Last week I ran into a Firefox attack while browsing a local website. I posted about it in XPonlinescanner.com: Malware infection on Star Tribune and other news sites.
I figured I'd hear something more about this, but a Google search today only shows my original post. So maybe I was imagining things.
Except my original post continues to attract about one comment a day, along the lines of:
I've never heard of or been to the Star Tribune website, but this pop-up has appeared on starting up Firefox on both a Linux and a Mac computer. I don't use MS Windows.
It would appear that this is more widespread than just a rogue website.

I just received it this morning. But I believe this one actually popped up while I was on Photobucket. I closed it but it just opened into a window saying it was scanning and then I just closed it again. I'm hoping it didn't do anything else.

Started this weekend on the jsonline.com (Milwaukee Journal Sentinel) site. Complaint has been filed with site owner.
I've seen several versions of the install file over the past week, which is an indication that someone is up to no good.

The source was: hxxp://xponlinescanner.com/2008/download

XPantivirus2008_v77011816.exe
XPantivirus2008_v880136.exe
XPantivirus2008_v77024205.exe
XPantivirus2008_v880181.exe

I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader. This pop-up is a Trojan horse malware; users should close the window and not use any buttons presented in the main pop-up.
Just got the same treatment from them via salary.com, and I notice it didn't install anything. They have a script that just resizes the browser really small and then they put a confirmation dialog on top of it. I closed the confirmation window and it resized my browser to the height and width of my screen and claimed to be scanning my computer...
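The sequence that last commenter describes (shrink the window, pop a confirm() dialog, then fill the screen and pretend to scan) is plain DOM scripting, and it can be neutralised from the browser side. The code below is an added example, not from the original post and not the ad network's script, which was never published. It wraps window.resizeTo, window.resizeBy and window.confirm so that resizes are refused and confirm() answers "Cancel" without showing a dialog; in a real browser you would call installScarewareGuard(window) from a userscript or extension content script. Modern Firefox already refuses script resizes of windows a script did not open (the about:config pref dom.disable_window_move_resize); the 2008-era builds the commenters were running did not by default. The fake window object and the replayed ad sequence are constructed for the example so that it also runs under Node.

```javascript
// Added example (not the original post's code, nor the scareware's): a guard
// that neutralises the "shrink window, confirm(), then fill the screen and
// fake a scan" trick. `win` is any object shaped like the browser `window`.

function installScarewareGuard(win, log = []) {
  const originals = {
    resizeTo: win.resizeTo,
    resizeBy: win.resizeBy,
    confirm: win.confirm,
  };

  // Refuse every script-driven resize of the top-level window.
  win.resizeTo = function (w, h) {
    log.push({ call: 'resizeTo', args: [w, h], blocked: true });
  };
  win.resizeBy = function (dw, dh) {
    log.push({ call: 'resizeBy', args: [dw, dh], blocked: true });
  };

  // Answer confirm() with "Cancel" without ever showing the dialog, so the
  // user is never tricked into clicking the scareware's "OK".
  win.confirm = function (msg) {
    log.push({ call: 'confirm', msg: String(msg), result: false });
    return false;
  };

  // Restore the real functions (e.g. on a page you trust).
  function uninstall() {
    Object.assign(win, originals);
  }
  return { log, uninstall };
}

// Constructed stand-in for `window` so the example runs outside a browser.
function makeFakeWindow(screenW = 1280, screenH = 800) {
  return {
    screen: { width: screenW, height: screenH },
    outerWidth: 1024,
    outerHeight: 700,
    resizeTo(w, h) { this.outerWidth = w; this.outerHeight = h; },
    resizeBy(dw, dh) { this.outerWidth += dw; this.outerHeight += dh; },
    confirm() { return true; }, // stands in for a user clicking through
  };
}

// Constructed replay of the behaviour the commenter describes: shrink the
// window, show a confirm(), then, regardless of the answer, fill the screen
// and claim to be scanning.
function replayScarewareSequence(win) {
  win.resizeTo(320, 200);
  const clickedOk = win.confirm('Warning! Your computer may be infected. Scan now?');
  win.resizeTo(win.screen.width, win.screen.height);
  return {
    clickedOk,
    finalWidth: win.outerWidth,
    finalHeight: win.outerHeight,
  };
}

// Run the same ad sequence against an unguarded and a guarded window.
function demo() {
  const unguarded = replayScarewareSequence(makeFakeWindow());
  const win = makeFakeWindow();
  const guard = installScarewareGuard(win);
  const guarded = replayScarewareSequence(win);
  return { unguarded, guarded, calls: guard.log };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

On the unguarded window the replay ends with the window at full screen size and confirm() "clicked"; on the guarded one the window keeps its original size, confirm() returns false, and the log records the two resize attempts and the dialog text, which is the kind of evidence to attach when filing a complaint with the site or ad network.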
I do wonder what's going on. If this is indeed a malware attack, it's interesting that it's propagating without comment across multiple sites. If it's not a malware attack, then it says something about the state of web advertising and the desperation of news sites.
Update 10/2/09: I wonder if the NYT breach of 9/15/09 was something similar...
...According to security experts, groups that are often based in Russia and Ukraine create the fake antivirus software and then recruit people to help distribute it by giving them a cut of any money made by selling the software. These so-called affiliates can mimic the advertisements of legitimate companies, learn their techniques for submitting ads to networks and sites, meddle with ad servers and then go so far as to provide customer support for people who install the software, keeping the scam running as long as possible...
Did the Strib ever realize it had been hacked? I don't think they ever admitted it.