Puppy Linux Discussion Forum (puppylinux.com)
Alpha Anti-Virus hijack attempt
Page 2 of 2
nubc (Joined: 23 Jan 2007, Posts: 1050, Location: USA)
Posted: Thu 05 Nov 2009, 18:52

I ran updated AVG 8.5 and the latest Malwarebytes Anti-Malware; both report my computer is clean. I searched the C-drive for "alpha", nada. I visit maybe 15 sites on a typical day, Linux news, email, YouTube, etc., but Puppy Forums is the only place I get this popup for Alpha AV. Of course I can use FF 3.5.4 instead, or just use Puppy liveCD, or upgrade IE7 to IE8. I can do a workaround from my end, no problem. Sooner or later, the antivirus industry is gonna clean out Alpha AV, spic and span.
Question: Why does this occur only on Puppy Forums? I close the IE7 browser, up comes the popup. Okay, it's an IE7 exploit. So then something is exploiting IE7 and I only experience the exploit here.

muggins (Joined: 20 Jan 2006, Posts: 6687, Location: lisbon)
Posted: Fri 06 Nov 2009, 00:03

Why on earth would anyone still be using IE?

nubc (Joined: 23 Jan 2007, Posts: 1050, Location: USA)
Posted: Fri 06 Nov 2009, 01:35

IE users: 60% of all computers, newbies (potential converts to Linux), office workers, techs who service Windows
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers


SirDuncan (Joined: 09 Dec 2006, Posts: 836, Location: Ohio, USA)
Posted: Fri 06 Nov 2009, 12:27

@nubc:
Well, I haven't had any problems when visiting with my Win7RC install. Not that this really means anything since I surf in FF. My first piece of advice is to upgrade IE7 to IE8. They fixed a ton of security flaws between the two. Even if you don't use IE for surfing, merely having it on the computer can still allow some exploits, so get the most secure version of it. The second piece of advice is to get your Win install fully upgraded. Third piece of advice is to use a different browser. If you go with FF/SeaMonkey, install adblock plus and consider installing noscript (I think noscript works with SeaMonkey).

@all:
Multiple people have seen this happen while on the forums. This leads me to believe that it is a cross scripting attack coming from an ad on the site. Has anyone noticed what ad was being shown when the attack happened? Also, if this is being initiated by Adobe Flash (as Aitch says above), why has the popup not presented itself to people running Puppy? Or has it and no one has said anything? Flash is cross-platform, so even if it couldn't get the download initiated on its own, it shouldn't have any problem creating a popup.

This is certainly not the way we want to greet potential new users (or old users visiting from their game/legacy/etc. system). We need to confirm where it is coming from and take steps to get rid of it.


nubc (Joined: 23 Jan 2007, Posts: 1050, Location: USA)
Posted: Fri 06 Nov 2009, 15:07

Housecall found and fixed 3 rootkits and 3 trojans. When I upgraded AVG to version 9, it complained that the following program should be removed before proceeding:
{B5AB638F-D76C-A8F2-F3CEAC50212}
A search did not find this key in registry. Possible malware: AproposMedia, URLSearchHook. Seeq
Furthermore, 27 Windows XP / IE7 updates became immediately available after the above changes.
Before I hear a chorus of "I told you so's", none of the above points conclusively to a source, nor does it explain why popups occur only on Puppy Forums. But I am inclined to think this laptop had some preconditions for the current problems.


Aitch (Joined: 04 Apr 2007, Posts: 6825, Location: Chatham, Kent, UK)
Posted: Sat 07 Nov 2009, 09:25

nubc

glad to see you have tracked down rootkits/trojans on your system

I recommend, if you are to continue using IE, installing WOT

http://www.mywot.com/en/download/ie

as it will warn of malware/bad sites - most times, accurately

see earlier and herein repeated sandboxIE message

For general info, and to put people's minds at rest, I just verified using XP SP2 & a deliberately vulnerable IE6, by trapping any likely malware in a sandbox [as suggested earlier - SandboxIE] - There was NO viral activity from the forum despite nubc's assertions

Keep it clean! Use Puppy/any other browser than IE!!

Good post, Chris, as usual ;)

Aitch :)

nubc (Joined: 23 Jan 2007, Posts: 1050, Location: USA)
Posted: Sat 07 Nov 2009, 23:31

The forum for the other site I mentioned is now getting reports of rogue antivirus hijack attempts. I am gonna let this issue ride for several days, then mark this thread SOLVED. Thanks for all feedback. (Fingers crossed)

Patriot (Joined: 15 Jan 2009, Posts: 734)
Posted: Sun 08 Nov 2009, 22:35

Hmmm .....

Occasionally, I would have to troubleshoot a system infected with malware ... Most of the time, I had to do it manually .... A minor to medium malware infection can be cleared up in about an hour ... The bad a*ss ones could take up to 3-4 hours ...

One of the symptoms that you have a bad a*ss malware is when you've attempted all sorts of software-assisted disinfection methods and yet you still get "hijacked" ... This is what I call the horcrux effect ... A piece of malware with the ability to split itself/link/service and hide in several Windows objects using the dark arts ... The really smart bad a*ss will definitely install a hidden system service that's tough to remove ... An attempt to kill it will just make it spawn a new one in the background ...

Such malware has a timer or counter mechanism that triggers an activity ... You could be at Disney's website and still get such an activity ... Many people fail to understand that software-assisted malware cleaning is not 100% effective. A cocktail of malware cleaners does help but is still less than 100% effective ...

Horcrux hunting is also a difficult art to master in itself ... Whenever I encounter a new malware, it could take me hours to find and destroy all the horcruxes ... The only cure to such an infection for the layman is prevention ... Even a fresh re-install from zero does not guarantee no reinfection if it has spread to your broom-flying pen drives or other external storage .... A suitable antivirus from a trusted source can definitely help (i.e. I do recommend Comodo for those who really cannot afford yearly licenses).

Unfortunately, I haven't encountered this AlphaAV malware, thus I am unable to say where to find its roots .....


Rgds

James C (Joined: 26 Mar 2009, Posts: 5757, Location: Kentucky)
Posted: Tue 10 Nov 2009, 21:47

I was using my XP box earlier this afternoon when I suffered one of the fake anti-virus hijack attempts. I rebooted so fast I didn't even notice the name, but after Malwarebytes, SuperAntispyware and Avira scans my computer luckily wasn't infected.

And I was using Firefox 3.5.5 by the way, so it's not just the IE users who need to be careful.

Pence (Joined: 30 Jul 2005, Posts: 201)
Posted: Mon 16 Nov 2009, 11:55

Our Library blocked the link to Barry's Blog for awhile, but it's now working again.