=======================================================
Thousands of home computers infiltrated after hackers infect
high-profile websites with booby-trapped ads
By Graham Smith
Last updated at 7:59 AM on 3rd March 2011
Tens of thousands of people are feared to have had their computers
infected by booby-trapped adverts on websites including the London Stock
Exchange as the full extent of a cyber-attack which began on Sunday
becomes apparent.
The scam, which also involved ads on Autotrader, Vue and six other
websites, began on Sunday after cyber-criminals hacked into an ad firm's
IT system.
Malicious adverts were then released which caused fake virus warnings to
pop up on computers belonging to those surfing the affected sites.
Bogus warnings: The malicious adverts caused fake security warnings to
appear on the screens of people surfing the affected websites. They were
then asked for payment to remove them.
After telling them that their computer was infected, the bogus
diagnostic screen asked for payment to remove the 'infection'.
It is thought the scam only affected PC users running the Safari, Chrome or
Firefox browsers.
> As usual - running Win-98 and/or having a comprehensive or
> up-to-date HOSTS file is the answer here.
LOL, I'd have to disagree. I can run an NT machine here for months on end
without restarting. Win9x (and ME) have a bug which will cause them to
crash on you after roughly 45 days. Hard to take advantage of the newer
hardware using windows 9x. Hell, you can't even get windows XP loaded on
some of it now.
Playing it safe and not surfing the web without safeguards in place is
the answer.
--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?
Personally, I've never had anything but the default localhost entry in
any of mine.
>Just out of idle curiosity, do you use the hosts file for filtering out
>known adware/spyware domain names?
>
>Personally, I've never had anything but the default localhost entry in
>any of mine.
You didn't ask me, but lemme tell ya my experience. If you use the MSMVP HOSTS
file, along with Ad-Block+ and Ghostery in FF, you'll rarely see any ads.
The bonus of the HOSTS file is that pages load much faster when they don't have
to resolve all the ads, the ad-servers all are told to goto localhost (which
results in a 404).
Tell me, why don't you use *this* site instead of the MS MVP Hosts file?
After all, it's the one used by Malwarebytes!
>
>Tell me, why don't you use *this* site instead of the MS MVP Hosts file?
>
>http://www.hosts-file.net/
>
>After all, it's the one used by Malwarebytes!
I use a program called "Hostsman" that is able to get that one, the MSMVP one,
"Peters Lowe's ads list", etc...
I had hpHOSTS for a while but I think I found it too restrictive. I just d/l'ed
the update and will see how it goes. I just went from about 15k blocked domains
to 133,606.... We'll see.
I looked here http://www.abelhadigital.com/hostsman
It says:-
Requirements:-
Windows 98SE, Me, NT4 SP6, 2000, XP, Server 2003, Vista, Server 2008,
Windows 7
No good for my iMac or the Linux users! <rolls eyes> :(
>I looked here http://www.abelhadigital.com/hostsman
>
>It says:-
>
>Requirements:-
>
>Windows 98SE, Me, NT4 SP6, 2000, XP, Server 2003, Vista, Server 2008,
>Windows 7
>
>No good for my iMac or the Linux users! <rolls eyes> :(
Would this help?
http://www.apple.com/downloads/macosx/development_tools/gasmask.html
> Dustin wrote:
>> Virus Guy<Vi...@Guy.com> wrote in news:4D6FBBE3...@Guy.com:
>>
>>> As usual - running Win-98 and/or having a comprehensive or
>>> up-to-date HOSTS file is the answer here.
>>
>> LOL, I'd have to disagree. I can run an NT machine here for months
>> on end without restarting. Win9x (and ME) have a bug which will
>> cause them to crash on you after roughly 45 days. Hard to take
>> advantage of the newer hardware using windows 9x. Hell, you can't
>> even get windows XP loaded on some of it now.
>>
>> Playing it safe and not surfing the web without safe guards in
>> place is the answer.
>>
> Just out of idle curiosity, do you use the hosts file for filtering
> out known adware/spyware domain names?
No.
> Personally, I've never had anything but the default localhost entry
> in any of mine.
Same here.
Pcbutts is lying to you again.
Malwarebytes IP blocking ranges come from a variety of places.
Thank you!
This is what it shows on my machine:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
I then 'Googled' and found this
http://superuser.com/questions/241642/what-is-the-relevance-of-fe801lo0-localhost-in-etc-hosts
I guess all is just as it should be!
Please tell me if you think otherwise!
--
Dave
> > Just out of idle curiosity, do you use the hosts file for filtering
> > out known adware/spyware domain names?
>
> If you use the MSMVP HOSTS file, along with Ad-Block+ and Ghostery
> in FF, you'll rarely see any ads.
>
> The bonus of the HOSTS file is that pages load much faster when they
> don't have to resolve all the ads, the ad-servers all are told to
> goto localhost (which results in a 404).
There has been a somewhat large increase over the past few years in the
number of ad-serving and web-tracking / web-metrics companies offering
services to site and server-farm owners/operators. There are lots of
people spending time imagining new business models that revolve around
how to come up with new ways to leverage the click-behavior of internet
users as they navigate between sites, visit or post to social media
sites, and perform e-commerce transactions. Once they have a new
concept ironed out, they form a startup business, write back-end
software and set up servers to perform the intended service, and pitch
the service to site owners.
Site or domain owners seem to have no end to an appetite to pay for and
integrate these third-party services into their web content.
By hooking into these services, new vulnerabilities are created for
hackers to infiltrate the servers of these companies and inject
malicious code or monitor valuable transaction data (personal info,
credit-card numbers, etc). For end users, these companies and the
servers they operate are garbage or a parasitic drain on your
web-surfing experience - and can be much worse if they happen to be
serving you malware because they've been hacked into.
If you browse to any of the popular pseudo-journalistic websites
(gizmodo, cnet/zdnet, arstechnica, engadget, etc) what you don't see are
the behind-the-scenes linkages to these various ad-serving and
web-metrics services. If you had a look at the out-going log of your
broadband modem or router you would see just where or who your browser
is sending data to for any given website you browse to.
As we are seeing more and more often, nullifying the ability of your
browser to make contact with those parasitic servers will do more than
just result in a smoother and faster site-surfing experience - it will
close a vulnerability window that can expose your PC to malware. The
beauty here is that these parasitic servers operate from fixed domains
or IP addresses that rarely change.
Here's an example of some entries in my own hosts file that I've added
manually after observing their existence as a result of my own
web-surfing and file-downloading:
You can see all those linked sites if you use NoScript on Firefox. You
start with JavaScript disabled by default, then allow (temporarily or
permanently) the main page of the website. NoScript shows you all the
linked sites, so you can avoid them.
However, the tracking software writers have come up with a few tricks to
reduce the value of NoScript:
a) linking the tracking site to the main page in such a way that you
can't navigate from it without allowing at least one of those additional
sites;
b) hiding the linked sites until you allow the main page.
Ad blockers don't work as well as they used to, either.
IMO, vendors that insist on your watching ads you don't want, or
cluttering their pages with 3rd party ads, etc, should not be rewarded
by buying from them. Make up a boiler-plate complaint and explanation of
why you'll look for another vendor, and mail it to them. Then go buy
somewhere else. Maybe even a real shop downtown or at the mall. They
still exist, you know. ;-)
FWIW, I don't mind ads on the "free" on-line edition of a newspaper, but
if I subscribe, I don't want any ads. Ad-free would be the incentive to
get me to subscribe. Gee, what a concept: buying nothing but news from a
newspaper! You could of course _ask_ the paper to offer you ads for
products you're looking for - when you are ready to buy, that is. The
paper could charge quite a bit more for _requested_ ads, eh?
IOW, give me control over what you offer on your website, and I'll
reward you. Shove unwanted stuff at me, and I'll avoid you.
Wolf K.
> You start with JavaScript disabled by default, then allow
> (temporarily or permanently) the main page of the website.
I tried noscript several years ago and found it to be a pain in the ass,
so I stopped using it.
I think having a hosts file is a much more elegant, seamless, and
efficient way to disable unwanted web-content.
Now something I have been trying recently is "yesscript" - to remedy a
problem I'm seeing more and more often - websites that temporarily
freeze on me because of an unresponsive script.
> IMO, vendors that insist on your watching ads you don't want, or
> cluttering their pages with 3rd party ads, etc, should not be
> rewarded by buying from them.
I simply neuter a website's ability to profit or gain from my viewership
by denying it the proper or intended operation of hooking into the
servers that are blocked by my hosts file. I think I'm sending it a
much more effective message by doing that vs not visiting that site or
vendor in the first place.
> IOW, give me control over what you offer on your website, and
> I'll reward you. Shove unwanted stuff at me, and I'll avoid you.
Using a hosts file gives you the control you seek in a very ergonomic
and elegant way.
Google could be put out of business tomorrow if everyone added a few
select entries in their hosts file - assuming their
internet-access-device of choice allows them the ability to have a hosts
file (or equivalent). I would think that iDevices (iPod/Pad/Phone) do
not.
> Here's an example of some entries in my own hosts file that I've added
> manually after observing their existence as a result of my own
> web-surfing and file-downloading:
> 127.0.0.1 ad-emea.doubleclick.net
> 127.0.0.1 ad-g.doubleclick.net
> 127.0.0.1 cm.g.doubleclick.net
> 127.0.0.1 doubleclick.net
> 127.0.0.1 googleads.g.doubleclick.net
Which just goes to show that using the hosts file for this purpose is
an inefficient way of doing it. There's loads of doubleclick servers,
not to mention TLDs, so it's far better to have software (firewall,
filter) between your browser and the net where you can use wildcard
entries like: *.doubleclick.* for domains you want to deny.
Why add another program just to manage a couple of text files?
wget, sort, uniq will do what you need.
John
> You didn't ask me, but lemme tell ya my experience. If you use the MSMVP HOSTS
> file, along with Ad-Block+ and Ghostery in FF, you'll rarely see any ads.
I don't use Ghostery (it changed ownership to one "BetterAdvertising"),
but I do use Fx with NoScript, AdBlock Plus (+ Element Hiding Helper)
> The bonus of the HOSTS file is that pages load much faster when they don't have
> to resolve all the ads, the ad-servers all are told to goto localhost (which
> results in a 404).
I also use the MVPS HOSTS-file that is found on
<http://www.mvps.org/winhelp2002/hosts.htm>
but there's a warning.
| Editors Note: in most cases a large HOSTS file (over 135 kb) tends to slow down the machine.
|
| To resolve this issue (manually) open the "Services Editor"
|
| * Start | Run (type) "services.msc" (no quotes)
| * Scroll down to "DNS Client", Right-click and select: Properties - click Stop
| * Click the drop-down arrow for "Startup type"
| * Select: Manual (recommended) or Disabled click Apply/Ok and restart. [more info]
I neglected to do this once (on a Win2k Pro SP4 system) and it resulted
in constant CPU peaks up to 100%. Certainly *not* faster (but solved
once the DNS Client was stopped).
--
s|b
> Tell me, why don't you use *this* site instead of the MS MVP Hosts file?
>
> http://www.hosts-file.net/
>
> After all, it's the one used by Malwarebytes!
You could also use the one in SpyBot - Search & Destroy...
--
s|b
[...]
> I simply neuter a website's ability to profit or gain from my viewership
> by denying it the proper or intended operation of hooking into the
> servers that are blocked by my hosts file. I think I'm sending it a
> much more effective message by doing that vs not visiting that site or
> vendor in the first place.
Sure, you hit them right in the wallet, but how is there a message
there? How could they know that you are blocking off-site content and
for what reason you did so?
[...]
>As we are seeing more and more often, nullifying the ability of your
>browser to make contact with those parasitic servers will do more than
>just result in a smoother and faster site-surfing experience - it will
>close a vulnerability window that can expose your PC to malware. The
>beauty here is that these parasitic servers operate from fixed domains
>or IP addresses that rarely change.
Yup, just last week an ad-server was hacked. It affected millions in Germany I
believe.
>However, the tracking software writers have come up with a few tricks to
>reduce the value of NoScript:
>a) linking the tracking site to the main page in such a way that you
>can't navigate from it without allowing at least one of those additional
>sites;
>b) hiding the linked sites until you allow the main page.
I also use Ghostery for FF, it turns off trackers like Google Analytics.
>
>Which just goes to show that using the hosts file for this purpose is
>an inefficient way of doing it. There's loads of doubleclick servers,
>not to mention TLDs, so it's far better to have software (firewall,
>filter) between your browser and the net where you can use wildcard
>entries like: *.doubleclick.* for domains you want to deny.
Yeah, but there are people working full time to nail down *every* ad-server. If
one slips thru, it's easy enough to add it to HOSTS.
I think the opposite, it's a very efficient way of doing it. There are no DNS
lookups for the ad's while you're waiting on content to load from the actual
site. I've seen major sites hang because the page was waiting on one ad-server
to reply.
You and your butt buddy say you and Linux
can not get infected.
"~BD~" <~BD~@nomail.afraid.com> wrote in message
news:zr2dnWdvo7FGhu3Q...@bt.com...
>I neglected to do this once (on a Win2k Pro SP4 system) and it resulted
>in constant CPU peaks up to 100%. Certainly *not* faster (but solved
>once the DNS Client was stopped).
That's what's nice about its batch file installer, it turns it off for ya!
>"Ant" wrote:
>>Which just goes to show that using the hosts file for this purpose is
>>an inefficient way of doing it. There's loads of doubleclick servers,
>>not to mention TLDs, so it's far better to have software (firewall,
>>filter) between your browser and the net where you can use wildcard
>>entries like: *.doubleclick.* for domains you want to deny.
>
> Yeah, but there are people working full time to nail down *every* ad-server.
> If one slips thru, it's easy enough to add it to HOSTS.
Even easier to add it to a filter if accessible from a tray icon.
> I think the opposite, it's a very efficient way of doing it.
The hosts file, at least in Windows, doesn't handle a huge number of
entries efficiently as has been pointed out by someone else. I fail to
see how disabling the DNS client service improves this because at some
point hosts has to be loaded into memory and parsed if it's to be used
at all.
> There are no DNS lookups for the ad's while you're waiting on content
> to load from the actual site.
There are no lookups with decent filtering software, either. When it
sees the blocked domain name it won't pass on the http "GET /" request
and will return whatever you've configured it to do. In my case, it
shows a small "blocked" message where any visible content would be.
> The hosts file, at least in Windows, doesn't handle a huge number of
> entries efficiently as has been pointed out by someone else.
The funny (or sad) thing about that is - yes, I think it's true.
For XP that is.
It's been reported that Win-98 is somehow able to handle huge HOSTS file
without any similar performance problems.
>> Yeah, but there are people working full time to nail down *every* ad-server.
>> If one slips thru, it's easy enough to add it to HOSTS.
>
>Even easier to add it to a filter if accessible from a tray icon.
Sure, if you are already running a s/w firewall. I don't like s/w firewalls,
and I've tried plenty. The Windows default firewall is good for me.
>> I think the opposite, it's a very efficient way of doing it.
>
>The hosts file, at least in Windows, doesn't handle a huge number of
>entries efficiently as has been pointed out by someone else. I fail to
>see how disabling the DNS client service improves this because at some
>point hosts has to be loaded into memory and parsed if it's to be used
>at all.
Mine is 512k, the largest object in memory now is Firefox (498k). It does not
take up memory space.
>> There are no DNS lookups for the ad's while you're waiting on content
>> to load from the actual site.
>
>There are no lookups with decent filtering software, either. When it
>sees the blocked domain name it won't pass on the http "GET /" request
>and will return whatever you've configured it to do. In my case, it
>shows a small "blocked" message where any visible content would be.
And then you have the overhead of a S/W firewall, further slowing things down.
>"Ant" wrote:
>>Even easier to add it to a filter if accessible from a tray icon.
>
> Sure, if you are already running a s/w firewall. I don't like s/w firewalls,
> and I've tried plenty. The Windows default firewall is good for me.
I don't use a firewall.
>>The hosts file, at least in Windows, doesn't handle a huge number of
>>entries efficiently as has been pointed out by someone else. I fail to
>>see how disabling the DNS client service improves this because at some
>>point hosts has to be loaded into memory and parsed if it's to be used
>>at all.
>
> Mine is 512k, the largest object in memory now is Firefox (498k). It does not
> take up memory space.
Space or not, it still has to be processed/searched. Because some
domains have many hosts it's inefficient compared to using the domain
name only.
How is Firefox using only 498K? Task Manager's memory usage (working
set) for mine is around 20,000K. Even a new instance of Notepad uses
over 1000K.
>>There are no lookups with decent filtering software, either. When it
>>sees the blocked domain name it won't pass on the http "GET /" request
>>and will return whatever you've configured it to do. In my case, it
>>shows a small "blocked" message where any visible content would be.
>
> And then you have the overhead of a S/W firewall, further slowing things down.
Which you have anyway if using the built-in Windows one. In any case,
I don't have a firewall installed, Windows or otherwise. What I'm
using is a small simple program that filters outgoing browser requests
and incoming cookies only. The overhead is negligible.
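To make the hosts-file mechanism from Virus Guy's post and Ant's wildcard objection concrete, here is an added Python example (my own code, not anything posted in the thread or shipped with HostsMan, the MVPS list or any filter program): it parses a constructed hosts file in the style of the entries above, flags an invalid name and a duplicated line, and shows that a hosts file matches exact names only, so a new doubleclick host slips past it while a rule like *.doubleclick.* catches it. The two-label parent-domain grouping is an assumption of the example, not a public suffix list.

```python
import fnmatch
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the style of the entries quoted in the thread, not a real file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
127.0.0.1 ad-emea.doubleclick.net
127.0.0.1 ad-g.doubleclick.net
127.0.0.1 cm.g.doubleclick.net googleads.g.doubleclick.net
127.0.0.1 doubleclick.net   # a bare domain entry does not cover its subdomains
127.0.0.1 b.scorecardresearch.com
127.0.0.1 b.scorecardresearch.com
0.0.0.0 beacon.scorecardresearch.com
127.0.0.1 -bad.example
"""
# Label rules from RFC 952/1123: 1-63 chars of [a-z0-9-], no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (entries, problems): (ip, hostname) pairs and (line, message) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((lineno, f"bad address {fields[0]!r}"))
            continue
        for name in map(str.lower, fields[1:]):
            if HOSTNAME_RE.match(name):
                entries.append((str(ip), name))
            else:
                problems.append((lineno, f"invalid hostname {name!r}"))
    return entries, problems

def sinkholed(entries):
    """Hostnames pointed at a loopback or unspecified address, i.e. blocked. 127.0.0.1
    still makes the browser try a local listener; 0.0.0.0 fails with no connection."""
    blocked = {}
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if name not in LOCAL_NAMES and (addr.is_loopback or addr.is_unspecified):
            blocked.setdefault(name, ip)
    return blocked

def duplicate_entries(entries):
    """Identical (ip, hostname) pairs listed more than once (wasted parsing)."""
    return sorted(name for (_, name), n in Counter(entries).items() if n > 1)

def by_parent_domain(blocked):
    """Group blocked hosts under their last two labels; an approximation of the
    registrable domain, since no public-suffix list is consulted here (assumption)."""
    groups = defaultdict(set)
    for name in blocked:
        groups[".".join(name.split(".")[-2:])].add(name)
    return {domain: sorted(hosts) for domain, hosts in groups.items()}

def hosts_lookup(blocked, name):
    """A hosts file matches exact names only: no wildcards or suffix matching."""
    return blocked.get(name.lower())

def wildcard_blocks(pattern, name):
    """Filter-style rule such as '*.doubleclick.*', with fnmatch semantics."""
    return fnmatch.fnmatch(name.lower(), pattern.lower())
```

Note that the wildcard rule as written does not match the bare domain doubleclick.net, only hosts beneath it, which is the kind of gap either approach needs checking for.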
Where is your boss, bd?
"G. Morgan" <usenet...@gawab.com> wrote in message
news:8vj2n65iqivklcg2d...@4ax.com...
Good for linux - if you do a bit of hunting around you will find a
hosts.deny file in /etc. su to root and gedit that file. Open the
original hosts file and copy all its entries, and paste them into
hosts.deny. Save the hosts.deny file, then close it and exit root.
Should work - worked for me
Also if you don't want to go that route use Adblock Plus on FF or Ghostery.