The disk-tools.com download site installed a virus on my computer



nfriedly
05.09.2008, 01:37
Hi guys, this isn't a problem with daemon-tools itself, it's with one of the file-hosting sites that the downloads page links to.

I had an older version of firefox, and while downloading daemon tools, the site installed a program called "Antivirus XP 2008" that changed my desktop wallpaper, automatically started scanning my computer, and started popping up from the system tray telling me it found some number of viruses on my computer.

There's absolutely no question as to where the virus came from: this is on my server and it's only visited 3 sites in the past month: firefox start, daemon-tools.cc, and disk-tools.com.

If you guys need another host for the application, I have a hosting account with 1TB/month bandwidth that I'd be willing to share for free. (No advertising, just an ftp account)

Alco
05.09.2008, 13:04
DT has no relation AT ALL with: "Antivirus XP 2008".

So how could DT be involved here?

Please provide the URL where you downloaded the DT product with such problems.

Jito463
05.09.2008, 14:14
Antivirus XP 2008. That's been popping up a LOT lately at work. Also known as Antivirus Vista 2008, Antivirus XP 2009 and WinAntivirus Pro (and possibly others). Fake AV program that riddles your computer with tons of malware, trojans and viruses. Not horribly difficult to remove (others - like Virtumonde - are much harder), but still a big problem for our customers.

As Alco said, there's no way you got that from DTools. I'm 100% certain you wouldn't have got it from any of their sites.

nfriedly
05.09.2008, 15:02
No, I am 100% certain that it came from the download site for daemon tools, the one that's linked as "DOWNLOAD-MIRROR 1: CLICK HERE TO DOWNLOAD IF ABOVE LINK DOES NOT WORK " on this page: - THE DAEMONS HOME (http://www.daemon-tools.cc/dtcc/download.php?mode=ViewCategory&catid=5)

The site (or possibly one of the advertisers on the site) is infected with something that exploits security flaws in old versions of firefox and installs the "Antivirus XP 2008" program.

LocutusofBorg
05.09.2008, 15:47
we just checked the server, all files and looked for exploits,
nada, nothing.

Although we're thankful if someone points out flaws here, this
becomes more a witch-hunt with non-info.

If you have anything valid to say, please support us with more
info:

browser-version, OS version

also please store the site for deeper investigation that exploited
you - please contact us at: support@daemon-tools.cc

and then we give you instructions how you can submit
the site-sourcecode so we can take a look at it.

Please note that from the several thousand! of downloaders (daily!),
NO ONE reported anything. Of course we take every info
seriously, but I must point out that it's very suspicious that
no one except you detected such behaviour.

So for now let's see what you can submit to us - without further
proper info, we're unable to help you

nfriedly
05.09.2008, 18:30
I spent some time uninstalling and reinstalling old versions of firefox and java trying to get it to happen again and I couldn't, so maybe it's been fixed already. (I was on firefox 1.5.0.3, not sure which version of java, but I know I got java updates yesterday also.)

I found a couple other reports that one of their advertisers, clicksor was installing malware through a java exploit: Malicious Advertising - B.I.S.S. Forums (http://www.bluetack.co.uk/forums/index.php?showtopic=18462) and Flash Mystery - B.I.S.S. Forums (http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064) (it's way down the page, control+f for clicksor)

also, if anybody else gets "antivirus xp 2008", this program gets rid of it: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

Alco
05.09.2008, 19:56
.....

The site (or possibly one of the advertisers on the site) is infected with something that exploits security flaws in old versions of firefox and installs the "Antivirus XP 2008" program.

I found a couple other reports that one of their advertisers, clicksor was installing malware through a java exploit: Malicious Advertising - B.I.S.S. Forums and Flash Mystery - B.I.S.S. Forums (it's way down the page, control+f for clicksor)


Well then we will take it VERY seriously and we would contact clicksor about this sh.t!!!

Thanks a lot for bringing this issue to our attention!

LocutusofBorg
05.09.2008, 20:20
as you see, we already reacted and proof the whole issue, if
this is true it WILL have consequences. In no way did we ever
abuse our users. As a precaution, we have already taken that adsponsor
down. As you see we play with open cards as we always did.
Anyway, I still hope that you're wrong, it would be indeed sad.

We are aware that every now and then adsponsors on very
respected/serious sites were the target of such kind of "attacks".

Therefore our apologies and a big thank you for pointing us in the
right direction!

We will keep you informed about our results.