
Malware on popups?

BadDNA

hophead
Mar 31, 2006
4,257
231
Living the dream.
Avast is detecting malware coming from boyishgak.cx.cc as I browse the monkey this morning. I'm not sure if this is from a popup or something entirely different but RM is the only site this is happening on for me.
 

binary visions

The voice of reason
Jun 13, 2002
22,092
1,132
NC
I'll look into it.

So far, we've never had an incident where malware was reported that actually turned out to be served from Ridemonkey but there's always a first time.
 

BadDNA

hophead
Mar 31, 2006
4,257
231
Living the dream.
Turned on AdBlockPlus for a little while today and I'm still getting the warnings while browsing the monkey. Anything I can do to help you look into it?

Multiple browsers as well, Firefox and Chrome both alert in Avast when I browse around RM.
 

binary visions

The voice of reason
Jun 13, 2002
22,092
1,132
NC
You guys have any source domains for the virus warnings?

One of the ad networks (not ours specifically, one of the big ones - MSN) was distributing malicious ads yesterday but it was only for a brief period of time and it was shut down pretty quickly.

Can you also run full system scans to see if you're picking anything else up? If you do pick something up on the virus scan, can you post what it is and what file(s) it infected? Even if it's in your temp internet files.

Anything would be helpful, we're looking but nothing has come up so far.
 

BadDNA

hophead
Mar 31, 2006
4,257
231
Living the dream.
I gave you the source domain in the first post. I've verified on a couple of systems now, only on RM and with or without ads being blocked.
 

syadasti

i heart mac
Apr 15, 2002
12,690
290
VT
Noscript will only run content from the domains you whitelist (content won't run by default until you authorize a domain) so in the future you won't have problems like this - best option against new/zero-day webpage based attacks. Adblock only blocks ads/content from known ad servers so that's why it fails - this attack is not coming from a domain listed on the adblock subscription.
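The difference between the two filtering models described in the post above, as an added example that is not part of the original thread. The page HTML is constructed, `ads.example.net` is a placeholder ad server, and the two `.cc` hostnames are the ones reported in this thread.

```javascript
// Added example. The HTML is constructed; the two .cc hostnames are the ones
// reported in this thread, ads.example.net is a placeholder ad server.
const PAGE_URL = "http://www.ridemonkey.com/forums/";
const SAMPLE_PAGE = `
<html><head>
<script src="/js/site.js"></script>
<script src="http://ads.example.net/serve.js"></script>
<script src="http://boyishgak.cx.cc/"></script>
</head><body>
<iframe src="http://vuciso9.co.cc/"></iframe>
<img src="/images/logo.gif">
</body></html>`;

// Hosts that supply active content (script, iframe, embed, object) to the page.
// A regex is enough for this sample; a real audit should use an HTML parser.
function activeContentHosts(html, pageUrl) {
  const hosts = new Set();
  const re = /<(?:script|iframe|embed|object)\b[^>]*?\b(?:src|data)\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(re)) {
    try {
      hosts.add(new URL(m[1], pageUrl).hostname.toLowerCase());
    } catch (e) { /* ignore values that are not URLs */ }
  }
  return [...hosts];
}

// True when host is the listed domain or one of its subdomains.
const matches = (host, domain) => host === domain || host.endsWith("." + domain);

// Blocklist model (ad-blocker subscription): everything loads unless listed.
function loadedUnderBlocklist(hosts, blocklist) {
  return hosts.filter(h => !blocklist.some(d => matches(h, d)));
}

// Allowlist model (NoScript): nothing loads unless the user approved the domain.
function loadedUnderAllowlist(hosts, allowlist) {
  return hosts.filter(h => allowlist.some(d => matches(h, d)));
}

const hosts = activeContentHosts(SAMPLE_PAGE, PAGE_URL);
// The blocklist knows the ad server and the first reported host, not the second.
console.log("blocklist lets through:", loadedUnderBlocklist(hosts, ["ads.example.net", "boyishgak.cx.cc"]));
console.log("allowlist lets through:", loadedUnderAllowlist(hosts, ["ridemonkey.com"]));
```

A blocklist entry added for one injected hostname does nothing once the injected code points at a different one, while the allowlist result does not change.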
 

binary visions

The voice of reason
Jun 13, 2002
22,092
1,132
NC
> I gave you the source domain in the first post. I've verified on a couple of systems now, only on RM and with or without ads being blocked.

Yeah, I know, I was trying to determine if it was coming from multiple domains or only one place.

There are a whole bunch of people looking at this. Anyone run a system scan?
 

binary visions

The voice of reason
Jun 13, 2002
22,092
1,132
NC
Thanks for your help troubleshooting. Still looking into it. I can't get my A/V programs (three different ones) to pop positive, but I do see calls to the aforementioned domain.
 

binary visions

The voice of reason
Jun 13, 2002
22,092
1,132
NC
The malware has been found and removed.

We are taking steps today to ensure that it does not happen again.

Of course we do our best to maintain the highest security, but something apparently slipped through. We will be installing some upgrades and some additional security software to further secure the servers. There's no evidence to believe this was anything but an adware injector, so as bad as that is, we don't have reason to believe that passwords or personal information was compromised. I will post again if we find anything like that.

I sincerely apologize for the problem. Not the least of this issue is the problem that we have had a good track record and now if something is found, this site is going to be questioned even if it didn't originate here.

That's frustrating, but I suppose, as the latest Gawker, McDonalds and Walgreens hacks recently demonstrate, nothing is perfectly secure. It's not an excuse, though, and we'll continue to be vigilant to prevent future problems.

If anyone experiences problems, please report them here or directly to me immediately. Make sure you clear your caches and temp files first, though, to ensure that there is no cached malware.
 

Mr.Bishop

King of Beers
Jun 2, 2009
286
0
Montreal
> If anyone experiences problems, please report them here or directly to me immediately. Make sure you clear your caches and temp files first, though, to ensure that there is no cached malware.

This is so true - you guys' extreme diligence towards reporting this stuff is what allows us to track it down. So please keep doing what you're doing, and if you notice something funky report it as quickly as you can!
 

Routier07

Monkey
Mar 14, 2009
259
0
Same as above. AVG is telling me it has something to do with what IH8Rice said, vuciso9.co.cc.
 

IH8Rice

I'm Mr. Negative! I Fail!
Aug 2, 2008
24,524
494
Im over here now

Wumpus

makes avatars better
Dec 25, 2003
8,161
153
Six Shooter Junction
Warning: Visiting this site may harm your computer!
The website at ridemonkey.com contains elements from the site vuciso9.co.cc, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for vuciso9.co.cc.
Learn more about how to protect yourself from harmful software online.
 

Pesqueeb

bicycle in airplane hangar
Feb 2, 2007
40,145
16,539
Riding the baggage carousel.
Same here. Both Firefox and *shudder* IE. Screen caps:






Norton quick scan found nothing. Will run full scan but I believe Norton killed it pre-emptively.

Please god fix this. WTF will I do at work tomorrow?
 

Udi

RM Chief Ornithologist
Mar 14, 2005
4,915
1,200
After the warning for vuciso9.co.cc, when ridemonkey loaded, chrome downloaded a .ram file (vuciso9.co.cc/multi/xwyvyzavfubmyp.ram) and tried to run it automatically.

Pretty dodgy stuff.
 

IH8Rice

I'm Mr. Negative! I Fail!
Aug 2, 2008
24,524
494
Im over here now
> After the warning for vuciso9.co.cc, when ridemonkey loaded, chrome downloaded a .ram file (vuciso9.co.cc/multi/xwyvyzavfubmyp.ram) and tried to run it automatically.
>
> Pretty dodgy stuff.

Ouch. I'll be checking RM from my phone until resolved.
 

HAB

Chelsea from Seattle
Apr 28, 2007
11,580
2,006
Seattle
I just had VLC pop up and try to run something before avast said fvck that. Getting the same "attack site" issue in FF too.
 

DaveW

Space Monkey
Jul 2, 2001
11,162
2,686
The bunker at parliament
> After the warning for vuciso9.co.cc, when ridemonkey loaded, chrome downloaded a .ram file (vuciso9.co.cc/multi/xwyvyzavfubmyp.ram) and tried to run it automatically.
>
> Pretty dodgy stuff.

Yeah I've added "vuciso9.co.cc" to my ad blocker... seems to have dealt to it. :)
 

worship_mud

Turbo Monkey
Dec 9, 2006
1,464
2
> F*cking browser keeps blocking RM as a "Reported attack site" every time I click on a page and I have to click on ignore warning for every page view.

Same here! Tried blocking vuciso9.co.cc in ad block, does not work. Pretty annoying...
 

DaveW

Space Monkey
Jul 2, 2001
11,162
2,686
The bunker at parliament
> Same here! Tried blocking vuciso9.co.cc in ad block, does not work. Pretty annoying...

Nah, it's Google via your browser that's blocking RM.
I just ad blocked the vuciso9.co.cc and then went to the preferences panel/security then clicked off the block reported sites.... a risk but with the Mac + strict firewall settings it's a low risk.
 

Serial Midget

Al Bundy
Jun 25, 2002
13,053
1,896
Fort of Rio Grande
Mozilla shut me down!!!

All I want to do is upload my RMSS image!

Safe Browsing
Diagnostic page for ridemonkey.com

What is the current listing status for ridemonkey.com?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 69 pages we tested on the site over the past 90 days, 47 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-12-19, and the last time suspicious content was found on this site was on 2010-12-19.

Malicious software includes 8 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including vuciso9.co.cc/.

This site was hosted on 2 network(s) including AS558 (NET2EZ), AS14618 (AMAZON).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, ridemonkey.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Updated 12 hours ago

©2008 Google - Google Home
 

Bicyclist

Turbo Monkey
Apr 4, 2004
10,152
2
SB
I think I got something on my desktop (running xp). I don't know jack about computers really but I went to RM, got a warning, and now when I turn the thing on and log in to any of my accounts or my family's, no user data loads (blank desktop screen). Any recommendations other than letting a professional handle it?