Collet Specifications vs Attack Sites



GadgetBuilder
10-15-2010, 12:49 PM
I recently looked for "collet specifications" and "ER collet specification" via Google. Apparently I was not alert enough because I clicked on a site whose text description looked OK and up popped one of those fake virus alerts where you're asked to click a box to run a virus scan from their site. This brought up several questions.

1) What is the proper way to handle these? I know I shouldn't click on anything in their box so I hit the modem standby button to prevent a driveby download and then kill Firefox via Task manager. This is a hassle so is there a better way?

2) What's up with collet specs that nearly 5% of the Google responses are attack sites? The way I identify them now is that the site name doesn't have anything to do with tools or collets and the address ends in a random string terminated with a slash. Usually Google doesn't offer a cache of attack pages.

3) There are some sites where the site name has nothing to do with collets but some text about collets is present. It looks like someone inserts this text, waits for Google to index the page, then inserts the attack stuff later so Google will lead you to an attack site (I reported a couple). That is, it seems coordinated and takes some effort to accomplish.

I think I see what is happening, but why collets? Seems like a peculiar subject to use for setting up attack sites. I haven't seen anything like this on other subjects I've searched for -- or is this occurring for other subjects I'm not aware of?

John
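
The two signs described in the post above (a site name unrelated to the search topic, and an address ending in a random string followed by a slash), written out as a triage check over search-result URLs. This is an added example, not part of the original thread; the function names, thresholds and sample URLs are constructed for illustration, and the check is a heuristic that can miss or misflag results.

```python
from urllib.parse import urlparse

VOWELS = set("aeiou")

def looks_random(segment):
    """Rough test for a machine-generated path segment (heuristic, not proof)."""
    if len(segment) < 8 or not segment.isalnum():
        return False
    s = segment.lower()
    letters = [c for c in s if c.isalpha()]
    # Letter<->digit switches: "x7k2qz9v" switches far more often than "specs2010".
    switches = sum(1 for a, b in zip(s, s[1:]) if a.isdigit() != b.isdigit())
    # Real words carry vowels; an all-digit segment (a date) is not treated as random.
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 1.0
    return switches >= 4 or vowel_ratio < 0.2

def suspicious(url, topic_terms):
    """Return which of the two signs from the post this URL shows."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if not any(term in host for term in topic_terms):
        reasons.append("host unrelated to topic")
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if parts.path.endswith("/") and looks_random(last):
        reasons.append("path ends in random string + slash")
    return reasons

def flag(urls, topic_terms):
    """Keep only URLs that show both signs at once."""
    return [u for u in urls if len(suspicious(u, topic_terms)) == 2]

# Constructed sample search results (not real sites).
SAMPLE_RESULTS = [
    "http://tooling-supplier.example/collets/er-collet-specs.html",
    "http://flower-shop.example/x7k2qz9vbt4m/",
    "http://flower-shop.example/catalogue/",
    "http://collet-warehouse.example/p9x3kd81zq/",
]

if __name__ == "__main__":
    for url in flag(SAMPLE_RESULTS, ["collet", "tool"]):
        print("do not click:", url)
```
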

Evan
10-15-2010, 01:26 PM
What is the proper way to handle these? I know I shouldn't click on anything in their box so I hit the modem standby button to prevent a driveby download and then kill Firefox via Task manager.

That is the best way. It may be inconvenient but it's a lot less hassle than trying to remove crap after it is installed. Same procedure applies to IE.



I think I see what is happening, but why collets? Seems like a peculiar subject to use for setting up attack sites. I haven't seen anything like this on other subjects I've searched for -- or is this occurring for other subjects I'm not aware of?


The word collet(s) is in the dictionary. The sites will use enormous word lists so that any search query produces a hit. Google tries to put those sites at the very bottom of the search results but doesn't always succeed. You are much more likely to encounter these issues with searches on less common terms.

J Harp
10-15-2010, 03:21 PM
Where is the modem standby button? Is the normal way of clicking the X to close Firefox risky? That seems much quicker than going thru ctrl-alt-delete to get to task manager, but if it is risky then we need to avoid using it when attack warnings or virus scan offers come up.

AllThumbz
10-15-2010, 03:24 PM
Collets & Applications
Basic dimensions to help identify collets,

http://shopswarf.orconhosting.net.nz/collet.html

There is also a ton of other useful info on the site.

Enjoy!

GadgetBuilder
10-15-2010, 04:55 PM
Jim,

The problem that occurs with these sites is that they put up a box and you must click a response in this box or you can't click on the X at upper right - the browser forces this when the script from the site is run. The only way I know to quit without clicking in their box is via the Task Mgr.

I downloaded the Firefox add-on suggested by Evan in another thread:
http://noscript.net/

And this fixes the problem by letting me choose which sites are allowed to run scripts. The attack sites run scripts to put these boxes up so the program allows you to choose which sites are allowed to run scripts on your computer and the program remembers which sites are allowed and which are blocked. I mostly go to the same few sites so they're now on the program's whitelist making the process transparent now for the most part.

I've spent the afternoon poking around with these weird sites. Someone is finding sites that aren't locked down, putting random keywords/text on them, waiting for Google to index them, and then replacing the random stuff with scripts. The result in most cases is being redirected to the site:
http://www2.best-force-guard2.net with a long string after the site name.

I looked in Whois and the site name was registered just today by a registrar in China. It looks like the target sites don't stay up long. Also, several of the attack sites have been added to Google's list just this afternoon so they now bring up the brown "Attack Site" screen rather than letting you get nailed.

Bottom line: I guess I need to get out more, this is apparently an on-going problem that I simply didn't realize existed.

John

Edit: link to news about this phenomenon:
http://www.examiner.com/computer-user-in-national/fake-anti-virus-software-on-the-rise

I have an old Motorola SB4200 with a standby button on the top near the front.

clutch
10-15-2010, 05:42 PM
I've run into this before and the task manager solution is the way to go. As soon as some web page gets impolite, the last thing you want to do is click on anything.

I also use opendns.org as my DNS provider to try to weed some of this crap out and for reliability reasons.

Clutch

squirrel
10-15-2010, 07:01 PM
This happened to my machine a couple weeks ago. Once the pop-up is already visible you have been hijacked. They stuck a sniffer on my machine and a ton of spyware.

You must click on Windows Update to see if your machine can actually get to the Windows site to check for updates. If you cannot, you have a nasty bug. If you can get an update, this does not mean you are in the clear.

It was so bad I had to have McAfee.com work on the machine remotely and it took them several hours and 2 attempts to clean it up. They charged $89 and that was well worth the price. They did do an excellent job.

dp
10-15-2010, 09:41 PM
One solution is to have a tunable firewall between you and the Internet, and add regional blocklists to it. For example:

http://www.okean.com/

BillDaCatt
10-15-2010, 10:28 PM
I run Adblock Plus (http://adblockplus.org/en/) as a Firefox Add-on. It removes the vast majority of those annoying pop-up and sidebar ads so well that I hardly see them any more.

It's hard to get trapped by one of those hijack-style ads when their ad is actively blocked and is never downloaded to your computer.

The Adblock-Plus database is constantly updated to keep you protected and you can also white-list sites of your choosing on an individual basis either by the page or for an entire domain.

Evan
10-15-2010, 10:55 PM
This happened to my machine a couple weeks ago. Once the pop-up is already visible you have been hijacked. They stuck a sniffer on my machine and a ton of spyware.


Not so if you have all your IE security settings set to either prompt or disable.