Kaspersky (security software) report when browsing site.

I got the following from Kaspersky when attempting to navigate away from the purring thread (What does the term "purring" refer to? - In My Humble Opinion - Straight Dope Message Board) to General Questions.

12/24/2011 10:17:48 AM Firefox Denied: http: //knalds.com/news (analysis using the database of suspicious URLs) http ://knalds.com/news URL found in the database

Windows 7 SP1
Firefox 8.0.1
Virginia (thus, Eastern Standard Time)

I was logged in at the time, I believe.

Yeah, I just got that one too, and I wasn’t logged in. Norton has been catching these on a daily basis. I no longer bother to say anything about them.

Yesterday it was myrese.com/news, on the 22nd it was voctit.com/news, on the 20th it was remnas.com.

My history is cleared before that time but this is almost a daily occurrence. I just view the SDMB as a hostile environment and rely upon Norton for protection. I once, a year or more ago, said I would sign up as a paying member if this problem were solved for 6 months but the Dope continues to lose that wager.

The subject of security on this web site, and on NONE of the others that I visit, has been beaten to death here. The people in charge here do not seem to have the ability to identify or correct this recurring problem.

You will soon be told that this is your problem, **robert_columbia**, because you are using the wrong browser, or are not using ad blocking software, or are not a paying member, or picked up the problem somewhere else and various other reasons why no one here cares to address this continual issue.

Note that the link in the OP’s post leads to a currently active exploit site and should not be visited. I reported the post so the link can be broken. It contains a Java exploit that infected a test VM running Windows XP and Java 1.6.0_26 with XP Internet Security 2012.

Actually no, you won’t be told that it’s your problem. It’s everybody’s problem and we want to know about it, want to stop it as soon as possible.

Thank you for reporting this. We need your information when you encounter these situations and we do take steps against this sort of thing when it happens as we find it based on the information we have. When this happens the site is victimized as well as our users.

I’m sorry, what information would be useful to help the board combat this problem?

The particular thread that is being viewed when the anti-virus alert goes off is not really useful because the ad that I might be viewing is not the same as the ad someone else may see while viewing at the same time. It is just tail chasing.

The attacking computer addresses, at least today, are 178.17.163.189 or 178.17.163.115 or some variant of those. And they change, and the .com addresses are spoofed. You won’t find anything to help.

The problem resides with the ad provider of the SDMB and Ed has stated that he is not going to change ad providers. That is why I no longer bother to report these things, and why you, TubaDiva, are wasting your time if you cannot convince Ed to change to a more reliable ad source.

Everything else is just pissing into the wind.

And just now it is pemarx.com/news, 178.17.163.189,80, same attack with a different fake .com address that doesn’t exist.

Labeled Malicious Tool Kit Website 9 by Norton.

Well, for a short-term fix, SDMB could block 178.17.163.*, since they seem to be coming from that block, and I doubt that we have many members in the Republic of Moldova.

Actually this is VERY helpful.

I have IP blocked 178.17 from the board.

So yes, you did us a big favor here, and we thank you.

ETA: Thank you very much, Musicat, for pointing this out as well. Every contribution is appreciated.

Just an FYI, I’m pretty sure blocking the IP within vbulletin isn’t going to do anything. All that does is prevent people from that IP from viewing or making posts. It won’t stop malware-filled ads from redirecting people to those addresses. Someone more network-savvy would have to speak to whether it’s possible to prevent that and if so, how.

I wonder if that is too heavy-handed? (I haven’t looked up that IP block in whois, but maybe it should be 178.17.163.*?)

And Giraffe might be right. My knowledge doesn’t go far enough to agree or disagree.

I don’t know either but as you see I’m willing to try it.

The IP ban list does keep anyone from that IP from accessing the message board, not sure if it would do anything for the rest of the site, not sure if it will block this malicious threat. In any event, no harm in trying.

Today’s threat comes from hedlio.com 178.18.243.189 just a minute ago while reading Great Debates, this thread; It is not necessary to reject a Creator in order to accept evolution - Great Debates - Straight Dope Message Board

So banning 178.17 didn’t solve the problem, they have just moved the address slightly.

Yes, this is correct. The ad is launching malware when it runs on users’ computers. Blocking IPs from vBulletin is useless.

Yes, this is the same pattern I saw when I captured a Fiddler trace of a malware attack on Dec 17. In that particular attack, Doubleclick (owned by Google) served an ad from a smaller ad platform, zedo.com, which rotates ads. Zedo chose an ad from a malicious site (spheredintparted.com) which in turn redirected to ashaph.com/news (in Moldova) which served the Java malware. These attacks are tricky to prevent because they are changing servers and using nested ad networks to hide their malware.
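Added illustration, not part of anyone’s post in this thread: a small Python script that rebuilds the nested redirect chain just described from a constructed, Fiddler-style trace of one page load, and then checks the final hop against the netblocks discussed earlier (the 178.17 ban the board applied and the narrower 178.17.163.* suggestion). The host names and 178.x addresses come from this thread; the ordering of the trace, the 192.0.2.x/203.0.113.x documentation addresses, and the function names are assumptions made for the example. It also shows why a forum-software IP ban, which is evaluated against the visitor’s address, never looks at the ad’s destination address at all.

```python
import ipaddress

# Constructed sample of what a proxy trace of one page load might record:
# (requested host, referring host, server IP the host resolved to).
# Hosts and the 178.x address are from this thread; the order and the
# 192.0.2.x documentation addresses are assumptions for illustration.
SAMPLE_TRACE = [
    ("boards.straightdope.com", None, "192.0.2.10"),
    ("ad.doubleclick.net", "boards.straightdope.com", "192.0.2.20"),
    ("zedo.com", "ad.doubleclick.net", "192.0.2.30"),
    ("spheredintparted.com", "zedo.com", "192.0.2.40"),
    ("ashaph.com", "spheredintparted.com", "178.17.163.189"),
]

# The block the board banned, and the narrower one suggested in the thread.
BANNED_BY_BOARD = [ipaddress.ip_network("178.17.0.0/16")]
SUGGESTED_NARROW = [ipaddress.ip_network("178.17.163.0/24")]


def build_chain(trace, start):
    """Follow referrer links forward from `start` to rebuild the redirect chain.

    Each hop is linked to the next one by the Referer it sent; loops are
    cut off so a malformed trace cannot make this spin forever.
    """
    next_hop = {}
    for host, referer, _ip in trace:
        if referer is not None:
            next_hop.setdefault(referer, host)
    chain = [start]
    seen = {start}
    while chain[-1] in next_hop and next_hop[chain[-1]] not in seen:
        chain.append(next_hop[chain[-1]])
        seen.add(chain[-1])
    return chain


def final_hop_ip(trace, chain):
    """Return the server IP that the last host in the chain resolved to."""
    ips = {host: ip for host, _referer, ip in trace}
    return ips[chain[-1]]


def in_any(ip, networks):
    """True if `ip` falls inside any of the given netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def inbound_ban_applies(visitor_ip, networks):
    """A vBulletin-style IP ban is checked against the *visitor's* address.

    The address the ad redirects the visitor *to* is never consulted, which
    is why banning 178.17 cannot stop a malicious ad from sending a visitor
    at 203.0.113.5 (constructed) off to 178.17.163.189.
    """
    return in_any(visitor_ip, networks)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_TRACE, "boards.straightdope.com")
    print(" -> ".join(chain))
    last_ip = final_hop_ip(SAMPLE_TRACE, chain)
    print("final hop", last_ip, "in banned block:", in_any(last_ip, BANNED_BY_BOARD))
    # hedlio.com (178.18.243.189) from a later post: one octet over, outside both blocks.
    print("178.18.243.189 in banned block:", in_any("178.18.243.189", BANNED_BY_BOARD))
    print("ban applies to visitor 203.0.113.5:",
          inbound_ban_applies("203.0.113.5", BANNED_BY_BOARD))
```

Run as-is, it prints the five-hop chain, reports that ashaph.com’s address sits inside the banned 178.17.0.0/16, that the next day’s hedlio.com address (178.18.243.189) does not, and that the ban is irrelevant to an ordinary visitor anyway. The useful defensive signal here is the chain itself: recording the referrer sequence and the final server address each time an alert fires is what lets the ad network trace which creative was responsible, whereas the thread title being viewed is not.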

So, is there anything cost-effective that a low-budget website can do to effectively protect against malware?

I could be way off base, but it seems to me that expecting Creative Loafing to solve this is like expecting Costa Rica to solve the Global Warming situation.

Yeah, hard to do when their president is a chinchilla.

:wink:

There are not a lot of good options. They can:

  1. Complain vigorously to DoubleClick/Google and wait for them to eliminate the malware.

  2. Stop using ad networks and host the ads themselves. This would eliminate the malware but it would take time, resources, and technical expertise they probably don’t have.

  1. Use your protection!

This is the only way to stay safe while visiting the SDMB. Though I have received many attack/alerts, I have never actually been troubled by anything getting through my defences.

You are visiting a site that has shown a general disregard for these continual malware reports over several years, and has done little or nothing to change, or respond. If I cared to spend the time to search, I could cite thread after thread, after thread, of these complaints.

Neither the will nor the technical ability exists here to fix the problem.

You must protect yourself while visiting this site.

Since you seem to be getting a lot of these things, you’re in a good position to help us get to the bottom of this. Do us a favor and report all malware indications you receive. Also, if you’ll forgive my asking a possibly stupid question, what is your location? Are you in Dallas?