A strange Hijack?

[Giampy]

Hail!
Every day I see dozens of websites without inconveniences. When I instead surf into a certain website (it shows Tv programs) I am sometimes redirected to other extraneous pages. I usually see a page that claims I got a virus and that page offers the way to delete that infection. Of course it's all false.
As far as I know such behavior is typical of an Hijack (or similar) but I have a doubt: is it possible/normal that a Hijack hits one website only and that website only?
Besides: such Hijack is affecting me or that website? Who should be worried, me or the owner of that website?

[Renegade]

Welcome to the world of spammy ads~!

Most likely it's just JavaScripted ads. It's unlikely that you have anything to worry about.

[TaoPhoenix]

(Ahem) In the world of pr0n, there are a lot of page redirects similar to the one I think you are talking about. There's probably a few types of ways to code the concept, but basically one version is a kind of hot-rotator link that feeds the correct linked-to page say a third of the time, and the other two times it sends you to one of their "affiliates", presumably for ad revenue. I'm no expert so I'm probably describing it wrong but the links often look sorta like "spinbot.rotator.com?cgi="outputfeed"&affiliate="534856"&visitclickID="5428"

[tomos]

[...] such Hijack is affecting me or that website?

-Giampy (August 02, 2012, 06:22 AM)

a couple of years ago (XP admin account), I was opening tabs in the background, from a google search. The antivirus blocked the webpage, but the virus (or whatever you want to call it) was able to run, IIRC it played a siren sound (!) and opened a manically flashing window telling me I had a virus. The window could not be closed normally. I'll quote from my report to the AV company:

The app was downloaded in the background and it disabled AntiVir & the
Windows firewall. It started itself, telling me I had a virus
and I should register to remove it.
I panicked at the time, so I dont remember the details exactly, but I do
remember it was difficult to kill. I removed at least one app from the
startup, found the app itself - it was installed in:
Documents and Settings\*User*\Application Data\Desktop Securities
2010\securitycenter.exe
It also had a bunch of files installed in the temp folder which I
securely erased (some of these had been running and one was in windows
startup) Unfortunately I have no record of them.

because I panicked a little, and started killing & deleting things left right and centre, I didnt keep a proper record of the url or the files.
 
The app also created four files within legitimate software installs (Filehamster/FARR/Softmaker/Cloudberry). It took a name from a (random?) file in the install, and created an exe file with the same name. These files were later reported by my AV (Avira AntiVir paid version) and I noticed that the created date for them all was exactly the same as the time I got the infection.

I guess my point is that you'll probably know if you have a virus. And using UAC &/or a non-admin account would probably help a lot...

[f0dder]

Giampy, I wouldn't call those pop-up/pop-under advertisements hijacks, and they're not necessarily full of malware - the products they advertise are definitely snake-oil, though.

But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.

Paranoia? Only slightly. Even if the sites themselves aren't sleazy enough to serve you malware, their banner advertisement affiliates might be - and even if they aren't, they're nice goals for hackers to inject malware into.

[Renegade]

Do be careful about which "AdBlock" you use though. There are like 50 trillion of them out there with the same name, and some really suck and will grind your browser to a halt. Check for reviews about them. (And I mean 5 minutes to load a page - literally...)

[fenixproductions]

a couple of years ago (XP admin account), I was opening tabs in the background, from a google search.

-tomos (August 02, 2012, 11:25 AM)

Thread just in time?
I had similar issue 2 days ago on my PC: some Java applet (or Uplay I forgot to disable) started in background tab and created crappy application in my TEMP folder. Comodo reacted immediately but I was unable to do anything because intruder showed fullscreen window (white with 404 page) on top of everything. Since it was constantly putting itself on top of everything I couldn't even kill it from Task Manager. Live Security Premium fake AV was running and I thought nothing can be done. Although second screen was unchanged I couldn't even close my system so… hard reset into Admin mode.

Luckily: such crap did not start automatically. I've cleared TEMP folder completely, managed to find and disable bad stuff with Autoruns, and run couple of helpful applications (including HijackThis). After full system scan it appeared that manual play with DEL button and Autoruns was enough and only some trash in browser cache was additionally removed.

BUT now my believe in having clean system decreased… and browsing with browsers plugins disabled is not as comfortable as with them.

[f0dder]

a couple of years ago (XP admin account), I was opening tabs in the background, from a google search.

-tomos (August 02, 2012, 11:25 AM)

Thread just in time?
I had similar issue 2 days ago on my PC: some Java applet (or Uplay I forgot to disable) started in background tab and created crappy application in my TEMP folder.

-fenixproductions (August 02, 2012, 03:17 PM)

Whoa, people still have the Java plugin in their browsers? :-O

We're forced to use Java applets in .dk because of the whole "NemID" scandal (enforced "digital signatures" that's really just a defunct Single-Sign-On mechanism that's open to a lot of abuse, including MITM) - but since that's the only use I have for Java applets, and since Java is one of the biggest security holes for several years... it's delegated to a virtual machine with a browser that's only used for official sites + webbanking, and has NoScript+AdBlockPlus+CertificatePatrol.

[Giampy]

But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.

-f0dder (August 02, 2012, 02:56 PM)

I want to clarify that website is not of that kind. It's more serious. It shows the list of Tv programs just like http://au.tv.yahoo.com/tv-guide for example.

[f0dder]

But if you visit sites of that... quality... where they use advertisements that are allowed to use those tactics? You really, really, really shouldn't be browsing without NoScript + AdBlockPlus. Heck, people who frequent that kind of warez/pr0n/stream-tv-shows sites should be doing so from a browser not just with NS+ABP, but preferably a sandboxed one, and it definitely wouldn't hurt running it from a VM.

-f0dder (August 02, 2012, 02:56 PM)

I want to clarify that website is not of that kind. It's more serious. It shows the list of Tv programs just like http://au.tv.yahoo.com/tv-guide for example.

-Giampy (August 02, 2012, 04:36 PM)

Ah, fair enough.

But still, if it shows banner ads of that kind? It's definitely in the danger zone. Heck, even totally reputable sites using (as) reputable (as they come) banner services have ended up serving malware because the banner servers were hacked.

It's really not safe surfing the web without NS+ABP, and you definitely don't want the Java plugin installed in your day-to-day browser either.