Stop Microsoft
Operating Systems => macOS => Topic started by: davidnix71 on 19 March 2009, 04:43
-
//get-tube-porn.com/promo3/?aid=561&vname=protect
DON'T go here on a PC!!!!!
The image here is a screen cap. I'm on a Mac using Firefox and my browser uses an honest user-agent string, so they have to know this isn't a PC.
(http://s269.photobucket.com/albums/jj62/dnix71/th_fakescan.jpg)
I read a story about some college student in Colorado who was pinned against a pump at a 7-11 and burned to death. Googling her name and Colorado got me a link Google said would harm my computer. a17newsu.co is part of the URL.
When I went to that site to read, a script interrupted the page load, so I allowed the script (using NoScript in Firefox). That redirected to the get-porn site, which attempted a fake scan.
It's so new that only one of Jotti's vendors flagged it as a "possible" trojan, based on heuristics.
" Scan taken on 19 Mar 2009 04:04:24 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found Sus/Behav-113, Troj/FakeAle-MO (probable variant)
VirusBuster
Found nothing
VBA32
Found nothing
"
-
With that tiny picture and 404'd link, this post isn't very much fun.
-
Reminds me of GNAA's Last Measure ;)
-
I couldn't get the embedded pic any larger last night. It's in my photobucket account and much larger than that.
I just noticed the "th_" in the URL on the original link. That must mean thumbnail.
(http://s269.photobucket.com/albums/jj62/dnix71/fakescan.jpg)
This should be better.
-
Here are working URLs if you are not running Windows.
http://a17newsu.co.cc/index.php?p=whitney-hendrickson was the infected site. It seems to be cleaned up.
Google these three words and look for sites with the "this site may harm your computer" warning > whitney hendrickson colorado <
liveleak.com/view?i=d95_1237428991 was where I started reading about it. LiveLeak is clean afaik. I had to remove the http://www. from the LiveLeak address because it would have embedded the video.
This is getting fun. The cleaned up site has links to other sites that look like it. After going down the rabbit hole a bit I came across this: http://scandata4.com/22/?uid=12900 (Again, not for Windows).
-
You're too slow - these are cleaned up long before I get a chance to experience them. However, I have seen the sites that spoof Windows graphics.
Here's Firefox running with the Camifox theme on my Mac:
http://www.triple-bypass.net/download/stupidhackers.jpg
-
If you go to scandata4.com today they fake being Google.
(http://s269.photobucket.com/albums/jj62/dnix71/1fakeGooglepage.jpg)
The link to iGoogle in the upper right is the malware again, but they are using Google search, so you get the "harm your computer" warning.
These guys should just get a real job. As good as they are, they're wasting their talents.
-
Today they're back at get-tube-porn.com/promo3, which redirects to turbo-tube-uploaderz.com/promo3
(http://s269.photobucket.com/albums/jj62/dnix71/2fake_scan.jpg)
-
Here's what I see:
(http://img22.imageshack.us/img22/7269/blocked.th.png)
-
I get that too PiratePenguin, even on my 'Doze box
-
I get that too PiratePenguin, even on my 'Doze box
Of course, it's a Firefox feature.
You can get past it by clicking the link in the bottom right.
-
Obviously, that's what you get AFTER somebody reports the site to Firefox. Or rather, the service that Firefox uses to gather this information.
-
Obviously, but I never sat back to appreciate it much before.
-
They are finally out of business.
(http://s269.photobucket.com/albums/jj62/dnix71/scan4dataclosed.jpg)
-
I wouldn't say that now!
-
PiratePenguin you are unfortunately right. How they steal FTP passwords is explained here: http://www.rsa.com/blog/blog_entry.aspx?id=1378
http://www.sophos.com/security/blog/2008/11/2038.html
http://malware-web-threats.blogspot.com/2009/03/web-poisoning-search-engine-ranking.html just above the sample code is a link to a PDF that is an interesting read. Depeering servers breaks the web in a way, but it is sometimes necessary.
http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p2.html
There are thousands of sites just like that one. Blocking JavaScript blocks the attack, but too many sites use it, so I use a script blocker, and if I really want in, I'll make an exception for that site.