
Thread: IMPORTANT: FPN hit with Code injection exploit

  1. #1
    Junior Member mjh's Avatar
    Join Date
    Apr 2010
    Location
    Pennsylvania
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Default IMPORTANT: FPN hit with Code injection exploit

    Earlier this evening I saw that fountainpennetwork.com has been listed as harmful on Google. After disabling scripting and plugins (Opera) I checked on the site; they are working on it. For the moment you want to be cautious when visiting; for starters I would disable any scripts or use a plugin like NoScript for Firefox. Also, add the following entries to your hosts file:

    127.0.0.1 arsdh.in
    127.0.0.1 gighw.in

    Those are the two domains which the exploit is pulling code down from. (Possibly others)

    I know this is a separate fountain pen forum, and I'm not listing this as an 'avoid FPN and stay here'; this is merely a public service, as users can have private data stolen, systems compromised, etc. I don't care if I owned the site, I'd want to warn people.

    -MJ
    Bill: So you guys also see Jim Neighbors riding a killer whale in space?
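The hosts-file block suggested in the post above only helps if the entries are actually present and point at loopback. The following added example (not code from the thread) parses hosts-file syntax and reports, for the two domains named in the post, whether each is sinkholed, mapped to some other address, or missing; SAMPLE_HOSTS is constructed input standing in for the real file.

```python
"""Check that a hosts file sinkholes the two domains named in the thread.

Added example, not from the original post. Parses hosts-file syntax (IP then
one or more hostnames, '#' comments) and reports whether each domain maps to
a loopback address, maps elsewhere, or is absent. SAMPLE_HOSTS is constructed.
"""
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains the first post says the injected script pulled code from.
BLOCKED_DOMAINS = ["arsdh.in", "gighw.in"]

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   arsdh.in          # sinkholed as the first post suggests
10.0.0.5    gighw.in  www.gighw.in   # wrong: points at a real address
"""


def parse_hosts(text):
    """Return {hostname (lowercased): set of IPs} from hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping


def check_sinkholes(text, domains=BLOCKED_DOMAINS):
    """Classify each domain as 'sinkholed', 'misdirected' or 'missing'."""
    mapping = parse_hosts(text)
    result = {}
    for domain in domains:
        ips = mapping.get(domain.lower())
        if not ips:
            result[domain] = "missing"
        elif ips <= LOOPBACK:
            result[domain] = "sinkholed"
        else:
            result[domain] = "misdirected"  # a non-loopback IP is listed
    return result


if __name__ == "__main__":
    for domain, status in check_sinkholes(SAMPLE_HOSTS).items():
        print(f"{domain}: {status}")
```

On a real machine, read /etc/hosts or C:\Windows\System32\drivers\etc\hosts and pass its contents to check_sinkholes instead of SAMPLE_HOSTS.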

  2. #2
    Junior Member ttakacs's Avatar
    Join Date
    May 2010
    Location
    Hendersonville, TN
    Posts
    13
    Thanks
    3
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Default

    Are anti-virus programs proof against these exploits? I am using Trend Micro at work and Microsoft Security Essentials at home. Both are up-to-date.
    Tim T.
    Please visit my Web site.

  3. #3
    SProctor
    Guest

    Default

    Yes, apparently there are several malicious scripts coming from both domains. I sure am glad that Norton (Symantec) caught it and announced the MalWare problems before it went too far on my machine... I'm not trying to make anyone wrong for this but it seems to me that the Admin could do some sort of mass-email and let everyone know of the problems before those that are susceptible to this visit the FPN website. Perhaps there's a reason, who knows at this point.

    Very Best Wishes,
    Stephen

  4. #4
    penspouse
    Guest

    Default

    Quote Originally Posted by SProctor View Post
    Yes, apparently there are several malicious scripts coming from both domains. I sure am glad that Norton (Symantec) caught it and announced the MalWare problems before it went too far on my machine... I'm not trying to make anyone wrong for this but it seems to me that the Admin could do some sort of mass-email and let everyone know of the problems before those that are susceptible to this visit the FPN website. Perhaps there's a reason, who knows at this point.

    Very Best Wishes,
    Stephen
    All you get when visiting is a page saying the page doesn't exist anymore, with a link to the main page that indicates they are doing maintenance. They are taking care of it.

  5. #5
    Junior Member Roger3's Avatar
    Join Date
    Apr 2010
    Location
    Huangshi Hubei province China
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Default

    I run Webroot Internet Security Essentials and Microsoft Security Essentials. Do these processes prevent/block this issue?
    May your life be healthy, prosperous, and filled with generosity
    Roger

  6. #6
    Maruk
    Guest

    Default

    Most of the security programs listed should find them, they are fairly well known. According to Sophos the payload was 2 trojans and a compromised temporary image file. From what I can remember from the Sophos report, it was roughly in this order:
    Sus/Buffer Overflow (IE8)
    Sus/PDFJs-S (This is a remote PDF/Adobe Acrobat exploit through the browser)
    Sus/[don't remember the compromised windows dll]

    Image file was C:\Documents and Settings\<user>\Temporary Internet Files\<random name>\img[1].jpg

    If you are rather unsure there are a few out there that I know do work:

    Installable programs:
    Spybot Search and Destroy - http://www.safer-networking.org/index2.html
    Avast Antivirus - http://www.avast.com/free-antivirus-download
    MalwareBytes - http://malwarebytes.org/mbam.php
    Sophos (trial) - http://www.sophos.com

    Online Scanners:
    ESET - http://www.eset.com/online-scanner
    F-Secure - http://www.f-secure.com/en_EMEA/secu...nline-scanner/
    Symantec - http://security.symantec.com/sscv6/WelcomePage.asp

    Problem is, Trojans usually have a rootkit payload. You may want to try F-Secure's Blacklight or Sophos Anti-Rootkit to determine if you have one. If you do, just reinstall your OS, as they are a pain to fix and the system never truly recovers from one.

    If you have more questions, feel free to ask.
    Last edited by Maruk; June 9th, 2010 at 03:45 PM.

  7. #7
    Junior Member mjh's Avatar
    Join Date
    Apr 2010
    Location
    Pennsylvania
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Default

    Quote Originally Posted by ttakacs View Post
    Are anti-virus programs proof against these exploits? I am using Trend Micro at work and Microsoft Security Essentials at home. Both are up-to-date.
    No anti-virus has a 100% detection rate, sadly. That is why it is important to practice safe browsing. Avoid using products that have a high degree of exploits: IE, Adobe, etc.

    Look at Opera, Firefox or Chrome as a possible browser. For PDFs try an alternative like FoxIt. Instead of using Outlook or Windows Mail, look at Thunderbird, Opera's built-in client, or use webmail such as Yahoo mail or Gmail.

    Learn the security settings on your browser and other software. Oftentimes these are enough to stop the majority of what is out there. Even if you aren't worried about viruses, the level at which companies exploit personal information on the web is scary. By blocking various scripts, Flash and URLs you can avoid the bulk of advertiser tracking and such.

    Consider using a custom hosts file; http://www.mvps.org/winhelp2002/hosts.htm

    And MAKE SURE YOU UPDATE YOUR SOFTWARE! Most dangerous exploits/holes are caught even before they make it into the wild; it becomes an issue for those people that haven't updated to the latest versions of their browser, plugins, etc.

    -MJ
    Bill: So you guys also see Jim Neighbors riding a killer whale in space?

  8. #8
    bardolator
    Guest

    Default

    Never mind; thanks!
    Last edited by bardolator; June 9th, 2010 at 07:27 PM.

  9. #9
    Junior Member Roger3's Avatar
    Join Date
    Apr 2010
    Location
    Huangshi Hubei province China
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Default

    Thank you for the info. I think all is o.k., as virus scans/sweeps by Webroot (uses Sophos) and Microsoft Security Essentials found no issues. I do use IE8 and Chrome, with recommended security applications enabled.
    Also just ran the MalwareBytes free scan, downloaded from CNET.com, which showed no infections... so apparently no worries, all is o.k. Although I am way gunshy of logging onto FPN.
    Last edited by Roger3; June 10th, 2010 at 11:27 AM.
    May your life be healthy, prosperous, and filled with generosity
    Roger

  10. #10
    penspouse
    Guest

    Default

    I love Macs!

  11. #11
    dizzypen
    Guest

    Default

    Here's an update for those who don't want to try to access fpn: http://dizzypen.wordpress.com/2010/0...aga-continues/

  12. #12
    Silvermink
    Guest

    Default

    MalwareBytes' Anti-Malware did pick up one malicious file for me on this machine at %AppData%\avdrn.dat, though there's no guarantee it was from this. I didn't get anything when I scanned my home machine, but I proactively put those domains in my hosts file and routed them off to oblivion there, so I don't remember if I ever actually had any contact with the bad script.

  13. #13
    Junior Member mjh's Avatar
    Join Date
    Apr 2010
    Location
    Pennsylvania
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Default

    Quote Originally Posted by Silvermink View Post
    MalwareBytes' Anti-Malware did pick up one malicious file for me on this machine at %AppData%\avdrn.dat, though there's no guarantee it was from this. I didn't get anything when I scanned my home machine, but I proactively put those domains in my hosts file and routed them off to oblivion there, so I don't remember if I ever actually had any contact with the bad script.
    Regardless of where that came from, and assuming it isn't a false positive (a quick Google search seems to suggest it isn't), that should be an alarm signal. At a minimum I would suggest that you go and run at least two of these online virus scans on your system.

    http://www.bitdefender.com/scanner/online/free.html
    http://housecall.trendmicro.com/
    http://www.eset.com/online-scanner

    Or download and burn these two scanners to a CD, boot from them and scan your system. As they are images, it is improbable any virus would be able to infect the image before burning, and once you boot from the CD you would have a clean system to scan your hard drive with. As, I believe, the only BIOS rootkits are theoretical in nature.

    http://download.bitdefender.com/rescue_cd/
    http://devbuilds.kaspersky-labs.com/...ds/RescueDisk/

    If you need help burning ISOs let me know. Like I said, the benefit with them is that you can get a clean boot with the rescue CDs. They do go out and download the latest virus definitions once the system is booted.

    Once any virus is identified on a system, it is important to verify whether it was dormant or active. If it was active, more will pop up on the system. It may simply have gotten in via an exploit but was never able to be activated. If more pop up, it is generally a better idea to just wipe the computer from scratch and reload it. Even go so far as to scan the drive with rescue CDs after partitioning and formatting, due to the possibility of MBR (Master Boot Record) viruses.

    I used to be a SysAdmin and I'd say my knowledge of virus detection and recovery is good, but there are plenty of people that know more and are more specialized in the field. If any of them want to chime in, be my guest.

    -MJ
    Bill: So you guys also see Jim Neighbors riding a killer whale in space?

  14. #14
    Silvermink
    Guest

    Default

    I also ran a full Trend Micro scan on this machine yesterday that didn't turn up anything, so I'm reasonably confident that it's clean at this point. If anything else pops up I'll just get the desktop team here to reimage the machine.

    I'm an IT guy myself (Java coder, mostly, though with significant general helpdesk experience as well).

  15. #15
    Junior Member ToasterPastry's Avatar
    Join Date
    Jun 2010
    Location
    San Diego, California
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Default

    I have a Mac running Firefox. I also use Sophos institutional virus scan...found nothing.

    As sad as I am to say this, I think FPN has been "infected" with something for the last year or so. Anyway, this is my first post on this forum. Many of you I know, some of you I don't. Glad to meet all of you. I will be bringing over my reviews to this forum.

  16. #16
    Senior Member Ernst Bitterman's Avatar
    Join Date
    Mar 2010
    Posts
    142
    Thanks
    25
    Thanked 74 Times in 47 Posts
    Rep Power
    15

    Default

    The good news-- the baby blue message is gone. The bad news-- logging in brings up this error message on the board:
    [#1000] You are not allowed to visit this forum.
    ...which is pretty depressing. They seem to be wrestling it to the ground, though.

  17. #17
    Junior Member ttakacs's Avatar
    Join Date
    May 2010
    Location
    Hendersonville, TN
    Posts
    13
    Thanks
    3
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Default

    At work, I use Trend Micro, which detected and cleaned seven trojans, which I'm almost certain came from FPN. At home I use Microsoft Security Essentials. I'm running the Trend Micro HouseCall scan now to see whether MSE missed these trojans.
    Tim T.
    Please visit my Web site.

  18. #18
    bardolator
    Guest

    Default

    I just ran ClamXav, and I apparently had the Trojan. :O Gone now, but still....

  19. #19
    Junior Member riffraff's Avatar
    Join Date
    Jun 2010
    Location
    Quantrill country
    Posts
    10
    Thanks
    1
    Thanked 2 Times in 1 Post
    Rep Power
    0

    Default

    Our corporate IT guys have even disabled searches for "gighw.in", so I have no doubt that this particular bit of malware is fairly widespread. As mjh says, best to stay abreast of Windows Updates (for those of you still using Windoze), and keep up-to-date with your anti-virus .dat files.
    -mike

    "I might have made a tactical error not going to a physician for 20 years." -- Warren Zevon 1947-2003

  20. #20
    Junior Member mjh's Avatar
    Join Date
    Apr 2010
    Location
    Pennsylvania
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Default

    Quote Originally Posted by bardolator View Post
    I just ran ClamXav, and I apparently had the Trojan. :O Gone now, but still....
    I recommend you follow the advice I listed in post #13 above. Just to be safe. Hopefully the trojan didn't get to propagate. But you are better off running a couple different scans than just one.

    -MJ
    Bill: So you guys also see Jim Neighbors riding a killer whale in space?
