the bad bad internets August 7, 2008 4:51 AM   Subscribe

so, about this post --> http://www.metafilter.com/73909/History-of-the-DC-Universe ... please read all of more inside first before looking at the post.

it looks like pixie already figured it out, but, for the benefit of all the other Mefi Jr. Detectives out there, let's break this thing down piece by piece.

  • The second link in the post is http://dcu.smartmemes.com/ and it's infected by something. But, what? Let's look at the source. On the last line of the page is a script:
    eval(unescape("%77%69%6e% .... %3e%27%29"));
  • if you expand out the unescape portion, you get the following:
    [clever shit making people's browsers go gaga elided]
  • How did we get from that gobbleygook of % signs and hexadecimal to actual that? Easiest way to figure it is out is to cut out the eval() part (which actually causes the code to run) and change it to a alert(), which causes it to open a prompt in your browser like so. You can even run it from your browser via a javascript: handler like shown in the pic

  • Now, what you should never ever do is change the eval() to a document.write() Why? Because in the case of this code for example, the iframe html tag will actually get written to the page and you won't even know it! Which is what probably happened to Leon, I'm guessing. (Yeah, this whole metatalk post is really just a callout about that.)

  • Anyway, now that we can actually see what the code is, and as pixie points out, it loads an iframe opening a webpage: hxxp://58.xxx.xxx.33/gpack/index.php (please don't actually visit that site). That site has more iframes which load something called the gpack exploit.

  • Anyway, the gpack exploit itself is beyond the scope of this post, but, the important thing to remember is to keep ALL of your software up to date with security patches, because you'll never know when a site could be infected with something. (Or, if you're super paranoid like me, but, also an idiot who runs IE, add all of china to your IE restricted sites list. I had http://58-61.* in there, among other things. saved my ass it did!)

    Oh. Since I'm here anyway, can we get a "this site infected with badware/malware" pony, er, flag?
  • posted by yeoz to Bugs at 4:51 AM (44 comments total) 6 users marked this as a favorite

    It's a shame, too, because that link had some incredible content.
    posted by jbickers at 4:55 AM on August 7, 2008


    A tiny note: it's becoming common to put links discussing malware as "hxxp://" so that no fancy browser will autoconvert the plain text to a link.
    posted by These Premises Are Alarmed at 5:43 AM on August 7, 2008 [3 favorites]


    I love the smell of technical explanations in the morning. You know, one time we had a thread to shit in for 12 hours. When it was closed, I browsed back in. Didn't find one of 'em, not one stinkin' comment. The smell, you know that dead troll smell, the whole thread. Smells like... geektory!
    posted by Kattullus at 5:45 AM on August 7, 2008 [1 favorite]


    anyone know how do i get to see this in action with firebug? i added a breakpoint at the line, but nothing happens...
    posted by not sure this is a good idea at 5:55 AM on August 7, 2008


    Thanks for the warning!
    posted by [more inside] at 5:58 AM on August 7, 2008


    Erm, at the risk of proclaiming my non-geekiness, any chance of someone explaining this in non-tech (it's all geek to me).
    posted by Gratishades at 6:15 AM on August 7, 2008


    Good catch, and lovely explication.

    Oh. Since I'm here anyway, can we get a "this site infected with badware/malware" pony, er, flag?

    Nah, just flag it as something current and send us an email (or just hit the contact form). It's not a common enough problem to bother with a specific flag, and it's really a let-us-know-immediately kind of problem anyway.
    posted by cortex (staff) at 6:19 AM on August 7, 2008


    It probably speaks poorly of me that every time something like this comes up, I want very badly to go and see the bad things happen for myself.

    "Oh guys; I found a very sharp stick over there. Whatever you do, don't poke yourself in the eye with it."
    posted by yhbc at 6:28 AM on August 7, 2008 [1 favorite]


    Erm, at the risk of proclaiming my non-geekiness, any chance of someone explaining this in non-tech (it's all geek to me).

