topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday March 19, 2024, 3:05 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: A strange Hijack?  (Read 7046 times)

Giampy

  • Participant
  • Joined in 2009
  • *
  • Posts: 444
    • View Profile
    • Read more about this member.
    • Donate to Member
A strange Hijack?
« on: August 02, 2012, 06:22 AM »
Hail!
Every day I see dozens of websites without inconveniences. When I instead surf into a certain website (it shows Tv programs) I am sometimes redirected to other extraneous pages. I usually see a page that claims I got a virus and that page offers the way to delete that infection. Of course it's all false.
As far as I know such behavior is typical of an Hijack (or similar) but I have a doubt: is it possible/normal that a Hijack hits one website only and that website only?
Besides: such Hijack is affecting me or that website? Who should be worried, me or the owner of that website?
"A refrigerator without beer is like a body without soul"
« Last Edit: August 03, 2012, 07:44 AM by Giampy »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: A strange Hijack
« Reply #1 on: August 02, 2012, 06:42 AM »
Welcome to the world of spammy ads~! :D

Most likely it's just JavaScripted ads. It's unlikely that you have anything to worry about.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: A strange Hijack
« Reply #2 on: August 02, 2012, 08:46 AM »
(Ahem) In the world of pr0n, there are a lot of page redirects similar to the one I think you are talking about. There's probably a few types of ways to code the concept, but basically one version is a kind of hot-rotator link that feeds the correct linked-to page say a third of the time, and the other two times it sends you to one of their "affiliates", presumably for ad revenue. I'm no expert so I'm probably describing it wrong but the links often look sorta like "spinbot.rotator.com?cgi="outputfeed"&affiliate="534856"&visitclickID="5428"


tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,958
    • View Profile
    • Donate to Member
Re: A strange Hijack
« Reply #3 on: August 02, 2012, 11:25 AM »
[...] such Hijack is affecting me or that website?

a couple of years ago (XP admin account), I was opening tabs in the background, from a google search. The antivirus blocked the webpage, but the virus (or whatever you want to call it) was able to run, IIRC it played a siren sound (!) and opened a manically flashing window telling me I had a virus. The window could not be closed normally. I'll quote from my report to the AV company:

The app was downloaded in the background and it disabled AntiVir & the
Windows firewall. It started itself, telling me I had a virus
and I should register to remove it.
I panicked at the time, so I dont remember the details exactly, but I do
remember it was difficult to kill. I removed at least one app from the
startup, found the app itself - it was installed in:
Documents and Settings\*User*\Application Data\Desktop Securities
2010\securitycenter.exe
It also had a bunch of files installed in the temp folder which I
securely erased (some of these had been running and one was in windows
startup) Unfortunately I have no record of them.

because I panicked a little, and started killing & deleting things left right and centre, I didnt keep a proper record of the url or the files.
 
The app also created four files within legitimate software installs (Filehamster/FARR/Softmaker/Cloudberry). It took a name from a (random?) file in the install, and created an exe file with the same name. These files were later reported by my AV (Avira AntiVir paid version) and I noticed that the created date for them all was exactly the same as the time I got the infection.

I guess my point is that you'll probably know if you have a virus. And using UAC &/or a non-admin account would probably help a lot...
Tom

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: A strange Hijack
« Reply #4 on: August 02, 2012, 02:56 PM »
Giampy, I wouldn't call those pop-up/pop-under advertisements hijacks, and they're not necessarily full of malware - the products they advertise are definitely snake-oil, though.

But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.

Paranoia? Only slightly. Even if the sites themselves aren't sleazy enough to serve you malware, their banner advertisement affiliates might be - and even if they aren't, they're nice goals for hackers to inject malware into.
- carpe noctem

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: A strange Hijack
« Reply #5 on: August 02, 2012, 03:10 PM »
Do be careful about which "AdBlock" you use though. There are like 50 trillion of them out there with the same name, and some really suck and will grind your browser to a halt. Check for reviews about them. (And I mean 5 minutes to load a page - literally...)
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

fenixproductions

  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 1,186
    • View Profile
    • Donate to Member
Re: A strange Hijack
« Reply #6 on: August 02, 2012, 03:17 PM »
a couple of years ago (XP admin account), I was opening tabs in the background, from a google search.
Thread just in time?
I had similar issue 2 days ago on my PC: some Java applet (or Uplay I forgot to disable) started in background tab and created crappy application in my TEMP folder. Comodo reacted immediately but I was unable to do anything because intruder showed fullscreen window (white with 404 page) on top of everything. Since it was constantly putting itself on top of everything I couldn't even kill it from Task Manager. Live Security Premium fake AV was running and I thought nothing can be done. Although second screen was unchanged I couldn't even close my system so… hard reset into Admin mode.

Luckily: such crap did not start automatically. I've cleared TEMP folder completely, managed to find and disable bad stuff with Autoruns, and run couple of helpful applications (including HijackThis). After full system scan it appeared that manual play with DEL button and Autoruns was enough and only some trash in browser cache was additionally removed.

BUT now my believe in having clean system decreased… and browsing with browsers plugins disabled is not as comfortable as with them.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: A strange Hijack
« Reply #7 on: August 02, 2012, 03:24 PM »
a couple of years ago (XP admin account), I was opening tabs in the background, from a google search.
Thread just in time?
I had similar issue 2 days ago on my PC: some Java applet (or Uplay I forgot to disable) started in background tab and created crappy application in my TEMP folder.
-fenixproductions (August 02, 2012, 03:17 PM)
Whoa, people still have the Java plugin in their browsers? :-O

We're forced to use Java applets in .dk because of the whole "NemID" scandal (enforced "digital signatures" that's really just a defunct Single-Sign-On mechanism that's open to a lot of abuse, including MITM) - but since that's the only use I have for Java applets, and since Java is one of the biggest security holes for several years... it's delegated to a virtual machine with a browser that's only used for official sites + webbanking, and has NoScript+AdBlockPlus+CertificatePatrol.
- carpe noctem

Giampy

  • Participant
  • Joined in 2009
  • *
  • Posts: 444
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: A strange Hijack
« Reply #8 on: August 02, 2012, 04:36 PM »
But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.

I want to clarify that website is not of that kind. It's more serious. It shows the list of Tv programs just like http://au.tv.yahoo.com/tv-guide for example.
"A refrigerator without beer is like a body without soul"

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: A strange Hijack
« Reply #9 on: August 02, 2012, 06:04 PM »
But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.
I want to clarify that website is not of that kind. It's more serious. It shows the list of Tv programs just like http://au.tv.yahoo.com/tv-guide for example.
Ah, fair enough.

But still, if it shows banner ads of that kind? It's definitely in the danger zone. Heck, even totally reputable sites using (as) reputable (as they come) banner services have ended up serving malware because the banner servers were hacked.

It's really not safe surfing the web without NS+ABP, and you definitely don't want the Java plugin installed in your day-to-day browser either.
- carpe noctem