Author Topic: Safari (PC Malware?) attack - anyone else experienced this? (Read 6408 times)

Paddy · « **on:** January 28, 2008, 08:50:59 AM »

Over the last couple of days, at Excite's Money site, I've had the nasty experience of clicking on a chart and being confronted by a demand to check for viruses etc. that took over my entire screen, despite having pop-ups disabled etc. I don't have any weird plug-ins for Safari or add-ons.

See this thread at Apple - I'm not the only one experiencing this:

http://discussions.apple.com/thread.jspa?m...6458874#6458874

BTW - no DNS Changer trojan - did the scan.

Apparently banner ads at Excite are the culprit: http://blog.washingtonpost.com/securityfix...ads_at_mys.html

The guy who started the thread on the Apple forums was visiting the NYT site.

Xairbusdriver · « **Reply #1 on:** January 28, 2008, 09:44:28 AM »

Got a link to the specific page? Their home page is nothing but a platform for javascripts and Flash 'content.'

Paddy · « **Reply #2 on:** January 28, 2008, 10:53:58 AM »

Jim - think the entire site is that way! But yes - it's in the Money section - when you ask for charts related to various stock symbols.

http://money.excite.com/jsp/qt/full.jsp?sy...amp;x=0&y=0

Start there - then ask for the 6 month chart, or a comparison to the NASDAQ or something - that's when it happened. The other person on the Apple forum with the issue had it occur on the New York Times site. It's random - does NOT happen every time by any means or even very often, so you might think it was a fluke. However, I've been doing a fair bit of stock research in the last couple of days and it's happened at least 3 or 4 times.

This is probably a redirect of some sort - to get around the pop-up blocker - but it's not happening consistently, which makes it hard to deal with.

Xairbusdriver · « **Reply #3 on:** January 28, 2008, 11:01:17 AM »

Well, I've got FF secured so well I don't see the link for a chart of any kind while lokking at the page I navigated to on my own. I haven't used your link yet. However, While looking for the chart link/button, I saw the screen automatically update itself. Don't see that too often, may be the "news" sites that would want to do that. Anyway, that may be another way this redirect could be happening. There may be a cookie showing how long since you started the session and when it reaches a critical value, the page updates. There may be another cookie or another value in some cookie that records the last time you got that 'malware' page.

Then again, there may be a 'random' number stored and used to send you there.

I'll use your link in FF and Safari (which is totally unsecured except for blocking pop ups) and see what happens.

Later...
Nothing, of course. Except I found a place to set a minimum text size in FF.

Paddy · « **Reply #4 on:** January 28, 2008, 11:08:43 AM »

Yeah - I wondered about that too. My next move is to go and dump my cookies and the cache.

pendragon · « **Reply #5 on:** January 28, 2008, 11:34:55 AM »

Paddy, I just tried the money chart/link and no problem. I then turned off Safari's Pop-up blocker and even disabled Pith Helmet. Alas, I can't replicate the issue.

While hardly a consolation, I have read of it.

Sorry my help is not-

Mayo · « **Reply #6 on:** January 28, 2008, 12:28:53 PM »

Paddy, technically-speaking what you are describing is not malware. As far as I know there is no malware that can infect Macs.

Paddy · « **Reply #7 on:** January 28, 2008, 01:18:44 PM »

You're right Mayo - I was in a hurry and just copied the title from the Apple thread!! I KNOW that there is no malware out there for Macs.

I have amended the title of the thread.

However, I'm pretty sure that the intent for the PC part of the browsing public is not benign - a lot of these so-called "virus-scanners" are scare-ware designed to scaring you into buying something, and there are a few that in fact install spyware. On PCs running Windows, of course.

http://newsletters.hagerman.com/newsletters/ebul51-WP.htm

The one that really cracks me up is the SpamThru trojan that not only hijacks the computer, but installs a pirated version of the Kaspersky anti-virus program to rid the computer of any rivals!

http://www.eweek.com/c/a/Security/Spam-Tro...iVirus-Scanner/

The pity of course is that someone clever enough to write this rather sophisticated piece of software is toiling away on the criminal end of the spectrum...there's got to be a pile of money in it somewhere.

Paddy · « **Reply #8 on:** January 28, 2008, 08:31:12 PM »

Guess what - it's not just Safari! Had the exact same thing happen in Firefox just now. Truly annoying. Try to cancel the popup and you get taken here: http://antispywaresuite.com/data/index.php. Try to leave that page (maybe not with the regular, pruned URL - but certainly with the one I got which had a zillion numbers and letters after it) and it asks you if you want to bookmark it!! ARGH. That's not the only site you end up at either - there are others, including one that shrinks your original window to the size of a postage stamp, and when you try to cancel the popup telling you that you need anti-virus software, opens a new window which takes up the ENTIRE screen.

