Online Metals ...Trojan



QSIMDO
07-21-2010, 12:08 PM
Went to Online Metals this morning from work and immediately got pinned by a Trojan Horse.
Never had that happen from them before.
Maybe someone could contact them and let them know?
I'M not going back there...not from here especially!

dp
07-21-2010, 12:15 PM
Do you recall what page you were on, and what the nature of the trojan is? Many times a thing like this is introduced by advert rotators unknown to the host site and immediately falls out of rotation, thus making it difficult to track.

Advert agencies are supposed to cleanse those kinds of things but they still get through.

QSIMDO
07-21-2010, 12:37 PM
It was the main page just as soon as I got there.
What the trojan was I have no idea but it made 79 attempts before Symantec quarantined it.

dp
07-21-2010, 12:56 PM
Online Metals uses a bookmarking product called AddThis (http://addthis.com), which has been loosely tied to a known trojan exploitation here:

http://www.threatexpert.com/report.aspx?md5=7f28287f172edd87f7c31b6b4e883d05

I use a proxy server between my home systems and the internet that filters those kinds of things so I don't normally see them. The length of the list is becoming impossibly long, unfortunately.

Black_Moons
07-21-2010, 01:38 PM
Grumble, I hate how ad servers are allowed to 'push' ads to websites. It should be a 'pull' instead with preauthorization.
As is, you get a trojan from some well known website and the website owner is 'ohh musta been our ads, don't blame us, talk to them', the ad server is like 'Ohh it must have been our clients, don't blame us!' 'oh who are those' 'sorry not allowed to tell' 'Really.. because I'm sure the police would love to know you're infecting people's computers willingly'

Practically every website with 'pull' random ads eventually gets annoying ones with full motion/sound in the rotation, or trojans, etc.

I really like how this website just has the 2 ads from KNOWN companies and it does not rotate to random god unknown ads.

MTNGUN
07-21-2010, 01:48 PM
FF gave a warning when I went to the Online Metals site:


Diagnostic page for onlinemetals.com

What is the current listing status for onlinemetals.com?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-07-21, and the last time suspicious content was found on this site was on 2010-07-21.

Malicious software includes 5 exploit(s). Successful infection resulted in an average of 2 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including w91t.com/.

This site was hosted on 1 network(s) including AS11274 (ADHOST).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, onlinemetals.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

I ignored the warning and went to the site, anyway. I'm not worried since I am running Linux. :)

kenrinc
07-21-2010, 04:40 PM
Yep. Site was hacked sometime yesterday afternoon. You're usually greeted with an "attack" page now. "This web page at www.onlinemetals.com has been reported as an attack page and has been blocked based on your security preferences." in Firefox.

I have a "dirty" system I keep around for checking these things and found that if you ignore the message it infects with Trojan.Win32.VBKrypt.zg if you click the "ignore this message" in most browsers. Unfortunately this happens a lot, especially sites with large amounts of SQL. Hope they fix it soon.

Ken-

dp
07-21-2010, 05:30 PM
The site author is Chris Sypolt who is tweetable, Facebookable, and very LinkedIn. He'd probably like to know.