Old 11 December 2011, 10:00 PM   #11
2careless
"TRF" Member
The following is quite IT intensive. If IT / technical stuff is not your cup of tea, jump to the last paragraph.

I can only go from what I have seen using my tools. I use Fiddler2 as my web debugger, and the following is a snapshot of the trace I got for accessing TRF from the latest Firefox yesterday, starting from the Google warning screen. (The lines with avast.com are things that my antivirus program does in the background; webrep is the web reputation index, for example.)


From #8 up to #11, it's the vbulletin code.
#12 is the tapatalk detection javascript.
#13 is the banner at the top of TRF home page (the banner changes every load so it's called rotatebanner :-)
#14-15 also TRF vbulletin code.
#16-17 - the twitter stuff. See https://dev.twitter.com/docs/api/1/get/trends/daily, this is a report for some daily trends in Twitter. I have no idea on what it does, and why they are there and why there are two of them. I can only speculate this is a seed for the malware to mutate.
#18 - the malware download. There is a payload from this domain sjrenoopoeis.com.
I've captured this particular payload and it's some javascript. Note that on the right the content type was listed as "text/html", so there is a type mismatch and Firefox didn't execute it, but on older browsers this may not be the case.
The payload has approx 100kbyte of obfuscated Javascript code. I can forward it to the more technically minded on request, as I have no idea what it does but I can say 99.99% it's of no good.

One may say that when they accessed TRF, there were absolutely no references to twitter or this sjrenoopoeis.com anywhere in the page source. Well, I had the same doubt and I couldn't explain why it's not there.
However, I have repeated the above opening of TRF home page many times yesterday and every time those 3 extra lines were there in my capture.

This is not just the capture from fiddler. I also did network sniffing and the raw ethernet packets were indeed going to those sites. It's not a figment of my imagination.

My conclusion is that my firefox browser loaded references to those sites after initiating a connection into TRF, and my firefox dutifully accessed those twitter and sjrenoopoeis.com pages. The payload was NOT in TRF, but I can say my browser was "directed" by the TRF web page to "go fetch the payload" from those other sites.

Switching back to this sjrenoopoeis.com site. A whois search shows the registrant as:
Mike razov razou63h@yahoo.com +1.8002360481
resseler
4175 Market Road
Mechanicsville VA US 23111
Domain Name: SJRENOOPOEIS.COM {sjrenoopoeis.com }
Registration Date : 2011-12-10
Expiration Date : 2012-12-10
Last update : 2011-12-10 01:30:01

It was registered yesterday and got put to use right away! Googling sjrenoopoeis.com shows nothing but googling "razou63h@yahoo.com" showed up with malware references everywhere (don't click on any of the answers - they may be malware sites themselves!) There is no doubt that this site has malware written all over it.

This episode is not just an attack on TRF. It is also an attack on TRF members. The main target is TRF members with vulnerable computers (e.g. unpatched PCs, old versions of IE / Firefox / other browsers).

So, my recommendation is still the same. If a member has accessed TRF after ignoring the malware warnings, it is possible his/her computer has been infected, and a full antivirus / anti malware clean is advised, as well as changing passwords with bank accounts (do it from a different computer that has not accessed TRF recently) and keep an eye on your transactions. Also note that antivirus companies can take a few days to analyse this malware so one may need to do another virus/malware sweep in 1-2 weeks' time. Last, if your computer is not patched up to date, you may want to reconsider your options. The Internet is NOT a safe place.
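The two checks the post above performs by hand (browser fetches to hosts that never appear in the page source, and a response declared "text/html" whose body is really script) can be automated over a proxy capture. The script below is an added example, not the poster's tool or anything from TRF; the page source and trace records are constructed stand-ins for a Fiddler session list, and the hostnames other than sjrenoopoeis.com are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the forum's HTML as served (not the real TRF page source).
PAGE_SOURCE = """<html><head>
<script src="https://forum.example/clientscript/vbulletin.js"></script>
<script src="https://forum.example/tapatalkdetect.js"></script>
<img src="https://forum.example/rotatebanner.php">
</head></html>"""

# Constructed trace records modelled on a proxy session list:
# (request URL, declared Content-Type, first bytes of the response body).
TRACE = [
    ("https://forum.example/forum.php", "text/html", "<!DOCTYPE html>"),
    ("https://forum.example/clientscript/vbulletin.js", "text/javascript", "function vb(){}"),
    ("https://forum.example/rotatebanner.php", "image/gif", "GIF89a"),
    ("https://twitter.example/1/trends/daily.json", "application/json", '{"trends"'),
    ("http://sjrenoopoeis.com/x.php", "text/html", "var _0x=function(){eval("),
]

# Body prefixes that look like JavaScript rather than an HTML document.
JS_MARKERS = re.compile(r"^\s*(var\s|function\s|eval\(|\(function|document\.write)")


def referenced_hosts(html):
    """Hosts named in src= or href= attributes of the page source."""
    urls = re.findall(r'(?:src|href)="([^"]+)"', html)
    return {urlparse(u).hostname for u in urls}


def find_unreferenced_hosts(html, trace, site_host):
    """Hosts the browser contacted that neither the site itself nor its
    page source references; these are the candidates for injected content."""
    known = referenced_hosts(html) | {site_host}
    fetched = {urlparse(url).hostname for url, _, _ in trace}
    return sorted(fetched - known)


def find_type_mismatches(trace):
    """Responses declared text/html whose body starts like script code."""
    return [url for url, ctype, body in trace
            if ctype.startswith("text/html") and JS_MARKERS.search(body)]


if __name__ == "__main__":
    print("unreferenced hosts:", find_unreferenced_hosts(PAGE_SOURCE, TRACE, "forum.example"))
    print("type mismatches:", find_type_mismatches(TRACE))
```

Run against a real session export, the first list is where to start looking for the injected reference and the second flags bodies worth submitting to the antivirus vendor.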