Why/how does Antivirus 2009 malware popup attach itself to certain links?

Discussion in 'Computer Support' started by Doc, Jan 3, 2009.

  1. Doc

    Doc Guest

    There's a website for a couple of famous jazz trumpeters, the late
    Candoli brothers.

    http://www.candoli.com

    It's a legitimate site, these guys were icons. There's a photo in
    their gallery of Pete playing wearing a Superman suit. I posted the
    direct link to it in a trumpet forum.

    http://www.candoli.com/pic28.htm

    Several people reported that clicking the link brought up that
    Antivirus 2009 malware bogus alert. I tried it and got the same
    thing.

    How does that Antivirus 2009 page hijack attempts to go to other sites
    like that? How does it get attached to certain ones?

    How is it these people haven't been shut down?
    Doc, Jan 3, 2009
    #1

  2. Doc

    1PW Guest

    On 01/03/2009 07:48 AM, Doc sent:
    > There's a website for a couple of famous jazz trumpeters, the late
    > Candoli brothers.
    >
    > http://www.candoli.com
    >
    > It's a legitimate site, these guys were icons. There's a photo in
    > their gallery of Pete playing wearing a Superman suit. I posted the
    > direct link to it in a trumpet forum.
    >
    > http://www.candoli.com/pic28.htm
    >
    > Several people reported that clicking the link brought up that
    > Antivirus 2009 malware bogus alert. I tried it and got the same
    > thing.
    >
    > How does that Antivirus 2009 page hijack attempts to go to other sites
    > like that? How does it get attached to certain ones?


    Their web server is infected.

    >
    > How is it these people haven't been shut down?


    Which people? The web page author or maintainer? The hosting company?
    The ISP? Most of these folks are indemnified and will still collect
    recurring fees. I don't wish to disrespect you or your query but this
    is what safe hex is about.

    --
    1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
    1PW, Jan 3, 2009
    #2

  3. Doc

    Doc Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    On Jan 3, 12:55 pm, 1PW <> wrote:

    > Which people?  The web page author or maintainer?  The hosting company?
    >  The ISP?  Most of these folks are indemnified and will still collect
    > recurring fees.  I don't wish to disrespect you or your query but



    ....but what, I should just *know*?

    That's the point of asking questions. If I knew the answers I wouldn't
    be asking.
    Doc, Jan 3, 2009
    #3
  4. Doc

    Doc Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    On Jan 3, 12:55 pm, 1PW <> wrote:

    > > How is it these people haven't been shut down?

    >
    > Which people?  The web page author or maintainer?  The hosting company?
    >  The ISP?  



    Whoever is creating and is on the money collecting end of the malware
    site.
    Doc, Jan 3, 2009
    #4
  5. Doc wrote:
    > There's a website for a couple of famous jazz trumpeters, the late
    > Candoli brothers.
    >
    > hxxp://www.candoli.com
    >
    > It's a legitimate site, these guys were icons. There's a photo in
    > their gallery of Pete playing wearing a Superman suit. I posted the
    > direct link to it in a trumpet forum.
    >
    > hxxp://www.candoli.com/pic28.htm
    >
    > Several people reported that clicking the link brought up that
    > Antivirus 2009 malware bogus alert. I tried it and got the same
    > thing.
    >
    > How does that Antivirus 2009 page hijack attempts to go to other sites
    > like that? How does it get attached to certain ones?
    >
    > How is it these people haven't been shut down?



    Modified the links


    There are really two options

    1. The owners of the website are part of the group making money from
    sales of rogue software

    2. Most likely the owners of the site don't know how to properly secure
    their site and it is vulnerable to exploits that allow a third party to
    modify the content.


    You can find more info at <http://badwarebusters.org/>

    If you put the url into http://unmaskparasites.com/ you can see that it
    is redirecting traffic to malicious sites


    John
    John Mason Jr, Jan 3, 2009
    #5
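
As an added example (not part of any post in this thread): a site owner's check for the second option John describes, listing off-site hosts that a page's markup loads or redirects to. It assumes the injected content is a script, frame, embed or meta-refresh tag, which the thread does not state; the host names and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class OffsiteAudit(HTMLParser):
    """Collect off-site URLs referenced by tags that can load or redirect."""
    WATCH = {"script": "src", "iframe": "src", "frame": "src",
             "embed": "src", "object": "data"}

    def __init__(self, site_host, allowed=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed)}
        self.findings = []

    def _check(self, tag, url):
        # Relative URLs have no hostname and stay on the site itself.
        host = (urlparse(url).hostname or "").lower()
        if host and host not in self.trusted:
            self.findings.append((tag, host, url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in self.WATCH and a.get(self.WATCH[tag]):
            self._check(tag, a[self.WATCH[tag]].strip())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://host/path"
            _, _, target = a.get("content", "").partition("=")
            self._check("meta-refresh", target.strip(" '\""))

def audit(html, site_host, allowed=()):
    parser = OffsiteAudit(site_host, allowed)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two legitimate scripts plus two injected tags.
SAMPLE = """<html><head>
<script src="/js/gallery.js"></script>
<script src="http://www.example.org/js/menu.js"></script>
</head><body>
<img src="pic28.jpg">
<iframe src="http://redirector.example/in.php" width="1" height="1"></iframe>
<meta http-equiv="refresh" content="0; url=http://landing.example/scan">
</body></html>"""

if __name__ == "__main__":
    for tag, host, url in audit(SAMPLE, "www.example.org"):
        print(f"off-site {tag}: {host}  ({url})")
```

It inspects static markup only; content written by script at load time is better caught by comparing each served file against a known-good copy.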
  6. Doc

    Doc Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    On Jan 3, 2:32 pm, "Fix it" <> wrote:

    > It seems a number of established security vendors have listed
    > the links you posted as very naughty in the same way as blockyell.
    > But that's why you posted them isn't it, you're spreading malware.



    Um, no. As stated I'm trying to understand the how and why.

    Did I not state exactly what behavior I was observing thereby giving
    you complete "click at your own risk" warning? And you're shocked
    that you found that yes, it does exactly what I said it would do
    because why?

    Perhaps you misunderstood the title of the thread?

    Initially when I clicked the website home page it didn't do it,
    several times. I only observed it when going to the direct link for
    the photo. I just now got it when clicking on the home page itself.
    Doc, Jan 3, 2009
    #6
  7. Doc

    Doc Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    On Jan 3, 2:44 pm, John Mason Jr <> wrote:

    > If you put the url into http://unmaskparasites.com/ you can see that it
    > is redirecting traffic to malicious sites



    Interesting, even though there's an initial "this site is clean"
    message, it shows various redirects.
    Doc, Jan 3, 2009
    #7
  8. Doc

    Doc Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    I wrote to the site admin and they contacted the site server and it's
    supposed to be cured. I just clicked on the links and it doesn't seem
    to be doing it now.
    Doc, Jan 3, 2009
    #8
  9. Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    Doc wrote:
    > On Jan 3, 2:44 pm, John Mason Jr <> wrote:
    >
    >> If you put the url into http://unmaskparasites.com/ you can see that it
    >> is redirecting traffic to malicious sites

    >
    >
    > Interesting, even though there's an initial "this site is clean"
    > message, it shows various redirects.


    Sent a note to developer of unmaskparasites.com to let him know, the
    site is a beta, but is still very useful.

    John
    John Mason Jr, Jan 3, 2009
    #9
  10. Doc

    Damian Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    Fix it wrote:
    > "Doc" <> wrote in message
    > news:...
    >> There's a website for a couple of famous jazz trumpeters, the late
    >> Candoli brothers.
    >>
    >> http://www.candoli.com
    >>
    >>

    >
    > I clicked that link and my Kaspersky security suite blocked the URL
    > with exactly the same warning it gives with the blockyell.com scam.
    > It seems a number of established security vendors have listed
    > the links you posted as very naughty in the same way as blockyell.
    > But that's why you posted them isn't it, you're spreading malware.


    Any _good_ firewall/anti-virus/anti-malware app will block it. The OP's
    probably using some "Free" crap like AVG.
    Damian, Jan 3, 2009
    #10
  11. Doc

    Doc Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    On Jan 3, 3:10 pm, "Fix it" <> wrote:

    > Oh yes it is still doing it. And Firefox blocks it, Kaspersky and Norton
    > block it



    I just went to each link about half a dozen times, got no redirect on
    either. The rest of your rambling isn't worth responding to.
    Doc, Jan 3, 2009
    #11
  12. Doc

    Doc Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    On Jan 3, 5:11 pm, "Fix it" <> wrote:

    > And you x-posted it across
    > numerous groups.



    Well champ, if you'll look back so did you.

    Run along and take your meds.
    Doc, Jan 3, 2009
    #12
  13. Doc

    Doc Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    On Jan 3, 5:35 pm, "Fix it" <> wrote:

    > Good luck, also I suggest as many as possible post a complaint to
    > google about the link being x-posted to so many groups by "Doc".



    I assume you'll be reporting yourself since you posted the same link
    to the same groups?

    Do the orderlies know you've wandered out of your room?
    Doc, Jan 3, 2009
    #13
  14. Doc

    Rube Bumpkin Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    Doc wrote:
    > On Jan 3, 2:32 pm, "Fix it" <> wrote:
    >
    >> It seems a number of established security vendors have listed
    >> the links you posted as very naughty in the same way as blockyell.
    >> But that's why you posted them isn't it, you're spreading malware.

    >
    >
    > Um, no. As stated I'm trying to understand the how and why.
    >
    > Did I not state exactly what behavior I was observing thereby giving
    > you complete "click at your own risk" warning?

    <SNIP>

    It's generally considered good form to obfuscate suspect links, by, for
    instance, changing the first part to hxxp://

    That way nobody could accidentally click on it and end up in a bad
    place. Not everyone reads posts completely before clicking.

    RB
    Rube Bumpkin, Jan 3, 2009
    #14
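
As an added example (not part of any post in this thread): the link obfuscation Rube Bumpkin describes, applied to a whole post before it is sent. Bracketing the dots in the host name goes beyond the post's suggestion and can be turned off; the function names and the sample text are constructed.

```python
import re

# Scheme rewrites; "hxxp" is the convention named in the post above.
_SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}

# Group 1 = scheme, group 2 = host (up to the first slash), group 3 = the rest.
_LIVE = re.compile(r"\b(https?|ftp)://([^\s/<>\"']+)([^\s<>\"']*)", re.IGNORECASE)

def live_links(text):
    """Return every URL in text that a mail or news reader would make clickable."""
    return [m.group(0) for m in _LIVE.finditer(text)]

def defang(text, bracket_dots=True):
    """Rewrite clickable URLs in text so they can no longer be followed by a click."""
    def rewrite(m):
        host = m.group(2)
        if bracket_dots:
            host = host.replace(".", "[.]")
        return f"{_SCHEMES[m.group(1).lower()]}://{host}{m.group(3)}"
    return _LIVE.sub(rewrite, text)

# Constructed sample: one live link and one already written in the h**p style.
POST = ("Photo: http://www.candoli.com/pic28.htm "
        "(already safe: h**p://www.candoli.com)")

if __name__ == "__main__":
    print(live_links(POST))
    print(defang(POST))
```

Running `live_links` on the defanged text as a pre-send check confirms nothing clickable is left; links already written as hxxp:// or h**p:// pass through unchanged.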
  15. Doc

    Dustin Cook Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    Doc <> wrote in news:6a82feef-8a3a-4042-bfd0-
    :

    > Several people reported that clicking the link brought up that
    > Antivirus 2009 malware bogus alert. I tried it and got the same
    > thing.


    The web server got infected...

    > How does that Antivirus 2009 page hijack attempts to go to other sites
    > like that? How does it get attached to certain ones?


    By infecting vulnerable servers and computers.

    > How is it these people haven't been shut down?


    Shut down? Who would you shut down exactly?


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org
    Dustin Cook, Jan 4, 2009
    #15
  16. Doc

    Dustin Cook Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    "Damian" <> wrote in
    news:gjokq3$v70$:

    > Fix it wrote:
    >> "Doc" <> wrote in message
    >> news:
    >> ...
    >>> There's a website for a couple of famous jazz trumpeters, the late
    >>> Candoli brothers.
    >>>
    >>> http://www.candoli.com
    >>>
    >>>

    >>
    >> I clicked that link and my Kaspersky security suite blocked the URL
    >> with exactly the same warning it gives with the blockyell.com scam.
    >> It seems a number of established security vendors have listed
    >> the links you posted as very naughty in the same way as blockyell.
    >> But that's why you posted them isn't it, you're spreading malware.

    >
    > Any _good_ firewall/anti-virus/anti-malware app will block it. The
    > OP's probably using some "Free" crap like AVG.


    Free crap? Hah. So you think a paid version of Norton or McAfee is better,
    do you?


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org
    Dustin Cook, Jan 4, 2009
    #16
  17. Doc

    Dustin Cook Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    Doc <> wrote in news:1428fcaa-d3af-47ae-b945-
    :

    > On Jan 3, 5:35 pm, "Fix it" <> wrote:
    >
    >> Good luck, also I suggest as many as possible post a complaint to
    >> google about the link being x-posted to so many groups by "Doc".

    >
    >
    > I assume you'll be reporting yourself since you posted the same link
    > to the same groups?
    >
    > Do the orderlies know you've wandered out of your room?
    >


    Minor suggestion: if you wish to be taken seriously, ignore the posters
    who outright attack you, such as Fix. Responding in this manner only
    provokes him further and wastes even more time for those of us reading
    along.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org
    Dustin Cook, Jan 4, 2009
    #17
  18. Doc

    Dustin Cook Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news::

    > From: "Doc" <>
    >
    >| There's a website for a couple of famous jazz trumpeters, the late
    >| Candoli brothers.
    >
    >| h**p://www.candoli.com
    >
    >| It's a legitimate site, these guys were icons. There's a photo in
    >| their gallery of Pete playing wearing a Superman suit. I posted the
    >| direct link to it in a trumpet forum.
    >
    >| h**p://www.candoli.com/pic28.htm
    >
    >| Several people reported that clicking the link brought up that
    >| Antivirus 2009 malware bogus alert. I tried it and got the same
    >| thing.
    >
    >| How does that Antivirus 2009 page hijack attempts to go to other
    >| sites like that? How does it get attached to certain ones?
    >
    >| How is it these people haven't been shut down?
    >
    > The site was hacked and is now compromised. It takes you to a
    > malicious site 78.110.175.21
    >
    > http://isc.sans.org/diary.html?storyid=5440
    >
    > The malicious site will test the PC for vulnerabilities in Adobe Flash,
    > Adobe Reader and MDAC.
    >
    > Successful exploitation will yield an EXE file.
    >
    > http://www.virustotal.com/analisis/e8a650fafef32407bb729fdc63f44f78
    >
    > Prevx1 V2 2009.01.03 Information Stealer
    > Sophos 4.37.0 2009.01.03 Troj/Daonol-Fam
    > TrendMicro 8.700.0.1004 2009.01.02 PAK_Generic.001
    >
    > Which will drop; %windir%\system32\wdmaud.sys


    Someone sent us 4 copies of this, all different. It's quite the morphing
    little turd.

    > All you can do is what you did, contact the site owner to get the
    > site fixed.


    Yep.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org
    Dustin Cook, Jan 4, 2009
    #18
  19. Doc

    Cadillakin Guest

    Re: Why/how does Antivirus 2009 malware popup attach itself to certain links?

    On Sat, 03 Jan 2009 17:06:54 -0500, David H. Lipman wrote:

    > From: "Doc" <>


    >
    > | How is it these people haven't been shut down?
    >
    > The site was hacked and is now compromised. It takes you to a malicious
    > site 78.110.175.21
    >
    > http://isc.sans.org/diary.html?storyid=5440
    >
    > The malicious site will test the PC for vulnerabilities in Adobe Flash,
    > Adobe Reader and MDAC.
    >
    > Successful exploitation will yield an EXE file.
    >
    > http://www.virustotal.com/analisis/e8a650fafef32407bb729fdc63f44f78
    >
    > Prevx1 V2 2009.01.03 Information Stealer
    > Sophos 4.37.0 2009.01.03 Troj/Daonol-Fam
    > TrendMicro 8.700.0.1004 2009.01.02 PAK_Generic.001
    >
    > Which will drop; %windir%\system32\wdmaud.sys
    >
    > All you can do is what you did, contact the site owner to get the
    > site fixed.
    >
    > { BTW: Thanx go to Ant ! }



    Right! Using Firefox3 sandboxed with Sandboxie, an explicit warning popup
    comes to the fore from Sandboxie alerting me that Acrobat.exe is trying
    to connect to the net. In my default sandbox, only the browsers are
    allowed to connect... This is the first time I've seen such a warning. I
    configured Sandboxie for just such an occurrence - that something other
    than the browsers would be vulnerable to exploit.


    --
    Regards,
    Cadillakin
    Cadillakin, Jan 8, 2009
    #19