Social Engineering and drive-by downloads


Farelf

Ah, it's a sorry story. Browsing for a source of a nifty quote

It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter.
Yes, Function DestroyCity(), sounds good to me. Found it on quotetimes.com but while idly scanning through other quotes in the same section ("Software Engineer", I guess) I came across this shocker -
"For 'Tis the sport to have the engineer hoisted with his own petard."

attributed to the Bible and supposedly sourced via quotationsbook.com (just don't go there yet!). WRONG on so many levels. Like a red rag to a bull.

So of course I went there for an explanation. And was immediately jumped by multiple drive-by exploits. The most noticeable was what I learned is called Trojan.Lameshield by Malwarebytes Anti-Malware. Download progress screen, impossibly fast "scan", dire warnings popping up, Windows Task Manager somehow disabled (wouldn't hold focus), gratuitous icons appearing in the taskbar, browser refusing to close - and, seemingly, total indifference from MSE, still smugly proclaiming "PC status: Protected". Anyway, MSE finally kicked into life, the two extra icons disappeared, the pop-ups disappeared, MSE History showed "something" very bad caught but not appearing in quarantine, so I just deleted it and allowed a report to MSE about something else it didn't like. MBAM scan showed the "Lameshield" trojan, SUPERAntiSpyware found trojan agent "Gen-nullo (short)", a full scan with MSE found nothing extra and the bitdefender.com free online scan found nothing extra. But, who knows?

So, what would be the odds of the attributed source of a (new) wonky quote just happening to be (newly) infected? I'm betting the same hacker who corrupted quotationsbook.com also seeded the quote in that other site. E-mailed Amit, the site owner (referring to the Internet Archive for an old cached copy of the site for the address) and got a nice reply - he'd been fighting the thing all morning long and thinks he might have killed it. I'm waiting for someone better able than myself to confirm that before going back. Bet I don't find that wonky quote there when I do. Of the (currently) 29 scan engines consulted by VirusTotal, only Google Safebrowsing had picked up the malware at that site URL - virtually "zero day" I guess.

Yes, yes, browsing without NoScript enabled and without running DropMyRights is just plain stupid. {sigh} I'll probably do it again, sometime, if the hackers haven't first cleaned out my bank account and left me penniless. Anyone up to checking out quotationsbook.com?


Anyone up to checking out quotationsbook.com?
I "curled" it and saw a lot of JavaScript, but this may be benign (?) marketing web-buggery. I next loaded it in my OmniWeb browser for Mac, and noted nothing unusual. Of course, if there is any malware there it might easily sniff out that I am using an "ineligible" platform and withhold the goods.

-- rick


Thanks Rick ... it's sounding hopeful. I looked at the Google cached version and yes, apparently there are "normally" some advertising pop-ups and the like there, which seem benign (well, they don't behave as if they're determined to incorporate one into the collective anyway).

Looked at my event viewer and I see the one that MSE caught was what they call Rogue:Win32/Winwebsec. Reading the documentation, it was the "Security Shield" variant.

My PC keeps scanning clean now (just tried a manual full scan with MRT - the "built in" Microsoft Malicious Software Removal Tool - seems I have none of the 216 "prevalent" nasties covered by the current, June 2012, distribution version). The other tools scan for many, many more of course, still it's nice to know my centrifuges are not going to spool up and self-destruct or anything (yes, two of the 216 are Stuxnet iterations).


A good spyware scanner for Windows is "Search & Destroy": right-click the program and run as administrator.

Often picks up malicious software other virus scanners don't


Just a warning, there is a cross-platform version of this too.

I noticed it as far back as 2007. Surfing places like DeviantArt or many of my Chinese electronic wholesalers, less than scrupulous advertisers use the adbar IFRAME exploit to drop JS into Firefox or Opera, locking up the mouse focus so badly I had to Ctrl-Alt-Backspace out of the GUI (I use Linux). Same with the Mac I had for a while.

It also leaves a little JS "egg" in the cache and homepage, so unless you clean the cache and check your homepage settings, as soon as you re-login and restart the browser, you're right back at that page.

Cheers!

Edited by Geek
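A defender's take on rick's curl-and-inspect check and on the hidden-IFRAME drop Geek describes: a small static triage script, added here as an example and not anything posted in the thread. The HTML is constructed (not the real quotationsbook.com content), and the heuristics (zero-size or hidden iframes, inline scripts using eval/unescape or long runs of hex escapes) are my own assumptions about what a drive-by landing page tends to contain, so hits mean "look closer", not "confirmed malicious".

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary ad frame, one 0x0 hidden frame,
# one obfuscated inline script and one plain external script include.
SAMPLE_HTML = """
<html><body>
<h1>Quotes</h1>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://ads.example/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>var p="\\x65\\x76\\x61\\x6c";eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>
<script src="http://cdn.example/lib.js"></script>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# eval()/unescape() calls, or 4+ consecutive \xNN or %NN escapes (assumed indicators)
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|(\\x[0-9a-f]{2}){4,}|(%[0-9a-f]{2}){4,}", re.I)


class DriveByTriage(HTMLParser):
    """Collects (indicator, detail) findings while parsing a fetched page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or \
                   a.get("height", "").strip() in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:          # script bodies arrive as raw data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated_inline_script", body[:40]))


def triage(html):
    """Return the list of suspicious indicators found in an HTML document."""
    parser = DriveByTriage()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

To use it on a live page, feed the output of a `curl` fetch into `triage()` from a throwaway VM rather than a browser, since the thread shows the payload fires on load.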

Thanks guys. I installed and ran Spybot S&D - all clear. I revisited the site (as Admin) - no attack (and the Google cache copy is up-to-date so no risk from that either). Google Safebrowsing now says "Safe site". Looks like Amit got on top of it, just as he thought. Will run a few more scans and off to McAfee Site Advisor to rescind the caution I left there.

And yes, that misquote is there :blush: (and no doubt hotly debated) but NOT attributed to the Bible. "... O, 'tis most sweet/ When in one line two crafts directly meet," but seemingly not on this occasion.