I reloaded the page about 6 times and it did it again. Think it's something along the lines of the infected banner ad at Expedia mentioned here:

http://msmvps.com/blogs/spywaresucks/default.aspx

The problem is that the second the page starts to load, the anti-virus page takes over - I wasn't able to actually SEE the banner causing the problem on the Excite page!! Using the back button didn't help either, of course - just got a different banner and an ok page.

Xairbusdriver · « **Reply #9 on:** January 28, 2008, 09:10:19 PM »

Maybe that linked page has a nice group of domain names to add to the Adblock Blacklist?

Since they all seem to redirect to the same site, I'll try using that "http://www.robtex.com/" one.

Well, it may not stop the pop ups, but I won't have to view any of those PC virus 'protection' ads. Just a clean page saying the site has been blocked by Adblock.

I will assume (I know, I know) that those sites will not even be seeing my cable address.

Xairbusdriver · « **Reply #10 on:** December 01, 2008, 09:16:50 PM »

Apparently, Apple has been suggesting that we use anti-virus software!!

FIRE! Run for your lives!

Those sharp-eyed sleuths at C|Net have found the latest incarnation of the advice, of course.

Well, they actually they just have someone who reads a blog by Brian Krebs on <The Washington Post> web site. If you visit the Apple Support page, you'll notice that the article is noted as "Old Article: 4454." It's now listed as <"HT2550">. Who knows how long this has been "suggested" by Apple? They have offered a couple of anti-virus apps on their On-line Store for some time.

Paddy · « **Reply #11 on:** December 01, 2008, 09:52:56 PM »

As many of the readers commented on the CNET article, this is an OLD Apple article, simply renumbered on Nov. 21. No news, nothing to report...but good ole' anti-Mac CNET can't resist spinning it into a story.

Personally, I wouldn't install any of those three um...viruses...suggested by Apple on my Mac. ClamXAV if I was feeling paranoid maybe, but until there is an actual virus around to worry about, I think I know enough to avoid the trojans and other scams out there. I don't need some $70 program (that causes kernel panics and system slowdowns) to yell "danger Will Robinson" at me. The trojans all rely on social engineering - there is nothing out there that doesn't require some action by the user.

Highmac · « **Reply #12 on:** December 02, 2008, 07:12:41 AM »

Someone on a UK site, commenting on the Apple site notice, observed that the company was simply covering itself against possible class-action litigation when the first real virus does eventually appear

tacit · « **Reply #13 on:** December 02, 2008, 11:12:43 AM »

OK, here's the scoop.

What you saw was a poisoned banner ad. Poisoned banner ads are becoming common. The malware writers create a fake company, usually in Russia or Latvia, with a real business license and everything. They set up a Web site for this fake company, and they create banner ads for the fake company.

The banner ads contain special Flash code. The Flash code looks at the IP address of the computer that sees the banner ad. If it is the IP address of the place where they are buying the ad from, it goes to the fake site. If it is a different IP address, it goes to a site that tries to download computer viruses disguised as fake antivirus software.

So let's say they buy the ads from Excite.com. If the ads are viewed from any computer inside Exite's offices, they do not go to the malware sites. So the people at Excite check out the ad, and it works fine, no problem. They put the ad up. Then you see the ad (or more likely, you don't see the ad--tit redirects the instant it is shown) and it takes you to a place that tries to infect your computer.

You complain to Excite. They bring up the ad. It works fine, no malware--it just goes to what looks like an ordinary business site. So they say "You're nuts, there's nothing wrong!" and they keep showing the ad.

That's the way it works. These ads are the responsibility of the Russian malware gangs, who go to incredible lengths to make the ads appear legitimate to the folks they buy ad space from; they can even show business licenses and everything.

This particular malware is 100% harmless on Macs; the fake antivirus software only works on Windows. But it is annoying.

There is malware out there that can affect Macs, though; the same people who do these fake antivirus programs are also responsible for the Mac DNSchanger malware.

Paddy · « **Reply #14 on:** December 02, 2008, 11:39:14 AM »

Yes, we figured all that out about 10 months ago.

And yes, as I already stated, there is malware that can affect Macs - trojans such as the DNSChanger trojan - but they all require some action(installation) by the user in order to wreak their havoc.

Jim revived this thread with the "news" of Apple's suggestion to install AV software.

News:

Author Topic: Safari (PC Malware?) attack - anyone else experienced this? (Read 6408 times)