
Dodgy website?


Ernest_t...@hotmail.com

Oct 2, 2008, 9:17:07 PM
Yesterday I was reading an article on the 'Kiwiblog' website which
included a link to another website, 'The Standard', which I believe is
related to the Labour party. Anyway, upon clicking on this link I got a
message from Norton AV informing me of something going by the name
'Malicious Toolkit Variant Activity'. I am using IE7 as my browser. From
memory I think it may have also tried to open a PDF file, but in the
panic I'm not 100 percent sure of that. I think I did get a message
about Adobe 7.0 having to close, which I thought odd as I was
not attempting to open any file at the time. I did a quick AV scan and
everything seemed fine. I was not sure whether it was coincidence
that I got the AV warning on following the link to The Standard, so I
tried it a little later and exactly the same thing occurred. I've not
tried it again since. Can anyone elaborate on what 'Malicious Toolkit
Variant Activity' means and whether I should be worried?

Thanks in advance for any help in this matter.

Mark Robinson

Oct 2, 2008, 10:58:08 PM

Let me see if I have this straight:

You went to a site which is linked to the National Party.

From there you went to a site linked to the Labour Party.

And there you found a pdf file which appeared malicious.

So you downloaded it again.

You don't know which file.

You don't know where the file was linked from.

You didn't think to Google 'Malicious Toolkit Variant Activity'.

Ernest_t...@hotmail.com

Oct 2, 2008, 11:19:06 PM
On Oct 3, 3:58 pm, Mark Robinson <use...@blackhole.zl2tod.net> wrote:

Not quite. I did Google 'Malicious Toolkit Variant Activity' but it
left me not much the wiser. What happened is that once I got the AV
warning I 'backed' out of the link. I'm guessing that this may have
caused Adobe to crash. I did not attempt to download a PDF file; that
happened automatically. I plucked up the courage to try it again just
now and nothing happened, so I guess the site is okay now. I checked my
browser history and it looks as if there may have been an attempt to
download a PDF from a website "golpii.com". I have no idea what the
website might be and certainly don't recall having seen it previously.


Ernest_t...@hotmail.com

Oct 3, 2008, 6:01:41 AM
On Oct 3, 4:19 pm, "Ernest_the_Sh...@hotmail.com"

Well, I foolishly tried it again and got another, different AV alert,
"HTTP SnapShot Viewer ActiveX File Download". My PC froze and I had to
use the power button to turn it off. Now I'm too sh!t scared to try it
again. My browsing habits are very conservative and getting messages
such as this is rare, so I tend to panic on the occasions that it does
happen.

Now, could someone really brave and with expertise in the field please
go to kiwiblog.co.nz and then proceed to the article 'Typical smears'
about half-way down the page. The beginning words of the article also
act as a link to an article on the thestandard.org.nz website. Could they
then click on the link (WARNING: could be dangerous to do so) and then
report back on any unusual activity that results. Thanks.


~misfit~

Oct 3, 2008, 8:03:54 AM
Somewhere on teh intarwebs "Ernest_t...@hotmail.com" typed:

OK, I'm only "really brave", not so knowledgeable. However, I imaged my OS
partition, then did as you asked and I'm now on the standard.org website, at
the article, and AVG didn't do anything, nor did anything else out of the
ordinary happen.

Either I'm infected and don't know it yet, you have problems beyond this
link, or kiwiblog have cleaned up a previous problem. I'm using Firefox 3.02
on XP Pro SP3.

Cheers,
--
Shaun.

DISCLAIMER: If you find a posting or message from me
offensive, inappropriate, or disruptive, please ignore it.
If you don't know how to ignore a posting, complain to
me and I will be only too happy to demonstrate... ;-)


Stephen Worthington

Oct 3, 2008, 10:30:50 AM

I did it from my old OS/2 box using SeaMonkey, with all my protections
turned on. That page appears to have been hijacked - it has a lot of
automatic links to other sites, quite a few of which appear to be
web counters of some sort, and two that are just IP addresses. There
are a few .ru sites, which are always very suspicious. And a
reference to an external .js: api.recaptcha.net/js/recaptcha.js.
SeaMonkey eventually locked up on me, after the golpii.com site was
referenced, and I had to kill it. Here is what my Privoxy log had for
all the links:

Oct 04 03:13:01 Privoxy(00003) Request:
www.thestandard.org.nz/insulting/
Oct 04 03:13:12 Privoxy(00005) Request:
www.thestandard.org.nz/wp-content/themes/k2/style.css
Oct 04 03:13:12 Privoxy(00004) Request:
www.thestandard.org.nz/favicon.ico
Oct 04 03:13:12 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/themes/k2/css/core.css.php
Oct 04 03:13:13 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/themes/k2/styles/TheStandard/current.css
Oct 04 03:13:13 Privoxy(00003) Request:
www.thestandard.org.nz/wp-includes/js/jquery/jquery.js?ver=1.2.3
Oct 04 03:13:16 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/themes/k2/js/k2.functions.js.php?ver=1.0-RC5
Oct 04 03:13:16 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/themes/k2/js/k2.slider.js.php?ver=1.0-RC5
Oct 04 03:13:16 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/themes/k2/js/k2.trimmer.js.php?ver=1.0-RC5
Oct 04 03:13:16 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/themes/k2/js/k2.rollingarchives.js.php?ver=1.0-RC5
Oct 04 03:13:17 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/plugins/wp-ajax-edit-comments/js-includes/wp-ajax-edit-comments.js.php?ver=1.1
Oct 04 03:13:17 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/plugins/wp-ajax-edit-comments/css/editComments.css
Oct 04 03:13:22 Privoxy(00003) Request:
www.thestandard.org.nz/wp-content/uploads/2008/04/standard_v2_30k.jpg
Oct 04 03:13:24 Privoxy(00005) Request:
www.thestandard.org.nz/wp-content/themes/k2/images/tag_blue.png
Oct 04 03:13:24 Privoxy(00005) Request:
www.thestandard.org.nz/wp-content/themes/k2/images/tag_blue.png
Oct 04 03:13:24 Privoxy(00006) Request:
www.thestandard.org.nz/wp-content/themes/k2/images/feed.png
Oct 04 03:13:24 Privoxy(00004) Request:
www.gravatar.com/avatar/8030d69e12183e3070a254871f0f66a2?s=32&d=identicon&r=PG
Oct 04 03:13:25 Privoxy(00003) Request:
www.gravatar.com/avatar/6f056d504b4ad193b4540c2541aa0cf4?s=32&d=identicon&r=PG
Oct 04 03:13:25 Privoxy(00005) Request:
www.gravatar.com/avatar/6043db9bb5f00ff8569131d982c23ffd?s=32&d=identicon&r=PG
Oct 04 03:13:25 Privoxy(00006) Request:
api.recaptcha.net/challenge?k=6LfZQwAAAAAAAHyPuxuDIaIeazBIje0AZOL49ktv
Oct 04 03:13:26 Privoxy(00005) Request:
www.gravatar.com/avatar/19da8bbeea1488b14b2911f275aae0d6?s=32&d=identicon&r=PG
Oct 04 03:13:26 Privoxy(00003) Request:
www.gravatar.com/avatar/6c889c5f9211616d622529473cf23e5d?s=32&d=identicon&r=PG
Oct 04 03:13:26 Privoxy(00004) Request:
www.gravatar.com/avatar/d3a05ca106c2a7eb1778cccbfde12b07?s=32&d=identicon&r=PG
Oct 04 03:13:26 Privoxy(00005) Request:
www.gravatar.com/avatar/7b4e5bec2d362edb232997b262c882e0?s=32&d=identicon&r=PG
Oct 04 03:13:26 Privoxy(00003) Request:
www.gravatar.com/avatar/cba19923be78611199fda456ab7703ae?s=32&d=identicon&r=PG
Oct 04 03:13:26 Privoxy(00004) Request:
www.gravatar.com/avatar/f41bcfb0fa3e07f85736d2b62a0611a9?s=32&d=identicon&r=PG
Oct 04 03:13:26 Privoxy(00006) Request:
www.gravatar.com/avatar/a53eba431cc8b5340ab39cdb9bfbe2cf?s=32&d=identicon&r=PG
Oct 04 03:13:26 Privoxy(00005) Request:
www.gravatar.com/avatar/1e6fa73428d4adc388a64e6e6e2b610e?s=32&d=identicon&r=PG
Oct 04 03:13:27 Privoxy(00003) Request:
www.thestandard.org.nz/wp-includes/images/smilies/icon_wink.gif
Oct 04 03:13:27 Privoxy(00004) Request:
www.gravatar.com/avatar/9c6468e173b4f7ff7f02a0148cffcb0f?s=32&d=identicon&r=PG
Oct 04 03:13:27 Privoxy(00006) Request:
www.gravatar.com/avatar/b856862d53c6ce9f8b8480a4aba4064d?s=32&d=identicon&r=PG
Oct 04 03:13:27 Privoxy(00006) Request:
www.gravatar.com/avatar/b856862d53c6ce9f8b8480a4aba4064d?s=32&d=identicon&r=PG
Oct 04 03:13:27 Privoxy(00005) Request:
www.gravatar.com/avatar/ccd536409c0ed4e9e4050d2d431081c2?s=32&d=identicon&r=PG
Oct 04 03:13:27 Privoxy(00006) Request:
www.gravatar.com/avatar/c68322e303060443af7733835e61f510?s=32&d=identicon&r=PG
Oct 04 03:13:27 Privoxy(00004) Request:
www.gravatar.com/avatar/5468a8dab1fd843ce9e1e8e10439a6fc?s=32&d=identicon&r=PG
Oct 04 03:13:27 Privoxy(00003) Request:
www.gravatar.com/avatar/cb9652e04ab959a44d62a90e5a0653e3?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00005) Request:
www.gravatar.com/avatar/77a4c21ba182708e13a17003604ceb5d?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00006) Request:
www.gravatar.com/avatar/d3f38fbc96f6b4e8ee2b1a4226140828?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00003) Request:
www.gravatar.com/avatar/0abc24e7d6bf7e7cb589f665831143ba?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00005) Request:
www.gravatar.com/avatar/676c8a18af7d5f2f33c42cbc4a083c44?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00006) Request:
www.gravatar.com/avatar/2e7e8ee6d2c450af4f1c5b238e7ee04e?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00003) Request:
www.gravatar.com/avatar/ef3e5883501e40a464d25b66330a3d3a?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00005) Request:
www.gravatar.com/avatar/7ab9dafbea4038fe53faf6e2cb4c31f8?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00006) Request:
www.gravatar.com/avatar/dc77db042a03b2a7b7838320e0a8b69b?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00003) Request:
www.gravatar.com/avatar/ef3d55467bd782efe51b4d7fbb33df6e?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00005) Request:
www.gravatar.com/avatar/c65f807f754bb0f5601eb9a2481eb0cb?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00006) Request:
www.gravatar.com/avatar/83687b6bdf84ff89c511be819777713c?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00005) Request:
www.gravatar.com/avatar/11db125dd59b8fead19aba716ad5bee2?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00006) Request:
www.gravatar.com/avatar/7815cc8b256b0a4dad94bb96a59a13cf?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00003) Request:
www.gravatar.com/avatar/d21d4057d65f04482134804482709203?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00005) Request:
www.gravatar.com/avatar/6cd2d98d3cc8a76a5e5d9e6631900f32?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00006) Request:
www.gravatar.com/avatar/6d3e97851c376d4d062e6847536e532f?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00003) Request:
www.gravatar.com/avatar/cb825b49f69565ed20b5561e504c41cc?s=32&d=identicon&r=PG
Oct 04 03:13:29 Privoxy(00005) Request:
www.gravatar.com/avatar/10e345c104c032f58f10bf64f7da009b?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00006) Request:
www.gravatar.com/avatar/8711144928a739272417c88ce9ee01c6?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00003) Request:
www.gravatar.com/avatar/0be50168867a1f223b85a85b834f6102?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00005) Request:
www.thestandard.org.nz/wp-includes/images/smilies/icon_smile.gif
Oct 04 03:13:30 Privoxy(00006) Request:
www.gravatar.com/avatar/f26276ed962f1083bc19b841d56e44f5?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00003) Request:
www.gravatar.com/avatar/cabe2c90d18038bbd06d5daf3af71ae3?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00006) Request:
www.gravatar.com/avatar/9e10437dffb17080319ee00d4f3e5538?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00005) Request:
www.gravatar.com/avatar/e3c3e5a011a2d3ad628f470caa24f586?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00003) Request:
www.gravatar.com/avatar/952831a1969cb1164c6d323e89f24c52?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00006) Request:
www.gravatar.com/avatar/62a8ad5b91f0fdf34628b5089b08bc99?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00005) Request:
www.gravatar.com/avatar/16ab84445abb048e3fc150f225a06ba5?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00003) Request:
www.gravatar.com/avatar/a9bd2384af890cf20365134fc72c2fdf?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00006) Request:
www.gravatar.com/avatar/e8279592584fec2bc529a9ce7f2671e1?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00006) Request:
www.gravatar.com/avatar/78087d1f1bed767f4aec650020f63679?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00007) Request:
www.gravatar.com/avatar/1015962bd9e2810eeb115f71a9b9f63d?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00003) Request:
api.recaptcha.net/js/recaptcha.js
Oct 04 03:13:31 Privoxy(00005) Request:
www.gravatar.com/avatar/561da6af54ab6d69f4e1e0ece0d1fdd8?s=32&d=identicon&r=PG
Oct 04 03:13:31 Privoxy(00004) Request:
www.gravatar.com/avatar/c220b11e76233345a7b1e3084e9d1642?s=32&d=identicon&r=PG
Oct 04 03:13:31 Privoxy(00006) Request:
www.gravatar.com/avatar/6222bf29c6a3b19d1158b7526ac59850?s=32&d=identicon&r=PG
Oct 04 03:13:31 Privoxy(00005) Request:
www.thestandard.org.nz/wp-content/themes/k2/images/arrow_refresh.png
Oct 04 03:13:31 Privoxy(00004) Request:
www.thestandard.org.nz/wp-content/themes/k2/images/quote.png
Oct 04 03:13:37 Privoxy(00003) Request:
api.recaptcha.net/img/red/refresh.gif
Oct 04 03:13:39 Privoxy(00004) Request:
api.recaptcha.net/img/red/audio.gif
Oct 04 03:13:39 Privoxy(00005) Request:
api.recaptcha.net/img/red/text.gif
Oct 04 03:13:39 Privoxy(00005) Request:
api.recaptcha.net/img/red/text.gif
Oct 04 03:13:44 Privoxy(00003) Request:
api.recaptcha.net/image?c=02r8093UKAoTlKZ8ckr2k_mdbbYfcqCUYvUn1m5ybgkoXtmP1VxzG-j3Vq6zV78nAGhRcwrERtVW9RbeE-KUgh7aH9kzBuX6GWShuGgEYG-YYaAZqQfNRGRl6Oqfv7-eDnxShdRaUkjl6JqDQhGvjd6Wm1l1cn4IC3wUiwrcxo3rajdzO2BaJzNNRG2PO9ySNh_fEam_qq9LyEAtAZg4jkevgXSoSHWoqeyTb8x9GPMXvViMZkAwMD
Oct 04 03:13:49 Privoxy(00004) Request:
api.recaptcha.net/img/red/sprite.png
Oct 04 03:14:02 Privoxy(00003) Request: gstats.cn/
Oct 04 03:14:02 Privoxy(00004) Request: www.google-analytics.com/ga.js
crunch!
Oct 04 03:14:04 Privoxy(00004) Request:
stats.wordpress.com/g.gif?host=www.thestandard.org.nz&rand=0.3473116058737238&blog=4469138&v=ext&post=3212&ref=Not%20Your%20Business%21
Oct 04 03:14:13 Privoxy(00003) Request: 89.187.48.131/z/5.htm
Oct 04 03:14:15 Privoxy(00003) Request: 89.187.48.131/z/a.htm
Oct 04 03:14:15 Privoxy(00004) Request: 89.187.48.131/z/f.htm
Oct 04 03:14:15 Privoxy(00005) Request: 89.187.48.131/z/p.htm
Oct 04 03:14:15 Privoxy(00006) Request: ho0k.com/etc/count.php?o=5
crunch!
Oct 04 03:14:15 Privoxy(00006) Request: 89.187.48.131/z/z.htm
Oct 04 03:14:16 Privoxy(00004) Request: 89.187.48.131/z/k.htm
Oct 04 03:14:16 Privoxy(00005) Request: 89.187.48.131/out.php?s_id=1
Oct 04 03:14:16 Privoxy(00006) Request:
kkekx.topofdriving.mine.nu/fampy1pq/ccclspiisxb4/cztgt2/
Oct 04 03:14:17 Privoxy(00004) Request:
config.privoxy.org/send-stylesheet cgi call
Oct 04 03:14:17 Privoxy(00004) Request:
config.privoxy.org/send-stylesheet crunch!
Oct 04 03:14:17 Privoxy(00004) Request: fstat.cn/in.cgi?id142
Oct 04 03:14:17 Privoxy(00005) Request: busyhere.ru/in.cgi?pipka4
Oct 04 03:14:17 Privoxy(00003) Request:
vipsimpa.com/tool/tool2/in.cgi?baggi1
Oct 04 03:14:20 Privoxy(00003) Request: divinets.cn/xts/in.cgi?9
Oct 04 03:14:20 Privoxy(00004) Request: yourtraf.ru/tds/in.cgi?10
Oct 04 03:14:23 Privoxy(00004) Request: fstat.cn/tds/in.cgi?2
Oct 04 03:14:24 Privoxy(00005) Request: google.com/
Oct 04 03:14:29 Privoxy(00004) Request:
vipsimpa.com/tool/feed/in.cgi?18
Oct 04 03:14:30 Privoxy(00004) Request:
include.ff-freehosting.com/in.php
Oct 04 03:14:30 Privoxy(00005) Request: www.google.com/
Oct 04 03:14:30 Privoxy(00006) Request:
engine-global-online.com/empty.html
Oct 04 03:14:38 Privoxy(00003) Request: www.google.co.nz/
Oct 04 03:14:38 Privoxy(00004) Request:
tube.ff-freehosting.com/main/7/index.php
Oct 04 03:14:38 Privoxy(00005) Request: 196.32.220.3/s/in.cgi?3
Oct 04 03:14:42 Privoxy(00004) Request: golpii.com/26/1/

Mark Robinson

Oct 3, 2008, 1:49:17 PM

That's weird.

This wasn't happening for me yesterday and isn't happening for me today, even
when I allow all that nasty javascript.

Perhaps this is some man in the middle attack.

Sorry about the amount of quotage, it seemed important to include it. I even
considered top posting.

Mark Robinson

Oct 3, 2008, 2:00:32 PM

That said, *gravatar* has been in my block list since it first appeared on the
net - horrid tracky stuff.

~misfit~

Oct 3, 2008, 5:02:38 PM
Somewhere on teh intarwebs "Mark Robinson" typed:
> Mark Robinson wrote:


[snip snip]

>> That's weird.
>>
>> This wasn't happening for me yesterday and isn't happening for me
>> today, even when I allow all that nasty javascript.
>>
>> Perhaps this is some man in the middle attack.
>>
>> Sorry about the amount of quotage, it seemed important to include
>> it. I even considered top posting.
>
> That said, *gravatar* has been in my block list since it first
> appeared on the net - horrid tracky stuff.

Well, I did say that I wasn't knowledgeable on these things. However, after
visiting said site I did a complete scan with AVG and it didn't come up with
anything that could have been related to that site.

(It did find what it called "Trojan horse Downloader.Generic7.AUBS" but that
was in IE's temp files and I used Firefox to check the site in question.)

Mark Robinson

Oct 3, 2008, 5:39:56 PM
~misfit~ wrote:
> Somewhere on teh intarwebs "Mark Robinson" typed:
>> Mark Robinson wrote:
>
>
> [snip snip]
>
>>> That's weird.
>>>
>>> This wasn't happening for me yesterday and isn't happening for me
>>> today, even when I allow all that nasty javascript.
>>>
>>> Perhaps this is some man in the middle attack.
>>>
>>> Sorry about the amount of quotage, it seemed important to include
>>> it. I even considered top posting.
>> That said, *gravatar* has been in my block list since it first
>> appeared on the net - horrid tracky stuff.
>
> Well, I did say that I wasn't knowledgeable on these things. However, after
> visiting said site I did a complete scan with AVG and it didn't come up with
> anything that could have been related to that site.
>
> (It did find what it called "Trojan horse Downloader.Generic7.AUBS" but that
> was in IE's temp files and I used Firefox to check the site in question.)
>
> Cheers,

The webmaster for thestandard can't see it either and suspects a
man-in-the-middle attack.

Now, who would be in a position to do that ...

lynn.p...@gmail.com

Oct 3, 2008, 7:43:23 PM
On Oct 4, 10:39 am, Mark Robinson <use...@blackhole.zl2tod.net> wrote:
> The webmaster for thestandard can't see it either and suspects a
> man-in-the-middle attack.
>
> Now, who would be in a position to do that ...

Thanks to Stephen. I've had vague complaints coming in about this over
the last week, but have never been able to see it myself from any of
my routes from any site.

It appears to be coming in via the Google Analytics request, from the
request logs that Stephen supplied. I've disabled the plugin that is
getting it. Could someone who can see it try again and tell me if it
has stopped?

Lynn

Stephen Worthington

Oct 3, 2008, 8:58:11 PM
On Fri, 3 Oct 2008 16:43:23 -0700 (PDT), lynn.p...@gmail.com
wrote:

It cannot have been the Google Analytics that did it, as you can see
from my log: I have long since blocked that. Anything in my log with
"crunch!" after it was blocked.

I have just tried loading the page again, and had a very similar
result. So I then added ".gravatar.com" to my Privoxy block list and
reloaded. This time, SeaMonkey was OK and I was able to use "View
source" to get a copy of the page. I have emailed it to you at your
gmail address above, so you can see if it is the same as what is on
the server.

If this is a man-in-the-middle attack, then maybe someone has managed
to hack Ihug/Vodafone's Squid web cache - there have been a number of
complaints about it in the last week or two.
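Added example (mine, not Stephen's or anyone else's in the thread): a small Python triage script that reads Privoxy-style request lines and applies the reasoning Stephen uses above and in his earlier log post. The sample lines are constructed, modelled on a subset of his log but joined back onto one line each, which is how Privoxy writes them; "crunch!" marks a request the block list stopped, so a host whose every request was crunched (ga.js here) cannot have delivered anything, while the unexpected hosts that actually loaded, in order, are the chain the browser was walked through. The first-party domain, the allowlist of services the site is expected to call (Gravatar, reCAPTCHA, WordPress stats) and the .cn/.ru and bare-IP heuristics are assumptions taken from the thread's own remarks, not a vetted reputation list.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the hosts in Stephen's Privoxy log, one
# request per line as Privoxy writes them ("crunch!" = stopped by block list).
SAMPLE_LOG = """\
Oct 04 03:13:01 Privoxy(00003) Request: www.thestandard.org.nz/insulting/
Oct 04 03:13:12 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/themes/k2/style.css
Oct 04 03:13:24 Privoxy(00004) Request: www.gravatar.com/avatar/8030d69e12183e3070a254871f0f66a2?s=32&d=identicon&r=PG
Oct 04 03:13:25 Privoxy(00006) Request: api.recaptcha.net/challenge?k=6LfZQwAAAAAAAHyPuxuDIaIeazBIje0AZOL49ktv
Oct 04 03:14:02 Privoxy(00003) Request: gstats.cn/
Oct 04 03:14:02 Privoxy(00004) Request: www.google-analytics.com/ga.js crunch!
Oct 04 03:14:04 Privoxy(00004) Request: stats.wordpress.com/g.gif?host=www.thestandard.org.nz
Oct 04 03:14:13 Privoxy(00003) Request: 89.187.48.131/z/5.htm
Oct 04 03:14:15 Privoxy(00006) Request: ho0k.com/etc/count.php?o=5 crunch!
Oct 04 03:14:16 Privoxy(00005) Request: 89.187.48.131/out.php?s_id=1
Oct 04 03:14:17 Privoxy(00004) Request: fstat.cn/in.cgi?id142
Oct 04 03:14:17 Privoxy(00005) Request: busyhere.ru/in.cgi?pipka4
Oct 04 03:14:20 Privoxy(00004) Request: yourtraf.ru/tds/in.cgi?10
Oct 04 03:14:42 Privoxy(00004) Request: golpii.com/26/1/
"""

LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"Privoxy\(\d+\) Request: (?P<url>\S+)(?P<blocked> crunch!)?$"
)

# Assumptions drawn from the thread's remarks, not a vetted list.
FIRST_PARTY = ("thestandard.org.nz",)
EXPECTED_THIRD_PARTY = {"www.gravatar.com", "api.recaptcha.net", "stats.wordpress.com"}
IP_HOST = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
REDIRECTOR_PATH = re.compile(r"/in\.(cgi|php)\b")


@dataclass
class Request:
    ts: str
    host: str
    path: str
    blocked: bool  # True when Privoxy appended "crunch!"


def parse_privoxy_log(text):
    """Parse one request per line; lines that don't match (wrapped fragments,
    'cgi call' bookkeeping) are skipped rather than guessed at."""
    reqs = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host, _, path = m.group("url").partition("/")
        reqs.append(Request(m.group("ts"), host.lower(), "/" + path,
                            m.group("blocked") is not None))
    return reqs


def is_first_party(host):
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def could_have_loaded(reqs, host):
    """Stephen's point: a host is only a candidate loader if at least one
    request to it got past the block list."""
    return any(r.host == host and not r.blocked for r in reqs)


def suspicion_reasons(req):
    reasons = []
    if IP_HOST.fullmatch(req.host):
        reasons.append("bare IP address as host")
    if req.host.rsplit(".", 1)[-1] in {"cn", "ru"}:
        reasons.append("TLD the thread treats as a red flag (.cn/.ru)")
    if REDIRECTOR_PATH.search(req.path):
        reasons.append("in.cgi/in.php redirector-style path")
    return reasons


def unexpected_chain(reqs):
    """Hosts that actually loaded and were neither first-party nor expected,
    in first-seen order: the redirect chain the browser was walked through."""
    chain = []
    for r in reqs:
        if r.blocked or is_first_party(r.host) or r.host in EXPECTED_THIRD_PARTY:
            continue
        if r.host not in chain:
            chain.append(r.host)
    return chain


def report(reqs):
    lines = []
    for host in unexpected_chain(reqs):
        first = next(r for r in reqs if r.host == host and not r.blocked)
        why = suspicion_reasons(first) or ["unknown host fetched after the page's own assets"]
        lines.append(f"{first.ts} {host}{first.path}: " + "; ".join(why))
    return lines


if __name__ == "__main__":
    parsed = parse_privoxy_log(SAMPLE_LOG)
    print("ga.js could have loaded:", could_have_loaded(parsed, "www.google-analytics.com"))
    print("\n".join(report(parsed)))
```

On the sample, `could_have_loaded` is False for google-analytics.com (both of Stephen's objections in one check) and the chain begins at gstats.cn, the first non-first-party host that was neither blocked nor expected, which is where Lynn's later reading of the same log starts too.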

Enkidu

Oct 3, 2008, 11:12:04 PM
Nothing. I looked at the source and it appears to be reasonably normal.
Looks like he uses WordPress and a bunch of JavaScript from somewhere,
but I didn't see anything out of the ordinary.

Cheers,

Cliff

--

Tax is not theft.

Enkidu

Oct 3, 2008, 11:15:47 PM
reCAPTCHA is about those wavy letters that they get you to type into a
form to prove you are human.

lynn.p...@gmail.com

Oct 4, 2008, 12:00:12 AM
> The webmaster for thestandard can't see it either and suspects a
> man-in-the-middle attack.

It is interesting. Could people who saw it before try again? It looks
like there was something doing a man-in-the-middle on the request to
the Google Analytics JavaScript. I've removed Google Analytics, but it is
a bit worrying.

Lynn

Stephen Worthington

Oct 4, 2008, 12:32:39 AM
On Fri, 3 Oct 2008 21:00:12 -0700 (PDT), lynn.p...@gmail.com
wrote:

For me, blocking www.gravatar.com seems to be the thing that fixes it.
I already had google analytics blocked when I was getting the problem.

Lynn Prentice

Oct 4, 2008, 12:34:03 AM

Finally dusted off my Usenet knowledge, created NNTP in Thunderbird, and
found a portal.

That is strange.

In your original listing it showed a request to gstats.cn, which is a
well-known malware site. That was followed by a request to
google-analytics.com for the ga.js (which is what it is meant to have
done). Then the rest of the malware requests.

Now it is showing as fixed on gravatar.com? That tends to imply that
there is either something in my Linux/Apache/WordPress system or
something is doing interesting things to the HTML pages that I'm
generating on the way through.

In the former case it is not showing in the WordPress PHP or JS. There
doesn't seem to be anything odd in the mods for Apache.

I isolated the code on an openSUSE box (production is Fedora) and had a
close look at the internal structures in the PHP generators and JS.
Can't see anything there. Now having a look at the Fedora system with a
succession of AVs scanning the file system.

The man-in-the-middle is, to put it mildly, quite a worry. It is one way
to waste a day.

Lynn
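Added example (mine, not Lynn's or Stephen's): Stephen has mailed Lynn a "View source" copy of the page as his browser received it, and Lynn's question above is whether the difference lies in the server's own output or in something modifying the HTML on the way through. A small Python comparison of the two captures answers that directly: it extracts every external resource host (script, iframe, img, link, embed, object) and counts inline scripts in each copy, then reports what the client copy has that the server copy lacks. Both HTML captures are constructed for the example; the hidden iframe to the placeholder host `injected.example` stands in for whatever a transit copy might have picked up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed server-side rendering, modelled on the WordPress/K2 page in the
# thread: first-party assets plus the third parties the site knowingly calls.
SERVER_COPY = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/k2/style.css">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.2.3"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body>
<img src="http://www.gravatar.com/avatar/8030d69e12183e3070a254871f0f66a2?s=32">
<script>/* theme inline script */</script>
</body></html>"""

# Constructed client-side capture: the same page with two additions of the
# kind an in-transit modification would leave (placeholder host, not real).
CLIENT_COPY = SERVER_COPY.replace(
    "</body>",
    '<iframe src="http://injected.example/z/5.htm" width="0" height="0"></iframe>\n'
    "<script>/* extra inline script present only in the transit copy */</script>\n</body>",
)


class _RefCollector(HTMLParser):
    """Collects URLs that make the browser fetch something, plus inline scripts."""
    URL_ATTR = {"script": "src", "iframe": "src", "img": "src",
                "link": "href", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.urls.append(value)
        elif tag == "script":
            self.inline_scripts += 1  # <script> with no src is inline code


def external_hosts(html):
    """Hosts referenced by absolute URL (relative URLs are first-party) and
    the number of inline <script> blocks."""
    p = _RefCollector()
    p.feed(html)
    hosts = {h.lower() for h in (urlsplit(u).hostname for u in p.urls) if h}
    return hosts, p.inline_scripts


def compare_captures(server_html, client_html):
    """Diff the server's own rendering against what a client received."""
    s_hosts, s_inline = external_hosts(server_html)
    c_hosts, c_inline = external_hosts(client_html)
    return {
        "added_hosts": sorted(c_hosts - s_hosts),    # present only in what the client got
        "missing_hosts": sorted(s_hosts - c_hosts),  # stripped on the way through
        "extra_inline_scripts": c_inline - s_inline,
    }


if __name__ == "__main__":
    print(compare_captures(SERVER_COPY, CLIENT_COPY))
```

An empty `added_hosts` with zero extra inline scripts means the client saw what the server sent, which points back at the server or its plugins; anything listed in `added_hosts` was introduced between the server and the browser, which is the case Stephen and Lynn are weighing.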

Craig Sutton

Oct 4, 2008, 3:27:37 AM

<Ernest_t...@hotmail.com> wrote in message
news:54215cef-404c-4992...@x41g2000hsb.googlegroups.com...

On Oct 3, 4:19 pm, "Ernest_the_Sh...@hotmail.com"

I went to Kiwiblog.co.nz and got nothing more than a screen full of garbage


~misfit~

Oct 4, 2008, 5:09:07 AM
Somewhere on teh intarwebs "Craig Sutton" typed:

I think that's normal for blog sites.

Enkidu

Oct 4, 2008, 5:46:58 AM
David Farrar is one of the most articulate and accurate of the right
wing bloggers.

Lynn Prentice

Oct 4, 2008, 7:57:09 PM

It has happened a few times to me when I've been reading as well. I
first saw it about 2 weeks ago. Looks like a screen full of raw binary.
It seems to clear up pretty fast.

Lynn

gk7...@yahoo.co.in

Oct 5, 2008, 1:17:15 PM
> Now, who would be in a position to do that ...

It surely is a man-in-the-middle attack. I think that the "golpii"
attacks certain sites. Anyone heard of GameBrite? It's a standard
gaming site; when I try to visit it, I get a golpii popup.
Fortunately, my BitDefender will block the whole site :) This golpii
seems to be new. Hope AV guys get on its trail soon.
