Re: WARNING - Somepage linked to account hijackings

I need something explained to me:
Alright, so I have Vista (purely because I bought a new computer that came with it, I would never pay for OS upgrade), and Realplayer didn't have a patch for Vista(just a Premium Trial Download). I checked in the programs list, and I only has Rhapsody, Realtek and Roxio under the "R"'s. Does this mean I don't have RealPlayer, never did and thus, immune?

Or do I have the Trojan anyway and need to do something else to get rid of it? AVG never picked up anything other then various tracking cookies on a scan I did...

Re: WARNING - Somepage linked to account hijackings

Never had Real Player to exploit, the problem with FFXIah probably isn't a problem for you. Also Real Player on Vista may not have the problem. You may have the trojan on your system but without the Real Player to exploit it may be rendered useless.

This may or may not protect you from the Somepage problem, I don't know what that javascript does as it's been obfuscated to make it unreadable at a glance.

Re: WARNING - Somepage linked to account hijackings

Play on PS2 or Xbox 360, then you can go to any site you want

This is why I don't play on PC.

Re: WARNING - Somepage linked to account hijackings

Didn't some Xbox players get hijacked to?

which brings up another question... if this is java-based form Somepage, how did they get it? Possibly unrelated occurence?

Re: WARNING - Somepage linked to account hijackings

Most likely there is they are registered users on FFXIah and use the same username/password combo as their POL account.

Re: WARNING - Somepage linked to account hijackings

I decided to do a little poking around myself on the ol' family PC (doesn't have FFXI on it). Went to somepage, and as Olorin pointed out, that tiny little box is indeed an iframe that's linked to a suspicious looking address. Googled the address and viewed the cached site. Looking in the source I found a nice little javascript code that contains the words realplayer, activex, and pol at least once each along with lots and lots of scattered JS code all in an eval().

All this simply proves is what you all already know, and that would be that somepage is not safe to visit anymore if you are running IE and have RealPlayer installed. For the rest of the world (people using something else beside IE), you seem to be relatively safe from this exploit.

Thank you Olorin for bringing this news up.

Re: WARNING - Somepage linked to account hijackings

I play on PC and PS2. Both are required for me and my wife to play together.

What can I do to check my PC for infection and excise it if it exists? I've got Symantec antivirus and I don't believe I've ever installed Real crap on that box, but I want to be sure that there's not an opening for future variants. Certainly wouldn't want a keylogger to pick up admin access to this site and start abusing it too.

And dammit again, somepage was still useful. ><

Re: WARNING - Somepage linked to account hijackings

It figures out what the web browser version is, then tries to determine the version of Real Player on it. It does different things depending on if the language is set to Chinese or US English.

It generates a payload by padding a shell code with some other things. Then loads Real Player by opening c:\program files\netmeeting\testsnd.wav and the payload and has Real Player do the damage.

I haven't made it all readable yet.

Re: WARNING - Somepage linked to account hijackings

well this is all still scary... i wonder now what other crap i have on my computer that can potentially harm my POL account. I mean i don't exactly have the most expensive stuff, but it's still a scary thought.

Are there any other popular ffxi sites i should avoid? vanadiel atlas is still fine right?? How about alakazham? Killing ifrit? or even Piko's pots or Kida's fishing database??

Re: WARNING - Somepage linked to account hijackings

As long as you're using a non-administrative account in Vista and haven't turned off the user account control, the trojan can't have infected you in the first place. Even if you have (unwisely) been logging in as an admin or (worse) shut off UAC, Vista's DLL protection may still have barred the possibility of infection. And regardless of all of the above, you don't seem to have Realplayer installed in the first place, so you don't need to worry in any event.

Vista's as secure as a tank, as long as the user doesn't cripple the security. Nobody has yet managed to infect a Vista machine with a non-administrative user logged on, to the best of my knowledge. At the very least, none of my customers with Vista have yet called me to come fix a virus or spyware issue, and some of those customers couldn't go five minutes without catching Vundo when they had XP.
------------------------------------------
It's really not something to be losing sleep over. Grab firefox and the NoScript and AdBlock plugins for it. Go to http://www.mvps.org/winhelp2002/hosts.htm and follow the directions there to put a better hosts file in your computer to block known spyware sites. Set your computer to automatically install patches from Microsoft, and make sure your anti-virus program is up to date and scanning your computer every so often.

Re: WARNING - Somepage linked to account hijackings

Hi, welcome to Exploits 101.

As to this problem... really people. Browsing the internet is like going to bars. Sure, most of the time you won't have problems, but all it takes is one bitch to steal your wallet and screw you over. Or give you VD.

Bring protection.

First, the easiest and most sure way is to get a second computer. Also the most expensive, though you should be able to find a computer for under $100. If you can't, PM me with your location and budget, and I'll be happy to help you look for a secondary PC. This is also insanely useful when your main box goes down.

Second is to download a LiveCD and use it whenever you want to browse the web. http://damnsmalllinux.org/ should work well.

Third is to download CDs for a free OS (BSD and Linux being the most common ones, I recommend Ubuntu personally) and set up a Dual Boot between Windows and the other OS. Instructions for this are very easy to find on da interwebs.

Fourth, probably the hardest, not to mention slowest for your PC, would be to run a virtual box inside Windows, and run something else (again, such as DSL) inside that to browse the web. I'm pretty sure this isn't 100% safe, but given that it seems like this problem wouldn't have even affected normal firefox users, it should be plenty safe against these RMTs.

Still, no matter what, why the hell would anyone in their right mind browse with ActiveX left unchecked? If this is correct, it's exactly as I said, someone leaving a gaping security hole and being unsafe. Using ActiveX in IE is nearly the same as offering to show your wallet to anyone you pass on the street. Browsing in IE is bad enough, but allowing ActiveX is just plain retarded.

Re: WARNING - Somepage linked to account hijackings

The first post in this thread will help you manually check and clean out your system.

Also, a simple thing to do is to open up the Windows Task Manager, click the Processes tab, and see if any of the files listed on the link above are in the list. I personally don't run a virus scanner - I find them too demanding on my computer to be worthwhile. Instead I keep my task manager open almost all the time so I'm able to see if anything funky is running in the background. I also use Ad-Aware and SpyBot about once a month to take care of the browser cookies and scripts. I haven't used AVG yet, but I hear nothing but good words about their programs.

Btw.. Damn Small Linux

Re: WARNING - Somepage linked to account hijackings

The UAC must be shut off to save the sanity of any users for are forced to use Vista >_>
/em installs PCLinux atm.

Re: WARNING - Somepage linked to account hijackings

Which is it's biggest flaw-- Computers can in fact be too secure.

Imagine a computer as a car-- you need the keys to get in the door, pop the hood or trunk, and turn it on so you can change everything. Now, most people don't mind turning a key to unlock their doors and start their engine. But if you start requiring them to use the key every time they want to open the doors, be it to get in or get out; not to mention change the radio dial, turn up the AC, turn on cruise control, activate the windshield wipers, is it really any surprise that they're going to get pissed off and remove all the locks?

Computers are no different-- UAC actively encourages the user to either not pay attention to it, or to remove it entirely. Good security is far more than a dialog box that says "OK", security is partially a matter of the OS not allowing things to run as root without user approval, yes, but it's also about making sure that the user knows and pays attention to what they're doing.
------------------------------------------
Last I checked, this is insanely easy for most viruses/spyware to get around. I wouldn't trust this method at all.

Re: WARNING - Somepage linked to account hijackings

how do i know if i'm running this active X thing in my IE? i use firefox, is it any different?