Thursday, March 27, 2008

XPonlinescanner: malware attack or very nasty ad? Interesting, either way.

Last week I ran into a Firefox attack while browsing a local website. I posted about XPonlinescanner.com: Malware infection on Star Tribune and other news sites.

I figured I'd hear something more about this, but a Google search today only shows my original post. So maybe I was imagining things.

Except my original post continues to attract about one comment a day, along the lines of:

I've never heard of or been to the Star Tribune website, but this pop up has appeared on starting up firefox on both a Linux and a Mac computer. I don't use MS Windows.
It would appear that this is wider spread than just a rogue web site.

I just received it this morning. But I believe this one actually popped up while I was on Photobucket.
I closed it but it just opened into a window saying it was scanning and then I just closed it again. I'm hoping it didn't do anything else.

Started this weekend on the jsonline.com (Milwaukee Journal Sentinel) site. Complaint has been filed with site owner.

I've seen several versions of the install file over the past week which is an indication that someone is up to no good.
The source was: hxxp://xponlinescanner.com/2008/download'
XPantivirus2008_v77011816.exe
XPantivirus2008_v880136.exe
XPantivirus2008_v77024205.exe
XPantivirus2008_v880181.exe
I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader.

This popup is a Trojan Horse malware, users should close the window and not use any buttons presented in main popup.

Just got the same treatment from them via salary.com and I notice it didn't install anything. They have a script that just resizes the browser really small and then they put a confirmation dialog on top of it. I closed the confirmation window and it resized my browser to the height and width of my screen and claimed to be scanning my computer....

I do wonder what's going on. If this is indeed a malware attack, it's interesting that it's propagating without comment across multiple sites. If it's not a malware attack, then it says something about the state of web advertising and the desperation of news sites.

Update 10/2/09: I wonder if the NYT breach of 9/15/09 was something similar...

...According to security experts, groups that are often based in Russia and Ukraine create the fake antivirus software and then recruit people to help distribute it by giving them a cut of any money made by selling the software. These so-called affiliates can mimic the advertisements of legitimate companies, learn their techniques for submitting ads to networks and sites, meddle with ad servers and then go so far as to provide customer support for people who install the software, keeping the scam running as long as possible...

Did the Strib ever realize it had been hacked? I don't think they ever admitted it.

14 comments:

Anonymous said...

Same thing just happened to me!

Jeremy said...

FWIW, I've been having this problem, too. And it's happened from a couple of reliable sites, so I highly doubt that it has anything to do w/ the sites themselves. It is likely a trojan, which is getting triggered whenever 'something' is accessed by IE. Haven't figured out myself where it is coming from yet, but I'm hoping to do it today.

Best thing I've found to do when you see the popup is to bring up your task manager and kill iexplore.exe. Even clicking on the 'x' to close it has taken me to an undesired web page where it starts 'scanning' my pc.

Jessica said...

I only get this popup when I am browsing Photobucket. It happened to me yesterday twice and today. I figured I'd google it and this came up. Not too sure. When I click the x it takes me out of Photobucket and onto an advertising site that says it's scanning my computer. Not sure what to do about it. I am on Mozilla Firefox when it happens... I just exit out of the browser and go back on.

Anonymous said...

This has happened to me as well. I have been dealing with this for a few days. I believe it started as I was on the photobucket site. I also use firefox.

morgaath said...

It is spreading by advertising. Near as anyone can make out it is ads from DoubleClick (who seem to get this type of 'advertising' way more than any other advertiser).

Anonymous said...

This happened to me on FlightGlobal.com after clicking an internal link. I'm using Safari under OS X 10.4.11.

Austin said...

Same exact thing happened to me. Luckily I was on a Mac.

Anonymous said...

The xponlinescanner popped up for me this morning. I was on photobucket as well. It's suspicious that it's happened to so many of us on photobucket & 2 weeks apart.

Anonymous said...

I got it in the middle of webmd.com. They make it look exactly like a Windows XP site.

stefnstuff said...

I use Internet Explorer or various versions of it through Yahoo and America Online. I wonder has anyone had any trouble with a Netscape browser? Do those even exist as an actual browser anymore? I experienced it on Photobucket and LiveJournal. I have run (and I am not kidding here) about 6 different anti-virus/anti-spyware programs that claim to detect and erase malware. Right now I am running Trend Housecall. This seems to have detected files that no other anti whatever could find. Why wouldn't a firewall protect against this thing? Norton Antispyware and Antivirus did not detect it. This thing seems to be pretty new. Does anyone have an experience with this and come up with a solution for this or do I have to stop visiting certain internet sites indefinitely? grrrr.

Anonymous said...

I am in the midst of listing something on eBay and that "xponlinescanner" popped up. I was trying to figure out where it was coming from and it originated from my Photobucket tab. I am running Vista Home Premium and AVG - so far I don't think that pop up has done any harm to my computer. Odd to say the least. I am using FireFox 2.0 at the moment.

Anonymous said...

This just happened to me a few minutes ago. I knew it was suspicious, so I started task manager and end tasked Internet Explorer. I did a scan and the only thing that popped up was tracking cookies. It came from a frugal shopper site that I visit daily. I use Vista and my computer is only 4 months old.

PJ said...

Whenever I visit F1live.com I get the xponlinescanner popup on my screen. I am using Mac/Safari. When this xponlinescanner message pops up it disables the shut down button for Safari and the computer. A message comes up if I hit "shut down" that tells me that Safari has cancelled shut down. The only way to turn the computer off is to hold down the power button.

Kamilah Hauptmann said...

2009 and it's still happening. This one claimed to be from malware-aadestroyer.com

I just killed it with the X and started snooping Google for solutions/explanations.