Comments on ‘Mass compromise powers massive drive-by download attack’

Invasion of the password snatchers

Published Thursday 13th March 2008 12:10 GMT


FFS 

By Andy Turner
Posted Thursday 13th March 2008 12:41 GMT

Malware is fast overtaking spam as an absolute pain in the arse. People should be shot for this kind of thing.

@ Andy Turner 

By Rob
Posted Thursday 13th March 2008 13:37 GMT
Go

"Malware is fast overtaking spam as an absolute pain in the arse. People should be shot for this kind of thing."

If it's any consolation, in China there's a good chance that they will be. ISTR that the usual protocol involves sending their families a bill for the bullet...

Play the shame game 

By Del Merritt
Posted Thursday 13th March 2008 13:46 GMT
Linux

So where's the list of sites affected? All that is spread is FUD if you don't make clear who/what to avoid.

If a truly "major" site was infected, it's important for its visitors to know.

Of course, all of the references at McAfee's Avert Labs appear to point to ActiveX - not a problem for this Linux fanboy - but unfortunately I have friends and relatives using Winblows, and if there's a reasonable chance that one of these 10,000 sites is on their list of regulars, I'd like to forewarn them appropriately.

Spam = Malware = Spam 

By Hugh Fiske
Posted Thursday 13th March 2008 13:50 GMT
Paris Hilton

They're inextricably linked and often come from the same gangs. Firefox + Noscript should prevent most malware redirection attempts, we need to spread the word.

Paris? Already being spread.

Trusted websites?? Didn't know they existed.

By Robbie
Posted Thursday 13th March 2008 14:00 GMT
Paris Hilton

Again they target "Trusted" websites.. maybe people should stop using the term "trusted website" and use something like "seems to work so far".

Paris because even she knows better.

Shooting bastards... 

By Trygve Henriksen
Posted Thursday 13th March 2008 14:12 GMT

Yes, we should start shooting malware creators and other low-life.

And we should start by shooting those who run 'bulletproof hosting' services. They're the easiest of the low-life to be found.

Without those servers, it would be very difficult for Pill-peddlers and other low-life to set up shop, and without shops, why bother to send out SPAM?

The same goes for Malware. Many of them also need a 'discreet' hosting service. And if they can't get hosting for their files...

There's also the 'Dynamic DNS' services.

This is sometimes used to point idiots (those who read spam) to 'shops' hosted on compromised servers or PCs.

These services are really meant for 'low volume' usage (someone accessing his PC from the office, a 'home-brewed' game server or that sort), so it should be possible for them to 'switch off' the translation of a particular server name if the activity suddenly peaks...

Why don't they?

An unfortunate new trend 

By Andy Enderby
Posted Thursday 13th March 2008 14:18 GMT

There seems to be a trend of attacking web communities developing right now. I traced the miscreants responsible for an attack on two communities I deal with as a punter back to sites allied to the RBN (Russian Business Network), and am of the opinion that this is far from unique. After all, the returns are potentially far higher - the perps know the central themes in the community fora and can target scams more accurately. More return, less work.

Trusted Websites ? That's an oxymoron isn't it ? In the case above though, I was one of the few that got away without getting compromised.

RE: Play the shame game 

By ImaGnuber
Posted Thursday 13th March 2008 15:33 GMT
Dead Vulture

"So where's the list of sites affected? All that is spread is FUD if you don't make clear who/what to avoid."

Exactly. Warnings without names are pointless noise. Please don't waste our time.

Linux? Maybe, maybe not 

By Anonymous Coward
Posted Thursday 13th March 2008 15:55 GMT
Linux

As a "Linux Fanboi", I'd have to say that currently Linux users have some protection from this---but although I believe *nix is generally more secure, if it had anywhere near the popularity that Windows has with end-users, I'm sure there would be many more exploits. Right now its comparative rarity and the lack of total interoperability between different flavors of Linux makes it more secure.

For everyone, I'd personally recommend Firefox and a script blocker like "NoScript". IE's headed in the right direction, but the annoying and worthless popups that you have to click through to get anything to work cause them to undermine their own usefulness---after a while, people will blindly just 'click it' when IE "cries wolf", or lower their security settings out of annoyance when they get a bland and uninformative warning every time they try to do something.

I recently installed the beta of XP SP3 on one of my Windows boxes, and the generic warning to the effect of: "this contains a potential security risk" when doing something as innocuous as copying files across the network is useless and maddening...

China Domain? 

By Biton Walstra
Posted Thursday 13th March 2008 16:22 GMT
Alert

And where is the pointing China Domain?

If we got this info we can block out going traffic to it...

Surely Phorm 

By Anonymous Coward
Posted Thursday 13th March 2008 16:31 GMT
Coat

Would have protected us. With this wonderful antiphishing service of theirs.

Firefox + NoScript ... 

By vincent himpe
Posted Thursday 13th March 2008 17:39 GMT

Simply run Opera. Problem solved.

A Modest Proposal 

By Morely Dotes
Posted Thursday 13th March 2008 17:45 GMT
Heart

OK, *another* Modest Proposal:

Both US and UK Special Operations teams need lots of training in order to stay sharp for real warfare.

I suggest those teams be assigned to identify all members of the RBN, hunt them down, and capture, or if capture is not practical, kill them.

And I really am serious. Wipe out the RBN and you'll eliminate a huge volume of spam, and make it possible for Joe Sixpack to pay his mortgage (because he didn't stupidly get fleeced by an RBN spammer).

Once the RBN is down, move on to the next-largest spam/malware gang. Lather, rinse, repeat.

The heart icon, because that's what I want: The warm, still-beating hearts of the RBN members ripped from their chests on live Webcam.

Only IE seems to be affected. 

By John Rotomano
Posted Thursday 13th March 2008 19:31 GMT
Linux

From the original report by McAfee Avert Labs, it seems that only users running Internet Explorer would be affected, since the exploits use ActiveX controls that are not implemented in Mozilla browsers. The attack involves injection of script into a valid web page to include a reference to a malicious .JS file which loads an HTML file that attempts to exploit vulnerabilities such as:

* MS06-014

* RealPlayer (ActiveX Control)

* Baofeng Storm (ActiveX Control)

* Xunlei Thunder DapPlayer (ActiveX Control)

* Ourgame GLWorld GlobalLink Chat (ActiveX Control).

So you should be safe if you use any non-Microsoft browser (like Firefox, or any Mozilla browser).

And the servers? 

By Olivier
Posted Thursday 13th March 2008 22:57 GMT
Black Helicopters

The "vulnerable" servers are likely to be (again) LAMP servers. If this could make the penguins shut up a bit.. The last infection of this kind was based on a Linux kernel rootkit ..

Double hit for Microsoft 

By Anonymous Coward
Posted Friday 14th March 2008 00:16 GMT
Pirate

Not only are the exploits used to infect users all in IE but all the infected sites are using ASP. So both their client and server software is vulnerable ... terrific.

I'm surprised Microsoft doesn't just move into the malware and virus business full time! They are missing out, everyone is exploiting the potential to make money from their software and they aren't taking their cut?

To all calling for death to the scum 

By Steve Roper
Posted Friday 14th March 2008 01:19 GMT
Go

I'm very pleased to see my recent campaigns to institute public execution of these filth seem to be gaining support! My preferred method is mass public hanging; it's more spectacular and dramatic than shooting. :D So, all together now... 1... 2... 3...

Ch-klick... HOCK! OOOORRRRAAAAAYYYYYYY!!

Why do ISP not just block this server 

By Anonymous Coward
Posted Friday 14th March 2008 02:28 GMT
Thumb Down

End Done Fin

Is Noscript really a panacea? 

By Tony W
Posted Friday 14th March 2008 09:14 GMT
Unhappy

So many sites rely on scripts that I have scripting allowed on many of the sites I visit. Then if the evil script is hosted by the site I am visiting, Noscript won't help.

We shouldn't use the phrase "Trusted site" 

By Dr Patrick J R Harkin
Posted Friday 14th March 2008 09:29 GMT

If your PC is connected to the Real Internet (as opposed to the Happy La La Internet some people seem to think is out there) it should be hardened against malware so that if you ever click on an inappropriate link in Google you don't get hosed. You can't reliably avoid "untrusted sites"; you need to be prepared for the day you accidentally end up on one.

If you need me, I'll be in the basement, stockpiling canned food and dried goods.

Yes, NoScript is effective in this case too 

By Giorgio Maone
Posted Friday 14th March 2008 09:55 GMT
Happy

@Tony W:

in all these attacks the malicious scripts, even if embedded in "trusted" pages, are actually loaded from sites you're very unlikely to have ever heard of, hosted in obscure Chinese servers.

When you allow the "trusted" page to execute JavaScript, NoScript still prevents 3rd party scripts from loading unless you explicitly allow them too one site by one: hence yes, NoScript is an effective protection in this case as well.
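Two of the comments above describe the same mechanism from opposite sides: John Rotomano's, where the injected script on a legitimate page is only a reference to a .JS file hosted elsewhere, and Giorgio Maone's, where NoScript treats such off-site script includes as third-party and blocks them even on a page the user has allowed. The following is an added example written for this thread, not code from The Register, McAfee or the NoScript project: a small standard-library Python audit that pulls every `<script src>` out of a page, resolves it against the page's own URL, and classifies it as first-party, explicitly allowed, or third-party. The sample page, the hostnames in it and the allow-list are constructed placeholders, not sites named in the thread.

```python
"""Classify <script src="..."> references in an HTML page as first-party,
allowed, or third-party.

Added illustration for the comment thread; not code from NoScript or from
the McAfee report.  Hosts below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value)


def script_sources(html_text):
    """Return the raw src values of all external scripts on the page."""
    parser = ScriptCollector()
    parser.feed(html_text)
    parser.close()
    return parser.srcs


def host_of(url):
    """Lowercased hostname of an absolute URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def classify_scripts(page_url, html_text, allowed_hosts=()):
    """Return (src, host, verdict) for each external script on the page.

    verdict is 'first-party' when the script comes from the page's own host,
    'allowed' when the host is on the caller's allow-list, and 'third-party'
    otherwise.  Third-party entries are what a NoScript-style policy blocks
    by default, and what a site owner auditing for injected includes should
    look at first.
    """
    page_host = host_of(page_url)
    allowed = {h.lower() for h in allowed_hosts}
    results = []
    for src in script_sources(html_text):
        # urljoin resolves relative ("/js/x.js") and protocol-relative
        # ("//cdn.../x.js") references against the page URL.
        host = host_of(urljoin(page_url, src))
        if host == page_host:
            verdict = "first-party"
        elif host in allowed:
            verdict = "allowed"
        else:
            verdict = "third-party"
        results.append((src, host, verdict))
    return results


def third_party_hosts(page_url, html_text, allowed_hosts=()):
    """Set of off-site hosts the page would load script from: the audit output."""
    return {host for _, host, verdict in
            classify_scripts(page_url, html_text, allowed_hosts)
            if verdict == "third-party"}


# Constructed sample: a legitimate-looking page with one injected include.
SAMPLE_PAGE_URL = "http://www.example-shop.test/catalogue/index.asp"
SAMPLE_HTML = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://www.example-shop.test/js/cart.js"></script>
<script src="//cdn.example-analytics.test/track.js"></script>
</head><body>
<p>Welcome</p>
<script src="http://injected-host.invalid/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, host, verdict in classify_scripts(
            SAMPLE_PAGE_URL, SAMPLE_HTML,
            allowed_hosts=["cdn.example-analytics.test"]):
        print(f"{verdict:12} {host:32} {src}")
```

Run against a copy of each page on a site (or a crawl of it), the `third_party_hosts` set is the review list: every host in it is one the site owner either knowingly embeds or needs to explain. That is the same distinction NoScript draws at the client, which is why allowing the page itself does not also allow the injected include.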
