At 8:30 pm, US EST, whilst viewing the “What’s it like to sleep with someone?” thread in IMHO (link below), the SDMB browser session tried to download a trojan via one of the images in the advert playing on the page.
On attempt to cancel the action, the virus took control of the window and attempted to ‘run a scan’ on my computer, and download files to my system. My software stopped it, but was unable to capture the virus - I’m using Avast 4.8 (free version) on Win XP and IE 8.0.6x
Of course you won’t have a problem with NoScript, assuming you also have it blocking Flash. That cuts off all the attack vectors. But NoScript is a bit of a pain to use, as you have to whitelist everything manually, and most people will find Adblock Plus sufficient.
We have forwarded the recent complaints about malware to our ad provider. They have been scrutinizing the ads sent to our site but so far have not been able to identify the offending advertiser. I’ve asked if there’s any specific information they need that would make it easier to get to the bottom of this. In the meantime, please provide as many details as you can when reporting malware - time/date of occurrence, what page you were looking at, exactly what happened, any messages or notices you received, etc. We apologize for the inconvenience.
This morning has to be the fourth time in the past two weeks that my system has immediately disconnected me from the SDMB and warned of a Trojan horse blocked.
It occurs to me that, as soon as just a bit more information is available, the collective brainpower of the Doper community should be more than equal to the urgent task of tracing the malware to the live-meatspace location of its human originator and wreaking some vigilante justice of a nature to be determined later but definitely to involve lots of screaming.
If you open your antivirus/antispyware program, there should be a tab or link for viewing the scanning/removal logs, which will tell you what program was removed.
Don’t think that I haven’t been tempted to put out a Call to Action on various companies/people. If I can ever get a volume discount on Tasers, I might do it.
I just had Firefox warn me http://checkwinonline.com/fps/q=jy7lno3o was an attack site when I opened a thread in MPSIMS. An ad on the page must have had browser hijack code.
Chrome just gave me the following error when getting ready to reply to this thread:
The website at checkwinonline.com appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that hosts malware can infect your computer.
For detailed information about the problems with this site, visit the Google Safe Browsing diagnostic page for checkwinonline.com.
Learn more about how to protect yourself from harmful software online.
Don’t bother reporting the thread. The ads are rotated randomly and are not thread specific. I seem to get it on about 5% of the pages viewed.
The SDMB is an excellent vector of attack for malware purveyors considering how many people look at the site, how often malware ads are served, and how many days known malware ads are allowed to remain on the site.