jceman

Popups and Trojans


Quote

Quote

Quote

Quote


Hey, that link has been deleted. I'd like to read what others have experienced with this.

My Mac was slow, but not compromised. Seems that Macs using Safari weren't affected?

ltdiver



No, it's still there. I locked it to keep the discussion contained in a single thread. There's a little info from users on Rockclimbing.com, too:

http://www.rockclimbing.com/cgi-bin/forum/gforum.cgi?post=2037976;



May be there for you, but not for me.

ltdiver



Hmm... something's wrong with the link. The thread is still in Bonfire, stuck to the top.


I eradicated it by going to my Internet Explorer Icon ( The Blue E ) Right clicking and going all the way down to Security where it offers you the SSL 2.0, SSL, The SSL 3.0 & The TLS 1.0. Disable, or uncheck the TLS 1.0, if it is checked, and ensure the two SSL 2.0, and 3.0 are enabled. ( See The Attached PDF File ) Restart your CPU, End of problem. See the PDF files I created when I was experiencing while the cute little virus was jerking me around. Finished up by running Windows Defender, the program contained it, and I canned it. No Mas~! :)

-Richard-
"You're Holding The Rope And I'm Taking The Fall"

Quote

Quote

Quote

Thanks to everyone for figuring this out so quickly!

And, just one more reason not to drink COORS LIGHT.



Before today, I didn't think my opinion of Coors Light could be any lower. Those were the days.



I don't think you can blame this on Coors Light.



And I don't think you can blame anyone but the virus makers for the virus.
Performance Designs Factory Team

The steps you took have nothing to do with the issue that occurred here except Windows Defender cleaned it. The root cause is a vulnerability in Acrobat Reader/Professional that needs to be patched. Disabling TLS 1.0 is something you better know what you are doing and the impacts that will cause you before you do it.

http://www.itproportal.com/articles/2008/11/05/adobe-releases-major-security-patch-acrobat-reader/
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

Quote

maybe we can test these ads on your shit before they are put on the site.:)



Whatever Chris, it's clear you have no real understanding on how ad-rotators, or websites in general work.

Now, if you have something constructive to add, please by all means do so, but right now that's clearly not the case.

Ian
Performance Designs Factory Team

Sorry but someone somewhere should be testing this stuff before it is turned loose on us. You're right I don't have an understanding as to how all this stuff works. From the looks of things there were a few people that didn't know how things were working. Is that a fair statement?

So far what I have gotten from this is I should go out and spend more money so I can safely use this site. A site, I might add, that used to be safe to use.

And before anyone goes down the "if you don't like it leave" road. Just remember it's the users that made this site profitable enough for HH to sell it and someone want to buy it.

Quote

Sorry but someone somewhere should be testing this stuff before it is turned loose on us.



Dropzone has always been vulnerable to this, and to some extent or another, every website is. But you certainly have a point. I'll be with the other NM folk this week to talk about steps we can take to keep this from happening again. Now I'll ask for your patience and understanding while I try to make that goal a reality.

Thanks Chris.
J

Quote

Sorry but someone somewhere should be testing this stuff before it is turned loose on us. You're right I don't have an understanding as to how all this stuff works. From the looks of things there were a few people that didn't know how things were working. Is that a fair statement?

So far what I have gotten from this is I should go out and spend more money so I can safely use this site. A site, I might add, that used to be safe to use.

And before anyone goes down the "if you don't like it leave" road. Just remember it's the users that made this site profitable enough for HH to sell it and someone want to buy it.



No one can test for this. Apparently you still don't understand. The ad could be tested, it would show clean. The people serving up the ad can test, it can show clean. The source of the ad can change it at any time.
FYI, this is going on ALL over the web. If you like having unprotected sex, then have at it. Browsing the web without protection isn't much different. I get the same stuff you get by being on this site, but I also know how to protect myself (and didn't spend a dime in the process).
It would seem a lack of knowledge is your defense at either side of the discussion.
DZ.com can test, but won't necessarily (and likely won't) find the problem. ALL subscribing sites to an ad vendor have to have a level of trust in their partners.
*You* can run any number of software tools (most of which are free) to protect yourself from these sorts of hassles.
No one to blame here for the instance except for the creeps that inserted the code, least of all DZ.com.

Quote

A site, I might add, that used to be safe to use.



The entire INTERNET used to be safe to use.
Things change. Change with them or deal with the consequences.

Quote

So far what I have gotten from this is I should go out and spend more money so I can safely use this site.



Not true. I was on the site last night and this morning, and never saw the ad. I only know what it looks like because Amazon posted a picture of it. I use AVG and SuperAnti Spyware on my machine and both of them were free downloads.
She is Da Man, and you better not mess with Da Man,
because she will lay some keepdown on you faster than, well, really fast. ~Billvon

Quote

No one can test for this. Apparently you still don't understand. The ad could be tested, it would show clean. The people serving up the ad can test, it can show clean. The source of the ad can change it at any time.



Not true. Google Chrome - the web browser - knew that the content was unsafe and gave me a warning I posted the screenshot of.

Google ads have virus protection.

There are tools website operators can use to make sure 3rd party content is clean...

Google Ads have very limited protection, the largest is they are text based only. They link to bad sites all the time, if you want to see proof of it in Firefox or IE download the SiteAdvisor.com plugin and then go do some Google searches. A portion of the paid ads are linking to questionable sites that either host malware/are hijacked/spam users.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

Had a wordy response, but Phree put it more succinctly.
There are few means of reasonably testing.
You're invited to my store. I let you in because I trust you and you're paying for the experience. You come in regularly, we get to know each other as reasonable acquaintances.
You come in one day when I'm having lunch and trash the place.
That's oversimplification, but somewhat similar.

This is happening to *many* websites that are *much* bigger, broader, and more trafficked than DZ.com.
It can happen anywhere, anytime, to anyone. Sucks that it happened here, as mods several of us have spent a fair amount of private time helping folks that got bitten by it.
Maybe DZ.com should be like Facebook and say "tough shit, you signed a TOS when you signed up?" That's not likely going to ever happen here.
Based on conversations and posts with J_ung, I feel we can all feel more comfortable knowing that steps are being taken to look out for this relatively new form of threat, which is more than a few significantly larger websites are doing.
Apple is now recommending users install antivirus and malware protection. Apple. The same people that brought you ads saying they're impervious to viruses.

Quote

The steps you took have nothing to do with the issue that occurred here except Windows Defender cleaned it



All I was doing is sharing what worked for me. I didn't say it would work for everybody. The TLS 1.0 wasn't checked before I got the virus. I keep up with things like that. In either event I unchecked the TLS 1.0, restarted my system and it worked fine. Running Windows Defender was improvised after the fact. I observed that it caught and quarantined it, and I deleted it.

In the future, if you disagree with something I say or do, I would appreciate it very much if you didn't speak to me in a condescending fashion. Thank you.
-Richard-
"You're Holding The Rope And I'm Taking The Fall"


I just might actually have some experience in the area of malware detection. :D

This backdoor had no interaction with TLS; in fact no active malware right now does, since it's not worth the time to break the transport layer security, since it's way faster just to send the data in clear text, since at the point the system was compromised the TLS is taken out of the equation.

If you are going to post "advice" on how to remove malware then it better be correct, since a lot of steps, if they are incorrect, can actually cause more issues than the original malware was. TLS is one of those things that, if the sites you are sending data to use it and you disable it, you end up crippling the usability of the site.

The restart of your system is what cleared the issue, since it removed the running process from memory and, due to a flaw in the code, it was not always set to hook correctly to run on reboot. Windows Defender would have picked up any dropped files once that scan was run.

Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

FYI: I Just posted an Announcement.

Quote

If you haven't been around for a few days, you may not know that, starting Friday, we had a particularly bad ad running. It is worth noting that the ad was using the Coors brand, but wasn’t connected with the company in any way. The ad messed up the way the site loaded for a lot of people and attempted to prompt users to download a malware program. The fact that the ad launched on the weekend made it more difficult to isolate and fix. We responded as soon as possible, but the ad was intermittently visible to users between Friday evening and Saturday afternoon.

As always, it's a good idea to make sure your antivirus software and computer settings are up to date to block this sort of thing if it squeaks through the defenses of whatever websites you visit. If you are concerned that your computer may have been affected by the ads, it's probably a good idea to go here and follow the directions:

http://www.bleepingcomputer.com/malware-removal/remove-extra-antivir

Going forward, I and the Namemedia geeks are doing a few things to prevent similar problematic ads from making it to the site in the future:

1. The ad folks at Namemedia are beefing up their tools for detecting ads that contain adware/malware/spyware.
2. New ad campaigns from new advertisers will no longer be launched late in the day, especially on Friday. This will ensure that the right people are available if there’s a problem.
3. We’ll be installing an emergency ad-kill switch that will allow me (and a couple other select folks) to quickly remove ads if a similar problem comes to our attention.

Okay, that's about all I have, except for this. The buck has to stop at somebody, and on Dropzone.com, that's me. I promise I'll do my best to stop it from happening again.

Thanks folks,
Jay

Quote

No one can test for this. Apparently you still don't understand. The ad could be tested, it would show clean. The people serving up the ad can test, it can show clean. The source of the ad can change it at any time.



Real simple solution - once an ad has been put into the ad-revolver rotation, add a checksum based off of its ORIGINAL tested and approved source. That source changes - Ad no longer pops up and is omitted from the revolver queue until it is RE-VERIFIED. Problem solved.

There is no need to simply tolerate ad sources that would allow their source-base to change or be "dynamic" at any time, during the contract term that their ad(s) is (are) scheduled to run. Stand up and REFUSE ad sources that choose not to adhere to well established and KNOWN appropriate security protocols in the 1st place! Just saying that "this sort of stuff happens all the time" and shrugging it off too - should also not be acceptable. >:(

Not that our site owners here have done that - but your statement as such could be taken by some still, to imply that. [:/]

I know "we've" learned from this experience, and the admins are now taking the appropriate steps and trying to do all the right things. Don't get me wrong - I'm not saying they're not. I just too, would not totally dismiss or even discount some of the input you've gotten from some of the folks in here, as a result of this either is all. I think they are right to expect a reasonably "safe" browsing experience via their participation in here. No need to get reactionary (not directed specifically at you, Douglas) towards them for it.

Thanks HH & admins - for no doubt putting in some "overtime" to both quickly recognize, and then take the steps needed to address this one, as you clearly now, have. :)
coitus non circum - Moab Stone
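
One way to implement the checksum gate proposed in the post above, combined with the emergency ad-kill switch from the announcement, as an added example that is not part of the original thread. It assumes the site fetches the creative bytes itself and serves them from its own servers; the `AdRotation` class, the ad ids and the sample creatives are hypothetical.

```python
import hashlib

# Constructed sample creatives (not taken from the incident discussed in the thread).
REVIEWED = b'<a href="https://advertiser.example/"><img src="banner.png"></a>'
CHANGED = REVIEWED + b'<script src="https://cdn.example/extra.js"></script>'


class AdRotation:
    """Hypothetical rotation gate: serve a creative only while its bytes
    still match the SHA-256 digest recorded when it was reviewed."""

    def __init__(self):
        self.approved = {}        # ad_id -> digest recorded at approval
        self.quarantined = set()  # ad_ids held back until re-verified
        self.killed = False       # emergency kill switch for all ads

    def approve(self, ad_id, creative):
        """Record (or re-record) the digest of a reviewed creative."""
        self.approved[ad_id] = hashlib.sha256(creative).hexdigest()
        self.quarantined.discard(ad_id)

    def kill_all(self):
        """Emergency switch: stop serving every ad immediately."""
        self.killed = True

    def select(self, ad_id, fetched):
        """Return the bytes to serve, or None if the ad must not be shown."""
        if self.killed or ad_id in self.quarantined:
            return None
        expected = self.approved.get(ad_id)
        if expected != hashlib.sha256(fetched).hexdigest():
            # Unknown ad or changed source: pull it until a human re-verifies.
            self.quarantined.add(ad_id)
            return None
        return fetched


def demo():
    """Walk one ad through approval, a source change, re-verification and kill."""
    rot = AdRotation()
    rot.approve("ad-1", REVIEWED)
    shown = [rot.select("ad-1", REVIEWED) is not None]        # matches digest
    shown.append(rot.select("ad-1", CHANGED) is not None)     # source changed
    shown.append(rot.select("ad-1", REVIEWED) is not None)    # still quarantined
    rot.approve("ad-1", REVIEWED)                             # re-verified
    shown.append(rot.select("ad-1", REVIEWED) is not None)
    rot.kill_all()
    shown.append(rot.select("ad-1", REVIEWED) is not None)
    return shown


if __name__ == "__main__":
    print(demo())
```

The gate only covers bytes the site itself serves. A creative that the visitor's browser loads directly from the ad vendor never passes through `select`, which is the objection raised earlier in the thread that the source of the ad can change at any time.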

Here is an interesting article to read if you think this is isolated to Dropzone.com:

http://www.pcworld.com/businesscenter/article/155448/cyberscams_slide_onto_social_networks.html

This same type of attack has been targeted against some of the largest social sites online including Facebook and Myspace and it works on them despite them using security techniques similar to what you have described.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

I never said it was isolated to just dropzone.com, as quite clearly and obviously, it is not. I'm also not trying to be argumentative either, so please don't take my input as such, incorrectly. Yes - your link provided also gives some other good background and further information which any of those who do doubt, should probably read. I've seen that article before too.

None of it means though, that we still should not be ever diligent. In fact, I'm sure you will agree, it only means we probably should be even MORE-so is all.

I think we're on the same page here, and again - I will compliment Jay and others, for clearly stepping up, taking action, and ...taking accountability. You take me wrong if you think I am casting aspersions. I am instead - actually quite pleased and positively impressed!

It's just a shame we had to be one of those actually affected first (as so many others already had been - granted), before taking some of the steps we are now - that we quite easily could have, before it happened, if we were a little more pro-active is all. But that is all now also "water under the bridge". I think we've ALL now learned something from this. I was simply addressing one particular comment, that I thought could have been interpreted as simply "accepting it" - because clearly, it is something otherwise, that just "happens all the time". Collateral damage that is to be expected with any on-line forum experience. But it does not necessarily have to be that way. Our site has chosen to become a commercial venture, or be part of a commercial venture. As such, they should accept, and we (as "consumers" to the site) I think, have a right therefore to demand some accountability for that. Again - don't get me wrong, because Jay has CLEARLY accepted (and even stated it himself) that accountability. I do think that some of the users to this site though, until Jay did step in, from what I saw - on some level felt they were either getting dismissed, taken lightly, or somehow being "put down" though, when they voiced their concerns. You're going to get some people just grumble over the underlying fact that this site has "gone commercial" in of itself, and by itself though. Unfortunately, some of THAT also seemed to seep into this.

I'm rambling now. We're on the same page though (I think). No, Dropzone.com is not magically immune from many of the issues that can (and do) plague many other sites upon the internet. But as a (especially now) commercial site - I think some will also simply expect - and not wrongfully so, that added due diligence in return for that "commercialism" should be expected. It comes with the territory.

And with that... I'm out.
Blue Skies!
-Grant
coitus non circum - Moab Stone
