Sunday, March 23, 2008

XPonlinescanner.com: Malware infection on Star Tribune and other news sites

Preface: 3/24/2008.

I've retitled this post and added this preface due to a comment I received today:
I've seen several versions of the install file over the past week which is an indication that someone is up to no good. The source was: hxxp://xponlinescanner.com/2008/download
XPantivirus2008_v77011816.exe
XPantivirus2008_v880136.exe
XPantivirus2008_v77024205.exe
XPantivirus2008_v880181.exe
I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader.
So it looks like this was part of an attack of some sort. The Minneapolis Star Tribune site may have been compromised or it may be an unwitting attack vector. I couldn't find a good email address to notify them yesterday, but I did find a "feedback" form that looked like it might work. They really need to have a link to notify them of website issues in general and malware attacks in particular.
--
I click on the StarTribune National News link and my Firefox page vanishes. Instead I see:

I have to kill Firefox from the XP application list to get free. Talk about "erratic PC behavior, PC freezes and creahes".

There actually is a vendor selling this product. So this might not be a simple phishing attack; maybe the bot virus is embedded in a supposed commercial product instead. Maybe my XP box isn't really infected and this really was something the Strib's ad supplier tossed up.

Or not. [jf: see comments. Looks like a malware attack.]

I just can't tell. McAfee SiteAdvisor connects the vendor to spam, so I'm leaning towards my machine NOT being infected and XPonlinescanner.com being a shady enterprise with a good probability of a nasty "backdoor" in their "antiviral" "security" product.

I really do need to get rid of my last XP box. Using XP on the net is like waving a wad of bills in a port bar of old Bangkok.

Update 9/14/09: A similar attack hit the New York Times

34 comments:

Anonymous said...

I found your comment about this by googling it (just this morning - google found you fast!) after we got the same thing when visiting the Star Tribune website. If it is something legitimately spawned from their site it's pretty tacky of them since they are a large metropolitan newspaper. It could, however, be an ad hijack from a third-party ad server (which does happen to even the biggest websites sometimes). Either way, if you close the window it doesn't seem to try to install anything (like some nasty-ware does).

Anonymous said...

This same thing happens to me on the StarTribune website. I hate this thing.

Anonymous said...

Do not install this software. I am sure it's spam or a virus. I sent an email to the StarTrib explaining the problem. However, I doubt that I'll hear back from them.

It would probably help if you could send them an email as well.

JGF said...

I sent an email to their "corrections" address.

They don't provide a contact address for problems like this. The Strib ain't the most sophisticated operation!

Anonymous said...

Another Twin Cities Startribune web reader and I got the same thing on both machines. I have up to date Windows Forefront and that did not detect it, but it sounds like that is where it's spawning from. Just closing and removing cookies.

Anonymous said...

I too got to this page from the Star Tribune site. It was weird since I was using safari on a mac, and it was an XP system scanner or whatever.

Sean said...

I just got the same treatment from them via salary.com and I notice it didn't install anything. They have a script that just resizes the browser really small and then they put a confirmation dialog on top of it. I closed the confirmation window and it resized my browser to the height and width of my screen and claimed to be scanning my computer. Nonsense. Nonsense that it is scanning and bigger, infuriating nonsense that such ads exist. I am going to filter them out with my ad blocker, and I am a bit glad that now I have something new to look for, in case someone else tries this sort of thing.
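An added example, not code from the post or from any commenter: a userscript-style routine that neutralizes the trick Sean describes (shrink the window with resizeTo, trap the user in a confirm dialog, then go full screen with a fake scan). It assumes a window-like object with location, confirm and open, so it can be exercised offline with a constructed fake; the host list is the one named on this page.

```javascript
// Host names named on this page as the source of the rogue "scanner".
const ROGUE_HOSTS = ["xponlinescanner.com"];

// True when the URL's host is a rogue host or a subdomain of one.
function isRogueUrl(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return false; // not an absolute URL; nothing to match
  }
  return ROGUE_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Wraps the window-manipulation and dialog APIs the popup abuses on a
// window-like object (assumed shape: location.href, confirm, open).
// Returns a log of blocked calls so the caller can inspect what was stopped.
function hardenWindow(win) {
  const blocked = [];
  // No page gets to resize or move the browser window at all.
  for (const name of ["resizeTo", "resizeBy", "moveTo", "moveBy"]) {
    win[name] = (...args) => { blocked.push({ api: name, args }); };
  }
  // A rogue page gets no confirm() dialog to trap the user in; everything
  // else passes through to the original implementation.
  const origConfirm = win.confirm;
  win.confirm = (msg) => {
    if (isRogueUrl(win.location.href)) {
      blocked.push({ api: "confirm", args: [msg] });
      return false;
    }
    return origConfirm.call(win, msg);
  };
  // Pop-ups pointed at a rogue host are refused.
  const origOpen = win.open;
  win.open = (url, ...rest) => {
    if (isRogueUrl(url)) {
      blocked.push({ api: "open", args: [url] });
      return null;
    }
    return origOpen.call(win, url, ...rest);
  };
  return blocked;
}

// In a real browser userscript this is the only call needed.
if (typeof window !== "undefined") hardenWindow(window);
```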

Anonymous said...

This popup is a Trojan Horse malware; users should close the window and not use any buttons presented in the main popup.

Occurred twice this weekend on ST site.

Sent the webmaster a notice.

Anonymous said...

This is fraud. It supposedly "scanned" my computer and told me that I had 3 or 4 Windows viruses and needed to run their anti-virus. I run Linux.
The "antivirus" scan is nothing but a canned Javascript program that makes it look like it's scanning things, but is really doing nothing.
Assume this is a malicious site, do NOT download anything from it (even though it tries hard to force you to), and complain to the site owner.

Anonymous said...

I've seen several versions of the install file over the past week which is an indication that someone is up to no good.
The source was: hxxp://xponlinescanner.com/2008/download

XPantivirus2008_v77011816.exe
XPantivirus2008_v880136.exe
XPantivirus2008_v77024205.exe
XPantivirus2008_v880181.exe

I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader.
~jbrown

Wiscomm Staff said...

Started this weekend on the jsonline.com (Milwaukee Journal Sentinel) site. Complaint has been filed with site owner.

Anonymous said...

I just received it this morning. But I believe this one actually popped up while I was on Photobucket.

I closed it but it just opened into a window saying it was scanning and then I just closed it again. I'm hoping it didn't do anything else.

Mike said...

I got it on JSOnline and a music lyrics website called "letssingit.com."

Tim said...

I just got this on a livejournal user's page. It had pictures from photobucket, ads from google, and javascript from snap.com for I'm not sure what.

Alfred said...

I've never heard of or been to the Star Tribune website, but this pop up has appeared on starting up firefox on both a Linux and a Mac computer. I don't use MS Windows.

It would appear that this is wider spread than just a rogue web site.

Anonymous said...

A new anonymous person here. It just happened to me when I was trying to connect to LiveJournal. Looks like it's getting around...

Anonymous said...

I love the fact that it tries to pull this crap on my Mac. Never mind the fact that I'm running Safari, the malware spammer doesn't seem to bother checking what OS it's trying to chum. I'm sorry, I don't have any sort of DLLs, C:, or Local Setting. Windows-style pop-up dialogs on a Mac is even funnier.

Anonymous said...

Car Domain has it as a popup as well.

Anonymous said...

Metacritic.com is also featuring this nasty dialog warning box. I sincerely hope it does not feature a self-installing component, as I clicked 'cancel' when it popped up.

Anonymous said...

I got the same thing and I was on The Sporting News website. It is definitely not limited to one site.

Anonymous said...

my website is also hijacked by xponlinescanner.com :-(

somebody know what to do?

Anonymous said...

I got that popup about many months ago, but I don't know which site it originated from.. and since then, my computer lost its main user profile. So everything that is now saved, which is now on the temp profile all gets deleted. /:
And now I just received it again and I was on Photobucket.
It's getting ridiculous and I need my main login again, but I don't know how to do that without paying lots of money to fix it.

Anonymous said...

I have just received this very misleading pop-up. Thank god I decided to google it first. I have submitted the info to Symantec people. Let's see what they have to say.
Thank you very much for your blog.

Anonymous said...

I just got the http://xponlinescanner.com/2008/1/_freescan.php?aid=77024204
error with the 4 virus warning and popup to download their software. I was/am using firefox and was looking at my photobucket account.

It startled me because the wording is somewhat tricky in how to 'exit' it, so I just clicked the X (hope that didn't dispense anything) and shut down firefox and ran a couple of my virus protections.

WHAT IS THIS AND WHERE IS IT COMING FROM? (Not yelling, per se, but VERY curious)

I couldn't even find it on major geeks!

Tony G said...

DO NOT INSTALL THIS!

Go to your task manager and close whatever internet program you were using when you got this.

This will infect your computer.

Unknown said...

I got that same warning message when I went to photobucket.com

Anonymous said...

Look here if you have been infected with this. Hopefully you have not.

http://www.spyware-techie.com/how-to-remove-xponlinescannercom/

or just google xponlinescanner.com

it brings up lots of results.

Anonymous said...

I'm pretty sure that this exploit is not caused by how much crap is on a LiveJournal page. I was going through my friends list and I got the pop-up as well--and I usually get it on Safari, not Firefox (since I upgraded to the latest beta). It's the work of Russian mafia scammers trying to make a buck.

Unknown said...

This crap has been embedded in ads displayed from advertisers. It is happening all over the place. The good news is that most ad firms are catching on.

Hope that helps. It has nothing to do with the site itself you may be visiting at the time.

Anonymous said...

I had a TON of windows pop up when I started AOL a few weeks ago. I had to shut AOL down to get them to stop. This morning when I started AOL, I got the XPONLINESCANNER message that all of you have gotten. Every time I tried to close it, it popped up in a different window. I finally got it to close, but it took a while. I googled it, and found this site. Thanks for all the info posted, and I will surely warn everyone I know about this. Also, thanks to whoever posted the site for the removal tool. I am going to give it a shot as soon as I am done writing this.

Anonymous said...

It's obviously malware... Fake website, all links on it lead to the download box.

And to top it off, I was using Linux when it popped up. It can't scan something it wasn't supposedly designed to scan... :) Windows incompatibility ya know...

cori said...

well it's happening again at star trib, it's done it to me twice in the past day, trying to take me to xponlinescanner.com. grr.

beer234 said...

The StarTribune has tried to give me the Antivirus XP malware twice today on separate PCs and twice last week. I'm still trying to identify what pages I'm sitting on etc but it has consistently been StarTribune handing out malware.

Anonymous said...

I had it happen to me on StarTribune.com yesterday. I was using Safari on my Mac. How frustrating.

Should I find a new place to read my news?