Malware? - SLUniverse Forums
Old 06-02-2016, 04:03 PM   #1 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
Malware?

Lately (the past week or so) I keep getting malware driveby download attempts - but only when viewing SLU (I use Privacy Badger for all other sites, but keep SLU whitelisted).

As I know SLU isn't a malware site (in and of itself) - could it be possible that the ad-feed on SLU is somehow serving bad stuff?

I'll load a page on SLU, and then after a second or so another browser window opens, and I'll see:

Windows defender almost immediately pops up a notice telling me it blocked/quarantined the driveby.

I don't allow the download/install (of course) and I then close the bogus browser window.

The WD details here are typical:

The actual payload (which flavor of malware) can vary (I've seen everything from the item listed above to outright ransomware), but it's invariably portrayed as a bogus Flash update (I don't have Flash installed at all, so there's no way it could be out of date).

Am I the only one seeing this? Is it SLU, or is it me?
Attached Thumbnails
Malware?-slu_malware_feed.jpg   Malware?-slu_malware_wd_catch_large.jpg  
Old 06-02-2016, 04:08 PM   #2 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
Additional note: I've run multiple system scans with both Malwarebytes and Windows Defender, since the first driveby attempt and after each additional try... they all come up clean.
Old 06-02-2016, 04:25 PM   #3 (permalink)
stora (Senior Member; Join Date: Jan 2010; Posts: 1,416; SL Join Date: July 2003)
Quote:
Originally Posted by Tengu Yamabushi View Post
Additional note: I've run multiple system scans with both Malwarebytes and Windows Defender, since the first driveby attempt and after each additional try... they all come up clean.
I don't have a solution, but a quick Google search for Hopadef came up with a lot of hits.
Old 06-02-2016, 04:26 PM   #4 (permalink)
Buck (Resident Clydesdale; SLU Supporter; Cuteness level: 10; Join Date: Jan 2014; Location: Murica; Posts: 654; SL Join Date: 2/4/2011)
Very odd. Does it do it with another browser? I'm not getting anything on my Windows 10 machine running Firefox. Also, I note that the address field for the supposed Flash download is not even close to being adobe.com.

ETA: I use AdBlock Plus, but have SLU whitelisted.

ETA2: I have Adobe Flash installed, but it is outdated (according to the incessant banners that appear in Firefox on nearly every site I visit). I may have given it permission to run on SLU.
Old 06-02-2016, 04:52 PM   #5 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
This is on Firefox.

I don't run an ad-blocker - Privacy Badger is more of a tracker-blocker - but it winds up blocking most ads anyway, as that's what most ads seem to do.

But this only happens when browsing SLU (I think I've seen it 4 or 5 times total over the past 2 or 3 weeks), nowhere else.
Old 06-02-2016, 06:33 PM   #6 (permalink)
Cristiano (Peeps Tsar; #imalwayswithher; Join Date: Jun 2007; Location: Miami, FL; Posts: 35,438; SL Join Date: Dec 2002; Business: ANOmations; Client: Viewer 2; Blog Entries: 18)
I've done scans of SLU using the security tools I use and it is not finding any injected malware. I'll do some research, but I am not sure why it would be happening. If it keeps occurring, please let me know. If you also happen to notice any kind of pattern when it does happen, that would help too - the only external ads are from Amazon's ad network. I use Firefox as well and I've never encountered this.
Old 06-02-2016, 06:42 PM   #7 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
Quote:
Originally Posted by Cristiano View Post
I've done scans of SLU using the security tools I use and it is not finding any injected malware. I'll do some research, but I am not sure why it would be happening. If it keeps occurring, please let me know. If you also happen to notice any kind of pattern when it does happen, that would help too - the only external ads are from Amazon's ad network. I use Firefox as well and I've never encountered this.
It may be Amazon's ad feed... I see their ads on SLU, but never anywhere else - probably due to my SLU Privacy Badger whitelist (SLU is the only whitelisted site).

If/when I see any more, I'll try to grab a screenshot of the Amazon ad(s) showing when it happens (they're usually offscreen at the bottom, which is why they didn't show in the one I posted today).

Thanks.
Old 06-02-2016, 06:49 PM   #8 (permalink)
Veritable Quandry (Not a Supervillian; Quo.; Join Date: Aug 2010; Location: Caledon; Posts: 6,148)
I have seen this on Chrome on Win 10. Had not picked up that it was malware because I automatically close any Adobe install prompts. It has been happening for maybe two weeks and only about 1 in 20 pages will redirect. And only when I open a thread in a new tab.
Old 06-02-2016, 06:58 PM   #9 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
Ok, so maybe it's not just me (maybe good for me, but generally not very good overall).

I'm also on Windows 10, fwiw.

Thanks.

ETA: I almost always do an 'open link in new window' for every link (muscle memory, I suppose - plus I hate tabs).
Old 06-02-2016, 09:03 PM   #10 (permalink)
AvaAdore (adorabilis!; plurk this; Join Date: Sep 2012; Posts: 5,519; Awards: Special Achievement In Hello Kitty Trolling)
This is the thing I saw once or twice, Cristiano, and I was trying to get a screenshot of. I use Chrome. It happened before I switched to Windows 10, when I was still on 7 (Professional).
Old 06-02-2016, 10:34 PM   #11 (permalink)
Evola (Image is Everything; Je suis slogan; Join Date: Sep 2008; Location: Outskirts of Cirque Du Hades; Posts: 4,009; SL Join Date: 2/29/2008; Awards: SLU Creepy Avatar Competition 2014 Participant)
A Google search on the URL shows people are getting it elsewhere too; the thread here might be worth keeping an eye on:

https://community.spiceworks.com/top...-in-spiceworks
Old 06-04-2016, 05:18 PM   #12 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
Just hit it again - 6/4/2016, 2:23pm SL time

I opened up SLU (PR&S) and it just now hit again.

Different hosting domain this time - 'https://rooshpictureme.org', created just today according to whois - the physical address is an intersection in Plano, TX; the website seems to be a placeholder, generally phony-looking all around.

There's only one hit on Google for that domain; it's a posting by 'Fire-Mutt' on DeviantArt pointing people to that domain (Dating with Lovely (Contest entry) by Fire-Mutt on DeviantArt); the post is about 3 hours old:

Quote:
The final part is better understood if you see this first: rooshpictureme.org/96416567635…
Fishy, fishy stuff.

Screenshots and whois dump attached.

Note that there was no Amazon ad feed at the bottom at the time (second screenshot).

And I'm not seeing Amazon ads now, now that I think to look. I'm sure I was getting them the other day.

Well, that's the information I have (probably 45 minutes old as that's how long it took me to put this post together w/local interruptions).

ETA: second screenshot is a composite of multiple captures, so there may (will) be some merge lines. I wanted to make sure to capture every ad/link on the page that popped up when the drive-by happened.

ETA ETA: whois is no longer showing the details of the other day's host (eegiesaberia.org), but it seems to point to the same almost-empty webpage as rooshpictureme.org, so ... for whatever that's worth.
Attached Thumbnails
Malware?-slu_malware_again_0.jpg   Malware?-slu_malware_again_1.jpg   Malware?-slu_malware_again_2.jpg   Malware?-slu_malware_again_3.jpg  
Attached Files
File Type: txt slu_malware_again_whois.txt (1.7 KB, 85 views)

Last edited by Tengu Yamabushi; 06-04-2016 at 05:26 PM.
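The check post #12 did by hand (whois creation date of the redirect destination) and the one post #22 reports (the domain later showing as unregistered), as an added defender-side triage script that is not from the thread or the forum software; the whois dump, domain, dates and the OBSERVED_AT timestamp are constructed, and the parser assumes ISO-style "Creation Date:" lines.

```python
"""Triage a redirect-destination domain by its whois registration age.

Added example, not code from the thread. The whois text below is CONSTRUCTED
to resemble a registrar dump; it is not the attached whois file and its
domain, dates and address are made up.
"""
import re
from datetime import datetime, timezone

# Constructed sample dump for a domain observed as a redirect destination.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-REDIRECT-PLACEHOLDER.ORG
Updated Date: 2016-06-04T12:01:07Z
Creation Date: 2016-06-04T11:58:40Z
Registry Expiry Date: 2017-06-04T11:58:40Z
Registrant Street: 1 Placeholder Intersection
Registrant City: Plano
Registrant State/Province: TX
"""
# Constructed "no such domain" reply, the shape seen after a takedown.
UNREGISTERED_WHOIS = "NOT FOUND\n"
# Observation time for the demo: 2:23pm SLT (Pacific) on 6/4/2016 is 21:23 UTC.
OBSERVED_AT = datetime(2016, 6, 4, 21, 23, tzinfo=timezone.utc)

_CREATED_RE = re.compile(r"^\s*Creat(?:ion|ed) Date:\s*(\S+)", re.I | re.M)
_MISSING_RE = re.compile(r"^\s*(No match|NOT FOUND|Domain not found)", re.I | re.M)

def parse_creation_date(whois_text):
    """Return the Creation Date as an aware UTC datetime, or None if absent."""
    m = _CREATED_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1).rstrip("Z")
    # Registrars differ; accept the two ISO shapes that appear most often.
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def domain_age_days(whois_text, observed_at):
    """Whole days between registration and the moment the redirect was seen."""
    created = parse_creation_date(whois_text)
    return None if created is None else (observed_at - created).days

def triage(whois_text, observed_at, max_age_days=30):
    """Label a destination; a days-old domain is the strongest malvertising signal."""
    if _MISSING_RE.search(whois_text):
        return "unregistered"          # gone or never registered
    age = domain_age_days(whois_text, observed_at)
    if age is None:
        return "unknown"               # dump lacked a creation date
    return "newly-registered" if age <= max_age_days else "established"

if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS, OBSERVED_AT))  # newly-registered
```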
Old 06-04-2016, 05:33 PM   #13 (permalink)
Casey Pelous (Senior Discount; Jesus is coming. Look busy!; Join Date: Feb 2011; Location: USA, Upper Left; Posts: 9,808; SL Join Date: August 21, 2007; Client: Anything But 2)
Yep, I've gotten that thing, too, but not isolated to SLU, unless it can pop up when SLU's in the background. I'm on Chrome and Win 10. It coughs up all sorts of weird URLs.

Same thing, detecting it, Tengu. Malwarebytes, Windows Defender, couple of other scanners all say,
Old 06-04-2016, 05:39 PM   #14 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
Are you running an ad-blocker of any kind?

It may be that the reason I'm only getting hits on it from SLU is that SLU is the only site I have (Privacy Badger) white-listed.
Old 06-04-2016, 05:45 PM   #15 (permalink)
Casey Pelous (Senior Discount; Jesus is coming. Look busy!; Join Date: Feb 2011; Location: USA, Upper Left; Posts: 9,808; SL Join Date: August 21, 2007; Client: Anything But 2)
No ad blocker -- that's somewhere on my "I wuz gonna git around to it" list.

Old 06-04-2016, 06:53 PM   #16 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
That's actually good information...

I run an ad-whatsit everywhere but SLU, and I get hit with this only on SLU (the only site where I tell my ad-whatsit to 'let everything through').

You don't run an ad-whatsit at all, and you get hit by this on multiple sites (including SLU).

Perhaps (naively) on my part - this implies to me (applying scientific logic of science) that the bad thing is, in fact, being fed through SLU, and it's something that an ad-whatsit would catch... meaning that the bad thing is being fed through the ad feed (or 'something else' that an ad-catcher would monitor/filter).

Past that I'll defer to security/malware/web-hosting gurus, as that's not anywhere near my area of expertise.

Last edited by Tengu Yamabushi; 06-04-2016 at 07:17 PM.
Old 06-04-2016, 07:48 PM   #17 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
I'm now getting Amazon ad-feeds on SLU again (they'd stopped for awhile).

Just another datapoint.

ETA: I may be mistaken, Amazon ads don't feed on every page (like the PR&S landing page) - they do feed when reading individual posts. Cristiano would know what pages feed and what don't, so I'll stop muddying the waters there.

Last edited by Tengu Yamabushi; 06-04-2016 at 09:20 PM.
Old 06-04-2016, 11:44 PM   #18 (permalink)
Katheryne Helendale (子猫女王; Join Date: Oct 2009; Location: Right... behind... you...; Posts: 5,001; SL Join Date: 5/20/2008; Client: LL Viewer V3; Awards: SLU Creepy Avatar Competition 2014 Participant)
For what it's worth, I have not been getting any kind of malware drive-bys, that I know of. That might help (or possibly confuse) efforts to root out the problem.

I run Chrome on Windows 10, with Adblock Plus (all SLU pages are whitelisted), and Avast! Free antivirus.

I would try Edge, to see if that makes a difference, but... eww!
Old 06-05-2016, 04:41 AM   #19 (permalink)
Lance Corrimal (I don't do stupid.; mean old man; Join Date: Feb 2010; Posts: 2,350; SL Join Date: 2006-06-09; Business: My!; Client: Dolphin Viewer 3)
I have not seen any malware at all so far... globally speaking

- FireFox with µBlock Origin (SLU is whitelisted of course)
- Squid proxy with c-icap module feeding every download through clamav and AVG
- avira where applicable (as in, not on linux)
Old 06-05-2016, 05:17 AM   #20 (permalink)
tempuser (Junior Member; Join Date: Jun 2016; Posts: 1)
Ok so, first off--I'm not a Second Life user, but I wanted to add to this thread for the sake of catching whatever malware this is.

This malware is absolutely from a malicious ad. Yesterday I was on a manga reading website, MangaStream, and I turned off my adblocker there because I wanted to support the site. This was the first time I'd ever turned off my adblocker in a long, long time--several months. Within five minutes, boom--redirected to rooshpictureme.org, bogus flash installer, tried to download an .exe, made Windows Defender pop up and everything. ETA: Unfortunately I didn't get a good look at whatever ad it was that made the redirect but I recall seeing ads for Sears, Amazon, and Netflix. Additionally, the page deleted itself from my history after I closed the tab it was in. Definitely up to no good.

Scans with Defender, MBAM, and Avira bring up nothing (but some false-positives I already had) but it's still worrying.

Only posting here because this is literally the only hit for rooshpictureme.org on Google that isn't that same DeviantArt page above.

Again, to reiterate--this is not exclusive to this forum. It's from a malicious advertisement.

If it's against the rules for a non-SL user to post here, I apologize, but just wanted to say my piece.
Old 06-05-2016, 05:30 AM   #21 (permalink)
Cuckoo (Some Bird; Join Date: Apr 2016; Posts: 733)
Quote:
Originally Posted by tempuser View Post
If it's against the rules for a non-SL user to post here, I apologize, but just wanted to say my piece.
It's not against the rules, thanks from a random member.
Old 06-05-2016, 04:26 PM   #22 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
whois now shows 'rooshpictureme.org' as available.

Looks like it got zapped. (?)
Old 06-15-2016, 11:19 AM   #23 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
It's been 10 days, and I've not seen this problem again.

I hope I haven't just jinxed it.
Old 06-15-2016, 12:18 PM   #24 (permalink)
Ivanova (Waits and listens; Frustracted; Join Date: Feb 2011; Location: Oregon; Posts: 163; Client: LL, Firestorm, Black Dragon)
I use an ad blocker, uBlock. I have SLU whitelisted. On three separate occasions, when opening a thread in a new tab, I've had a popup appear urging me to download FirefoxPatch.exe. It didn't occur to me to try a screengrab of any of them, and I quickly closed each one without downloading anything.
Old 06-15-2016, 12:21 PM   #25 (permalink)
Tengu Yamabushi (SLU Supporter; Curmudgeon; Join Date: Jun 2007; Posts: 3,550; SL Join Date: 9/25/2005)
Quote:
Originally Posted by Ivanova View Post
I use an ad blocker, uBlock. I have SLU whitelisted. On three separate occasions, when opening a thread in a new tab, I've had a popup appear urging me to download FirefoxPatch.exe. It didn't occur to me to try a screengrab of any of them, and I quickly closed each one without downloading anything.
Was the latest incident any more recent than 10 days ago?

I'm asking because it may be that Amazon (or whoever) may have found the source and nixed them.