    The second page linked to in the MeFi post has some code on it that automatically (in certain browsers) loads a different page. This other page tries to automatically infect your computer with Bad Things.
    posted by EndsOfInvention at 6:28 AM on August 7, 2008 [1 favorite]


    Google search on soup+utah+smartmemes reguritated [NSFW] (I assume the soup is coincidental):
    http://official.handbook.of.the.marvel.universe.en.wikimiki.org/
    Marvel as well as DC!
    posted by tellurian at 6:46 AM on August 7, 2008 [1 favorite]


    I tried digging up some info about the gpack exploit and all I could really discover is that AdWords spammers /really/ like stealing each others' blog material.

    As an aside, now that the evidence has been posted and confirmed, can one of the mods obfuscate or delete the URLs and exploit scripts?
    posted by ardgedee at 6:48 AM on August 7, 2008


    Munged. Let's see if that does it.
    posted by cortex (staff) at 7:35 AM on August 7, 2008


    So did NoScript in Firefox keep this weird bit of hoo-hah from loading, or do I have a problem on my home computer to tend to tonight?
    posted by Shepherd at 7:43 AM on August 7, 2008


    Heh. Now that the URL is munged, Firefox (2.x) complains every time this thread is loaded. It wasn't complaining before.
    posted by neckro23 at 7:43 AM on August 7, 2008


    Safari Version 3.1.2 (5525.20.1) under Mac OS X 10.5.4 also gives me a warning about a frame attack now, which it didn't earlier this morning.
    posted by cgc373 at 7:51 AM on August 7, 2008


    If you use the contact form, does vacapinta get informed as well?
    posted by grouse at 7:52 AM on August 7, 2008


    Um, this post does a redirect in IE as well, and so should be similarly flagged. Not usper happy about that.
    posted by Artw at 7:59 AM on August 7, 2008


    Ah, the hxxp: thing probably saved me a little, but can we get whatever code is actually excecuting out of teh page? Thanks.
    posted by Artw at 8:02 AM on August 7, 2008


    If you use the contact form, does vacapinta get informed as well?

    No, the contact form is a great big firehose of weirdness, wouldn't really make sense to subject him to it. If it's a middle-of-the-night mod emergency thing, flagging or sending him an email direct are the two good bets.
    posted by cortex (staff) at 8:02 AM on August 7, 2008


    Yeah, nixed the code snippet (and munged the IP, just to be thorough). Hopefully that will do it. Oof.
    posted by cortex (staff) at 8:05 AM on August 7, 2008


    No redirect in IE.
    posted by Artw at 8:08 AM on August 7, 2008


    If it's a middle-of-the-night mod emergency thing, flagging or sending him an email direct are the two good bets.

    A couple people had flagged the post as "display error" or "other." I took a look and, reading a few comments made it clear what was going on. To confirm, I consulted yeoz on IM and...here we are!

    A mefi mail is fine if its urgent. I've gotten a few and I see them right away unless I'm AFK.
    posted by vacapinta at 8:09 AM on August 7, 2008


    Why do people do shit like this exploit? Is it just the joys of knowing they are causing other people grief?

    Because if so, allow me to respond: You suck.

    [Nice summary, yeoz.]
    posted by quin at 8:12 AM on August 7, 2008


    there's nothing wrong with the internets. it only looks like something is wrong if you run a microsoft os and browser.
    posted by quonsar at 8:20 AM on August 7, 2008 [1 favorite]


    Less of the LOLMICROSOFTSUX turdisms please, putting up deliberately harmful code is an act of arseholism regaqrdless of which OS/browser it effects.
    posted by Artw at 8:25 AM on August 7, 2008


    > Why do people do shit like this exploit? Is it just the joys of knowing they are causing other people grief?

