Malware in the Pit

I opened up The Pit a few minutes ago and, before I got to opening any threads, I saw the Firefox download manager very briefly pop up and download something. I have Firefox set to put all downloads on my desktop, and I found the file there, with a very long gibberish filename. I deleted it immediately and I think I have avoided actual infection (at any rate a quick scan with Malwarebytes did not detect anything), but I thought people ought to know.

According to the download manager, the file came from eicyxtaecun.com. That is not a site I have ever visited, but Whois says it is registered in Florida.

Is this getting in via ads? I did not see any ads on the Pit page, but I did not scroll down. I use Flashblock anyway, so I don’t think it could have been done through a flash ad.

I’m going to copy what Ed asked before when people reported this problem – we need your help to weed out offenders here.

At this point with just this report we can’t ascertain if this is something you picked up outside of here that got triggered by a call in the ad software on our pages or something that is hidden inside an ad. We need more information to assess the situation accurately.

If it’s a rogue ad there’s usually some web traffic on it but I’m not finding anything on your mystery file here – at least not yet. Can’t discount the idea that this might be something brand new and you’re the first but again, we need more information.

Ed said:

We’re not sure what’s up here. The ads that led to the previous round of problems have not resumed - this is something new.

If an ad on the SDMB has given you problems, please provide the following info if possible:

  1. Time/date of occurrence.

  2. Screenshot of the questionable ad (on PCs you can do this with Alt-Print Screen, then copy into Word, Paint, etc.), or a description of the ad.

  3. Description of what happened. Did you click anything? If you were redirected, what URL were you directed to? Describe any related window or pop-up.

  4. What page or thread were you on when this happened? What was the URL of the thread?

Send to edzotti at aol.com. Also tubadiva at aol.com.

Thanks. Sorry for any inconvenience.

I got hit with … something yesterday (Tuesday, January 5, at about 3:00 pm MST) while surfing the SDMB, using Windows IE7. Unfortunately, I didn’t collect any of the information Tuba mentioned above–I was at work and when things went wonky, I got our systems guy working on it. Anyway, FWIW, here’s what I can remember.

As a member, I don’t see ads, but my computer started acting funny after I clicked a link in the Awesome lawyer letter thread in MPSIMS. The link was supposed to go to one of the letters that the posters were talking about. The window opened, but nothing appeared. What also happened was that a bunch of windows appeared and disappeared, so quickly as to have a strobe effect. They eventually stopped and I went back to work.

Shortly after that, Google searches worked fine, but much of the time, clicking on the top search result or two redirected me to unfamiliar search sites. A few examples would be argylecomm (dot) com, zanuga (dot) com, toseeka (dot) com, freshdeals (dot) com, casearch (dot) ca, and a number of others whose names I cannot remember.

One thing I have noticed is that what I click seems to be redirected through a second URL in order to get to the final one. For example, suppose I search for something I need to research (such as “canada federal acquisition regulation”) and click the top result, which purports to be a Canadian government page, and whose URL (which appears at the bottom of my browser window) is also that of a government page. Here’s what happens:

– The URL at the bottom of the window changes to 9237242 (dot) cn followed by a slash then a bunch of seemingly-random numbers and letters. (No “www,” by the way.)

– Then the url at the bottom changes to something innocent-sounding: like lindachapin (dot) com (some kind of business?), or kickbright (dot) com (who knows?), or irajunction (dot) com (some kind of investment page?). These pages do not appear.

– Then the unwanted target page appears–this is the argylecomm, zanuga, etc. pages mentioned above.

A look through the “Recent Pages” history shows that the browser may have been redirected through two to four innocent URLs before arriving at the unwanted target. Other entries in the Recent Pages state simply “redirect” or “jump.”

I don’t know if any of this helps, or whether the SDMB is related to this problem; but as I said, it started occurring after the problems I had with that linked window in the Lawyer’s Letter page. And our systems guy is working on the problem here. But for what it’s worth, this is what’s been happening to me.

My mind is like that if I wake up too early in the morning.

Too much caffeine?

Like I said, I just went into the Pit and it happened. I did not click on any threads or anything else, or see any ads, but I suppose there may have been an ad there if I had scrolled down. The time was about 20 minutes before the time of my post (I am on Pacific time). I do not think I actually got infected (knock on wood), perhaps because I am using Firefox.

I am not blaming you guys, just trying to be helpful here.

Is there not some way to check out the domain eicyxtaecun.com?

From now on please report all suspected incidents of malware to this address: sdmb-tech@googlegroups.com

“DNS error - cannot find server” is the message I get. We’ll continue looking into this.

I clicked on every link in that thread, and did not see any link that returned such behavior.

Could you please specify the link you clicked? If it is a link in that thread, I will delete it. If not, it’s probably something you picked up from elsewhere.

Thanks.

-xash
Administrator

But I also see:

Domain Name: EICYXTAECUN.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 04-jan-2010
Creation Date: 04-jan-2010
Expiration Date: 04-jan-2011

However, when I look at “http://www.bizcn.com” it likewise says “DNS error – cannot find server.” Doubtless this is some sort of matryoshka doll-like apparatus of bogus names and etc.
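An added example, not something posted in the thread: a small Python script that parses the WHOIS record quoted above and checks the registration-age signal a defender would look at first (the domain was created on 04-jan-2010, the day before the downloads were reported). The WHOIS text is the record from the post, embedded as sample input; the observation date and the 30-day threshold are assumptions.

```python
from datetime import date, datetime

# Constructed sample input: the WHOIS record quoted in the post above,
# embedded so the script runs offline (no live WHOIS query).
WHOIS_TEXT = """\
Domain Name: EICYXTAECUN.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 04-jan-2010
Creation Date: 04-jan-2010
Expiration Date: 04-jan-2011
"""
# Assumption: the download was seen on 5 Jan 2010, the date another poster reports.
OBSERVED_ON = date(2010, 1, 5)
MULTI_VALUED = {"Name Server", "Status"}  # keys that legitimately repeat

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if not sep:
            continue  # blank or free-text line
        key, value = key.strip(), value.strip()
        if key in MULTI_VALUED:
            record.setdefault(key, []).append(value)
        else:
            record[key] = value
    return record

def parse_whois_date(text):
    """Parse the 'DD-mon-YYYY' form used in this record (month match is case-insensitive)."""
    return datetime.strptime(text, "%d-%b-%Y").date()

def assess_domain(record, observed_on=OBSERVED_ON, max_age_days=30):
    """Return (suspicious, reasons): a domain created days before it starts serving
    unsolicited downloads, on a one-year term, is typical throwaway infrastructure."""
    created = parse_whois_date(record["Creation Date"])
    expires = parse_whois_date(record["Expiration Date"])
    age_days = (observed_on - created).days
    term_days = (expires - created).days
    reasons = []
    if age_days <= max_age_days:
        reasons.append(f"registered {age_days} day(s) before observation")
    if term_days <= 366:
        reasons.append("minimum one-year registration term")
    return bool(reasons), reasons
```

Registration age alone is a heuristic, not proof; it is a reason to block or sandbox the domain while the downloaded file is examined.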

Hmm . . .

Crap.

We’ll go see what all this means and get back to you – I think no good, though.

It’s the link in post 24. Oddly, it’s working for me today, so maybe it was something picked up somewhere else.

ETA: Thanks for looking into it, xash! I do appreciate your effort.

Well, I found some info on eicyxtaecun.com at the Whois at DNSSTUFF.COM. Name, email, street address and everything (though I guess they may be fake). I guess I ought not to post those publicly here, so I will email to the address you gave above.

Well, I tried to email. I got a delivery failure notification back from sdmb-tech@googlegroups.com :confused::frowning:

Did you mean gmail.com maybe?

Yes.

sdmbtech@gmail.com, actually.

:smack:

The DNS for bizcn.com is 218.5.77.28

OpenDNS found some things in a search

http://guide.opendns.com/?url="http%3A%2F%2Fwww.bizcn.com&client=ff

(link is safe)