Snopes infected?

Yesterday and today i visited Snopes and recieved (edited links - correct links can be sent via PM if a Mod or Staff requires them)

15/12/2009 08:55:44 HTTP filter file http://xxxuvbcmxxx.com/xxx/trest10....0006R517c6c1810aT86cbced5201l0809K7460664f317 JS/Exploit.Pdfka.ASD trojan connection terminated - quarantined Paul-PC\Paul Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe

16/12/2009 08:32:30 HTTP filter file http://xxxeeklgxxx.com/xxx/TREST10....0006Rf919303b10aT86c41ac0201l0809K4afa19fd317 JS/Exploit.Pdfka.ASD trojan connection terminated - quarantined Paul-PC\Paul Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe

when visiting a story in the What's New section.

I've emailed Snopes but wondered if ESET can confirm this?

 

Maybe it has to do with this:

Adobe Warns of Reader, Acrobat attack in the wild

 

Snopes response

 

Change your DEP settings from OptIn to OptOut: http://techblissonline.com/enable-disable-dep-in-windows-xp-vista/

 

My guess is that Snopes were hit by a third party malvetising ad.

What I would like to know is were the information stating that the ad in question was removed from "rotation" was obtained?

What is the guarantee that the same ad will not reappear and infect more users ?

 

There's never a real guarantee. They contact the ad service and make sure that specific one gets pulled out of rotation, but so much ad content is outsourced to very shady providers that it is a matter of hours before another one malicious one makes it in the rotation and starts hitting people again.

 

This is a given, with an oft-visited site such as Snopes who makes their real revenue from advertising. A HOSTS File would help those that do not already use one.

Snopes replied to me as follows:

This would appear to me to be a rather rubber-stamp reply.
Snopes users should be cautioned on clicking third-party ads while visiting the site.

 

Good advice, but all visitors to the site should be forewarned: You do not need to click on any ad for malvertisement to launch it's attack. Simply visiting the Snopes page hosting the ad (i.e. the front page, what's new page, etc.), will be enough for the attack to launch.

Snopes' pass-the-blame attitude in this is deplorable, in my opinion. As the owners and operators of the page in question, they have a responsibility to keep their ads clean and safe. Anything less is negligence.

On the other hand, ++ to ESET for recognizing and stopping the attack before it could get its hooks into the OP!

 

I am hoping the Snopes folks have read this and are taking this somewhat seriously. Meanwhile, surf safe. Think before you click

 

The alert would appear when the advert LOADED on the Snopes page. NOT when the advert was clicked on. Actually i don't know about the last part because i didn't click on an advert to find out.

Exactly what happened, as per my opening post.

 

I can only advise as to what Snopes was quoted to in several previous replies in this thread, visit the site at your own risk and peril if you feel it is a security risk for your Browsing experience.

 

Looks like the "Aint it cool" website was also hacked. And according to VirusTotal, ESET doesn't detect it.

http://www.theregister.co.uk/2009/12/18/aintitcool_malware_attack/

(follow the VirusTotal link).




Jim

 

This is yet another zero-day PDF exploit in-the-wild which Adobe has no plans on patching until January 12 / 2010