Google flagged rolexforums as dangerous..

[thecentennial]

?? Riddled with Trojans and malware..

Just happened today??

[AAP8]

Yeah, Firefox made me accept the "risk"

[77T]

Guys - did you miss the long thread on this starting yesterday?

[thecentennial]

..must have done..will have a look for it. Do you have a link?

[thecentennial]

Ok. Upto speed. Looks like its an ongoing issue. Will only access through iPad until confirmed remediated.

[Lol-x]

The issue has been resolved.
It was associated with Tapatalk.
For the time being Tapatalk has been removed from the forum.

Google take a couple of days to remove the 'malware' warning.

No accounts have been compromised and it should all be back to normal.

[john333]

Thanks Steve!!

[2careless]

FWIW... what I have found:
1. In Dec 08 to Dec 10, someone registered a number of domain names, all using fake credentials/IDs, e.g. ioiscaeomc.com and sjrenoopoeis.com (these 2 were the ones I captured, there should be more). When accessed with a specific URL, they come back with a Javascript payload - the first domain's server is in Romania.
2. We saw the Google warning on Firefox. If we ignored the warning and continued to access TRF, our browser would connect into 2 external non TRF locations:
a. http://api.twitter.com/1/trends/daily.json?... - this looks like a twitter daily "hot" topic feed, and
b. http://<one of the above sites in 1)>/index.php?tp=... and a payload will be downloaded to the computer and got executed. I don't know what the payload does as I am not skilful enough to understand what it does, albeit I have saved a capture of this payload.
It is possible that these 2 external access were related to tapatalk, and I have checked and I can confirm that there is no such access with current TRF code anymore.

However, I do think this is serious - someone obviously registered those domains to engage in criminal activities, and the attacks are "freshly baked" and used right away. Since malware sites were accessed, there is a distinct possibility that our computers may have been compromised. Note that those malware sites are not flagged by any anti virus or anti spam detectors. Googling those 2 domain names don't reveal anything, but when I dug into the registration details, the "owners" of these 2 domains are related to malware. My hats off to Google for able to detect these malware.

My recommendation is - review your anti spam, anti virus installation - change your passwords on your financial accounts from a computer you know you have not used to access TRF.

[Lol-x]

No accounts have been compromised.
No one has lost any information or data.
No one has had any of their private information utilised.

It is one thing to take measured precautions, its another thing altogether to create panic when I know no panic is required.

The source of the issue 'Tapatalk' has been removed for the time being.
Google has triggers to flag a site with 'malware' and properly Google indicated malware.
However that did not in these circumstances indicate that any passwords or personal information was being stolen.

Its about dealing with facts.

[dysondiver]

nice to see things are back to normal ,,, by the way , what language is the above post or two in ,,,, i didnt get a word of it.

[2careless]

The following is quite IT intensive. If IT / technical stuff is not your cup of tea, jump to the last paragraph.

I can only go from what I have seen using my tools. I use Fiddler2 as my web debugger and following is the snapshot of the trace I got for accessing TRF from latest Firefox yesterday, starting from the Google warning screen. (The lines with avast.com are things that my antivirus program does in the background - webrep is the web reputation index, for example).


From #8 up to #11, it's the vbulletin code.
#12 is the tapatalk detection javascript.
#13 is the banner at the top of TRF home page (the banner changes every load so it's called rotatebanner :-)
#14-15 also TRF vbulletin code.
#16-17 - the twitter stuff. See https://dev.twitter.com/docs/api/1/get/trends/daily, this is a report for some daily trends in Twitter. I have no idea on what it does, and why they are there and why there are two of them. I can only speculate this is a seed for the malware to mutate.
#18 - the malware download. There is a payload from this domain sjrenoopoeis.com.
I've captured this particular payload and it's some javascript. Note that on the right the content type was listed as "text/html" so there is a type mismatch and firefox didn't execute it, but on older browsers, this may not be the case.
The payload has approx 100kbyte of obfuscated Javascript code. I can forward it to the more technically minded on request, as I have no idea what it does but I can say 99.99% it's of no good.

One may say that when they accessed TRF, there is absolutely no references of twitter and this sjrenoopoeis.com anywhere in the page source. Well, I had the same doubt and I couldn't explain it why it's not there.
However, I have repeated the above opening of TRF home page many times yesterday and every time those 3 extra lines were there in my capture.

This is not just the capture from fiddler. I also did network sniffing and the raw ethernet packets were indeed going to those sites. It's not a figment of my imagination.

My conclusion is that my firefox browser loaded references to those sites after initiating a connection into TRF, and my firefox dutifully accessed those twitter and sjrenoopoeis.com pages. The payload was NOT in TRF, but I can say my browser was "directed" by the TRF web page to "go fetch the payload" from those other sites.

