counterfeit anti-spyware software on firefox

Asked by Chuck

I was browsing using Firefox 3 on Hardy Heron and was attacked by a counterfeit anti-spyware software that I could not remove. I restarted without effect. I never pushed any of the keys they were asking me to push to remove their fake threats. Finally, I removed Firefox and re-installed it to get rid of this problem. I have had this same thing happen on Win XP, but did not believe Ubuntu would be vulnerable. How can I prevent this in future, or how should I remove it if attacked again? What steps to protect my Ubuntu should I add? Thank you. This problem surprised me. I expect this kind of thing on Windows but not on Ubuntu.

Question information

Language: English
Status: Solved
For: Ubuntu firefox
Assignee: No assignee
Solved by: Philip Wyett
Philip Wyett (philwyett) said :
#1

Thank you for reporting this issue.

Can you supply a link to the website you were visiting at the time you saw this popup?

Regards

Phil

Chuck (chux-industryinet) said :
#2

http://scan.free-antispyware-scanner.com/110065/3/

was the site that caused the problem. How I got there is a mystery to me

Chuck (chux-industryinet) said :
#3

http://scan.free-antispyware-scanner.com/110065/3/

was the site that caused the problem. How I got there is a mystery to me

The site I was at was:
http://www.google.com/search?hl=en&q=baton+rouge+traffic+report&btnG=Google+Search#hl=en&q=louisianna+I-10++traffic+report&btnG=Search&nochrome=1

I repeat this to make sure you get it
The name was antivirus-2008

Best Philip Wyett (philwyett) said :
#4

Firstly, let me put your mind at rest: this page cannot hurt you; it is using creative scripting that locks Firefox. The mother lode is the .exe file they want you to download and hopefully run. It is this file that would have the bad stuff in it. However, if you are running Ubuntu you cannot run it unless you have Wine and ask it to install, and that I do not believe you are going to do. :-)

What I would do is add a rule to my firewall that blocks the domain supplying the download. See section 2.

See: https://help.ubuntu.com/community/Firestarter for a firewall front end you can easily add new rules in.

Regards

Phil

// Tech info below.

1) HTML of the index page of the link supplied. Note all the links to javascript (.js) files and link to the .exe file.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2"><title>Antivirus 2008</title>
 <script>var mw_texts = new Array();</script>
 <script>var install_link = 'http://dnld.securitydwl.com/load/setup_110065_3_.exe';</script>
 <script language="javascript" src="/ns/antivirus2008/brand_constants.js"></script>
 <script language="javascript" src="/ns/landing_3/mw_script/mouse_texts.js"></script>
 <link href="/ns/landing_3/mw_img/pre_load.css" rel="stylesheet" type="text/css">
 <script language=javascript>if(self.parent.frames.length!=0){self.parent.location=document.location}</script><script language=javascript>window.moveTo(0, 0); window.resizeTo(screen.availWidth, screen.availHeight);</script> <link href="/ns/landing_3/mw_win_img/window.css" rel="stylesheet" type="text/css">
 <link href="/ns/landing_3/mw_img/this_landing.css" rel="stylesheet" type="text/css">
 <link href="/ns/landing_3/mw_img/translate.css" rel="stylesheet" type="text/css">
 </head>
 <body>
<div id="preloader"></div>
 <script language="javascript" src="/ns/landing_3/mw_script/mouse_block.js"></script>
 <div class="mw_final_win" id="mw_results_window">
  <a class="mw_final_res" href="javascript:install_begun();"></a>
 </div>
 <div class="mw_window" id="mw_main_win">
   <div class="mw_win_body">
    <!--plaz-->
     <div class="mw_window_plaz">
      <div class="mw_search_left_panel">
       <a href="javascript:install_begun();" class="mw_security_panel"></a>
      </div><!-- dfsdfsdfsdfsdfsdfsdf dsf sdf sdf sdf sdfd -->
      <div class="mw_window_body">
       <div id="mw_disk_c" class="mw_wi_disk mw_hd_disk"><span class="mw_name"><span class="local_c"></span></span><span id="mw_err_1" class="mw_error"><span class="hardw_error"></span></span></div>
       <div id="mw_disk_d" class="mw_wi_disk mw_hd_disk"><span class="mw_name"><span class="local_d"></span></span><span id="mw_err_2" class="mw_error"><span class="hardw_error"></span></span></div>
       <div id="mw_disk_dvd" class="mw_wi_disk mw_dvd_disk"><span class="mw_name"><span class="local_dvd"></span></span></div>
       <div id="mw_disk_fldr" class="mw_wi_disk mw_folder_disk"><span class="mw_name"><span class="shared"></span></span><span id="mw_err_3" class="mw_error"><span class="sec_thr"></span></span></div>
       <div class="mw_disclaimer"><span class="secr_thr_fndd"></span></div>
       <div class="mw_progress_bar">
        <span class="mw_status" id="mw_status"></span>
        <div class="pb_decor"><div class="decor_lp"></div><div class="decor_rp"></div><div id="mw_progress_bar"></div></div>
        <A id="mw_cncl_but" class="mw_cancel" href="javascript:install_begun();"></A>
                                <div id="simulation_1"><span class="simulation_qts"></span></div>
       </div><!-- dfsdfsdfsdfsdfsdfsdf dsf sdf sdf sdf sdfd -->
       <div class="mw_display_filename">
        <span class="mw_status"><span class="object"></span></span>
        <span class="mw_filename" id="mw_file_name"></span>
       </div>
       <div class="mw_test_results" id="mw_inwin_results"><div class="mw_test_rez_decor"><div class="mw_res_rtc"></div>
       <div class="mw_header_f_res"><span class="hrdw_n_sec"></span></div>
        <a class="mw_remove_button" href="http://dnld.securitydwl.com/load/setup_110065_3_.exe"></a>
        <div class="mw_res_pads">
         <span class="mw_res_hdr"><span class="hrdw_errors"></span></span>
         <div class="mw_res_text"><span class="perfomance_usw"></span></div>
    <!-- dfsdfsdfsdfsdfsdfsdf dsf sdf sdf sdf sdfd -->
         <span class="mw_res_hdr"><span class="privacey_errors"></span></span>
         <div class="mw_res_text">
          <span class="spyw_ws_stol"></span>
                     Country:&nbsp;<b>United Kingdom</b><br>
                     City:&nbsp;<b>Loughborough</b><br>
                     IP Address:&nbsp;<b>82.27.239.2</b><br>
                     ISP:&nbsp;<b>NTL Internet</b><br>
         </div>
        </div><!-- dfsdfsdfsdfsdfsdfsdf dsf sdf sdf sdf sdfd -->
       </div></div>
      </div>
     </div>
    <!--//plaz-->
   </div>
 </div>
</body>
 <script language="javascript" src="/ns/landing_3/mw_script/unic_scripts.js"></script>
 <script language="javascript" src="/ns/landing_3/mw_script/text_constants.js"></script>
 <script language="javascript" src="/ns/landing_3/mw_script/file_names.js"></script>
 <script language="javascript" src="/ns/landing_3/mw_script/domFunction.js"></script>
 <script language="javascript" src="/ns/landing_3/mw_script/startafter.js"></script>
</html>

2) The domain the .exe comes from is: securitydwl.com

whois shows us:

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: SECURITYDWL.COM
   Registrar: ESTDOMAINS, INC.
   Whois Server: whois.estdomains.com
   Referral URL: http://www.estdomains.com
   Name Server: NS1.EVERYDNS.NET
   Name Server: NS2.EVERYDNS.NET
   Name Server: NS3.EVERYDNS.NET
   Name Server: NS4.EVERYDNS.NET
   Status: clientTransferProhibited
   Updated Date: 18-aug-2008
   Creation Date: 18-aug-2008
   Expiration Date: 18-aug-2009

>>> Last update of whois database: Tue, 19 Aug 2008 12:19:33 EDT <<<


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: SECURITYDWL.COM

Registrant:
    Last Concert
    Clara Confield (<email address hidden>)
    399 avenue hachette
    Paris
    Paris,75019
    FR
    Tel. +33.148334235
    Fax. +33.148334235

Creation Date: 18-Aug-2008
Expiration Date: 18-Aug-2009

Domain servers in listed order:
    ns4.everydns.net
    ns3.everydns.net
    ns2.everydns.net
    ns1.everydns.net

Administrative Contact:
    Last Concert
    Clara Confield (<email address hidden>)
    399 avenue hachette
    Paris
    Paris,75019
    FR
    Tel. +33.148334235
    Fax. +33.148334235

Technical Contact:
    Last Concert
    Clara Confield (<email address hidden>)
    399 avenue hachette
    Paris
    Paris,75019
    FR
    Tel. +33.148334235
    Fax. +33.148334235

Billing Contact:
    Last Concert
    Clara Confield (<email address hidden>)
    399 avenue hachette
    Paris
    Paris,75019
    FR
    Tel. +33.148334235
    Fax. +33.148334235

Status:ACTIVE

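A small triage helper for the evidence posted above, added here as an example and not part of the original thread: it parses a constructed excerpt of the landing page HTML for hosts serving executables (the firewall-rule candidates) and for the window-locking script tricks, and reads the creation and snapshot dates out of the quoted whois record to show how new the domain was when the page was seen. The function names and the LOCKING_MARKERS list are my own choices.

```python
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed excerpts of the landing page HTML and whois record quoted above.
SAMPLE_HTML = """<html><head><title>Antivirus 2008</title>
<script language=javascript>window.moveTo(0, 0); window.resizeTo(screen.availWidth, screen.availHeight);</script>
<script language="javascript" src="/ns/landing_3/mw_script/mouse_block.js"></script>
</head><body><a class="mw_remove_button" href="http://dnld.securitydwl.com/load/setup_110065_3_.exe"></a>
<a href="javascript:install_begun();" class="mw_security_panel"></a></body></html>"""
SAMPLE_WHOIS = """   Creation Date: 18-aug-2008
>>> Last update of whois database: Tue, 19 Aug 2008 12:19:33 EDT <<<"""

# Script features that force the window full-screen or trap the pointer.
LOCKING_MARKERS = ("window.moveTo", "window.resizeTo", "mouse_block")


class LandingPageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.exe_urls, self.lock_hints = set(), set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in ("href", "src"):
                if value.lower().endswith(".exe"):
                    self.exe_urls.add(value)
                self.lock_hints.update(m for m in LOCKING_MARKERS if m in value)

    def handle_data(self, data):  # inline <script> bodies arrive here
        self.lock_hints.update(m for m in LOCKING_MARKERS if m in data)


def triage_page(html):
    """Return (hosts serving executables, window-locking hints found)."""
    scanner = LandingPageScanner()
    scanner.feed(html)
    return {urlparse(u).hostname for u in scanner.exe_urls}, scanner.lock_hints


def domain_age_days(whois_text):
    """Days between Creation Date and the whois snapshot time; a day-old
    domain serving an .exe download is a strong scareware signal."""
    created = seen = None
    for line in whois_text.splitlines():
        if line.strip().startswith("Creation Date:"):
            created = datetime.strptime(line.split(":", 1)[1].strip(), "%d-%b-%Y")
        elif "Last update of whois database:" in line:
            stamp = line.split("database:", 1)[1].strip(" <>").rsplit(" ", 1)[0]
            seen = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S")
    return (seen - created).days
```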

Chuck (chux-industryinet) said :
#5

Thanks and super thanks. This thing or something similar ate my desktop with windows. Thanks for the help.

Chuck (chux-industryinet) said :
#6

Thanks Philip Wyett, that solved my question.

marcobra (Marco Braida) (marcobra) said :
#7

Reported as "web forgery" to Google, using the Firefox menu Help->Report Web Forgery.

Thank you

marcobra (Marco Braida) (marcobra) said :
#8

I scanned the setup_110065_3_.exe; it contains a virus. I sent this file to the ClamAV free antivirus project...
http://www.clamav.net/sendvirus/
They will analyze it and include it in the ClamAV database.

Thank you