    There are various motivations, but they almost always involve taking your money and almost never involve simple vandalism.
    posted by ardgedee at 8:26 AM on August 7, 2008


    So, any hints for those less tech savvy as to how check to see if links they are thinking of putting on are safe? I'm assuming this was an honest mistake by whoever posted (and I don't know who did post, due to not clicking the links just in case).
    posted by Gratishades at 8:42 AM on August 7, 2008


    I actually woke up this morning from a depressingly realistic dream about malware, which is very slightly freaking me out.
    posted by cortex (staff) at 8:45 AM on August 7, 2008 [1 favorite]


    Perhaps the link could be put back up for Mac and Linux users.
    posted by Blazecock Pileon at 8:46 AM on August 7, 2008 [1 favorite]


    /me loves NoScript so badly
    posted by Skorgu at 8:57 AM on August 7, 2008


    Just to be clear, I take it that this is an Internet Explorer exploit which has no effect on any other browser? It isn't clear from the Gpack exploit link one way or the other.
    posted by Chuckles at 9:37 AM on August 7, 2008


    Metafilter: I actually woke up this morning... which is very slightly freaking me out.
    posted by Science! at 10:31 AM on August 7, 2008


    It used to be LaToya and jim hats, but now it's Uzis, macs and Gpacks.
    posted by box at 11:04 AM on August 7, 2008


    I hate to repeat the question, but did NoScript in Firefox keep this weird bit of hoo-hah from loading, or do I have a problem on my home computer to tend to tonight?

    I am technically savvy enough to have NoScript running, but not savvy enough to know if it saved my compu-bacon.
    posted by Shepherd at 1:12 PM on August 7, 2008


    Assuming you had the smartmemes.com site denied by default, which you should have, yeah you're fine.
    posted by puke & cry at 1:30 PM on August 7, 2008


    Do the gpack exploits depend on local admin rights on a windows machine? Various malware scanners report nothing after a browse to the site with Firefox 2.0.0.16 as nonpriv user.
    posted by benzenedream at 2:01 PM on August 7, 2008


    (say, has anyone tried to contact the site author and explain all this? He's probably just a comic-lovin' fella that has no idea that this is going on.)
    posted by Shepherd at 3:57 PM on August 7, 2008


    Little does he know of the real-life battles between Good and Evil raging underneath his comic book timeline.
    posted by benzenedream at 4:48 PM on August 7, 2008 [1 favorite]


    I sent a not very detailed email saying my Anti-Vir popped a warning on his site before I even knew what a gpack exploit was. Hopefully someone followed up with a more elaborate explanation.
    posted by BrotherCaine at 1:02 AM on August 8, 2008


    That thread, and the people mentining the warnings, prompted me to update to the newest Firefox.

    Now I have, and neither the latest Firefox nor the latest Safari (OSX 10.5.4) gives me the tiniest flicker of warning. Is there some reason that neither browser is warning me? Did I FUBAR my settings somewhere along the line or something?

    (I'm also not sure if this is the right place to ask this, so apologies if it isn't)
    posted by paisley henosis at 2:54 AM on August 8, 2008


    paisley:

    Here's how it worked for me. Originally, Avast (my antivirus tool) popped up a warning for me. Then cortex "munged" the offensive URL, changing it from http... to hxxp...

    Firefox then complained that it didn't know how to handle that protocol (hxxp). Then Cortex changed the URL again / removed the offending code completely, and neither Avast nor Firefox made any complaints after that.

    So, if you're checking now for the first time, you don't need to be worried that you're not seeing any warnings. Cortex has removed the offending content.
    posted by syzygy at 4:36 AM on August 8, 2008


    Pray I do not remove it furth—Darth Vadar holding brain hostage, please send help
    posted by cortex (staff) at 6:48 AM on August 8, 2008


    Thanks syzygy, but I was actually referring to the dcu.smartmemes page.

    It is probably because I'm not running anti anti-virus software? Lots of people's complaints made it seem like their errors were browser-based, though, which is why I am confused.

    Sorry for the derail.
    posted by paisley henosis at 7:51 AM on August 8, 2008


    In case anyone is still reading, I wrote the site author and he got back to me thusly:
    Thanks for the heads-up! I assumed your message was spam at first, actually, but I'm glad I took a look at the link and then checked the files at my host. I have deleted the malware script, and added a note for visitors to let them know that. If you happen across any other problems with the site, don't hesitate to let me know.
    So we did some good here today. GO TEAM MEFI. Etc.
    posted by Shepherd at 3:26 PM on August 8, 2008


    « Older Apology.   |   Troja! Newer »

    You are not logged in, either login or create an account to post comments