July 08, 2010
AnyNowhere — daily chat log
02:55, Speeder> Paranoia's last turn just made me realize something rather evil about Paranoia's multiple lives... Enemies respawn too.
04:08, Jam shudders. All those clones... They are coming to get me...
07:42, Cryoburner whispers: Clone Zombies!
13:05, Serpens> Cat planet cat planet cat planet http://anynowhere.com/bb/cd/jpgs/3dHhoxQgRpljyiWeMy5eYSC3pp1.jpg
13:10, Serpens> And for something completely different, a rather interesting captcha I've seen a minute ago: http://anynowhere.com/bb/cd/jpgs/3dHhoxQgxIdhFabjGXpgi1.jpg
13:16, Neuzd whispers: Mmmmh Serpens, did you talk with Cryo in the last week? I mean about something important. Otherwise I think he was expecting me to do it....
13:20, Neuzd whispers: Also, cat planet: there were no records in the guide relating specified subject.
13:27, Serpens whispers: I think the last time I talked with Cryo, it was about ways to get rid of martens, so no.
13:32, Serpens whispers: Something Noctis-related, I guess? I pretty much lost touch with this lately...
13:34, Neuzd whispers: It's about the "Home System Project". There's a malware.
13:37, Neuzd whispers: Have a read of the June 30 chatlogs. The T35 hosting seems a much-liked target of hackers; it's not something put there by me or you.
13:39, Neuzd whispers: Re-upload the whole site, paying attention to two 1x1 images. Those are most likely to be the malware, though I could only see them as resources in the page; I don't know if they've been uploaded to the site.
13:43, 4616599 whispers: Oh, the Home Systems Project!
13:44, 4616599 whispers: Last thing I remember about it was just doing a quick survey of an unusually bright ssdc moon there...then the Grid caught my eye and I forgot all about it...
13:48, Serpens> Oh my. Let's have a look.
14:04, Serpens> Well, I don't know, I don't see anything suspicious... I have a proactive defence and there's no malware jumping out on me...
14:05, Serpens> I'll try deleting and reuploading everything to be sure, though.
14:10, Serpens> This is going to take a while with my connection. Oh well.
14:12, Serpens> 4.6M, if you were doing something for this project, go ahead and complete it if you want, I still accept contributions.
15:32, Cryoburner whispers: Oh yeah, that thing... Maybe you should have suggested replacing the site's contents before visiting it. :P
15:34, Cryoburner whispers: As for malware scanners catching it, as of the time I encountered it, only 2 of the 41 scanners on virustotal were detecting it. :|
15:36, Cryoburner whispers: It might potentially not have been your site, since I had other tabs open at the time, but revisiting your site a second time launched Java again, before I disabled it for the site.
15:36, Serpens whispers: Scanners are often ineffective, but as for blocking any activity by unrecognized files, that's another story, I guess.
15:38, Cryoburner whispers: you might just check to make sure you don't have a 'loader.exe' or 'smss.exe' in your temporary internet files folder.
15:38, Cryoburner whispers: Along with some randomly numbered .exe files.
15:40, Serpens whispers: Nope, nothing like that. Looking at the source, there's a javascript bit, but it's just the stat counter...
15:40, Cryoburner whispers: It may only exploit vulnerabilities in certain versions of Java too.
15:41, Cryoburner> Yeah, I saw that, and mentioned to Neuzd that it just looked like a stat counter.
15:41, Cryoburner whispers: When viewing the page's source, that is.
15:42, Cryoburner> It could be possible that the stat counter was compromised though.
15:45, Cryoburner whispers: If that was the case, it may have already been fixed.
15:46, Cryoburner> I reuploaded the file to virustotal, and it seems a lot more scanners pick it up now...
15:47, Cryoburner> http://www.virustotal.com/analisis/7be638f31c8c87c97e70adb34d86cd94df4a53ea5a3962478eac481ae2c6d22d-1278599395
15:50, Serpens> Well, I can't do anything more now that the site's contents are completely replaced.
15:51, Serpens> As for my own computer, I use a combination of Comodo's Defense+, Malwarebytes' Anti-Malware and HijackThis, so I don't think anything could sneak through. At least I hope so.
15:52, Cryoburner> I was checking to see if there was any further info on it.
15:54, Cryoburner whispers: Except that almost no scanners were detecting it before... Now most seem to though.
15:56, Serpens whispers: Defense+ and HijackThis aren't based on signatures anyway, and I can't even find MBAM on this VirusTotal list.
15:56, Neuzd> I found that several of the articles mentioned the 2 images I was talking about.
15:57, Cryoburner whispers: I think I read that Hijackthis wasn't detecting it either though. :P
15:58, Neuzd> One comes from statcounter the other from quantserve
15:58, Cryoburner> That may have been after the person rebooted though, since I believe it tries to install a rootkit.
15:59, Serpens> I still see these images in the source.
15:59, Serpens whispers: That's why I don't rely on HijackThis itself. :P I'll try rebooting later to see what happens.
15:59, Cryoburner> The names given on virustotal seem to imply that it's a 'click cycler'.
16:00, Neuzd> They're loaded by the statcounter javascript.
16:00, Cryoburner whispers: Rebooting would just make it more difficult to get rid of, I imagine. :P
16:01, Serpens whispers: Or I'd just get a Defense+ message telling me that something tries to tamper with my system files and asking what to do. :P
16:06, Neuzd whispers: I'm not sure if it's ok now Serpens. I still believe the malware is hidden in those 2 images and I still see them there.
16:07, Serpens> But what can I do about them? It must be the web hoster that puts them there.
16:08, Neuzd> In fact all of the articles I read about this infection were of T35 hosted websites.
16:10, Neuzd> Try contacting T35 saying that their javascript loads 2 images that you believe are suspicious. They're both 1x1 pixel, but they're suspiciously heavy.
16:11, Neuzd whispers: I have to go now, and I don't know if I can catch you later for today.
16:15, Serpens> Oh well, I guess I'll just try doing what you suggested.
16:18, Cryoburner whispers: I'm thinking those images may just be stat counters. :P
16:46, Cryoburner whispers: It is possible that the script that loads them could have been compromised at some point though. :)
21:55, Speeder> More people can test my game pleaaase? (cryo, you still haven't said what stuff you want pulsing!)
22:27, Jam> I got to level 22. Almost to the end...
22:29, Jam goes to play more...
22:38, E_net4> Wait, what game?
22:48, Jam> His breakout clone. Paddle Wars: Hit The Wall.
22:48, Jam> http://anynowhere.com/bb/posts.php?t=4590
23:19, Speeder> Wow, Jam really liked it (went farther than me in a normal play... I always lose on level 15... Although if I use developer tools to start on 16, I can finish the game :P I only suck on level 15 in particular...)
23:35, Jam> I lost many, many times. :P But I can play the same level as many times as I want, so I'm slowly progressing.
23:43, Speeder> Oh, I see... (so you got the last version :P I didn't try finishing the game after I implemented autosave...)
23:47, Jam> I had gotten to level 22, lost, then accidentally quit the game. I really didn't want to start back at the beginning, so I cheated a bit and skipped ahead :P
23:48, Jam> I'll have to play a few games from the beginning and see how far I get...
23:49, Jam> Ah! Gligar posted the next turn early! Hooray!