Switch back to this sjrenoopoeis.com site. A whois search shows the registrant as:
Mike razov razou63h@yahoo.com +1.8002360481
resseler
4175 Market Road
Mechanicsville VA US 23111
Domain Name: SJRENOOPOEIS.COM {sjrenoopoeis.com }
Registration Date : 2011-12-10
Expiration Date : 2012-12-10
Last update :2011-12-10 01:30:01

It was registered yesterday and got put to use right away! Googling sjrenoopoeis.com shows nothing but googling "razou63h@yahoo.com" showed up with malware references everywhere (don't click on any of the answers - they may be malware sites themselves!) There is no doubt that this site has malware written all over it.

This episode is not just an attack to TRF. It is also an attack to TRF members. The main target is TRF members with vulnerable computers (e.g. unpatched PCs, old versions of IE / Firefox / other browsers).

So, my recommendation is still the same. If a member has accessed TRF after ignoring the malware warnings, it is possible his/her computer has been infected, and a full antivirus / anti malware clean is advised, as well as changing passwords with bank accounts (do it from a different computer that has not accessed TRF recently) and keep an eye on your transactions. Also note that antivirus companies can take a few days to analyse this malware so one may need to do another virus/malware sweep in 1-2 weeks' time. Last, if your computer is not patched up to date, you may want to reconsider your options. The Internet is NOT a safe place.

[dsio]

Quote:

Originally Posted by 2careless

The following is quite IT intensive. If IT / technical stuff is not your cup of tea, jump to the last paragraph.

I can only go from what I have seen using my tools. I use Fiddler2 as my web debugger and following is the snapshot of the trace I got for accessing TRF from latest Firefox yesterday, starting from the Google warning screen. (The lines with avast.com are things that my antivirus program does in the background - webrep is the web reputation index, for example).


From #8 up to #11, it's the vbulletin code.
#12 is the tapatalk detection javascript.
#13 is the banner at the top of TRF home page (the banner changes every load so it's called rotatebanner :-)
#14-15 also TRF vbulletin code.
#16-17 - the twitter stuff. See https://dev.twitter.com/docs/api/1/get/trends/daily, this is a report for some daily trends in Twitter. I have no idea on what it does, and why they are there and why there are two of them. I can only speculate this is a seed for the malware to mutate.
#18 - the malware download. There is a payload from this domain sjrenoopoeis.com.
I've captured this particular payload and it's some javascript. Note that on the right the content type was listed as "text/html" so there is a type mismatch and firefox didn't execute it, but on older browsers, this may not be the case.
The payload has approx 100kbyte of obfuscated Javascript code. I can forward it to the more technically minded on request, as I have no idea what it does but I can say 99.99% it's of no good.

One may say that when they accessed TRF, there is absolutely no references of twitter and this sjrenoopoeis.com anywhere in the page source. Well, I had the same doubt and I couldn't explain it why it's not there.
However, I have repeated the above opening of TRF home page many times yesterday and every time those 3 extra lines were there in my capture.

This is not just the capture from fiddler. I also did network sniffing and the raw ethernet packets were indeed going to those sites. It's not a figment of my imagination.

My conclusion is that my firefox browser loaded references to those sites after initiating a connection into TRF, and my firefox dutifully accessed those twitter and sjrenoopoeis.com pages. The payload was NOT in TRF, but I can say my browser was "directed" by the TRF web page to "go fetch the payload" from those other sites.

Switch back to this sjrenoopoeis.com site. A whois search shows the registrant as:
Mike razov razou63h@yahoo.com +1.8002360481
resseler
4175 Market Road
Mechanicsville VA US 23111
Domain Name: SJRENOOPOEIS.COM {sjrenoopoeis.com }
Registration Date : 2011-12-10
Expiration Date : 2012-12-10
Last update :2011-12-10 01:30:01

It was registered yesterday and got put to use right away! Googling sjrenoopoeis.com shows nothing but googling "razou63h@yahoo.com" showed up with malware references everywhere (don't click on any of the answers - they may be malware sites themselves!) There is no doubt that this site has malware written all over it.

This episode is not just an attack to TRF. It is also an attack to TRF members. The main target is TRF members with vulnerable computers (e.g. unpatched PCs, old versions of IE / Firefox / other browsers).

So, my recommendation is still the same. If a member has accessed TRF after ignoring the malware warnings, it is possible his/her computer has been infected, and a full antivirus / anti malware clean is advised, as well as changing passwords with bank accounts (do it from a different computer that has not accessed TRF recently) and keep an eye on your transactions. Also note that antivirus companies can take a few days to analyse this malware so one may need to do another virus/malware sweep in 1-2 weeks' time. Last, if your computer is not patched up to date, you may want to reconsider your options. The Internet is NOT a safe place.

You're on the money, the latest version of chrome stopped it running but you can see where it tried:



Downloaded a fresh copy of Firefox with stock settings to see if that would run it out of the box, and sure enough:



Tried it in a couple of sacrificial windows VMs and you can see the thing connecting out to third party servers.

