Why Syzygy (1000+ posts)
Sat Jan-31-09 07:34 PM
Original message: Anyone into malware sleuthing? (and gif shrinker) RevLeft
I want to make a new avatar. So, I'm looking for an application to shrink a 16 KB gif to, I guess, about 3 KB (whatever the max for DU is).
I clicked on the link in this thread (link broken to avoid inadvertent *issues*). There's nothing wrong with this site. I'm pretty sure revleft is a reputable site. However, when I clicked the link within the thread to resize the gif, I got a redirect and a pop-up that said, "Clicking cancel will cancel one download". So, I did End Task on Firefox! I've scanned, and everything is clear. I'll do a deeper scan overnight. The status bar indicates the redirect starts with "anonym.to".
Is this standard? Am I freaking out over nothing?
www. revleft. com/vb/can-you-shrink-t68557/index.html

RoyGBiv (1000+ posts)
Sat Jan-31-09 07:50 PM
Response to Original message
anonym.to is an anonymous redirector, meaning the HTTP headers are munged or in some way modified so that the referrer isn't disclosed when you hit the site where the download is.
Being into anonymity and security myself, I've used such things for completely legitimate purposes, just as I encrypt all my e-mail to anyone who can be bothered to install GPG. However, websites sometimes use these things for less than legitimate purposes.
Without having witnessed what took place, my guess is that you were redirected to the IP address where the resized graphic was, which is what was about to download. You canceled, so nothing happened, and I doubt you were infected with anything.
It's possible (pure guess as I know nothing of that site) that it was utilizing someone else's code/space/etc. and doesn't want a lot of hits showing up there that lead back to it.

Why Syzygy (1000+ posts)
Sat Jan-31-09 08:09 PM
Response to Reply #1
Appears to be a legit anonymity tool. The "download" window I got was not a Firefox download. I have pop-ups blocked. There's a thread in this forum where someone describes "canceling" a download and then became worm infected.
After browsing a bit, it does seem like something is wrong with Firefox. I disabled Java and script for now. The built-in spell checker wasn't working when I composed a PM @ DU. And now I'm not sure all my menu options are available in right click. ARGG
I'm running unprotected right now (other than ZoneAlarm) because I have an uninstall issue with AVG. I can't install another antivirus program until it completes the uninstall. Files are waiting to be deleted upon restart, but it never completes. I've OneCare scanned several times, which includes the registry, but the files remain lodged somewhere. I just haven't taken the time to investigate. Dangerous, I know.

RoyGBiv (1000+ posts)
Sat Jan-31-09 08:24 PM
Response to Reply #2
3. Well that's not good ...
It's been awhile since I've done this, but IIRC you can install Avast, and it'll do some hocus pocus with the reboot afterward where it rids your system of that. I did that on a machine once, but it was a couple years ago, and I don't remember the details, just that it took awhile.
I didn't realize this was a non-Firefox dialog box where you did the cancel. Yes, those can be the triggers for infection themselves. Just because it *says* cancel doesn't mean that's what pressing that button actually does. Was it a JavaScript popup, I take it?
Try running Firefox in safe mode.
firefox -safe-mode
None of your extensions or plugins will be loaded, and you can test basic functionality. It's a start anyway.

Why Syzygy (1000+ posts)
Sat Jan-31-09 08:52 PM
Response to Reply #3
Edited on Sat Jan-31-09 08:54 PM by Why Syzygy
I assume it was a JavaScript popup. I'm not versed in web design, so I don't know how to identify the various applications. But it was automatic, and that's what I've read about JS.
I'm glad to have read that thread. I'm fairly certain that by ending task in task manager, I avoided the potential. The spellcheck plugin is working fine in this window.
I'm going to follow up as you suggest.

RoyGBiv (1000+ posts)
Sat Feb-07-09 11:21 PM
Response to Reply #4
The "downside" to running NoScript is that you end up not witnessing a lot of the crap that takes place in the wild.
During my recent SuSE tests, I browsed the web a bit with an unmodified Firefox. I ran into one of these malware installers while doing so.
It popped up a JavaScript window that wanted me to download something, which I attempted to close, and the dialog box it presented me had both OK and CANCEL buttons that seemed to indicate one should press OK to continue closing the box. However, that was not the case. Reading it closely, I realized that pressing OK actually confirmed my desire to download something. Clicking CANCEL stopped the download, but actually clicking CANCEL opened yet another window that presented me with yet another dialog box with the options reversed again.
I avoided the problem entirely by just killing the process. Who knows how long that would have continued.
So, I can see how this kind of thing could easily happen. When one hits a site that attempts to install malware, preventing that installation can be tricky.
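The dialog trap described in reply #3 and again in reply #5, modelled as an added example in JavaScript (not code from the thread or from any site it mentions). The point it makes concrete: `window.confirm()` only ever reports true for OK or false for Cancel, and the page that called it decides what each answer means, so a button labelled Cancel cancels only if the page says so. The confirm function is injected so the model runs in Node without a browser; the dialog wording, the three visitor strategies, the 20-round cap and the way the browser's "prevent additional dialogs" option is modelled are assumptions made for this example.

```javascript
// Added example, not code from the thread or from any site mentioned in it.
// Models the page described in replies #3 and #5: the page owns the dialog
// text and decides what OK and Cancel mean. `ask` stands in for
// window.confirm and returns true (OK) or false (Cancel).

// Thrown by a visitor who stops reading dialogs and ends the browser task.
class EndTask extends Error {}

// A page that does not take no for an answer. Whenever the visitor picks the
// button the text calls harmless, the page reopens the box with the meaning
// of the two buttons swapped, as reply #5 describes.
function nagUntilDownload(ask, startDownload, maxRounds) {
  let okMeansDownload = true;
  for (let round = 1; round <= maxRounds; round++) {
    const text = okMeansDownload
      ? "Press OK to install the viewer, or Cancel to close this message."
      : "Press OK to close this message, or Cancel to stop.";
    const pressedOk = ask(text);
    // The page, not the button label, decides what the click meant.
    const consented = okMeansDownload ? pressedOk : !pressedOk;
    if (consented) {
      startDownload();
      return true;
    }
    okMeansDownload = !okMeansDownload;
  }
  return false;
}

// Four people at the keyboard (constructed strategies).
const USERS = {
  // Reads each dialog and presses whatever it says will close the box.
  readsLabels: (text) => /OK to close/.test(text),
  // Reflexively presses Cancel, trusting the label.
  alwaysCancel: () => false,
  // Reflexively presses OK.
  alwaysOk: () => true,
  // Ends the browser task instead of answering (what both posters did).
  // Modelled by aborting the page script: nothing after this point runs.
  endsTask: () => { throw new EndTask("end task"); },
};

// Models the browser's "prevent this page from creating additional dialogs"
// option. Assumption of the model: once ticked, confirm() shows nothing and
// returns false, which the page is free to read as Cancel.
function withDialogLimit(ask, limit) {
  let shown = 0;
  return (text) => (shown++ < limit ? ask(text) : false);
}

// Run one visitor against the page and report how it ended: whether a
// download was started, how many dialogs appeared, and whether the visitor
// killed the browser.
function visit(user, maxRounds = 20) {
  let rounds = 0;
  let downloads = 0;
  const counted = (text) => { rounds++; return user(text); };
  try {
    const downloaded = nagUntilDownload(counted, () => { downloads++; }, maxRounds);
    return { downloaded, rounds, downloads, killed: false };
  } catch (e) {
    if (!(e instanceof EndTask)) throw e;
    return { downloaded: false, rounds, downloads, killed: true };
  }
}
```

Running the four visitors shows the shape of the trap: the reflexive OK presser is caught on the first dialog, the reflexive Cancel presser on the second (the first reversed round), and the visitor who reads every label is never caught but never gets out either. The caveat worth knowing is the suppression case: when the browser stops showing dialogs and answers false on the page's behalf, a page that has just swapped the buttons reads that false as consent, so the page's script still reaches its download step. Ending the task is the one move the page cannot reinterpret, because no further script runs to misread anything.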

Why Syzygy (1000+ posts)
Sat Feb-07-09 11:41 PM
Response to Reply #5
That's why I also canceled the process. I found Google Reader uses Java, so I turned it back on.