Magister_Sum
Cadet

 Joined: Apr 27, 2008 Posts: 1 Location: USA
Posted: Sun Apr 27, 2008 1:26 am Post subject: Zap2It hijacked by spywaredestructor?
On two separate computers (same network), I have been redirected while trying to leave Zap2It.com. It looks like a rogue spyware removal program that's trying to get me to install. I found others who have noticed this just this evening with Zap2it. See http://groups.google.com/group/alt.atheism/browse_thread/thread/0d8bbb1cc2ee1733.
After closing out (Alt + F4) for the pop-up and then for the new browser window which looked like a scan (I closed it pretty quick), I scanned my computer with Bazooka and SpyBot S&D. Nothing came up.
Should I be concerned?
jgrtmp
Guest IP: 209.4.*.*
Posted: Sun Apr 27, 2008 6:33 am Post subject: Got the same thing when going to ZAP2IT for TV guide listing
I ran into the same thing. Thought it was my machine at first, but Spyware Terminator & Hijack This say no. It uses CTtoolbar to display an error thru IE. From there the hijack takes you to the Spyware Destructor website & intrudes on your machine to initiate a from site scan of your computer. Something seems illegal the way it's done. I've never seen it overtly before - ZAP2IT is the thru gate & Microsoft isn't sending you to this site as the warning seems to infer. It's a hijacked IE. The question is, is ZAP2IT allowing this? Both Microsoft & ZAP2IT should be alarmed at this...
tetak
MIRT Team Lead Premium Member
 Joined: Jan 19, 2007 Posts: 5869
Posted: Sun Apr 27, 2008 6:55 am Post subject:
I just checked Zap2It.com and nothing happened on my PC.
Could you post a link to the websites which it tried to get you to visit? The fake scan ones are just that, fake scans which try to trick users into downloading a fake anti-malware product.
After installing the fake anti-malware product it will do a "scan", find loads of "malware" and then ask you to pay to "remove" it.
_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.
Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
tetak
MIRT Team Lead Premium Member
 Joined: Jan 19, 2007 Posts: 5869
Posted: Sun Apr 27, 2008 7:05 am Post subject:
The Google groups link above says that one of the links is
| Code: |
http://spywaredestructor.com/
|
I've downloaded SpywareDestructorSetup.exe which is malware.
I've added the file to the malware listserv.
jgrtmp
Guest IP: 209.4.*.*
Posted: Sun Apr 27, 2008 7:14 am Post subject: ZAP2IT HIJACK Cont...
When you close out the alert warning you are sent to this web page & the scan immediately commences - there is no download.
| Code: |
http://scan.spywaredestructor.com/scan.php?landid=2&depid=maxc%5Fclr08&cid=2271&parid=mc%5F916028161
|
Moderator edit: Disabled the link
nousndthem
Cadet

 Joined: Apr 27, 2008 Posts: 2 Location: USA
maliciousbrains
Sergeant
 Premium Member
 Joined: Feb 23, 2008 Posts: 103
Posted: Sun Apr 27, 2008 10:15 am Post subject:
I have stripped down all the .js script files. I found the below files:
| Code: |
<script type="text/javascript" src="/javascript/shared/jquery-1.2.2.min.js"></script>
<script type="text/javascript" src="/javascript/shared/zcSharedFunctions.js"></script>
<script type="text/javascript" src="/javascript/tvlistings/zbGridView.js"></script>
<script type="text/javascript" src="/javascript/tvlistings/zbSetMyPreferences.js"></script>
<script type="text/javascript" src="/javascript/tvlistings/zbUserAccount.js"></script>
<script type="text/javascript" src="/javascript/tvlistings/zbInCellAddPlugins.js"></script>
<script type="text/javascript" src="/javascript/tvlistings/mapLocalizationFunctions.js"></script>
<script type="text/javascript" src="/javascript/tvlistings/jquery.treeview.min.js"></script>
<script type="text/javascript" src="http://mserv.zap2it.com/dfp/production/googleSetup.js"></script>
<script type="text/javascript" src="http://mserv.zap2it.com/dfp/production/dfpSetup.js"></script>
<script language="JavaScript" src="http://www.zap2it.com/central/javascript/mtrx/s_code.js"></script>
|
And while tracing back, I found there was an advertisement to Colgate that was getting displayed by calling a SWF file:
| Code: |
http://atlas-ads.com/89000/300x250.swf?clickURL=http://www.colgate.com/?om21&clickTARGET=_blank\\
|
My point is, there is some external call in some .js file or some .swf file which is redirecting the browser to the hxxp://scan.spywaredestructor.com site.
Yesterday, I was playing with the swf files and how malware authors make use of the swf files to redirect traffic of good sites to bad sites and I have posted a small article about that activity in CC itself. Refer below:
/t220423-Analyzing_Malicious_SWF_Files.html
In reference to the problem that we are facing regarding Zap2it.com, it seems very likely that the same mechanism has been deployed. The fault may be because of a .js or a .swf file that's redirecting the traffic to the malware site.
It's a really hectic task to do a code review of all the .js files cus one .js file calls another and till now I have checked at least 15 .js files.
Instead of scavenging it like this, it's better if the message can be passed on to the zap2it admin. It's very unlikely that they have done it knowingly or the site has been hacked lol... Anyways, good example.
_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org
There are no patches or service packs for ignorance!
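Added example, not part of the original posts: the manual include-tracing described in the post above can be automated by listing every script, embed, object and iframe source on a page and reporting only the hosts outside the site's own domain, together with any URL carried in their query string (such as `clickURL`). The `FIRST_PARTY` value, the function and class names, and the `<embed>` wrapper around the quoted SWF URL are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

FIRST_PARTY = "zap2it.com"  # assumption: the domain of the site under review

# Constructed sample built from includes quoted in the post above.
SAMPLE = """
<script type="text/javascript" src="/javascript/shared/jquery-1.2.2.min.js"></script>
<script type="text/javascript" src="http://mserv.zap2it.com/dfp/production/dfpSetup.js"></script>
<embed src="http://atlas-ads.com/89000/300x250.swf?clickURL=http://www.colgate.com/?om21&clickTARGET=_blank">
"""

# Tag -> attribute that names the active content it loads.
SOURCES = {"script": "src", "embed": "src", "iframe": "src", "object": "data"}


class IncludeCollector(HTMLParser):
    """Collect the absolute URL of every piece of active content a page loads."""

    def __init__(self, base):
        super().__init__()
        self.base, self.urls = base, []

    def handle_starttag(self, tag, attrs):
        attr = SOURCES.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(urljoin(self.base, value))  # resolve relative paths


def is_first_party(host):
    # Exact match or a true subdomain; "evilzap2it.com" must not pass.
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


def audit(html, base="http://www.zap2it.com/"):
    """Return [(url, host, nested_urls)] for third-party includes only."""
    collector = IncludeCollector(base)
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_first_party(host):
            continue
        # URLs passed as parameters show where the include can send the browser.
        nested = [v for _, v in parse_qsl(parts.query)
                  if v.startswith(("http://", "https://"))]
        findings.append((url, host, nested))
    return findings


if __name__ == "__main__":
    for url, host, nested in audit(SAMPLE):
        print(host, url, nested)
```

Each reported host is a party whose content runs in the page and is therefore a candidate source of the redirect; scripts that load further scripts at run time still have to be followed by hand or in a browser's network log.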
nousndthem
Cadet

 Joined: Apr 27, 2008 Posts: 2 Location: USA
Posted: Sun Apr 27, 2008 10:26 am Post subject:
Great work maliciousbrains!
I did contact the "general" contact at zap2it since they don't seem to have anything more technical, and I pointed them back to this thread.
Hopefully they'll take it seriously.
Steve
reiter2000
Cadet

 Joined: Apr 27, 2008 Posts: 1 Location: USA
Posted: Sun Apr 27, 2008 2:13 pm Post subject: spywaredestructor & Zap2it
I have encountered the same phenomenon for the past 2 days while visiting Zap2it using Firefox.
tcorbet
Guest IP: 66.167.*.*
Posted: Sun Apr 27, 2008 9:27 pm Post subject: zap2it problem
I also use zap2it and have seen this popup over the past 48 hours. As it turns out, I also run a debug version of the Flash Player and it captured a stream of *** Security Sandbox Violation *** messages that arrive from URLs associated with view.atdmt.com and spe.atdmt.com if that will help you find the culprits.
Zap
Guest IP: 64.183.*.*
Posted: Mon Apr 28, 2008 6:46 pm Post subject: Spyware Complaint
Thank you for compiling this information. I have forwarded it to the administrators at Zap2it and they have removed the offending advertisement.
Heather,
Zap2it Forums Admin
Randy67
Corporal

 Joined: May 18, 2006 Posts: 61 Location: USA
Posted: Sat May 03, 2008 10:28 pm Post subject: my wife got the same popup, luckily I was here
I had her click the X on the prompt. I searched Google and found this page.
The URL she was at is
http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=17654018
I guess it is an infected ad.
She hit the Back key after going to another site and the same popup happened. She hit Cancel instead and it started scanning. She closed the window immediately. I 'kicked' her off and added spywaredestructor to her hosts file.
I'm running SpyBot S&D right now as a precaution.