[2careless]

Ashley, did firefox execute the payload?
Mine did download it but the payload didn't run.

[dsio]

Quote:

Originally Posted by 2careless

Ashley, did firefox execute the payload?
Mine did download it but the payload didn't run.

Yea, it actually did, then crashed firefox (if you check the screenshot you can see firefox no longer responding). I didn't have FF installed so I just pulled it down, current version, no settings changed, ignored the warning, and it ran first go. IE7/8 in WinXP / Vista VMs did the same, didn't try anything else. It didn't get as far as connecting out or doing anything on OSX, just ran then crashed firefox, but the Windows VMs it had no problem, and you could see it establishing external connections. Most likely it only ran on a mac at all by virtue of it happening to be a .jar and being able to create a JVM process but you would imagine it was intended for windows.

[2careless]

Weird.
I tested using IE9 on Win 7 64bit and it didn't even go out to the 3rd party sites.
Only firefox went out. Also only JavaScript was run, not java.

[dsio]

Quote:

Originally Posted by 2careless

Weird.
I tested using IE9 on Win 7 64bit and it didn't even go out to the 3rd party sites.
Only firefox went out. Also only JavaScript was run, not java.

Yea I only have IE7 and IE8's handy for browser testing, and an IE6 for the most troublesome of clients. I do a fair bit of work with JSA consulting companies (Federal Gov Job Services Australia) and they won't have even heard of IE9 until the year 2020 at the current rate, half of them still use IE6 on WinXP 1024x768.

[Grissom]

2careless, dsio.......

If a mac running OS X 10.6.8 accessed TRF via Safari 5.1.2 during this time, would that machine have been vulnerable and if so, how, and to what. I did access TRF during the first day of this, with no warning screens (interestingly under the Safari security tab, there was an error message under the checked Fraudulent Sites box which warned that Google Safe Browsing had not updated for 2 days. That error was gone the following day, and the warning screens were then popping up).

I ran ClamXav and found no issues, noticed no unusual (to me) java processes running on the machine.

Curious as to what in particular to look for, on a mac that was accessing TRF during this period.

Thanks!

[dsio]

Quote:

Originally Posted by Grissom

2careless, dsio.......

If a mac running OS X 10.6.8 accessed TRF via Safari 5.1.2 during this time, would that machine have been vulnerable and if so, how, and to what. I did access TRF during the first day of this, with no warning screens (interestingly under the Safari security tab, there was an error message under the checked Fraudulent Sites box which warned that Google Safe Browsing had not updated for 2 days. That error was gone the following day, and the warning screens were then popping up).

I ran ClamXav and found no issues, noticed no unusual (to me) java processes running on the machine.

Curious as to what in particular to look for, on a mac that was accessing TRF during this period.

Thanks!

Seriously doubt you'd have any issues, it failed to do anything on 10.7.2 other than start and do nothing... You've checked for processed and found none anyway, if there was one you'd see it it process manager. Macs may be on the increase but they're still only about 10% of the market, and a pain in the ass to exploit, most don't bother trying.

[Trev]

ClamXav also finds the exploit files within the Chrome browser cache. These files were created from accessing TRF yesterday:


This does not imply the attack was successful on Chrome/MacOS.

[2careless]

Thx Trev!
so the exploit look like CVE-2010-1885 and it affects Microsoft Windows XP and Windows 2003 servers. For more details see http://www.microsoft.com/security/po...-2010-1885.gen

[Grissom]

Trev, Ashley.....Thanks! I am running ClamXav again, just to see what it finds. Yesterday, it only picked up the scammer/phishing emails I get from time to time (Banks, PayPal, and the like), and nothing else was noted to be out of the ordinary.

I never noticed anything weird, when I was on TRF the first day this began, when surfing the site....became concerned when I saw the little yellow ! triangle under the Fraudulent Sites box, in the security tab, showing me that Google Safe Browsing had not updated in 2 days.....I thought that was odd, and when I searched on that, I found nothing explaining why it would not have been updated for 2 days, nor could Apple Tech Support shed any light on that. They are the one who suggested ClamXAV........

Quote:

Originally Posted by 2careless

Thx Trev!
so the exploit look like CVE-2010-1885 and it affects Microsoft Windows XP and Windows 2003 servers. For more details see http://www.microsoft.com/security/po...-2010-1885.gen

So based on the above, Macs should be ok, surfing with Safari, even after having been on TRF during this event?

[2careless]

It does look ok for Macs but it's always those that are not shown that one fears.
Be vigilant and keep up with patching.

[Grissom]

Quote:

Originally Posted by 2careless

It does look ok for Macs but it's always those that are not shown that one fears.
Be vigilant and keep up with patching.

Just went thru my entire system.......clean bill of health! Thanks to everyone who so selflessly added their expertise!!