Sunday, March 23, 2008

XPonlinescanner.com: Malware infection on Star Tribune and other news sites

Preface: 3/24/2008.

I've retitled this post and added this preface due to a comment I received today:
I've seen several versions of the install file over the past week which is an indication that someone is up to no good. The source was: hxxp://xponlinescanner.com/2008/download
XPantivirus2008_v77011816.exe
XPantivirus2008_v880136.exe
XPantivirus2008_v77024205.exe
XPantivirus2008_v880181.exe
I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader.
So it looks like this was part of an attack of some sort. The Minneapolis Star Tribune site may have been compromised or it may be an unwitting attack vector. I couldn't find a good email address to notify them yesterday, but I did find a "feedback" form that looked like it might work. They really need to have a link to notify them of website issues in general and malware attacks in particular.
--
I click on the StarTribune National News link and my Firefox page vanishes. Instead I see:

I have to kill Firefox from the XP application list to get free. Talk about "erratic PC behavior, PC freezes and creahes".

There actually is a vendor selling this product, so this might not be a simple phishing attack; maybe the malware is bundled into a supposed commercial product instead. Maybe my XP box isn't really infected and this really was something the Strib's ad supplier tossed up.

Or not. [jf: see comments. Looks like a malware attack.]

I just can't tell. McAfee SiteAdvisor connects the vendor to spam, so I'm leaning towards my machine NOT being infected and XPonlinescanner.com being a shady enterprise with a good probability of a nasty "backdoor" in their "antiviral" "security" product.

I really do need to get rid of my last XP box. Using XP on the net is like waving a wad of bills in a port bar of old Bangkok.

Update 9/14/09: A similar attack hit the New York Times

34 comments:

  1. I found your comment about this by googling it (just this morning - google found you fast!) after we got the same thing when visiting the Star Tribune website. If it is something legitimately spawned from their site it's pretty tacky of them since they are a large metropolitan newspaper. It could, however, be an ad hijack from a third-party ad server (which does happen to even the biggest websites sometimes). Either way, if you close the window it doesn't seem to try to install anything (like some nasty-ware does).

  2. This same thing happens to me on the StarTribune website. I hate this thing.

  3. Do not install this software. I am sure it's spam or a virus. I sent an email to the StarTrib explaining the problem. However, I doubt that I'll hear back from them.

    It would probably help if you could send them an email as well.

  4. I sent an email to their "corrections" address.

    They don't provide a contact address for problems like this. The Strib ain't the most sophisticated operation!

  5. Another Twin Cities Startribune web reader and I got the same thing on both machines. I have up to date Windows Forefront and that did not detect it, but it sounds like that is where it's spawning from. Just closing and removing cookies.

  6. I too got to this page from the Star Tribune site. It was weird since I was using safari on a mac, and it was an XP system scanner or whatever.

  7. I just got the same treatment from them via salary.com and I notice it didn't install anything. They have a script that just resizes the browser really small and then they put a confirmation dialog on top of it. I closed the confirmation window and it resized my browser to the height and width of my screen and claimed to be scanning my computer. Nonsense. Nonsense that it is scanning and bigger, infuriating nonsense that such ads exist. I am going to filter them out with my ad blocker, and I am a bit glad that now I have something new to look for, in case someone else tries this sort of thing.

  8. This popup is Trojan Horse malware; users should close the window and not use any buttons presented in the main popup.

    Occurred twice this weekend on ST site.

    Sent the webmaster a notice.

  9. This is fraud. It supposedly "scanned" my computer and told me that I had 3 or 4 Windows viruses and needed to run their anti-virus. I run Linux.
    The "antivirus" scan is nothing but a canned Javascript program that makes it look like it's scanning things, but is really doing nothing.
    Assume this is a malicious site, do NOT download anything from it (even though it tries hard to force you to), and complain to the site owner.

  10. I've seen several versions of the install file over the past week which is an indication that someone is up to no good.
    The source was: hxxp://xponlinescanner.com/2008/download

    XPantivirus2008_v77011816.exe
    XPantivirus2008_v880136.exe
    XPantivirus2008_v77024205.exe
    XPantivirus2008_v880181.exe

    I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader.
    ~jbrown

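A small triage helper, added here as an example and not code from the blog or any commenter, that scans web-proxy log lines for the indicators the comments above report (the xponlinescanner.com host, the `_freescan.php?aid=` landing page and the `XPantivirus2008_v<number>.exe` installers) and groups hits by the referring site, which is the question several readers ask: which site's ads served it. The log format, the installer path `/2008/download/<file>`, and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (assumed format: "<time> <client> <method> <url> <referer>").
# Host, aid value and filenames come from the page; the rest is made up.
SAMPLE_LOG = """\
2008-03-23T10:01:02 10.0.0.5 GET http://www.startribune.com/nation/ -
2008-03-23T10:01:05 10.0.0.5 GET http://xponlinescanner.com/2008/1/_freescan.php?aid=77024204 http://www.startribune.com/nation/
2008-03-23T10:01:40 10.0.0.5 GET http://xponlinescanner.com/2008/download/XPantivirus2008_v77024205.exe http://xponlinescanner.com/2008/1/_freescan.php?aid=77024204
2008-03-23T11:15:00 10.0.0.9 GET http://www.jsonline.com/story/ -
2008-03-23T11:15:03 10.0.0.9 GET http://xponlinescanner.com/2008/1/_freescan.php?aid=880136 http://www.jsonline.com/story/
2008-03-23T12:00:00 10.0.0.7 GET http://example.org/index.html -
"""

ROGUE_HOST = "xponlinescanner.com"
INSTALLER_RE = re.compile(r"/XPantivirus2008_v(\d+)\.exe$")

def is_rogue_host(host):
    # Exact match or subdomain only; a plain endswith() would also match look-alike hosts.
    return host is not None and (host == ROGUE_HOST or host.endswith("." + ROGUE_HOST))

def classify(url):
    """Return (kind, ident): 'landing' with its aid, 'installer' with its
    version-like number, 'other' for any other hit on the rogue host, else (None, None)."""
    parts = urlsplit(url)
    if not is_rogue_host(parts.hostname):
        return None, None
    m = INSTALLER_RE.search(parts.path)
    if m:
        return "installer", m.group(1)
    if parts.path.endswith("_freescan.php"):
        return "landing", parse_qs(parts.query).get("aid", [""])[0]
    return "other", ""

def triage(log_text):
    """Collect rogue-host hits and map each non-rogue referring site to the clients it exposed."""
    hits, by_referrer = [], defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash mid-run
        ts, client, _method, url, referer = fields
        kind, ident = classify(url)
        if kind is None:
            continue
        hits.append((ts, client, kind, ident))
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host and not is_rogue_host(ref_host):
            by_referrer[ref_host].add(client)
    return hits, dict(by_referrer)
```

Run against real proxy logs, the referrer map points at the embedding sites (the ad-carrying pages) rather than the rogue domain, and the per-hit identifiers let you tell landing-page views from actual installer downloads.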
  11. Started this weekend on the jsonline.com (Milwaukee Journal Sentinel) site. Complaint has been filed with site owner.

  12. I just received it this morning. But I believe this one actually popped up while I was on Photobucket.

    I closed it but it just opened into a window saying it was scanning and then I just closed it again. I'm hoping it didn't do anything else.

  13. I got it on JSOnline and a music lyrics website called "letssingit.com."

  14. I just got this on a livejournal user's page. It had pictures from photobucket, ads from google, and javascript from snap.com for I'm not sure what.

  15. I've never heard of or been to the Star Tribune website, but this pop up has appeared on starting up firefox on both a Linux and a Mac computer. I don't use MS Windows.

    It would appear that this is wider spread than just a rogue web site.

  16. A new anonymous person here. It just happened to me when I was trying to connect to LiveJournal. Looks like it's getting around...

  17. I love the fact that it tries to pull this crap on my Mac. Never mind the fact that I'm running Safari, the malware spammer doesn't seem to bother checking what OS it's trying to chum. I'm sorry, I don't have any sort of DLLs, C:, or Local Settings. Windows-style pop-up dialogs on a Mac is even funnier.

  18. Car Domain has it as a popup as well.

  19. Metacritic.com is also featuring this nasty dialog warning box. I sincerely hope it does not feature a self-installing component, as I clicked 'cancel' when it popped up.

  20. I got the same thing and I was on The Sporting News website. It is definitely not limited to one site.

  21. my website is also hijacked by xponlinescanner.com :-(

    Does somebody know what to do?

  22. I got that popup many months ago, but I don't know which site it originated from, and since then my computer lost its main user profile. So everything that is now saved, which is now on the temp profile, all gets deleted. /:
    And now I just received it again and I was on Photobucket.
    It's getting ridiculous and I need my main login again, but I don't know how to do that without paying lots of money to fix it.

  23. I have just received this very misleading pop-up. Thank god I decided to google it first. I have submitted the info to Symantec people. Let's see what they have to say.
    Thank you very much for your blog.

  24. I just got the http://xponlinescanner.com/2008/1/_freescan.php?aid=77024204
    error with the 4 virus warning and popup to download their software. I was/am using firefox and was looking at my photobucket account.

    It startled me because the wording is somewhat tricky in how to 'exit' it, so I just clicked the X (hope that didn't dispense anything) and shut down firefox and ran a couple of my virus protections.

    WHAT IS THIS AND WHERE IS IT COMING FROM? (Not yelling, per se, but VERY curious)

    I couldn't even find it on major geeks!

  25. DO NOT INSTALL THIS!

    Go to your task manager and close whatever internet program you were using when you got this.

    This will infect your computer.

  26. I got that same warning message when I went to photobucket.com

  27. Look here if you have been infected with this. Hopefully you have not.

    http://www.spyware-techie.com/how-to-remove-xponlinescannercom/

    or just google xponlinescanner.com

    it brings up lots of results.

  28. I'm pretty sure that this exploit is not caused by how much crap is on a LiveJournal page. I was going through my friends list and I got the pop-up as well--and I usually get it on Safari, not Firefox (since I upgraded to the latest beta). It's the work of Russian mafia scammers trying to make a buck.

  29. This crap has been embedded in ads displayed from advertisers. It is happening all over the place. The good news is that most ad firms are catching on.

    Hope that helps. It has nothing to do with the site itself you may be visiting at the time.

  30. I had a TON of windows pop up when I started AOL a few weeks ago. I had to shut AOL down to get them to stop. This morning when I started AOL, I got the XPONLINESCANNER message that all of you have gotten. Every time I tried to close it, it popped up in a different window. I finally got it to close, but it took a while. I googled it, and found this site. Thanks for all the info posted, and I will surely warn everyone I know about this. Also, thanks to whoever posted the site for the removal tool. I am going to give it a shot as soon as I am done writing this.

  31. It's obviously malware... Fake website, all links on it lead to the download box.

    And to top it off, I was using Linux when it popped up. It can't scan something it wasn't supposedly designed to scan... :) Windows incompatibility ya know...

  32. Well, it's happening again at Star Trib, it's done it to me twice in the past day, trying to take me to xponlinescanner.com. Grr.

  33. The StarTribune has tried to give me the Antivirus XP malware twice today on separate PCs and twice last week. I'm still trying to identify what pages I'm sitting on etc., but it has consistently been StarTribune handing out malware.

  34. I had it happen to me on StarTribune.com yesterday. I was using Safari on my Mac. How frustrating.

    Should I find a new place to read my news?
