Author Topic: A strange Hijack?  (Read 2035 times)
Giampy
Participant
« on: August 02, 2012, 06:22:49 AM »

Hail!
Every day I see dozens of websites without inconvenience. When I instead surf to a certain website (it shows Tv programs) I am sometimes redirected to other extraneous pages. I usually see a page that claims I got a virus, and that page offers a way to delete that infection. Of course it's all false.
As far as I know such behavior is typical of a Hijack (or similar) but I have a doubt: is it possible/normal that a Hijack hits one website only, and that website only?
Besides: is such a Hijack affecting me or that website? Who should be worried, me or the owner of that website?
« Last Edit: August 03, 2012, 07:44:21 AM by Giampy »

"A refrigerator without beer is like a body without soul"
Renegade
Charter Member
« Reply #1 on: August 02, 2012, 06:42:18 AM »

Welcome to the world of spammy ads~! cheesy

Most likely it's just JavaScripted ads. It's unlikely that you have anything to worry about.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
TaoPhoenix
Supporting Member
« Reply #2 on: August 02, 2012, 08:46:35 AM »

(Ahem) In the world of pr0n, there are a lot of page redirects similar to the one I think you are talking about. There's probably a few types of ways to code the concept, but basically one version is a kind of hot-rotator link that feeds the correct linked-to page say a third of the time, and the other two times it sends you to one of their "affiliates", presumably for ad revenue. I'm no expert so I'm probably describing it wrong but the links often look sorta like "spinbot.rotator.com?cgi="outputfeed"&affiliate="534856"&visitclickID="5428"

tomos
Charter Member
« Reply #3 on: August 02, 2012, 11:25:07 AM »

Quote from Giampy:
[...] such Hijack is affecting me or that website?

a couple of years ago (XP admin account), I was opening tabs in the background, from a Google search. The antivirus blocked the webpage, but the virus (or whatever you want to call it) was able to run; IIRC it played a siren sound (!) and opened a manically flashing window telling me I had a virus. The window could not be closed normally. I'll quote from my report to the AV company:

Quote
The app was downloaded in the background and it disabled AntiVir & the
Windows firewall. It started itself, telling me I had a virus
and I should register to remove it.
I panicked at the time, so I don't remember the details exactly, but I do
remember it was difficult to kill. I removed at least one app from the
startup, found the app itself - it was installed in:
Documents and Settings\*User*\Application Data\Desktop Securities 2010\securitycenter.exe
It also had a bunch of files installed in the temp folder which I
securely erased (some of these had been running and one was in windows
startup) Unfortunately I have no record of them.

because I panicked a little, and started killing & deleting things left, right and centre, I didn't keep a proper record of the URL or the files.
 
The app also created four files within legitimate software installs (Filehamster/FARR/Softmaker/Cloudberry). It took a name from a (random?) file in the install, and created an exe file with the same name. These files were later reported by my AV (Avira AntiVir paid version) and I noticed that the created date for them all was exactly the same as the time I got the infection.

I guess my point is that you'll probably know if you have a virus. And using UAC &/or a non-admin account would probably help a lot...

Tom
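tomos's clues above (dropped executables all sharing one creation timestamp, and look-alike .exe files named after existing files inside legitimate installs) can be turned into a simple post-infection triage check. This is an added example, not code from tomos or anyone else in the thread; the install directories, file names and infection time are constructed sample data.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions treated as executable for triage (an assumption for this example).
EXE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}

def find_clustered_executables(roots, infection_time, window_s=120, stamp=lambda st: st.st_mtime):
    """Executables whose timestamp lies within window_s of infection_time.
    `stamp` picks the field from os.stat_result; st_mtime is settable everywhere, so
    it is the default. On Windows use `lambda st: st.st_ctime` (creation time there)."""
    hits = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file() and path.suffix.lower() in EXE_SUFFIXES:
                if abs(stamp(path.stat()) - infection_time) <= window_s:
                    hits.append(path)
    return sorted(hits)

def find_name_mimics(root):
    """An .exe whose stem matches a non-executable file in the same directory: the
    'take a name from a file in the install, create an exe with it' pattern."""
    mimics = []
    for path in Path(root).rglob("*.exe"):
        others = {p.stem for p in path.parent.iterdir()
                  if p != path and p.suffix.lower() not in EXE_SUFFIXES}
        if path.stem in others:
            mimics.append(path)
    return sorted(mimics)

def build_demo_tree():
    """Constructed sample: two fake install dirs with legitimate, older executables
    and one dropped look-alike exe stamped at the (constructed) infection time."""
    base = Path(tempfile.mkdtemp())
    infection = time.time() - 3600  # pretend the infection happened an hour ago
    fh, farr = base / "Filehamster", base / "FARR"
    fh.mkdir()
    farr.mkdir()
    (fh / "readme.txt").write_text("legitimate file the dropper copied the name from")
    (fh / "filehamster.exe").write_bytes(b"MZ")
    os.utime(fh / "filehamster.exe", (infection - 86400, infection - 86400))
    (fh / "readme.exe").write_bytes(b"MZ")  # the dropped look-alike
    os.utime(fh / "readme.exe", (infection, infection))
    (farr / "farr.exe").write_bytes(b"MZ")
    os.utime(farr / "farr.exe", (infection - 7 * 86400, infection - 7 * 86400))
    return base, infection
```

The AV detection time, or the timestamp of the first dropped file found in TEMP, serves as `infection_time`; anything the two checks agree on is worth a closer look before deleting it.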
f0dder
Charter Honorary Member
« Reply #4 on: August 02, 2012, 02:56:37 PM »

Giampy, I wouldn't call those pop-up/pop-under advertisements hijacks, and they're not necessarily full of malware - the products they advertise are definitely snake-oil, though.

But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.

Paranoia? Only slightly. Even if the sites themselves aren't sleazy enough to serve you malware, their banner advertisement affiliates might be - and even if they aren't, they're nice goals for hackers to inject malware into.

- carpe noctem
Renegade
Charter Member
« Reply #5 on: August 02, 2012, 03:10:39 PM »

Do be careful about which "AdBlock" you use though. There are like 50 trillion of them out there with the same name, and some really suck and will grind your browser to a halt. Check for reviews about them. (And I mean 5 minutes to load a page - literally...)

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
fenixproductions
Honorary Member
« Reply #6 on: August 02, 2012, 03:17:02 PM »

Quote from tomos:
a couple of years ago (XP admin account), I was opening tabs in the background, from a google search.
Thread just in time?
I had a similar issue 2 days ago on my PC: some Java applet (or Uplay, which I forgot to disable) started in a background tab and created a crappy application in my TEMP folder. Comodo reacted immediately but I was unable to do anything because the intruder showed a fullscreen window (white, with a 404 page) on top of everything. Since it was constantly putting itself on top of everything I couldn't even kill it from Task Manager. The Live Security Premium fake AV was running and I thought nothing could be done. Although the second screen was unchanged I couldn't even shut down my system, so… hard reset into Admin mode.

Luckily, such crap did not start automatically. I cleared the TEMP folder completely, managed to find and disable the bad stuff with Autoruns, and ran a couple of helpful applications (including HijackThis). After a full system scan it appeared that manual play with the DEL button and Autoruns was enough, and only some trash in the browser cache was additionally removed.

BUT now my belief in having a clean system has decreased… and browsing with browser plugins disabled is not as comfortable as with them.

Should have studied instead of throwing stones at the school...
--
When I am bored I write for displaynone
--
f0dder is my personal hero
f0dder
Charter Honorary Member
« Reply #7 on: August 02, 2012, 03:24:29 PM »

Quote from fenixproductions (quoting tomos):
a couple of years ago (XP admin account), I was opening tabs in the background, from a google search.
Thread just in time?
I had similar issue 2 days ago on my PC: some Java applet (or Uplay I forgot to disable) started in background tab and created crappy application in my TEMP folder.
Whoa, people still have the Java plugin in their browsers? :-O

We're forced to use Java applets in .dk because of the whole "NemID" scandal (enforced "digital signatures" that are really just a defunct Single-Sign-On mechanism that's open to a lot of abuse, including MITM) - but since that's the only use I have for Java applets, and since Java has been one of the biggest security holes for several years... it's delegated to a virtual machine with a browser that's only used for official sites + webbanking, and has NoScript+AdBlockPlus+CertificatePatrol.

- carpe noctem
Giampy
Participant
« Reply #8 on: August 02, 2012, 04:36:14 PM »

Quote from f0dder:
But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.

I want to clarify that the website is not of that kind. It's more serious. It shows the list of Tv programs, just like http://au.tv.yahoo.com/tv-guide for example.

"A refrigerator without beer is like a body without soul"
f0dder
Charter Honorary Member
« Reply #9 on: August 02, 2012, 06:04:01 PM »

Quote from f0dder:
But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.
Quote from Giampy:
I want to clarify that website is not of that kind. It's more serious. It shows the list of Tv programs just like http://au.tv.yahoo.com/tv-guide for example.
Ah, fair enough.

But still, if it shows banner ads of that kind? It's definitely in the danger zone. Heck, even totally reputable sites using (as) reputable (as they come) banner services have ended up serving malware because the banner servers were hacked.

It's really not safe surfing the web without NS+ABP, and you definitely don't want the Java plugin installed in your day-to-day browser either.

- carpe noctem
DonationCoder.com | About Us
DonationCoder.com Forum | Powered by SMF