Repeated exe incursion from Fansub.tv



NinjaDuck
Just to see if the fansub.tv admin is aware, or thinks it's something we shouldn't feel concerned about: you do know one (or more) of your third-party advertisers is using your website to deliver and launch EXECUTABLES to our C:\ root folders, right? I believe and trust that it's third party anyway; I can only conceive they are being delivered through the ad system.

It just happened again. This time I noted it was right after the "Somebody has a crush on you!" ad loaded, when I opened a new window to koushin-editor.php.
As with many of the other times, I haven't browsed anywhere else this week. When I'm busy with project work my poor neglected internet box basically just stays connected to the awesome Daft script all the time, but the incursions only ever pop up the firewall warnings while I'm actually moving around the fansub site; they've never been logged when I'm not here.

I've kept disabled copies of the unauthorised downloaded executables going back several months:

- The files are always called c:\sys????.exe or c:\sys???.exe (suffixed by 3 or 4 random letters)
- They're always 9k in size, which unpacks to 24k
- They're executables compressed by UPX (Ultimate Packer for eXecutables, a win32 version of something like LZEXE)
- They're implementations of GetWebFile v1.0 (C++ by Jay Beckert, open source at The Code Project)
- Inside you can find Jay's titlebar blurb "GetWebFile - What file will we get today?"
- They contain handles to KERNEL32.DLL, MFC42.DLL, MSVCRT.DLL and USER32.DLL
- All contain a reference to the insidious infecty site "sys-browser.com"

My AVG annoyingly doesn't pick up on it, probably because it's not a fully fledged "infection". I only find it in C:\ and Task Manager; I couldn't find evidence of registry or other permanent tampering after only these foothold incursions, but who knows what might have happened if the sys-browser.com download attempts had succeeded. Luckily my firewall chucks visible nanas and automatically blocks them.

The destination IPs in the log are various but seem to follow a theme, e.g. owned by such domains as akamai (the advertising e-hub giant); origin-codecs (a microsoft.com domain); www.l (google); extremehosting.net; and the odious sys-browser.com site itself. When the exe initially fails (thanks to the outgoing firewall) there are ongoing attempts to query my ISP's DNS before I kill the process in Task Manager.

sys-browser.com is responsible for such gems as Troj/Dloadr-BDI, which is a Browser Helper Object infection that downloads files from their site.
(refer to http://www.sophos.com/security/analyses/trojdloadrbdi.html )

Hopefully the firewall log evidence suggests a third party of sys-browser.com origin is just racking up hits for themselves against fourth-party ad-hosting giants, rather than something sinister (I have yet to set up a sacrificial quarantined system to find out what file(s) these incursions are trying to download), but it would be nice if fansub.tv (which has long proven its motives selfless and the site and its admin team worthy of esteem, admiration and user trust) lobbied their ad provider to ban such practice by their clients.

Have fun & mung beans,
Duck.
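A small triage script for the indicators listed in the post above (file name pattern, ~9k size, UPX section names, the GetWebFile banner, the MFC42.DLL import and the sys-browser.com string). This is an added example written for this thread, not code that NinjaDuck, Daft or fansub.tv ran. The 8-10 KiB size band, the 2 KiB window in which UPX section names are sought, the "two content hits plus the name pattern" rule and every function name are assumptions made here; the sample blob is constructed to resemble the description and is not a real dropper.

```python
import os
import re
from dataclasses import dataclass, field

# File-name pattern from the post: c:\sys???.exe or c:\sys????.exe
NAME_RE = re.compile(r"^sys[a-z]{3,4}\.exe$", re.IGNORECASE)
# "always 9k in size": assumed band of 8-10 KiB around that figure
SIZE_BAND = (8 * 1024, 10 * 1024)
# UPX leaves these section names in the PE section table
UPX_SECTIONS = (b"UPX0", b"UPX1", b"UPX2")
# Strings the post reports inside the sample
STRING_IOCS = {
    "getwebfile_banner": b"GetWebFile - What file will we get today?",
    "sys-browser_domain": b"sys-browser.com",
    "mfc42_import": b"MFC42.DLL",
}


@dataclass
class Verdict:
    name: str
    size: int
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The file name alone is weak evidence; demand it plus at least two
        # further indicators before flagging (assumed threshold).
        return "name_pattern" in self.hits and len(self.hits) >= 3


def triage_bytes(name: str, data: bytes) -> Verdict:
    """Check one file's name and raw bytes against the thread's indicators."""
    v = Verdict(name=name, size=len(data))
    basename = re.split(r"[\\/]", name)[-1]      # works for C:\ paths on any OS
    if NAME_RE.match(basename):
        v.hits.append("name_pattern")
    if SIZE_BAND[0] <= len(data) <= SIZE_BAND[1]:
        v.hits.append("size_band")
    if data[:2] == b"MZ":
        v.hits.append("mz_header")
    # Heuristic, not a full PE parse: in a 9k binary the section table sits
    # near the start, so look for UPX section names in the first 2 KiB.
    if any(s in data[:2048] for s in UPX_SECTIONS):
        v.hits.append("upx_sections")
    for label, needle in STRING_IOCS.items():
        if needle in data:
            v.hits.append(label)
    return v


def triage_path(path: str) -> Verdict:
    with open(path, "rb") as fh:
        return triage_bytes(path, fh.read())


def scan_root(root: str = "C:\\") -> list:
    """Triage every sys*.exe directly under the drive root (not recursive)."""
    return [triage_path(e.path) for e in os.scandir(root)
            if e.is_file() and NAME_RE.match(e.name)]


def build_sample() -> bytes:
    """Constructed stand-in laid out like the post describes; NOT real malware."""
    body = (
        b"MZ" + b"\x00" * 62
        + b"PE\x00\x00" + b"\x00" * 20
        + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
        + b"GetWebFile - What file will we get today?\x00"
        + b"http://sys-browser.com/\x00"
        + b"KERNEL32.DLL\x00MFC42.DLL\x00MSVCRT.DLL\x00USER32.DLL\x00"
    )
    return body.ljust(9 * 1024, b"\x00")   # pad to the reported 9k


# Constructed benign control: an MZ header with none of the other indicators
BENIGN = b"MZ" + b"\x00" * 100 + b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    for name, blob in (("C:\\sysabcd.exe", build_sample()),
                       ("C:\\notepad.exe", BENIGN)):
        verdict = triage_bytes(name, blob)
        print(name, "SUSPICIOUS" if verdict.suspicious else "clean", verdict.hits)
```

Run it as-is to see the constructed sample flagged and the control pass; on the affected machine, `scan_root()` applies the same checks to whatever sys*.exe files sit in C:\. The UPX check is deliberately a string heuristic so the script has no dependencies; a packed-section check that walks the real PE section table would be the next refinement.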
 
We've had problems with this before, but it's a pretty hard problem to track down since we use 3 or 4 different ad companies, which each serve a variety of advertisements. I've pulled out one of the ad providers that I believe might be causing this problem, so please let me know if the problem appears to go away.
 
You're always busy being awesome, Daft-sama ^_^

I went nuts browsing all over the place in fansub.tv for what seemed like a good half hour (so many goodies, so little duckipoo bandwidth, sigh), but the AutoIt script I made to pounce on it the instant it happened again went to waste: so far it looks like the right thorn was plucked out. I also had Ethereal involved to see if I could capture whether it was a file download attempt or just an ad URL with someone's referral ID (which could be reported back to the ad provider; they're the ones getting money stolen from them in "fake hit" scam payouts, after all).

I'll mention it if it happens again. I hope the way your ad system works is that the other ad providers automatically "take up the slack" of the rejected company and fansub revenue doesn't suffer. :(

PS: the way you readily said it was a problem and the fast action speaks volumes about fansubtv and its admin. Huzzah! Can you please come and work for my ISP?

Have fun & cheesie puffs,
Duck.
 