Chrome says wickedfire not safe



Doesn't anyone here find it weird that the Admins aren't telling us how they are affiliated with the group whose exploit was running? Or that they didn't explain the risks (how infection occurs, via just loading the ad and viewing it, or if one has to click on the ad, or what)? Or that they don't offer any other info on it? Just a quick "oh it was fixed, let's move on now, nothing to see".
 
Doesn't anyone here find it weird that the Admins aren't telling us how they are affiliated with the group whose exploit was running? Or that they didn't explain the risks (how infection occurs, via just loading the ad and viewing it, or if one has to click on the ad, or what)? Or that they don't offer any other info on it? Just a quick "oh it was fixed, let's move on now, nothing to see".

Welcome to America.
 
Doesn't anyone here find it weird that the Admins aren't telling us how they are affiliated with the group whose exploit was running? Or that they didn't explain the risks (how infection occurs, via just loading the ad and viewing it, or if one has to click on the ad, or what)? Or that they don't offer any other info on it? Just a quick "oh it was fixed, let's move on now, nothing to see".
What do you want to know?
It's a pain in the ass to track. If I go by the IP ranges, they're delivering the ZBot/Zeus trojan. If I go by whois information, they're using an exploit delivery mechanism written by someone nicknamed ExManoize. The whois information is fake but non-private, and has been used in a lot of similar drive-by exploits and fake antivirus software. The IP ranges are definitely bulletproof hosting, but once again are from Eastern Europe, so best of luck there.
Most trails go dead in Serbia or Mother Russia.

The first script (included here) writes a script to another location. That script builds up a browser profile, then redirects to the exploit for the browser. All the JavaScript is encrypted.

If you want to see the code that runs the "end-script", I saved a (cleaned) copy here: //THIS CODE WILL RUNS UNKNOWN - Anonymous - zBHKyydY - Pastebin.com . Visiting that with Avast will still set off your antivirus, but it's not active and I swapped out the domain.

One method of infection is a Java class. Also apparent in the code is the fact that they can write to the c drive, and that they somehow gained access to the "ShellExecute" command, which more or less means the exploit can do whatever the fuck it wants.

Paranoid twats. Everyone except for me was working on getting the infection OFF the forum so fewer people would get infected rather than trying to track down who did it. That's why you didn't get much information.

Edit: If you want to fuck around with that JavaScript I posted, GO OFFLINE BEFORE YOU EXECUTE IT. I'm unsure how functional that piece is, but it's a pain in the ass to tell what was successfully disabled. Also, one alert() in that script should actually be an eval; I forgot to change it back.
 
I had my antivirus off, it loaded on my computer, and it kept redirecting my browser to infoprotector.net.

I had to remove it from my registry which was a pain in the ass because it disables regedit. What a fucking pain in the ass lol

Got rid of it. If you can't, hit me up and I'll show you how.
 
Apologies

Paranoid twats. Everyone except for me was working on getting the infection OFF the forum so fewer people would get infected rather than trying to track down who did it. That's why you didn't get much information.

--

I'm sorry, and I understand that, but the biggest detail missing for everyone, which I think still hasn't been clearly answered, is: does it infect your machine by simply loading a page which was displaying the ad, or does it require you to click on the ad/follow the link? Because if no interaction (click-through) with the ad is required, merely having it displayed on a page suffices for infection, even though I run AV software, I and most likely others are infected and we need to take a closer look at our systems.
 
Paranoid twats. Everyone except for me was working on getting the infection OFF the forum so fewer people would get infected rather than trying to track down who did it. That's why you didn't get much information.

--

I'm sorry, and I understand that, but the biggest detail missing for everyone, which I think still hasn't been clearly answered, is: does it infect your machine by simply loading a page which was displaying the ad, or does it require you to click on the ad/follow the link? Because if no interaction (click-through) with the ad is required, merely having it displayed on a page suffices for infection, even though I run AV software, I and most likely others are infected and we need to take a closer look at our systems.
Yes. But it didn't run every time. Out of ~30+ reloads I only saw it 2-3 times. Beyond that, the infection rate isn't 100%. If they were using a Java exploit (the only one I could recognize), chances are the infection rate was pretty low. But it's a definite possibility.

If your browser locked up when you visited Wickedfire, I'd run a full system scan before boot time. If not, I'd run some kind of scan at least just to be safe. This is the kind of thing your computer probably encounters quite frequently though.
 
One method of infection is a Java class. Also apparent in the code is the fact that they can write to the c drive, and that they somehow gained access to the "ShellExecute" command, which more or less means the exploit can do whatever the fuck it wants.

If this is a Java exploit, could it affect non-Windows systems? I mean, Macs run Java too. Then again, there's no C drive. And "ShellExecute" command - well, there's the Terminal, a UNIX-type shell...

I'd be curious how this was delivered. Did they inject JS code into WickedFire? How? Specifically targeting a weakness in WF? Through the banner? Was there an ad network involved and if so, were they also attacked and compromised or were they knowingly part of the scheme?
 
If this is a Java exploit, could it affect non-Windows systems? I mean, Macs run Java too. Then again, there's no C drive. And "ShellExecute" command - well, there's the Terminal, a UNIX-type shell...

I'd be curious how this was delivered. Did they inject JS code into WickedFire? How? Specifically targeting a weakness in WF? Through the banner? Was there an ad network involved and if so, were they also attacked and compromised or were they knowingly part of the scheme?
It was some flaw in OpenX. If my understanding is right, we were fully patched. They did somehow inject JS code in.
It's hard to say if this could infect Macs. The way these systems work is they have decent-sized pre-defined lists of exploits broken up by browser and OS. There isn't necessarily an exploit for every browser on every OS (and my understanding is that in most cases it only affects Windows), but it could be set up for Mac.
The JavaScript that executes is supposed to determine your browser/OS, then send you to the proper exploit to infect. They get a nice little control panel that shows the success rate for each infection type and its success rate.

Script Kiddy 2.0

Edit: No ad networks involved.