reboot.pro infected?



11-22-2013, 07:07 PM #21
AceInfinity
Developer
*******
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: reboot.pro infected?
Not everything marked as suspicious needs to be blocked, or is actually harmful. Suspicious is a chance, but I've seen lots of false positives in my experience.

Quote:and not because they took out the alert thinking that the alert was a false positive - it wasn't. Now I am more confused and worried than before.

How are you so sure?
This post was last modified: 11-22-2013, 07:08 PM by AceInfinity.


Microsoft MVP .NET Programming - (2012 - Present)
®Crestron DMC-T Certified Automation Programmer

Development Site: aceinfinity.net


11-22-2013, 08:46 PM #22
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

RE: reboot.pro infected?
@AceInfinity,

When I first reported this issue, there were already 2 "Malicious site" and 2 "Suspicious site" reports in VirusTotal. Now we are at 4 and 2 respectively.

I also tried to find out what this suspicious site does / produces / informs about. I wasn't able to find any "positive" info. Can anyone offer an explanation of what that site is doing, or why these connection attempts are happening when visiting reboot.pro?

I don't see any reason for this connection attempt to happen. Whether reboot.pro itself is somehow related to the cause of it or not, the warning doesn't seem to be a false positive. I have seen other FPs in the past, and they were nothing like this.

The presence of the suspicious site when querying urlquery.net about reboot.pro does not clear up the situation for me, but adds to my concerns about what's really happening when I browse reboot.pro.

Thank you and Best Regards,
Ady

11-22-2013, 09:28 PM #23
AceInfinity
Developer
*******
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: reboot.pro infected?
Those are still just titles as far as I'm concerned. Certain AVs mark programs as dangerous just for being keygen utilities... I take that with a grain of salt until evidence can prove otherwise, usually for executables. I don't do lots of web stuff.

Quote:I wasn't able to find any "positive" info

Post what you've found for information. If there is a chance, then any information like that can help. If you've found bad information about the site then you should not need to ask others what it does; otherwise it's not sufficient information to classify it as a non-false-positive IMHO.

reboot.pro uses Google Ads though, that's the main reason why I initially thought it was related. We don't host any ads on this forum subdomain.

Based on what I'm seeing:
Code:
http://urlquery.net/search.php?q=alnera.eu&type=string&start=2013-11-08&end=2013-11-23&max=50
http://urlquery.net/report.php?id=7838140

It may have to do with being linked to other locations that have been reported as bad, but it has nothing to do with reboot if that's the case.



11-22-2013, 09:32 PM #24
AceInfinity
Developer
*******
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: reboot.pro infected?
I found a conversation, an odd one: https://lists.emergingthreats.net/piperm...22880.html

I think this is worthy of a read as well: http://www.malware-traffic-analysis.net/...index.html

Quote:This specific Java exploit hasn't been widely identified yet. VirusTotal only has 4 of 47 anti-virus organizations detecting it as of 2013-07-08 04:17 UTC. It might be a Java exploit based on CVE-2013-1493.

From what I read, it's used to send a malicious executable back, which from what I've seen has not happened to you.

Quote: Some UDP traffic going to 83.133.123.20 on port 53, but it's not DNS traffic.

This would be a trick for Wireshark to examine, I believe. They provide you a PCAP file of the malicious activity for you to compare to. It goes through a number of steps, however, to finalize that.

Yet: https://www.virustotal.com/en/file/a2c23...384556190/

Hmm, no detections for this yet? Unless it really is harmless, or probably the wrong file? Seems recent though:
Quote:Analysis date: 2013-11-15 22:56:30 UTC ( 1 week ago )
This post was last modified: 11-22-2013, 09:43 PM by AceInfinity.


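The quoted observation above, UDP traffic to port 53 that is not DNS, is a useful detection idea on its own: port-based protocol assumptions are exactly what such traffic abuses. The following is an added example, not code from this thread or from any site linked in it; it sanity-checks UDP/53 payloads against the DNS wire format and reports the ones that do not parse. The packet tuples, addresses and payloads are constructed for the example.

```python
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal standard A query (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def looks_like_dns(payload: bytes) -> bool:
    """Cheap structural check: does this UDP payload parse as a DNS message?
    DNS always carries a 12-byte header whose opcode and section counts must be
    plausible, followed by a question section of well-formed labels."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or qd == 0 or qd > 4 or ar > 16:  # QUERY/IQUERY/STATUS only
        return False
    pos = 12
    for _ in range(qd):            # walk each QNAME: labels <= 63 bytes, zero-terminated
        while True:
            if pos >= len(payload):
                return False
            ln = payload[pos]
            if ln == 0:
                pos += 1
                break
            if ln & 0xC0 == 0xC0:  # compression pointer (2 bytes), tolerated
                pos += 2
                break
            if ln > 63:
                return False
            pos += 1 + ln
        if pos + 4 > len(payload):  # QTYPE + QCLASS must follow
            return False
        pos += 4
    return True

def flag_non_dns_on_53(packets):
    """packets: iterable of (dst_ip, dst_port, udp_payload).
    Returns (dst_ip, payload_len) for every UDP/53 payload that is not DNS."""
    return [(ip, len(p)) for ip, port, p in packets
            if port == 53 and not looks_like_dns(p)]

# Constructed sample traffic (documentation-range addresses, not the thread's IP).
SAMPLE = [
    ("203.0.113.53", 53, build_dns_query("example.com")),           # real-looking DNS
    ("203.0.113.99", 53, bytes.fromhex("17030300450fd3a1") + b"\x00" * 60),  # not DNS
    ("203.0.113.7", 443, b"\x16\x03\x01"),                           # not port 53
]

if __name__ == "__main__":
    print(flag_non_dns_on_53(SAMPLE))
```

In Wireshark the equivalent first pass over the PCAP is the display filter `udp.port == 53 && !dns`, which lists exactly the port-53 datagrams the DNS dissector could not parse.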

11-23-2013, 12:20 AM #25
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

RE: reboot.pro infected?
@AceInfinity,

I wanted to quote parts of your post and answer accordingly, but this forum is not so "nice" to my settings and web browser.

Anyway, the content of the page on malware-traffic-analysis.net you linked to seems very similar to what I have seen when opening reboot.pro "for the first time".

I don't know where the initial trigger resides (reboot.pro, the ads, elsewhere) that starts the chain. I have no doubts that reboot.pro is _not_ intentionally involved.

As I mentioned before in this topic, I lack the technical knowledge to go much deeper, and the whole pcap / wireshark info seems out of my league so I'm not sure how to help (or even if I am capable of).

I am hoping that my current block list is effective and adequate, so as to block the whole chain but without blocking non-related connections that have nothing to do with this malware code.

I also hope that reboot.pro admins can find a way to prevent this from happening to others, or at least to stop and minimize the potential damage.

Thank you and Best Regards,
Ady.

11-23-2013, 02:54 AM #26
Nuno Brito
Team Reboot
Team Reboot
Posts: 351 Threads:13 Joined: Aug 2011 Reputation: 10

RE: reboot.pro infected?
Hi Ady and Ace,

Thank you for the investigation. I've blocked alnera from displaying ads. The reason why only AdSense is used was exactly to prevent ads from hijacking the security of visitors.

Now it seems that even AdSense is allowing bad ads to be rendered.

It is my hope that this is an isolated incident, since we've been using AdSense for several years without similar problems. If it isn't, then it is time to disable it completely.

Once again, thank you for going deep into this matter. :)
Want to help TLF? Place tech.reboot.pro on your signature around the web. Let's help TLF grow! :)

03-20-2014, 11:51 PM #27
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

RE: reboot.pro infected?
Hi,

I just want to let you know that the "a l n e r a" issue is back in reboot.pro.

Regards,
Ady.

03-21-2014, 03:32 AM #28
Nuno Brito
Team Reboot
Team Reboot
Posts: 351 Threads:13 Joined: Aug 2011 Reputation: 10

RE: reboot.pro infected?
Doesn't seem much else we can do. This is likely coming from the ads specific to where you are. :(

03-21-2014, 05:53 AM #29
Adys
Junior Member
**
Posts: 13 Threads:1 Joined: Oct 2013 Reputation: 0

RE: reboot.pro infected?
@Nuno,

Last time it took months until something *was* done. I didn't change my location then, and nothing changed on my side now either.

Chances are that something on reboot.pro changed now, reverting whatever you did before so as to stop this harmful matter.

Sounds somehow strange that nothing really could be done. Whoever is providing reboot.pro with ads, for sure there is some contact method.

Regards,
Ady.

06-24-2014, 05:22 AM #30
Mikorist
I, Robot
**
Posts: 8 Threads:2 Joined: Oct 2011 Reputation: 3

RE: reboot.pro infected?



