If you’ve been hit by malware while reading the SDMB and would like to help us identify the offending advertiser(s), the following procedure is recommended by the tech support people at Rubicon Project, our ad provider:
Open Fiddler and it will start logging call info. Surf around the webpage(s) where you have seen the issue occur.
Every few page loads, hit Ctrl+A then Delete in Fiddler to delete the old data that has been captured. This will help keep the final log to a manageable file size so you can email it.
Once you are able to recreate the issue, wait until Fiddler has stopped recording data, the hit Ctrl+A and go to File->Save->Selected Sessions->as Text (Headers only). This will save a text file with most of the relevant info.
Then, while all sessions are still selected, go to File->Save->Selected Sessions->in ArchiveZip. This will save all of the information so we can go back to it in case we can’t get what we need from the Text doc. It is a much larger file though, so you don’t want to send it unless we need you to.
Send the Text doc to us and we’ll forward it to Rubicon Project for review.
The problem with the above procedure is that the log file quickly grows to an unwieldy size unless you regularly clear it, as described in Step 3. If that’s too much trouble, an alternative for Firefox users is to download the Firebug add-on. This enables you to capture the HTML for the current page, and includes an “Inspect Element” feature so you can capture the HTML for specific ads or phony virus alerts. This is a manual procedure that requires some patience, but if you’re game, the following is worth a try:
If you receive a phony virus alert, capture the HTML for the alert using Firebug. Then clear the alert. Do NOT give permission to scan your computer, quarantine viruses, or perform any similar function.
Once the alert has been cleared, scroll the page looking for the ads that were displaying at the time and capture the HTML for them. In addition, capture the script preceding the ad - this will include the name of the ad provider, either Rubicon or Google. (We deal with both.)
Save the captured code as a text file and send it to us.
Long shot I know, but if anyone manages to do this we’ll be greatly appreciative.
I emailed you the Text Headers captured in Fiddler of an attempted malware attack by checkwinonline.com. I sent it to your aol.com email address. The subject is “Fiddler capture.” Sorry for the large file size. I have the full archive if needed.
I don’t think people who have been hit by malware are going to understand how to safely capture this info in Fiddler. You need geeks that understand sandboxing/virtual machines who are interested in helping out.
Great. I hope Rubicon can figure it out. Please make sure they know that checkwinonline.com (which redirects to viverprotect30.com) at the very end of the log is the source of the malware. The big question is what brings us to checkwinonline.com. I spent some time analyzing the log and couldn’t figure it out. I tried to intentionally trigger the malware by opening all of the Flash ads and links in the log but was unsuccessful. I suspect the malware is clever and behaves differently depending on the context it was called in.
I got hit by winonline just now. Again. Fucking Russian sons of bitches. No harm done to me, but this is the second time I had to deal with those mal bastards. It only happens with Rubicon. Rubicon sucks.
ED, GET A NEW AD PROVIDER!
I just looked at the Fiddler log again and noticed that the ad campaign info for the malware is embedded in a label for a GIF. It looks like this is the culprit:
**labels:"Campaign.5036,Plan.28130,Publisher.1102,Spot.5653,Channel.8244
**
I just communicated this to Rubicon who emailed me earlier. Let’s see if they can confirm this.
After consultation with tech support at Rubicon, one of our ad providers, plus helpful input from AnalogSignal, we think we’ve got the source of the malware virus alert blocked. If you continue to get fake virus alerts when visiting the SDMB, please tell us immediately, providing as many details as you can, including screen shots if possible. The block was put in place recently, so please limit reports to attacks from today (Wed., 12-8-2010) forward.
Here’s what been happening and what we think we’ve got blocked:
Firefox users would see a Reported Attack Page like this:
This alert was bogus. If you clicked “Remove all,” a real virus would be installed on your computer.
AnalogSignal, who was attacked repeatedly, was able to log the incoming code. We sent this log to Rubicon, which used it to identify the ad network that sent us the bad ad. Rubicon has now blocked this network from sending anything further to our site. We hope this solves the problem.
A caution: blocking this network doesn’t mean we’ll never again get malware. Malware attacks come from hackers who figure out ways to sneak their stuff past the filters used by ad providers. Please let us know immediately if you encounter malware when visiting our site. We regret the problems this episode has caused our users and will work diligently to combat any future attacks.
Heartfelt thanks to AnalogSignal for assisting us in getting to the bottom of this (we hope). As a token of our appreciation we’ll be awarding him Member status.
If I am a paying member (and I am) who doesn’t see ads, does that mean that I won’t be able to experience the [del]joy[/del] heartbreak of being attacked by malware?
We discussed that very point. As long as he reads without logging in, he’ll see ads. I don’t log in a lot of the time for just reason, so I can feel the pain of the common folk.
Hopefully we can resolve this more quickly next time there is an outbreak. I know how to capture the details with Fiddler now and Rubicon shut off the bad network pretty quickly once we sent them the logs.
Just a heads-up: someone posted on my site that they had been infected with malware while visiting the SDMB today. Unfortunately their computer is hosed and they are pretty fed up with the site, so I doubt they’ll be able or willing to provide much data on the infection source, but I figured I’d give a heads-up that the viruses are popping their ugly heads up again.
I just spent 45 minutes reloading SDMB pages, seeing a lot of ads, and capturing everything in Fiddler. I was not served any malware in that time. Let’s see if there are any other malware complaints. If so, I will try again tomorrow night.
I noted that the person in your link didn’t have any protection on her computer because, to quote her husband:
There’s a chance that the malware didn’t even come from visiting the SDMB, because that computer became a bug collector the instant her husband “fixed” it.
I’m not defending the husband (in this case), but he does make a good point. I did the same thing, for the same reasons, because my “real life” programs were running like shit with the security software running, or even installed. However, I don’t really use the internet that much, so in my case I am reasonably safe as long as I take other precautions.