#1
Posted 12 September 2009 - 06:18 PM
Today, I was browsing nytimes.com, and suddenly got redirected to best-antivirus03.com for the usual fake online scan, but a quick MBAM 1.41 scan revealed nothing, and a Google search only indicated it was a rogue site, with no details about the possible nature of the infection, removal etc. So far, no signs of trouble, but I remain on guard. Wingnut attack on Times? LOL
#2
Posted 12 September 2009 - 07:34 PM
Yeah, they are sprouting up all over the place.
If you didn't consent to installing the trojan file then the fake scanner page would not have infected you. Here is an explanation I gave a while back to someone with a very similar query.
http://www.malwarebytes.org/forums/index.p...st&p=109708
#3
Posted 12 September 2009 - 08:31 PM
Norton Antivirus detected it with the title "An intrusion attempt by best-antivirus03.com was blocked." and the detail "Network traffic from best-antivirus03.com matches the signature of a known attack." It attempts to download and run a 166,820-byte file "Scanner-xxxxxx_2006-63.exe", where the x's are random alphanumerics. The file did download on another computer where ClamAV did not detect it; notably, Norton did not detect a virus in the file.
Browsing back to the same page later on does not pick up the virus, so it hides itself.
#4
Posted 12 September 2009 - 08:36 PM
Fatdcuk, on Sep 12 2009, 08:34 PM, said:
Yeah, they are sprouting up all over the place.
If you didn't consent to installing the trojan file then the fake scanner page would not have infected you. Here is an explanation I gave a while back to someone with a very similar query.
http://www.malwarebytes.org/forums/index.p...st&p=109708
Re: Trojan best-antivirus03.com, on August 13th you wrote:
"One issue occurring is that these fake scanner pages make it difficult to navigate away from the consented file download prompt by normal means of closing the webpage or using backpage. One sure-fire way is to invoke Task Manager and terminate all iexplore.exe's that are running. This will kill the fake scanner page stone cold dead."
I encountered this pop-up when visiting the NYTimes website.
I'm running Win XP (Service Pack 3). When I went to the Task Manager I could see no "iexplore.exe" in the list of open processes.
Please advise. Thank you.
#5
Posted 12 September 2009 - 10:47 PM
To Fatdcuk: Having helped a few friends with similar attacks, I knew if I didn't allow the download that I wouldn't be infected - at least for now these trojans are trojans: you have to invite them in.
To Tom CC: Thanks for the details from NAV. Odd that it detected an attack signature in the network traffic but no virus in the payload.
To musafir: I can't say why iexplore.exe was not visible in Task Manager, but another way to kill a process is to enter Alt-F4. That sometimes works for sites or programs that refuse to close.
#6
Posted 13 September 2009 - 12:02 AM
Seems to give a differently named/numbered installer at every download and installs Personal Antivirus.
Installer not hit from rc.
No hits at Jotti's.
File size: 167936 bytes
http://best-antivirus03.com/1/?sess=pmT05jzxMi0xJmlwPTIxMS4yNi45Mi4yMDImdGltZT0xMjUzNkAMPQZN
http://best-antivirus03.com/download.php?id=2013-1
Scanner-8d5d_2013-1.exe
http://rapidshare.de/files/48331573/Scanner-8d5d_2013-1.rar.html
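The indicators posted in this thread (the best-antivirus03.com host, its /1/?sess= landing page, the download.php endpoint, and Scanner-<random>_<digits>-<digit>.exe installers with a legitimate site such as nytimes.com as the referer) are enough to build a small triage rule for a web-proxy log. The script below is an added example, not anything posted in the thread or shipped by Malwarebytes. It assumes a simplified access-log format (timestamp, client, status, method, URL, optional referer=), generalises the domain to best-antivirus followed by any two digits (the thread only shows "03"), and runs over constructed sample lines whose session token and installer suffix are placeholders.

```python
"""Flag proxy-log lines that show the fake-scanner redirect chain from the thread:
a legitimate page refers the browser to a best-antivirus0N.com landing page,
which is followed by a download.php hit and a Scanner-*.exe installer."""
import re
from urllib.parse import urlsplit

# Indicators lifted from the thread. Generalising "best-antivirus03" to any
# two-digit suffix is an assumption; only "03" appears in the posts.
ROGUE_HOST = re.compile(r"(?:^|\.)best-antivirus\d{2}\.com$", re.IGNORECASE)
LANDING_PATH = re.compile(r"^/\d+/$")            # e.g. /1/?sess=...
DOWNLOAD_PATH = re.compile(r"^/download\.php$")  # e.g. /download.php?id=2013-1
INSTALLER_NAME = re.compile(r"Scanner-[0-9a-z]+_\d{4}-\d+\.exe$", re.IGNORECASE)

# Assumed log format for this example: ts client status method url [referer=url]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"(?:\s+referer=(?P<referer>\S+))?\s*$"
)

# Constructed sample lines (not captured traffic); session token and installer
# suffix are placeholders.
SAMPLE_LOG = """\
2009-09-12T18:01:02Z 10.0.0.5 200 GET http://www.nytimes.com/2009/09/12/world/index.html
2009-09-12T18:01:03Z 10.0.0.5 302 GET http://ads.example.invalid/serve?slot=1 referer=http://www.nytimes.com/2009/09/12/world/index.html
2009-09-12T18:01:04Z 10.0.0.5 200 GET http://best-antivirus03.com/1/?sess=PLACEHOLDERSESSION referer=http://www.nytimes.com/2009/09/12/world/index.html
2009-09-12T18:01:09Z 10.0.0.5 200 GET http://best-antivirus03.com/download.php?id=2013-1
2009-09-12T18:01:10Z 10.0.0.5 200 GET http://best-antivirus03.com/Scanner-abc123_2013-1.exe
2009-09-12T18:02:00Z 10.0.0.7 200 GET http://www.example.com/news.html
"""


def classify_url(url):
    """Return the indicator names a single URL trips (empty list when clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if ROGUE_HOST.search(host):
        hits.append("rogue-host")
        if LANDING_PATH.match(parts.path) and "sess=" in parts.query:
            hits.append("fake-scanner-landing")
        if DOWNLOAD_PATH.match(parts.path):
            hits.append("installer-download")
    # The random installer name can appear as the final path segment.
    if INSTALLER_NAME.search(parts.path.rsplit("/", 1)[-1]):
        hits.append("installer-filename")
    return hits


def scan_log(text):
    """Parse the log and return one alert dict per suspicious line. A referer
    on another host is recorded so the analyst sees which legitimate site
    handed the browser over (here a constructed nytimes.com page)."""
    alerts = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # unparseable line: skip rather than guess
        rec = m.groupdict()
        hits = classify_url(rec["url"])
        if not hits:
            continue
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] else None
        alerts.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "url": rec["url"],
            "indicators": hits,
            "referred_by": ref_host,
        })
    return alerts


def clients_with_download(alerts):
    """Clients that reached the installer endpoint or fetched a Scanner-*.exe.
    The thread's point is that the landing page alone does not infect; the
    consented download does, so these are the hosts worth a closer look."""
    return sorted({
        a["client"] for a in alerts
        if "installer-download" in a["indicators"] or "installer-filename" in a["indicators"]
    })


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["client"], ",".join(a["indicators"]), a["url"], "<-", a["referred_by"])
    print("clients to check:", clients_with_download(found))
```

The landing page is only tagged when the path is a bare numeric directory carrying a sess= token, which keeps unrelated pages on a matching host from raising the stronger "fake-scanner-landing" indicator; the "rogue-host" tag alone still fires for them. On a real deployment the regexes would be fed from a blocklist rather than hard-coded.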
#7
Posted 13 September 2009 - 02:50 AM
Ran into this on my Mac running both Firefox and Safari. Tested on a Linux box. Seems to me that the NYT got itself compromised there. I called (not easy to find someone at this hour) and let them know that they had a problem. Redirect seems to be gone now.
Hope they decide it's worth their while to go after these scumbags. NYT should be big enough to do the job if they have the stones. Heck, if nothing else it'd be a great story: "how we followed the money and brought down a virus crew."
Sigh, if only. I doubt they'll do it though.
#8
Posted 13 September 2009 - 03:34 AM
It seems nytimes.com is still compromised, if indeed that was the problem. I have been redirected to these "best antivirus" websites several times today, the most recent time being just five minutes ago. It seems entirely random which links trigger it, and it is difficult to reproduce the results by following the same link again. This last time, however, the redirect failed because the best-antivirus03 address was invalid. I'm using XP + the most recent version of Firefox.
Jen D.
#9
Posted 13 September 2009 - 03:54 AM
JenD, on Sep 12 2009, 08:34 PM, said:
It seems nytimes.com is still compromised, if indeed that was the problem. I have been redirected to these "best antivirus" websites several times today, the most recent time being just five minutes ago. It seems entirely random which links trigger it, and it is difficult to reproduce the results by following the same link again. This last time, however, the redirect failed because the best-antivirus03 address was invalid. I'm using XP + the most recent version of Firefox.
Jen D.
#10
Posted 13 September 2009 - 12:47 PM
Thanks Jax,
Have now added the URL for harvesting
#11
Posted 13 September 2009 - 08:32 PM