bit of transmission lag?  ;)
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
An explanation in this Forum or on the Alwil website should be sufficient.  :)
Ok, agree with that, too. Don't mind which form it takes. p'raps a forum announcement would be preferable.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Firefox users may have been exposed to malware not detected by avast. I picked this up in my Firefox cache:

(The malware was still infecting the Google cache of the forum as of yesterday evening.)

Antivirus     Version     Last Update     Result
AhnLab-V3   2007.8.25.0   2007.08.24   -
AntiVir   7.4.1.63   2007.08.25   HTML/Shellcode.Gen
Authentium   4.93.8   2007.08.25   -
Avast   4.7.1029.0   2007.08.25   -
AVG   7.5.0.484   2007.08.25   -
BitDefender   7.2   2007.08.26   -
CAT-QuickHeal   9.00   2007.08.25   -
ClamAV   0.91   2007.08.26   -
DrWeb   4.33   2007.08.26   VBS.Psyme.443
eSafe   7.0.15.0   2007.08.23   -
eTrust-Vet   31.1.5085   2007.08.24   -
Ewido   4.0   2007.08.25   Downloader.Psyme.kt
FileAdvisor   1   2007.08.26   -
Fortinet   2.91.0.0   2007.08.26   VBS/Agent.U!tr.dldr
F-Prot   4.3.2.48   2007.08.25   -
F-Secure   6.70.13030.0   2007.08.24   -
Ikarus   T3.1.1.12   2007.08.26   -
Kaspersky   4.0.2.24   2007.08.26   -
McAfee   5105   2007.08.24   -
Microsoft   1.2803   2007.08.26   -
NOD32v2   2484   2007.08.25   -
Norman   5.80.02   2007.08.24   -
Panda   9.0.0.4   2007.08.25   -
Prevx1   V2   2007.08.26   -
Rising   19.37.61.00   2007.08.26   -
Sophos   4.21.0   2007.08.25   Mal/JSShell-C
Sunbelt   2.2.907.0   2007.08.25   -
Symantec   10   2007.08.26   -
TheHacker   6.1.8.173   2007.08.26   -
VBA32   3.12.2.3   2007.08.26   -
VirusBuster   4.3.26:9   2007.08.25   -
Webwasher-Gateway   6.0.1   2007.08.26   Script.Shellcode.Gen

Seems to be an exploit so users of up-to-date Firefox were not at risk.

Still, a scan with Ewido/CureIT! might be in order.

EDIT: The write-up for this malware only states: 'Exploits system or software vulnerabilities', so I'm not sure if it was specifically aimed at Firefox. If it's a VBS as DrWeb and Fortinet suggest, it might also have been aimed at IE. Don't know why I found this one and not the ANI exploit.

http://www.sophos.com/security/analyses/maljsshellc.html
« Last Edit: August 26, 2007, 09:46:00 AM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Kilia

  • Guest
My goodness!  Seems I missed all the fun here lately!

Glad that things are working ok now though and good job getting rid of the culprit.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33866
  • malware fighter
Hello malware fighters,

Do not give it too much attention. That is always the best policy. If no one was actually compromised. Again strange because this Iframe hacking in combination with a Storm worm variant happened to various other forums in 2004. It also happened to the site of The Register in the U.K. as I remember. So a security company should be aware of these things threatening their very forums.
On the other hand we could say that the very in browser security is far from ideal. If only script could be sandboxed really secure and this was brought in by default inside all kind of browsers, script kiddies and malware authors would not welcome that day. Hell no, they would have a troublesome time when NoScript was on in browsers for instance to launch their malicious attacks. But others would not welcome this very much because it would hamper their silent profiling, tracking and monitoring for whatever reason you could imagine. This is in a few words the actual crux of the big divide between easy and commercially interesting and secure and consumer friendly. So all solutions taken are still far from definitive, and the user has to bring in his own forms of protection, as you think of it really a shame.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
I had the same problem on Friday. I got a web shield warning and IE7 came up with a request for a remote connection Active-x to run.  To which I obviously said get lost.  I did a full check afterwards and was clean so my security and webshield worked.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88736
  • No support PMs thanks
Firefox users may have been exposed to malware not detected by avast. I picked this up in my Firefox cache:
<snip>
Seems to be an exploit so users of up-to-date Firefox were not at risk.

Still, a scan with Ewido/CureIT! might be in order.
<snip>

I found that in my Firefox cache too, when I ran avg-as scan afterwards. I have to admit I didn't check the creation date and time. I also did a VT scan and sent the sample to avast.

Now perhaps people will realise how powerful iframe tags can be when so many are used in emails. Hence the avast suspect alerts when found in emails.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
So a security company should be aware of these things threatening their very forums.
Hmmm... what happened then? Do they sleep?
The best things in life are free.