Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Malware advert for systemdoctor

Status
Not open for further replies.
Moved 2 feet to another machine...

...and the ad was there again... And yes I am also in Norway... See attached pics...

EDIT: This machine has not been used to access MR in the last couple of days or so... I'm not able to replicate the ad on this machine even after clearing cookies...
 

Attachments

  • Bilde 2.png
    Bilde 2.png
    37.5 KB · Views: 120
  • Bilde 4.png
    Bilde 4.png
    145.6 KB · Views: 88
  • Bilde 5.png
    Bilde 5.png
    36.8 KB · Views: 89
arn said:
it'd really help if you use the test urls posted above, specifically the last one

https://www.macrumors.com/test2_tf.php

on a computer that hasn't visited macrumors lately.

arn
Click to expand...

Logged in to new user (that haven't been on MR), erased all cookies and typed in www.macrumors.com/test2_tf.php. Nothing happened. I erased all cookies again, and went to www.macrumors.com, again nothing. Erased all cookies again, and reloaded page. The ErrorSafe ad was then displayed. Attached you will see a log of all cookies immediately after beeing redirected to the errorsafe site. Hope it helps...
 

Attachments

  • Bilde 4.png
    Bilde 4.png
    112.9 KB · Views: 118
crassusad44 said:
Logged in to new user (that haven't been on MR), erased all cookies and typed in www.macrumors.com/test2_tf.php. Nothing happened. I erased all cookies again, and went to www.macrumors.com, again nothing. Erased all cookies again, and reloaded page. The ErrorSafe ad was then displayed. Attached you will see a log of all cookies immediately after beeing redirected to the errorsafe site. Hope it helps...
Click to expand...

Hi all, I appreciate the effort. Getting the ad on macrumors.com doesn't help me much... though the cookies might.

It would very much help to know if its reproducable on https://www.macrumors.com/test2_tf.php

update: Actually, the cookies may be very helpful. Based on what you said you had NO cookies, loaded the page which showed the ad and these are the only cookies there - right?

I'm going to have my adnetwork block workhomecenter

arn
 
arn said:
Hi all, I appreciate the effort. Getting the ad on macrumors.com doesn't help me much... though the cookies might.

It would very much help to know if its reproducable on https://www.macrumors.com/test2_tf.php

arn
Click to expand...

New user account (just to be sure). Typed www.macrumors.com/test2_tf.php directly into the url field. Nothing. Reloaded page 20-25 times. Nothing. Erased cookies. Reloaded again, maybe 20 times. Nothing. Typed in www.macrumors.com, and BOOOOM... ErrorSafe on first load. Seems to me like test2_tf.php is fine... Can try again on a another comp. with new user account if you want more testing...

EDIT: Regarding last post. Yes I erased all cookies before loading macrumors.com the second time, when the errorsafe ad was displayed. The screenshot with the cookies was taken immediatly after Safari was hijacked (after I pressed cancel)
 
Just to let you know, Im from Australia and Ive been getting a popup on macrumors.com for a couple of days for a product called drivecleaner.

Running safari 2.0.4 on iBook G3.

But when I go to https://www.macrumors.com/test2_tf.php I dont get any popups.

Hope this helps.
 
here's some more details on this works, and how it gets snuck in

http://chattyfig.figleaf.com/pipermail/flashcoders/2006-September/173142.html

Not quite sure what the 'prior errorsafe javascript' implementation is.
User experience is as follows:

- User visits his favorite website, say, www.joesblog.com
- Joesblogs puts some ads on his site and sell his inventory to an
adnetwork
- Adnetwork doesn't know this "matchservice.com" ad is a scam, and
serves the user a nice 468x60 flash banner of rmatchservice.com
- If the user's IP & timezone & (mysterious other reasons) match some
parameters in the actionscript, flash file opens a popup without a click
to errorsafe.com/...
- New errorsafe page tries to install active-x and also initiates an
.exe download to try to get the user to install the program.
- User accidentally clicks install, or "open" on the exe and is now
infected w/ spyware.
Click to expand...
 
Status
Not open for further replies.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back