| Author: |
[Covers Help] Topic: More viruses |
|
tinfoils |
RSI   View Space | Friends | Playbook | |
Legend
Joined: Jun 2002
Posts: 34948
Location: |
#26 Posted: 12/19/2011 5:01:17 PM |
|
quote |
|
kaponofor3 |
View Space | Blog | Friends | Playbook | |
Legend
Joined: Nov 2007
Posts: 33909
Location: California |
#27 Posted: 12/19/2011 6:37:01 PM QUOTE Originally Posted by Rizzo:
Believe me sir we are working hard to get rid of this once and for all. The last thing we want is for anyone not to want to visit our site for these reasons.
We are treating it very serious and taking the necesary steps to prevent it happening again.
Rizz
Rizz -- Thanks for responding. By my look, there are threads in the CT section going as far back as November 10 discussing the problems that users are having. I'm sure I'm not the only one that these problems are occurring with, but quite frankly, I'm pretty tired of having to re-boot my computer in safe mode and run full virus/malware scans. I've had to do it like 5 times now, its getting to be a little ridiculous at this point.
Perhaps you can give us users an idea of what steps are being taken by Covers to rectify this problem?
|
|
quote |
|
kaponofor3 |
View Space | Blog | Friends | Playbook | |
Legend
Joined: Nov 2007
Posts: 33909
Location: California |
#28 Posted: 12/21/2011 11:23:22 AM
|
|
quote |
|
222bad |
View Space | Friends | Playbook | |
All-Star
Joined: Dec 2009
Posts: 10863
Location: United States |
#29 Posted: 12/21/2011 7:08:20 PM 
|
|
quote |
|
Rizzo |
RSI  |
Covers Referee
Joined: Aug 2001
Posts: 13178
Location: Nova Scotia |
#30 Posted: 12/21/2011 7:08:24 PM Hey Guys,
We are investigating this thoroughly. Below is some more info for you...
http://www.wiki-security.com/wiki/Parasite/Win7AntiVirus2012/
These viruses usually come bundled with free software. The reason why they appear as ads on our site is because the virus sniffs out the ads on our site and replaces them with their own ads – basically stealing our traffic and making money off it. It’s part of the scam.
The continuous virus warnings are designed to keep the victim updating and upgrading their fake virus software. |
|
quote |
|
|
|
Europa |
RSI |
Legend
Joined: Dec 2003
Posts: 30932
Location: California |
#31 Posted: 12/22/2011 1:39:56 AM Exploit:Java/CVE-2011-3544.E
Above is the newest virus detected by Microsoft Security Essentials(MSE) on my computer. MSE just finished the scan and removed it. |
|
quote |
|
kaponofor3 |
View Space | Blog | Friends | Playbook | |
Legend
Joined: Nov 2007
Posts: 33909
Location: California |
#32 Posted: 12/22/2011 10:29:38 AM
|
|
quote |
|
Lou |
RSI  |
Covers Referee
Joined: May 2001
Posts: 4487
Location: Canada |
#33 Posted: 12/22/2011 12:53:54 PM
The bottom line is that YOU HAVE TO DOWNLOAD THIS VIRUS AND INSTALL IT YOURSELF.
In other words, it does not come from our site.
Here are a couple of links: http://answers.yahoo.com/question/index?qid=20111215180531AA0ZopT
http://www.bleepingcomputer.com/virus-removal/remove-win-7- antispyware-2012#
http://answers.microsoft.com/en-us/windows/forum/windows_vista- security/how-do-i-remove-vista-home-security-2012-virus/1e3ea9ab- 8b1b-486f-b840-1d1fd4988322
Read them.
You will see that these viruses are caused by users getting tricked into downloading fake anti-virus programs.
Has Covers ever asked you to download anything? Never.
And those "crappy" ads you see running on our site???? Those are delivered by the virus, not Covers. If you are seeing those ads, it's because you already have the virus.
Right now, we are only running ads from Google. Pretty good ones too.
Now, I have to add that there are rare occasions where sites get hacked and can try to install these viruses without the user knowing.
I know it's useless for me to try to convince you that we have not been hacked (we haven't been) but regardless, you can always protect yourself from this by tightening your security settings on your browser. This works for every site.
Problem solved. |
|
quote |
|
Europa |
RSI |
Legend
Joined: Dec 2003
Posts: 30932
Location: California |
#34 Posted: 12/22/2011 1:11:46 PM QUOTE Originally Posted by Lou: The IT team is naturally looking into this. they have been for a month. They haven't found anything, because there is nothing tto find.
The bottom line is that YOU HAVE TO DOWNLOAD THIS VIRUS AND INSTALL IT YOURSELF.
In other words, it does not come from our site.
Here are a couple of links:
http://answers.yahoo.com/question/index?qid=20111215180531AA0ZopT
http://www.bleepingcomputer.com/virus-removal/remove-win-7-
antispyware-2012#
http://answers.microsoft.com/en-us/windows/forum/windows_vista-
security/how-do-i-remove-vista-home-security-2012-virus/1e3ea9ab-
8b1b-486f-b840-1d1fd4988322
Read them.
You will see that these viruses are caused by users getting tricked into downloading fake anti-virus programs.
Has Covers ever asked you to download anything? Never.
And those "crappy" ads you see running on our site???? Those are delivered by the virus, not Covers. If you are seeing those ads, it's because you already have the virus.
Right now, we are only running ads from Google. Pretty good ones too.
Now, I have to add that there are rare occasions where sites get hacked and can try to install these viruses without the user knowing.
I know it's useless for me to try to convince you that we have not been hacked (we haven't been) but regardless, you can always protect yourself from this by tightening your security settings on your browser. This works for every site.
Problem solved.
