
Drive-by Virus advice.

TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
edited March 2009 in Help / Advice Forum
Hi everyone. I hate to do this, since it seems like every thread I make is a tech problem, but I just got hit with a drive-by infection and I was hoping I could get some advice. I'll note that I'm using XP, SP3, and am patched up to date. I'm also using Opera 9.63, and NOD32 v2.7 on definitions 3895.

This morning I was browsing a website I frequent every so often, when - just from looking at the index.html - I was greeted with a NOD32 alert that read the following:

----

File: C:\Documents and Settings\{My username}\Local Settings\Application Data\Opera\Opera...\op0XS46

Threat: SWF/TrojanDownloader.Agent.NAJ trojan

Comment:
Event occurred on a file modified by the application: C:\Program Files\Opera\opera.exe. This file was moved to quarantine. You may close this window.

----

(The actual file path was: C:\Documents and Settings\{My username}\Local Settings\Application Data\Opera\Opera\profile\cache4\op0XS46 )

As soon as this alert popped up, the webpage got redirected. It took me to a blank page, but the history file of Opera showed about eight malicious-looking sites in it that I never visited, nor ever saw pop up. I closed Opera immediately. I omit those web addresses here, but I did record them.

I'm a little squicked out that my browser could get that kind of treatment, and I'm unsure of whether or not I'm currently infected. The website was a familiar one, but I suppose I can't deny the possibility that it's been hijacked. In the wake of all this, I've done a full NOD32 in-depth scan, a Malwarebytes AntiMalware full scan, and a Spybot S&D full scan. None of these programs reported any problems. I can't seem to find the problematic file fingered by NOD, though I guess it could be in quarantine. Also, auto-analysis of a Hijackthis log seems to check out OK. I've not noticed any problems since that point, either, other than mysteriously being forced out of my login while trying to post this message due to 'a database error'.

I'm not convinced that things are alright, though. Otherwise, how else would my browser get redirected other than a browser hijack or a viral infection? Does anyone have any advice for how to ensure that I'm clean and okay? Most of the malware removal forums I've browsed seem to take some really extreme measures, and I was hoping for a level-headed opinion on this matter in the wake of my panic. Thanks.


Posts

  • mspencer Registered User regular
    edited March 2009
    You're probably fine.

    Opera reported those URLs because it had been directed to visit each of the sites. Opera had been told to start loading each of those sites.

    Your security software apparently intercepted each of those connection attempts, so as far as your browser is concerned, each of those sites contains a blank page.

    To be really safe, since some malware can hide itself while the system is running, you might consider using a second, uninfected computer to scan your possibly-infected computer's disk. You would install your anti-malware software on another machine, remove the hard disk and connect it so its files can be read but the drive can't be accidentally booted, and then scan all of the files on that hard disk.

    MEMBER OF THE PARANOIA GM GUILD
    XBL Michael Spencer || Wii 6007 6812 1605 7315 || PSN MichaelSpencerJr || Steam Michael_Spencer || Ham NOØK
    QRZ || My last known GPS coordinates: FindU or APRS.fi (Car antenna feed line busted -- no ham radio for me X__X )
  • exoplasm Registered User regular
    edited March 2009
    Do a scan with Malware Bytes, Spybot S&D, Adaware, etc.

    Also look into a hosts file and opera-specific malware site blocking files. Both of these should prevent you from being able to access most of the problem sites and you shouldn't even notice a difference.

    If you use Firefox there is Adblock Plus which has a malware domains subscription to prevent hijacks and stuff.

    SC2 NA: exoplasm.519 | PA SC2 Mumble Server | My Website | My Stream
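The hosts-file blocking suggested above, as an added example that is not part of the thread: it turns a domain feed into hosts entries and shows the one caveat that bites people, that a hosts file matches exact names only. The feed is constructed (.example names) and stands in for a real malware-domain list.

```python
"""Build a hosts-file blocklist from a domain feed and check URLs against it.

Added example, not from the thread. The feed below is constructed
(.example names) and stands in for a real malware-domain list.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed feed: mixed case, whitespace, full URLs, a comment and junk.
SAMPLE_FEED = """
# constructed feed
Bad-Ads.Example
http://Fake-AV.example/scan.html
not a domain!
fake-av.example
  tracker.example.
"""

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def normalize_domain(entry: str) -> Optional[str]:
    """Lowercased bare hostname, or None for comments, blanks and junk."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if "://" in entry:            # full URL: keep only the host part
        entry = urlsplit(entry).hostname or ""
    entry = entry.lower().rstrip(".")
    return entry if HOSTNAME_RE.match(entry) else None


def build_blocklist(feed: str) -> List[str]:
    """Deduplicated, sorted list of valid hostnames from the feed."""
    return sorted({d for d in map(normalize_domain, feed.splitlines()) if d})


def hosts_file_lines(domains: List[str]) -> List[str]:
    """hosts entries; 0.0.0.0 fails fast instead of waiting on 127.0.0.1."""
    return ["0.0.0.0 " + d for d in domains]


def is_blocked(url: str, domains: List[str]) -> bool:
    """Exact-host match, as the hosts file does: no wildcards, so
    www.fake-av.example is NOT covered by an entry for fake-av.example."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host in set(domains)
```

Because of the exact-match rule, a feed has to list every subdomain the bad site actually uses; a browser-side blocklist (the Opera-specific files mentioned above) can match parent domains, which is why both are worth having.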
  • theclam Registered User
    edited March 2009
    SWF is a flash file. Make sure you're using an up to date version of Flash to avoid any vulnerabilities in old ones. You may also want to get something like CCleaner to clear out any saved Flash information so that the trojan doesn't stay hidden in some cache somewhere.

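Since the flagged file was a cache entry with an opaque name (op0XS46), the point above about Flash objects lingering in a cache can be checked by header rather than by extension. Added example, not from the thread: it recognises the SWF signature bytes and walks a cache directory; demo() builds a constructed directory with one SWF-like stub and one HTML file.

```python
"""Find cached files that are Flash (SWF) objects, whatever they are named.

Added example, not from the thread. It keys on the SWF header: "FWS"
(uncompressed), "CWS" (zlib) or "ZWS" (LZMA), then a version byte and a
4-byte little-endian length. demo() builds a constructed cache directory.
"""
import os
import struct
import tempfile
from typing import Dict, List, Optional

SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes) -> Optional[Dict[str, object]]:
    """Decode the 8-byte SWF header, or return None if this is not SWF."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    (length,) = struct.unpack("<I", data[4:8])
    return {"compression": SWF_SIGNATURES[data[:3]],
            "version": data[3], "length": length}


def scan_cache_dir(path: str) -> List[str]:
    """Walk a cache directory and list files carrying an SWF header,
    regardless of extension (Opera cache names such as op0XS46 have none)."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(8)
            except OSError:        # unreadable or vanished file: skip it
                continue
            if parse_swf_header(head) is not None:
                hits.append(full)
    return sorted(hits)


def demo() -> List[str]:
    """Constructed cache dir: one zlib-flagged SWF stub, one HTML file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "op0XS46"), "wb") as fh:
        fh.write(b"CWS" + bytes([9]) + struct.pack("<I", 1234) + b"\0" * 16)
    with open(os.path.join(d, "op1ABCD"), "wb") as fh:
        fh.write(b"<html><body>cached page</body></html>")
    return [os.path.basename(p) for p in scan_cache_dir(d)]
```

Run it against the real profile cache path shown in the alert to list every Flash object still sitting there, then clear or quarantine them; a hit only means the file is Flash, not that it is malicious.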
  • Sentry Registered User regular
    edited March 2009
    I don't mean to hijack... but I need some serious help and I can't make a new thread.

    I think I have a keylogger on my Mac. My roommate was fucking around with Limewire, and now all my WOW characters have been transferred or deleted.

    Has anyone dealt with this before? Every Google search I do just turns up people saying it can't happen on a Mac... but here I am... totally boned.

    wrote:
    'When I was a little kid, I always pretended I was the hero,' Skip said.
    'Fuck yeah, me too. What little kid ever pretended to be part of the lynch-mob?'
  • theclam Registered User
    edited March 2009
    Sentry wrote: »
    I don't mean to hijack... but I need some serious help and I can't make a new thread.

    I think I have a keylogger on my Mac. My roommate was fucking around with Limewire, and now all my WOW characters have been transferred or deleted.

    Has anyone dealt with this before? Every Google search I do just turns up people saying it can't happen on a Mac... but here I am... totally boned.

    Change all your passwords, email Blizzard ASAP, reformat, and punch your roommate.

  • DrFrylock Registered User regular
    edited March 2009
    You are probably safe. If your browser was vulnerable at all (and Opera may not be) to whatever the infection was, NOD32 probably also caught it for you. The fact that you were redirected to malicious sites is not, in itself, evidence of infection - only attempted infection.

    That said, drive-by viruses are nasty when you do get them. I have gotten them from innocuous-looking pages linked from the front page of Digg and God knows where else. I even got a fullscreen Flash ad for one of those fake anti-spyware packages (that is really malware) from Hotmail.com. I read an article after that happened, and it turned out the bad guys had been representing themselves as advertisers for a legitimate company (let's say cars.com or something) and buying Flash advertising (usually with stolen money or credit cards) on legitimate websites. Well, most of the time the fake ad for cars.com would show and nothing would pop up, but there was a little nasty in there for every 10th or 100th visitor that would show this "YOUR COMPUTER IS INFECTED" crap.

    As the above poster mentioned, your browser is no longer your only (and perhaps it's not even the primary) attack vector. Vulnerabilities in your Java Runtime Environment, Flash, QuickTime, Adobe Acrobat Reader, and other plug-in applications can hit as well. You have to keep these applications up-to-date as much as you possibly can.

    Stay safe and happy browsing!

    Pheezer wrote: »
    I would strongly recommend reading DrFrylock's post thoroughly and considering all of his points individually.
  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited March 2009
    Thanks for the input, everyone. I really do appreciate the advice.

    I've done scans with just about everything (NOD32, Malwarebytes Antimalware, Spybot S&D, even ran Microsoft's Malicious Software Removal tool), and made sure Java and Flash are up to date. Everything came back clean, and I've not noticed any aberrant behavior to date. Hopefully I'm clean for the time being.

    I also did a little bit of research into this SWF/TrojanDownloader.Agent variant. It also goes by the name of Win32/Gida.A, and it looks like the MO of this exploit is exactly what you're talking about, DrFrylock. It was probably one of those Fake Antivirus 'Scareware' Flash banners, and either NOD, Opera, or S&D's immunization stopped it before it got to do too much damage. Apparently the exploit itself can't deliver a payload - it can only trick the user into downloading files (and apparently it does so very well; refusing their offers in the fake windows is actually what triggers the downloads). The Opera database seems to indicate that a virus in the cache is not a sign of infection, too, but damn did the whole thing give my heart a jump. I still feel a bit nervous.

    I guess the days of trusting websites are over, if the sites I know to be clean can get jacked by banner ads like this. I'd not fully appreciated the scope to which other avenues of exploits were being used, so I'm grateful to everyone for educating me on this. Thanks again.
