Vulnerability attack when visiting flightstats.com?

Discussion in 'Travel Technology' started by JALPak, Mar 2, 2011.

  1. JALPak
    Am I the only one getting the vulnerability alert when visiting flightstats.com? I started getting them today when I visited it. It doesn't happen 100% of the time, but I just got the same alert from Norton just now after loading a couple of pages. Below are the screen captures. Notice the HTTP FakeAV WebPage Request alert from Norton. Good that it's blocking the attack :eek: Most likely it's from the ads. Am I the only one getting this?

    [Screenshot: Screen shot 2011-03-02 at 10.45.07 PM.png]

    [Screenshot: Screen shot 2011-03-02 at 10.45.23 PM.png]
     
  2. Travel2Food
    I'm not seeing it here, but I'm using Firefox with Adblock Plus and Ghostery, so I don't see the ads served up, either. My AV is ESET.

    I'd bet that someone has poisoned one of the ads being served so it points to a malware site that tries to entice you to start a fake AV scan (which would then load malware onto your computer). But there may be something that's loaded itself
     
  3. vbroucek
    I cannot replicate it either, but I would not be surprised if one of the ads had malicious content. On the other hand, I am using McAfee 8.8 Enterprise, so the detection experience will be different from Norton; a false positive is also a possibility.
     
  4. JALPak
    McAfee missing it is also a possibility :p
     
  5. vbroucek
    Right now, we are testing 8.8 extensively and even have McAfee engineers on site due to 8.8 producing a false positive on one of our corporate applications... So, you might be right too :) However, compared to Norton, I would not be sure. If it was compared to Dr.Web or something like that... :)

    Looking more closely at the OP's screen captures, it looks like FakeAV has been detected. That would strongly suggest that one of the ads was actually one of those that say that your computer is infected and that you should download software to fix it. I just had a look into our ePO console and there has been increased activity of these in the last few days (detected by McAfee :)). As you know, the ads delivered do not depend on the site visited but on many other factors, so I may not get that particular ad. To the OP, I would recommend clearing all cookies and caches.
     
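The posts above boil down to one question: which of the ad-network requests on the page bounced the browser to the "your computer is infected" landing page. Since ad delivery is keyed on the visitor rather than the site, the way to pin it down is to record a HAR capture (browser network panel or an intercepting proxy) while reproducing the alert and then look at the third-party hosts and the redirect chains in it. The script below is an added example for doing that triage; it is not code from this thread, from FlightStats, or from Norton. The HAR in it is constructed for illustration, the first-party host is the site from the thread, and every other hostname is an invented placeholder on the reserved .test TLD, not a real ad network.

```python
"""Triage third-party requests and redirect chains from a HAR capture."""
import json
from collections import Counter
from urllib.parse import urljoin, urlparse


def _entry(url, status, redirect=""):
    # Minimal HAR entry: only the fields this triage needs.
    return {"request": {"url": url},
            "response": {"status": status, "redirectURL": redirect}}


# Constructed sample capture (not a real recording). The ad slot request is
# bounced through the network's rotator and lands on an unrelated host that
# serves the "scan now" page. All non-first-party hosts are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.flightstats.com/go/Home/home.do", 200),
    _entry("https://www.flightstats.com/static/js/site.js", 200),
    _entry("https://ads.adnet-one.test/serve?slot=leaderboard", 302,
           "https://rotator.adnet-one.test/creative/4711.js"),
    _entry("https://rotator.adnet-one.test/creative/4711.js", 302,
           "http://scan-now-alert.test/index.php?id=3"),
    _entry("http://scan-now-alert.test/index.php?id=3", 200),
    _entry("https://cdn.adnet-one.test/pixel.gif", 200),
]}}


def site_of(url_or_host):
    """Naive registrable domain (last two labels) for grouping hosts.
    Use the public suffix list if you need co.uk-style domains handled."""
    host = urlparse(url_or_host).hostname if "//" in url_or_host else url_or_host
    return ".".join((host or "").lower().split(".")[-2:])


def third_party_hosts(har, first_party_site):
    """Count requests per host that are not under the first-party site."""
    counts = Counter()
    for e in har["log"]["entries"]:
        host = urlparse(e["request"]["url"]).hostname or ""
        if site_of(host) != first_party_site:
            counts[host] += 1
    return dict(counts)


def redirect_chains(har):
    """Follow 3xx responses into chains of URLs, one chain per chain head."""
    nxt = {}
    for e in har["log"]["entries"]:
        url, resp = e["request"]["url"], e["response"]
        if 300 <= resp["status"] < 400 and resp.get("redirectURL"):
            nxt[url] = urljoin(url, resp["redirectURL"])  # Location may be relative
    targets = set(nxt.values())
    chains = []
    for start in nxt:
        if start in targets:
            continue  # not the head of a chain
        chain, cur = [start], start
        while cur in nxt and len(chain) < 20:  # guard against redirect loops
            cur = nxt[cur]
            chain.append(cur)
        chains.append(chain)
    return chains


def cross_site_redirects(har):
    """Chains that end on a different site than they started on: the hop
    from the ad network to whatever landing page bought the impression."""
    return [c for c in redirect_chains(har) if site_of(c[0]) != site_of(c[-1])]


def load_har(path):
    """Load a HAR file saved from the browser's network panel."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    print("third-party hosts:", third_party_hosts(SAMPLE_HAR, "flightstats.com"))
    for chain in cross_site_redirects(SAMPLE_HAR):
        print("cross-site redirect:", " -> ".join(chain))
```

On a real capture, replace SAMPLE_HAR with load_har("capture.har"). The cross-site chains are the ones to hand to the site's ad operations contact, since they name both the network that served the slot and the host it redirected to; a host count alone only tells you which networks were on the page.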
  6. JALPak
    I have Norton engineers on site to improve the one installed on my machine too :) The alert says BLOCKED, so I have faith in those Norton engineers and am not worried about it too much. But at the same time, it's probably a good idea not to visit flightstats. That's the only site giving me those alerts in the last two days.
     
  7. vbroucek
    Well, I did not make myself clear: we have a 15,000-seat McAfee licence here, not one on my machine :) I am on flightstats right now with 5 VMs, each running a different AV product. None of them sees anything suspicious. And trust me, I know what I am talking about; I was there when we killed most AV products in under several minutes. Have a look here, here and here. It's part of my job to do these things...
     
  8. JALPak
    Same here, with more than 15,000 seats of Symantec products installed here :) Those slides make it sound easy, but in reality it's not as easy as it seems.

    Anyway, there are some problems with either the site or the Norton product, and I am leaning towards it being the ads displayed. There's a flightstats PM on MP. Hopefully he will reply sooner or later.
     
  9. vbroucek
    Unfortunately, it is that easy, trust me. I have been a member of one of the 2009 teams and one of the judges in 2010. The guy who organises this (Eric Filiol) is a close friend of mine, and we do a lot of work together in the area of cyber warfare.
     
  10. JALPak
    Well, if you have a disgruntled user, then everything is easy. You might as well go uninstall the AV products and save yourself some time LOL
     
  11. vbroucek
    Which (interestingly enough) some of my colleagues actually do. Most of our work is done in secure labs and from VMs, so if an infection happens, you just return to the previous snapshot and voila :)
    The work that Eric in particular does is not very popular with the AV industry. I am not involved in this one, but his team is releasing a free version of a hardened ClamAV to show the industry how much it is ripping all of us off. But we are too far off topic here now :)
     
  12. JALPak
    Not very popular maybe because they don't think those are real issues :) It's not that easy for a threat to first get onto the system and do all those steps while the AV products are running. But having a disgruntled user is a completely different story.

    Anyway, I replied to the flightstats PM post last night but have yet to hear from them about this issue. Hopefully their ad provider has fixed it already. I have yet to see this issue today.
     
  13. vbroucek
    The 2010 challenge winners did not need access to the computer. They created an OpenOffice/Microsoft Office macro that did it for them... :)
     
  14. JALPak
    On which AV product?
     
  15. vbroucek
    It was Attack #4 and it worked on all 15 products. A little bit more about the attack is here. Full details have been provided to the vendors.
     
  16. JALPak
    Um... but it still required user actions to change the setting? But I guess most users will just do it when prompted.

    But the alert in the OP is completely different from this :eek:
     
  17. vbroucek
    I have a feeling that it was capable of changing settings itself. It was using a very simple but efficient crypt to fool the AV. It was a proof of concept and there was some critique of the methodology (it used the EICAR test virus), but I have seen it done with a real virus. Attack #4 came from students, and they are not allowed to work with real viruses.
     
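The point in the last post, that a "very simple but efficient crypt" is enough to get a known payload past a signature check, is easy to see with a toy model. The script below is an added example written for this page; it is not the challenge's Attack #4, nor code from any AV vendor. The "scanner" is a stand-in that knows exactly one pattern, the public EICAR test string the post mentions, and the single-byte XOR container format with its "XOR1" header is an assumption made up here to show the idea. Note that the EICAR convention only flags a file whose first 68 bytes are the string, so a source file with it as a literal is normally not detected, but a resident scanner may still object to saving this script.

```python
"""Why a trivial crypter beats a static signature: toy scanner vs. XOR stub."""

# The public EICAR test string (68 bytes), the only pattern the toy scanner knows.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Stand-in for a signature scanner: a byte-substring match against known
# patterns. Real engines do far more, but the dependency on the bytes that
# are actually present on disk is exactly what a crypter exploits.
SIGNATURES = {"EICAR-Test-File": EICAR}

MAGIC = b"XOR1"  # container header for this toy format (an assumption)


def scan_bytes(blob):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def xor_crypt(data, key):
    """Single-byte XOR; symmetric, so it both encodes and decodes."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 is the identity and would leave the signature intact")
    return bytes(b ^ key for b in data)


def build_stub(payload, key):
    """Wrap the payload the way a dropper would: header, key byte, encoded body."""
    return MAGIC + bytes([key]) + xor_crypt(payload, key)


def run_stub(container):
    """Simulate the dropper decoding its payload in memory at run time."""
    if not container.startswith(MAGIC):
        raise ValueError("not a stub container")
    key = container[len(MAGIC)]
    return xor_crypt(container[len(MAGIC) + 1:], key)


def demo(key=0x5A):
    """Verdict at each stage: plain payload, crypted container, decoded payload."""
    container = build_stub(EICAR, key)
    return {
        "plain": scan_bytes(EICAR),
        "on_disk_container": scan_bytes(container),
        "decoded_in_memory": scan_bytes(run_stub(container)),
    }


if __name__ == "__main__":
    for stage, verdict in demo().items():
        print(f"{stage:>20}: {verdict}")
```

The middle stage is the whole trick: the container on disk contains no recognisable bytes, so a static match says "clean", while the decoded bytes the stub produces in memory match immediately. That is why a product that only scans files at rest loses to a one-line XOR loop, and why the argument about whether EICAR is a fair stand-in does not change the mechanism; any byte-pattern signature behaves the same way.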
