Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

Anyone into malware sleuthing? (and gif shrinker) RevLeft

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » DU Groups » Computers & Internet » Computer Help and Support Group Donate to DU
 
Why Syzygy Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jan-31-09 07:34 PM
Original message
Anyone into malware sleuthing? (and gif shrinker) RevLeft
I want to make a new avatar. So, I'm looking for an application to shrink a 16kb gif to, I guess about 3kb (whatever the max for DU).

I clicked on the link in this thread (link broken to avoid inadvertant *issues*) . There's nothing wrong with this site. I'm pretty sure revleft is a reputable site. However, when I clicked the link within the thread to resize gif, I got a redirect, and a pop-up that said, "Clicking cancel will cancel one download". So, I did end task on firefox! I've scanned, and everything is clear. I'll do a deeper scan overnight. The status bar indicates the redirect starts with "anonym.to".

Is this standard? Am I freaking out over nothing?

www. revleft. com/vb/can-you-shrink-t68557/index.html
Printer Friendly | Permalink |  | Top
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jan-31-09 07:50 PM
Response to Original message
1. Not sure ...

The anonym.to is an anonymous redirector, meaning the http headers are munged or in some way modified so that the referrer isn't disclosed when you hit the site where the download is.

Being into anonymity and security myself, I've used such things for completely legitimate purposes just as I encrypt all my e-mail to anyone who can be bothered with installed GPG. However, websites sometimes use these things for less than legitimate purposes.

Without having witnessed what took place, my guess is that you were redirected to the IP address where the resized graphic was, which is what was about to download. You canceled, so nothing happened, and I doubt you were infected with anything.

It's possible (pure guess as I know nothing of that site) that it was utilizing someone else's code/space/etc. and doesn't want a lot of hits showing up there that lead back to it.
Printer Friendly | Permalink |  | Top
 
Why Syzygy Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jan-31-09 08:09 PM
Response to Reply #1
2. anonym.to
appears to be a legit anonymity tool. The "download" window I got was not firefox download. I have pop-ups blocked. There's a thread in this forum where someone describes "canceling" a download, and then became worm infected.

After browsing a bit, it does seem like something is wrong with firefox. I disabled java and script for now. The built in spell checker wasn't working when I composed a PM @ DU. And now, I'm not sure all my menu options are available in right click. ARGG

I'm running unprotected right now (other than zonealarm) because I have an uninstall issue with AVG. I can't install another virus program until it completes the uninstall. Files are waiting to be deleted upon restart, but it never completes. I've One Care scanned several times, which includes registry, but the files remain lodged somewhere. I just haven't taken the time to investigate.
Dangerous, I know.
Printer Friendly | Permalink |  | Top
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jan-31-09 08:24 PM
Response to Reply #2
3. Well that's not good ...

It's been awhile since I've done this, but IIRC you can install Avast, and it'll do some hocus pocus with the reboot afterward where it rids your system of that. I did that on a machine once, but it was a couple years ago, and I don't remember the details, just that it took awhile.

I didn't realize this was a non-Firefox dialog box where you did the cancel. Yes, those can be the triggers for infection themselves. Just because it *says* cancel doesn't mean that's what pressing that button actually does. Was it a javascript popup I take it?

Try running Firefox in safe mode.

firefox -safe-mode

None of your extensions or plugins will be loaded, and you can test basic functionality. It's a start anyway.
Printer Friendly | Permalink |  | Top
 
Why Syzygy Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jan-31-09 08:52 PM
Response to Reply #3
4. Thanks..
Edited on Sat Jan-31-09 08:54 PM by Why Syzygy
I assume it was a javascript popup. I'm not versed in web design, so I don't know how to identify the various applications.
But it was automatic, and that's what I've read about js.

I'm glad to have read that thread. I'm fairly certain that by ending task in task manager, I avoided the potential. The spellcheck plugin is working fine in this window.

I'm going to follow up as you suggest.
Printer Friendly | Permalink |  | Top
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Feb-07-09 11:21 PM
Response to Reply #4
5. Follow-Up ...

The "downside" to running No-Script is that you end up not witnessing a lot of the crap that takes place in the wild.

During my recent SuSE tests, I browsed the web a bit with an unmodified Firefox. I ran into one of these malware installers while doing so.

It popped up a javascript window that wanted me to download something, which I attempted to close, and the dialog box it presented me had both OK and CANCEL buttons that seemed to indicate one should press OK to continue closing the box. However, that was not the case. Reading it closely, I realized that pressing OK actually confirmed my desire to download something. Clicking CANCEL stopped the download, but actually clicking CANCEL opened yet another window that presented me with yet another dialog box with the options reversed again.

I avoided the problem entirely by just killing the process. Who knows how long that would have continued.

So, I can see how this kind of thing could easily happen. When one hits a site that attempts to install malware, preventing that installation can be tricky.

Printer Friendly | Permalink |  | Top
 
Why Syzygy Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Feb-07-09 11:41 PM
Response to Reply #5
6. Yeah.
That's why I also canceled process. I found google reader uses java, so I turned it back on.
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view 
this author's profile Click to add 
this author to your buddy list Click to add 
this author to your Ignore list Thu Dec 26th 2024, 10:16 PM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » DU Groups » Computers & Internet » Computer Help and Support Group Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC