The Rolex Forums

Announcements/feedback & support
Old 10 December 2011, 01:21 AM   #1
thecentennial
"TRF" Member
Join Date: Feb 2011
Real Name: Anthony
Location: UAE
Watch: PAM312M
Posts: 67
Google flagged rolexforums as dangerous..

?? Riddled with Trojans and malware..

Just happened today??
Old 10 December 2011, 01:28 AM   #2
AAP8
"TRF" Member
Join Date: Dec 2010
Real Name: AP
Location: Cleveland, OH
Watch: SubC LN
Posts: 428
Yeah, Firefox made me accept the "risk"
Old 10 December 2011, 01:28 AM   #3
77T
2024 SubLV41 Pledge Member
Join Date: Dec 2010
Real Name: PaulG
Location: Georgia
Posts: 42,013
Guys - did you miss the long thread on this starting yesterday?
__________________


Does anyone really know what time it is?
Old 10 December 2011, 01:30 AM   #4
thecentennial
"TRF" Member
Join Date: Feb 2011
Real Name: Anthony
Location: UAE
Watch: PAM312M
Posts: 67
..must have done..will have a look for it. Do you have a link?
Old 10 December 2011, 01:49 AM   #5
thecentennial
"TRF" Member
Join Date: Feb 2011
Real Name: Anthony
Location: UAE
Watch: PAM312M
Posts: 67
Ok. Up to speed. Looks like it's an ongoing issue. Will only access through iPad until confirmed remediated.
Old 11 December 2011, 12:37 PM   #6
Lol-x
Facilitator
Join Date: Nov 2005
Real Name: Steve
Location: Omnipresent
Posts: 33,587
The issue has been resolved.
It was associated with Tapatalk.
For the time being Tapatalk has been removed from the forum.

Google takes a couple of days to remove the 'malware' warning.

No accounts have been compromised and it should all be back to normal.
__________________

Most folks are about as happy as they make up their minds to be. ~Abraham Lincoln
Nothing compares to the simple pleasure of a bike ride. ~John F. Kennedy

ROLEXploitation - yeah I'm a victim
Old 11 December 2011, 01:11 PM   #7
john333
2024 SubLV41 Pledge Member
Join Date: Aug 2011
Location: Gotham
Posts: 1,274
Thanks Steve!!
Old 11 December 2011, 01:40 PM   #8
2careless
"TRF" Member
Join Date: Dec 2007
Location: Melbourne, AU
Watch: Pepsi
Posts: 4,370
FWIW... what I have found:
1. In Dec 08 to Dec 10, someone registered a number of domain names, all using fake credentials/IDs, e.g. ioiscaeomc.com and sjrenoopoeis.com (these 2 were the ones I captured, there should be more). When accessed with a specific URL, they come back with a Javascript payload - the first domain's server is in Romania.
2. We saw the Google warning on Firefox. If we ignored the warning and continued to access TRF, our browser would connect into 2 external non TRF locations:
a. http://api.twitter.com/1/trends/daily.json?... - this looks like a twitter daily "hot" topic feed, and
b. http://<one of the above sites in 1)>/index.php?tp=... and a payload will be downloaded to the computer and executed. I don't know what the payload does as I am not skilful enough to understand it, albeit I have saved a capture of this payload.
It is possible that these 2 external accesses were related to Tapatalk, and I have checked and can confirm that there is no such access with the current TRF code anymore.

However, I do think this is serious - someone obviously registered those domains to engage in criminal activities, and the attacks are "freshly baked" and used right away. Since malware sites were accessed, there is a distinct possibility that our computers may have been compromised. Note that those malware sites are not flagged by any anti virus or anti spam detectors. Googling those 2 domain names doesn't reveal anything, but when I dug into the registration details, the "owners" of these 2 domains are related to malware. My hat's off to Google for being able to detect this malware.

My recommendation is - review your anti spam, anti virus installation - change your passwords on your financial accounts from a computer you know you have not used to access TRF.
Old 11 December 2011, 07:28 PM   #9
Lol-x
Facilitator
Join Date: Nov 2005
Real Name: Steve
Location: Omnipresent
Posts: 33,587
No accounts have been compromised.
No one has lost any information or data.
No one has had any of their private information utilised.

It is one thing to take measured precautions, it's another thing altogether to create panic when I know no panic is required.

The source of the issue 'Tapatalk' has been removed for the time being.
Google has triggers to flag a site with 'malware' and properly Google indicated malware.
However that did not in these circumstances indicate that any passwords or personal information was being stolen.

It's about dealing with facts.
__________________

Most folks are about as happy as they make up their minds to be. ~Abraham Lincoln
Nothing compares to the simple pleasure of a bike ride. ~John F. Kennedy

ROLEXploitation - yeah I'm a victim
Old 11 December 2011, 08:44 PM   #10
dysondiver
"TRF" Member
Join Date: Jul 2010
Real Name: tom
Location: northern ireland
Watch: my fins
Posts: 10,063
Nice to see things are back to normal. By the way, what language is the above post or two in? I didn't get a word of it.
Old 11 December 2011, 10:00 PM   #11
2careless
"TRF" Member
Join Date: Dec 2007
Location: Melbourne, AU
Watch: Pepsi
Posts: 4,370
The following is quite IT intensive. If IT / technical stuff is not your cup of tea, jump to the last paragraph.

I can only go from what I have seen using my tools. I use Fiddler2 as my web debugger and the following is a snapshot of the trace I got for accessing TRF from the latest Firefox yesterday, starting from the Google warning screen. (The lines with avast.com are things that my antivirus program does in the background - webrep is the web reputation index, for example).

[Fiddler2 trace screenshot]

From #8 up to #11, it's the vbulletin code.
#12 is the tapatalk detection javascript.
#13 is the banner at the top of TRF home page (the banner changes every load so it's called rotatebanner :-)
#14-15 also TRF vbulletin code.
#16-17 - the twitter stuff. See https://dev.twitter.com/docs/api/1/get/trends/daily; this is a report of some daily trends on Twitter. I have no idea what it does, why they are there or why there are two of them. I can only speculate this is a seed for the malware to mutate.
#18 - the malware download. There is a payload from this domain sjrenoopoeis.com.
I've captured this particular payload and it's some javascript. Note that on the right the content type was listed as "text/html" so there is a type mismatch and firefox didn't execute it, but on older browsers, this may not be the case.
The payload has approx 100kbyte of obfuscated Javascript code. I can forward it to the more technically minded on request, as I have no idea what it does but I can say 99.99% it's of no good.

One may say that when they accessed TRF, there were absolutely no references to twitter or this sjrenoopoeis.com anywhere in the page source. Well, I had the same doubt and I couldn't explain why it's not there.
However, I have repeated the above opening of TRF home page many times yesterday and every time those 3 extra lines were there in my capture.

This is not just the capture from fiddler. I also did network sniffing and the raw ethernet packets were indeed going to those sites. It's not a figment of my imagination.

My conclusion is that my firefox browser loaded references to those sites after initiating a connection into TRF, and my firefox dutifully accessed those twitter and sjrenoopoeis.com pages. The payload was NOT in TRF, but I can say my browser was "directed" by the TRF web page to "go fetch the payload" from those other sites.

Switch back to this sjrenoopoeis.com site. A whois search shows the registrant as:
Mike razov razou63h@yahoo.com +1.8002360481
resseler
4175 Market Road
Mechanicsville VA US 23111
Domain Name: SJRENOOPOEIS.COM {sjrenoopoeis.com }
Registration Date : 2011-12-10
Expiration Date : 2012-12-10
Last update :2011-12-10 01:30:01

It was registered yesterday and got put to use right away! Googling sjrenoopoeis.com shows nothing but googling "razou63h@yahoo.com" showed up with malware references everywhere (don't click on any of the answers - they may be malware sites themselves!) There is no doubt that this site has malware written all over it.

This episode is not just an attack on TRF. It is also an attack on TRF members. The main targets are TRF members with vulnerable computers (e.g. unpatched PCs, old versions of IE / Firefox / other browsers).

So, my recommendation is still the same. If a member has accessed TRF after ignoring the malware warnings, it is possible his/her computer has been infected, and a full antivirus / anti malware clean is advised, as well as changing passwords with bank accounts (do it from a different computer that has not accessed TRF recently) and keep an eye on your transactions. Also note that antivirus companies can take a few days to analyse this malware so one may need to do another virus/malware sweep in 1-2 weeks' time. Last, if your computer is not patched up to date, you may want to reconsider your options. The Internet is NOT a safe place.
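Added example (not from the thread or any of its posters, and also covering the earlier summary in post #8): a small Python triage script that applies the three signals 2careless reports above to each request in a proxy trace, flagging a third-party host the page source never references, a script body served as text/html, and a destination domain registered within days of the capture. The forum host, page source, trace entries and whois dates are constructed stand-ins; only sjrenoopoeis.com and its 2011-12-10 registration date come from the post.

```python
"""Triage checks for a proxy trace of one page load, applying the signals
described in the post above: a request to a host the page source never
references, a script body served as text/html, and a destination domain
registered only days before the capture. All sample data is constructed."""
from datetime import date
from urllib.parse import urlsplit

FIRST_PARTY = "forum.example"   # assumed stand-in for the forum's own host
OBSERVED = date(2011, 12, 11)   # day the trace was captured (constructed)

# Constructed first-party HTML: the only hosts the page itself references.
PAGE_SOURCE = """<html><head>
<script src="http://forum.example/clientscript/vbulletin_global.js"></script>
<script src="http://forum.example/tapatalkdetect.js"></script>
</head><body><img src="http://forum.example/rotatebanner.php"></body></html>"""

# Constructed trace entries: (url, Content-Type header, start of response body).
TRACE = [
    ("http://forum.example/index.php", "text/html", "<!DOCTYPE html>"),
    ("http://forum.example/clientscript/vbulletin_global.js",
     "application/javascript", "var VB_API = {};"),
    ("http://forum.example/tapatalkdetect.js", "application/javascript",
     "function detect() {"),
    ("http://forum.example/rotatebanner.php", "image/jpeg", "\xff\xd8\xff"),
    ("http://api.twitter.com/1/trends/daily.json", "application/json",
     '{"trends": []}'),
    # a script body declared as text/html: the mismatch the post notes for #18
    ("http://sjrenoopoeis.com/index.php?tp=placeholder", "text/html",
     "eval(unescape('%66%75%6e%63'));"),
]

# Constructed whois lookups keyed by registrable domain; the sjrenoopoeis.com
# date is the one quoted in the post, the twitter.com date is a placeholder.
WHOIS = {"sjrenoopoeis.com": date(2011, 12, 10), "twitter.com": date(2000, 1, 1)}

SCRIPT_TYPES = {"application/javascript", "text/javascript",
                "application/x-javascript"}
SCRIPT_PREFIXES = ("eval(", "function", "var ", "(function", "document.write")

def registrable(host):
    """Crude registrable domain: the last two labels (enough for .com hosts)."""
    return ".".join(host.lower().split(".")[-2:])

def looks_like_script(body):
    """Body starts the way JavaScript typically does."""
    return body.lstrip().startswith(SCRIPT_PREFIXES)

def content_type_mismatch(ctype, body):
    """Script-looking body whose declared type is not a script type."""
    declared = ctype.split(";")[0].strip().lower()
    return looks_like_script(body) and declared not in SCRIPT_TYPES

def domain_age_days(host, whois, observed):
    """Days between registration and observation, or None if unknown."""
    registered = whois.get(registrable(host))
    return None if registered is None else (observed - registered).days

def triage(trace, first_party, page_source, whois, observed, max_age=30):
    """Return {host: sorted findings} for every host that raised a flag."""
    findings = {}
    for url, ctype, body in trace:
        host = urlsplit(url).hostname or ""
        flags = set(findings.get(host, []))
        if registrable(host) != registrable(first_party):
            flags.add("third-party")
            if host not in page_source:
                flags.add("not-in-page-source")
        if content_type_mismatch(ctype, body):
            flags.add("content-type-mismatch")
        age = domain_age_days(host, whois, observed)
        if age is not None and age <= max_age:
            flags.add(f"registered-{age}d-ago")
        if flags:
            findings[host] = sorted(flags)
    return findings
```

Calling triage(TRACE, FIRST_PARTY, PAGE_SOURCE, WHOIS, OBSERVED) returns the flags per host; on this sample only the two external hosts are flagged, and sjrenoopoeis.com collects all four.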
Old 11 December 2011, 11:19 PM   #12
dsio
"TRF" Member
Join Date: Jun 2010
Real Name: Ashley
Location: Brisbane
Watch: Rolex Sub 1680 '79
Posts: 2,301
Quote:
Originally Posted by 2careless
[post #11 quoted in full]
You're on the money, the latest version of Chrome stopped it running but you can see where it tried:

[screenshot: Chrome]

Downloaded a fresh copy of Firefox with stock settings to see if that would run it out of the box, and sure enough:

[screenshot: Firefox]

Tried it in a couple of sacrificial windows VMs and you can see the thing connecting out to third party servers.
__________________
-- Omega Seamaster Grand-Lux Stepped Pie-Pan 14K Gold OJ2627 '53 --
-- Omega Cal 320 Chronograph 18K Gold OT2872 '58 --
-- Omega Cal 321 Speedmaster Pro 145.012 '67 --
-- Rolex Submariner 1680 "Ghost" '79 --
-- Rolex SS Daytona 116520 '04 --
Old 11 December 2011, 11:26 PM   #13
2careless
"TRF" Member
Join Date: Dec 2007
Location: Melbourne, AU
Watch: Pepsi
Posts: 4,370
Ashley, did firefox execute the payload?
Mine did download it but the payload didn't run.
Old 11 December 2011, 11:37 PM   #14
dsio
"TRF" Member
Join Date: Jun 2010
Real Name: Ashley
Location: Brisbane
Watch: Rolex Sub 1680 '79
Posts: 2,301
Quote:
Originally Posted by 2careless
Ashley, did firefox execute the payload?
Mine did download it but the payload didn't run.
Yea, it actually did, then crashed firefox (if you check the screenshot you can see firefox no longer responding). I didn't have FF installed so I just pulled it down, current version, no settings changed, ignored the warning, and it ran first go. IE7/8 in WinXP / Vista VMs did the same, didn't try anything else. It didn't get as far as connecting out or doing anything on OSX, just ran then crashed firefox, but the Windows VMs it had no problem, and you could see it establishing external connections. Most likely it only ran on a mac at all by virtue of it happening to be a .jar and being able to create a JVM process but you would imagine it was intended for windows.
__________________
-- Omega Seamaster Grand-Lux Stepped Pie-Pan 14K Gold OJ2627 '53 --
-- Omega Cal 320 Chronograph 18K Gold OT2872 '58 --
-- Omega Cal 321 Speedmaster Pro 145.012 '67 --
-- Rolex Submariner 1680 "Ghost" '79 --
-- Rolex SS Daytona 116520 '04 --
Old 11 December 2011, 11:43 PM   #15
2careless
"TRF" Member
Join Date: Dec 2007
Location: Melbourne, AU
Watch: Pepsi
Posts: 4,370
Weird.
I tested using IE9 on Win 7 64bit and it didn't even go out to the 3rd party sites.
Only firefox went out. Also only JavaScript was run, not java.
Old 11 December 2011, 11:52 PM   #16
dsio
"TRF" Member
Join Date: Jun 2010
Real Name: Ashley
Location: Brisbane
Watch: Rolex Sub 1680 '79
Posts: 2,301
Quote:
Originally Posted by 2careless
Weird.
I tested using IE9 on Win 7 64bit and it didn't even go out to the 3rd party sites.
Only firefox went out. Also only JavaScript was run, not java.
Yea, I only have IE7 and IE8 handy for browser testing, and an IE6 for the most troublesome of clients. I do a fair bit of work with JSA consulting companies (Federal Gov Job Services Australia) and they won't have even heard of IE9 until the year 2020 at the current rate; half of them still use IE6 on WinXP at 1024x768.
__________________
-- Omega Seamaster Grand-Lux Stepped Pie-Pan 14K Gold OJ2627 '53 --
-- Omega Cal 320 Chronograph 18K Gold OT2872 '58 --
-- Omega Cal 321 Speedmaster Pro 145.012 '67 --
-- Rolex Submariner 1680 "Ghost" '79 --
-- Rolex SS Daytona 116520 '04 --
Old 12 December 2011, 02:12 AM   #17
Grissom
"TRF" Member
Join Date: Oct 2010
Real Name: Nathan
Location: US, Latin America
Watch: GMT IIc 18K/SS
Posts: 3,349
What potential exposure for a Mac current on all updates

2careless, dsio.......

If a mac running OS X 10.6.8 accessed TRF via Safari 5.1.2 during this time, would that machine have been vulnerable and if so, how, and to what? I did access TRF during the first day of this, with no warning screens (interestingly under the Safari security tab, there was an error message under the checked Fraudulent Sites box which warned that Google Safe Browsing had not updated for 2 days. That error was gone the following day, and the warning screens were then popping up).

I ran ClamXav and found no issues, noticed no unusual (to me) java processes running on the machine.

Curious as to what in particular to look for, on a mac that was accessing TRF during this period.

Thanks!
__________________
(Member NAWCC since 1976)
116713LN GMT-IIc 18k/SS (Z) + 116520 SS Daytona (M) + 16700 GMT Master (A) + 16610LV Submariner (V) + 16600 Sea Dweller (Z) +
116400 Milgauss White Dial (V) + 70330N Tudor Heritage Chronograph Grey w/Black Sub Dials (J) + 5513 Submariner Serif Dial (5.2 Mil)

Who else needs an Intervention?
(109 297) (137 237) (73 115) (221) (23) (56) (229) P-Club Member #5

RIP JJ Irani - TRF Legend
Old 12 December 2011, 02:34 AM   #18
dsio
"TRF" Member
Join Date: Jun 2010
Real Name: Ashley
Location: Brisbane
Watch: Rolex Sub 1680 '79
Posts: 2,301
Quote:
Originally Posted by Grissom
2careless, dsio.......

If a mac running OS X 10.6.8 accessed TRF via Safari 5.1.2 during this time, would that machine have been vulnerable and if so, how, and to what. I did access TRF during the first day of this, with no warning screens (interestingly under the Safari security tab, there was an error message under the checked Fraudulent Sites box which warned that Google Safe Browsing had not updated for 2 days. That error was gone the following day, and the warning screens were then popping up).

I ran ClamXav and found no issues, noticed no unusual (to me) java processes running on the machine.

Curious as to what in particular to look for, on a mac that was accessing TRF during this period.

Thanks!
Seriously doubt you'd have any issues, it failed to do anything on 10.7.2 other than start and do nothing... You've checked for processes and found none anyway; if there was one you'd see it in process manager. Macs may be on the increase but they're still only about 10% of the market, and a pain in the ass to exploit, most don't bother trying.
__________________
-- Omega Seamaster Grand-Lux Stepped Pie-Pan 14K Gold OJ2627 '53 --
-- Omega Cal 320 Chronograph 18K Gold OT2872 '58 --
-- Omega Cal 321 Speedmaster Pro 145.012 '67 --
-- Rolex Submariner 1680 "Ghost" '79 --
-- Rolex SS Daytona 116520 '04 --
Old 12 December 2011, 02:41 AM   #19
Trev
"TRF" Member
Join Date: Apr 2008
Location: AU
Watch: Ω 2599.80
Posts: 387
ClamXav also finds the exploit files within the Chrome browser cache. These files were created from accessing TRF yesterday:

[screenshot: ClamXav scan results]

This does not imply the attack was successful on Chrome/MacOS.
Old 12 December 2011, 03:58 AM   #20
2careless
"TRF" Member
Join Date: Dec 2007
Location: Melbourne, AU
Watch: Pepsi
Posts: 4,370
Thx Trev!
So the exploit looks like CVE-2010-1885 and it affects Microsoft Windows XP and Windows 2003 servers. For more details see http://www.microsoft.com/security/po...-2010-1885.gen
Old 12 December 2011, 03:59 AM   #21
Grissom
"TRF" Member
Join Date: Oct 2010
Real Name: Nathan
Location: US, Latin America
Watch: GMT IIc 18K/SS
Posts: 3,349
Trev, Ashley.....Thanks! I am running ClamXav again, just to see what it finds. Yesterday, it only picked up the scammer/phishing emails I get from time to time (Banks, PayPal, and the like), and nothing else was noted to be out of the ordinary.

I never noticed anything weird, when I was on TRF the first day this began, when surfing the site....became concerned when I saw the little yellow ! triangle under the Fraudulent Sites box, in the security tab, showing me that Google Safe Browsing had not updated in 2 days.....I thought that was odd, and when I searched on that, I found nothing explaining why it would not have been updated for 2 days, nor could Apple Tech Support shed any light on that. They are the one who suggested ClamXAV........

Quote:
Originally Posted by 2careless
Thx Trev!
So the exploit looks like CVE-2010-1885 and it affects Microsoft Windows XP and Windows 2003 servers. For more details see http://www.microsoft.com/security/po...-2010-1885.gen
So based on the above, Macs should be ok, surfing with Safari, even after having been on TRF during this event?
__________________
(Member NAWCC since 1976)
116713LN GMT-IIc 18k/SS (Z) + 116520 SS Daytona (M) + 16700 GMT Master (A) + 16610LV Submariner (V) + 16600 Sea Dweller (Z) +
116400 Milgauss White Dial (V) + 70330N Tudor Heritage Chronograph Grey w/Black Sub Dials (J) + 5513 Submariner Serif Dial (5.2 Mil)

Who else needs an Intervention?
(109 297) (137 237) (73 115) (221) (23) (56) (229) P-Club Member #5

RIP JJ Irani - TRF Legend
Old 12 December 2011, 04:35 AM   #22
2careless
"TRF" Member
Join Date: Dec 2007
Location: Melbourne, AU
Watch: Pepsi
Posts: 4,370
It does look ok for Macs but it's always those that are not shown that one fears.
Be vigilant and keep up with patching.
Old 12 December 2011, 05:21 AM   #23
Grissom
"TRF" Member
Join Date: Oct 2010
Real Name: Nathan
Location: US, Latin America
Watch: GMT IIc 18K/SS
Posts: 3,349
Quote:
Originally Posted by 2careless
It does look ok for Macs but it's always those that are not shown that one fears.
Be vigilant and keep up with patching.
Just went thru my entire system.......clean bill of health! Thanks to everyone who so selflessly added their expertise!!
__________________
(Member NAWCC since 1976)
116713LN GMT-IIc 18k/SS (Z) + 116520 SS Daytona (M) + 16700 GMT Master (A) + 16610LV Submariner (V) + 16600 Sea Dweller (Z) +
116400 Milgauss White Dial (V) + 70330N Tudor Heritage Chronograph Grey w/Black Sub Dials (J) + 5513 Submariner Serif Dial (5.2 Mil)

Who else needs an Intervention?
(109 297) (137 237) (73 115) (221) (23) (56) (229) P-Club Member #5

RIP JJ Irani - TRF Legend
Copyright ©2004-2024, The Rolex Forums. All Rights Reserved.