Google Analytics disguises virus infects Firefox and Opera
Among the web pages added to the free antivirus database for SiteGuard sites, recently there have often come across pages containing potentially dangerous iframe or javascript codes, while these codes had a common feature ─ they all led to different pages of the _google- domain analistyc.net_ (caution, at the moment there is just a word test, but anything may appear, so you should visit such sites with JS disabled). Details ─ under habrakatom.
For example, a page was found that in turn downloads an iframe with the address _http: //www.telexexchange.net/psy/_ (be careful!).
The script at this address determines the type of browser, and displays an appropriate exploit for it, including for Firefox and Opera. Those who wish to conduct experiments on their own will once again emphasize that visiting this site should only be disabled by turning off JavaScript in the browser settings, and IE users should refrain from experimenting at all. At the time of this writing, the site has not yet appeared in the database of dangerous sites Firefox.
A more detailed “debriefing” suggests that this virus has much more serious intentions than the “Clone” Google Analytics that appeared in April of this year at _http: //gooqle-analytics.com/_. The new modification of the clone has nothing to do with the previous one, and is more dangerous in terms of its destructive effect ─ using the vulnerabilities of the browsers, it tries to secretly download and execute the exe-file with the trojan.
The above link to telexexchange is not diagnosed by Dr.Web on-line as a virus, apparently due to incompatibility of the User-agent (any safe code is issued to the scanner's spooler, and less safe to all browsers).
')
The developers of leading domestic antiviruses have already been informed by us about this type of virus, so soon we can expect the release of the corresponding database updates.
Thus, today, even the use of correct browsers does not solve the problem with viruses, so it remains only to recommend using modern anti-virus tools, and as a half-measure for Windows users ─ add to the WINDOWS \ system32 \ drivers \ etc \ hosts file:
UPD: Firefox 3 already warns about the site as potentially dangerous.
For example, a page was found that in turn downloads an iframe with the address _http: //www.telexexchange.net/psy/_ (be careful!).
The script at this address determines the type of browser, and displays an appropriate exploit for it, including for Firefox and Opera. Those who wish to conduct experiments on their own will once again emphasize that visiting this site should only be disabled by turning off JavaScript in the browser settings, and IE users should refrain from experimenting at all. At the time of this writing, the site has not yet appeared in the database of dangerous sites Firefox.
A more detailed “debriefing” suggests that this virus has much more serious intentions than the “Clone” Google Analytics that appeared in April of this year at _http: //gooqle-analytics.com/_. The new modification of the clone has nothing to do with the previous one, and is more dangerous in terms of its destructive effect ─ using the vulnerabilities of the browsers, it tries to secretly download and execute the exe-file with the trojan.
The above link to telexexchange is not diagnosed by Dr.Web on-line as a virus, apparently due to incompatibility of the User-agent (any safe code is issued to the scanner's spooler, and less safe to all browsers).
')
The developers of leading domestic antiviruses have already been informed by us about this type of virus, so soon we can expect the release of the corresponding database updates.
Thus, today, even the use of correct browsers does not solve the problem with viruses, so it remains only to recommend using modern anti-virus tools, and as a half-measure for Windows users ─ add to the WINDOWS \ system32 \ drivers \ etc \ hosts file:
127.0.0.1 google-analistyc.net
127.0.0.1 telexexchange.net
UPD: Firefox 3 already warns about the site as potentially dangerous.
Source: https://habr.com/ru/post/47769/
All Articles