My computer has been consistently infected by those virues, that i provided above, through Covers.com even last night. If Covers thinks problem solved, then i will be forced to cut down or avoid totally on my computer from visiting Covers.com from now on to be safe from viruses attacked. i have been visiting Covers daily since late 2003 and this site has been a pleasure and safe site for me but it is increasingly difficult ever since the malware issues exit. Thanks for your attention.  |
|
quote |
|
kaponofor3 |
View Space | Blog | Friends | Playbook | |
Legend
Joined: Nov 2007
Posts: 33909
Location: California |
#35 Posted: 12/22/2011 1:14:44 PM
Is it possible that its just a coincidence that a ton of users on covers are reporting complaints with viruses and spyware? Of course.
Is it also possible that maybe covers' website itself has a vulnerability that was used by the rogue spyware (either the ads or the site itself) to install itself onto users' computers?
If I'm reading you correctly Lou, you are saying there is zero chance as per your IT investigation that it is Covers that is the problem, and instead it is the fault of the individual users?
I just want to make sure I am understanding you correctly Lou.
|
|
quote |
|
Lou |
RSI |
Covers Referee
Joined: May 2001
Posts: 4487
Location: Canada |
#36 Posted: 12/22/2011 1:59:46 PM
I don't want to be rude, but these are facts:
- Covers has a website that serves over 2 million people a month.
- Covers has been online for 16 years and has never been hacked. Note to all hackers out there: This is not a challenge! We are not claiming to be smarter than y'all, just that we think we are a very uninteresting site for you to attack. Peace out.
- Covers has a very talented and experienced team of developers and IT professionals. People who have worked all over the place and have experience dealing with garbage like this.
- Covers deals with multiple ad networks, but after this issue arose, we throttled it down to just Google AdSense.
- The developers have combed through all of the code and haven't found any types of snippets that might cause false positives.
- The sys admin team runs daily virus checks and has up-to-date monitoring software that checks for intrusions. Since Covers needs multiple servers that need to be mirrored across the network, any possible hacks of this nature would need to change system settings which would get spotted by our mirroring software.
- The viruses that have been mentioned so far are all transmitted primarily by users downloading it themselves.
- Yes, there is a possibility that the site has been hacked, but due to all of the above facts, we have ruled that out. Not that we haven't fully checked, but there is no sign of it.
- Many of the reports involve users claiming to have received the virus from ads that we don't even serve on this site - a known indicator for the virus.
- Many of the reports claim that they are getting virus warnings while browsing Covers. There is no way to verify these reports without more information from the individuals. Virtually every time we do receive additional information, it inevitably shows that these users actually HAVE a virus already, and that is displaying false warnings.
- Judging from the reports, we figure there are a few dozen - maybe up to a hundred or so - users that are convinced they have a virus coming from Covers. And if the number was significantly higher than that, then we would definitely be hearing about it from more than just a few dozen people.
- Many of the complaints claim that they only receive these warnings while on Covers.
Again, please note that all of the above are pure unadulterated and incontrovertible facts.
Now, with all of those facts in hand, we have the following possibilities...
1) Google AdSense is delivering bad ads. This is possible, but very unlikely as a Internet-wide uproar would be in full swing.
2) Covers is infected, but the virus only transmits to less than 0.01% of the visitors on the site... and those people repeatedly. Again, this is possible, but seems like an unlikely design for a virus.
3) Perhaps. Just perhaps... the people infected and complaining have contracted the virus elsewhere and they just haven't figured out where it actually happened. It's known to be a very difficult virus to eradicate, and maybe they've had it for longer than suspected.
You are a gambling man, kapono. Knowing those above facts, which possibility would you bet on?
I'm not trying to insult you either. Seriously, if we could find out why some people keep having this problem specifically with our site, we would have fixed it by now. We want all of our users to be happy ones.
Perhaps since Covers is a large gambling site, we have been put on some sort of "list" of sites that the virus targets. We don't know.
What we do know is that we can't spend all our time chasing down a ghost that only exists for 0.01% of our users and for which the evidence strongly suggests that the problem not on our site anyway.
What more can I say? |
|
quote |
|
kaponofor3 |
View Space | Blog | Friends | Playbook | |
Legend
Joined: Nov 2007
Posts: 33909
Location: California |
#37 Posted: 12/22/2011 2:17:50 PM
Again, appreciate the response. I know you want your users to be happy ones. I love this site which is why this issue is so important to me. Sounds like I'll need to do more digging on my end and see if I can't find something wrong.
|
|
quote |
|
Lou |
RSI |
Covers Referee
Joined: May 2001
Posts: 4487
Location: Canada |
#38 Posted: 12/22/2011 2:53:15 PM Europa,
I know you are not going to accept this, but I just checked with the IT team and this is what I can tell you...
Regarding the specific virus you mention (Exploit:Java/CVE-2011-3544.E)...
Please read this page from Microsoft
Specifically, read the part where it says: "Exploit:Java/CVE-2011-3544.E is a detection for a malicious Java applet stored within a Java Archive (.JAR) that attempts to exploit a vulnerability..."
And now consider this... Covers.com's website contains no java whatsoever. None. Nada. We simply don't do java.
Therefore, it is physically impossible for Covers to transmit that file to you. We don't have any java or JAR files on our servers. None. You can't transmit a file that doesn't exist.
So Europa, there are two possibilities for you: 1) You got that infected file somewhere else. 2) You actually have a virus that's displaying false warnings.
Those are the only two possibilities.
Now, you can continue to blame Covers for your virus problems, but it's pretty clear that the specific problem you are mentioning (Exploit:Java/CVE-2011-3544.E) is not something that came from Covers.
kaponofor3... this is a perfect example of what we have been dealing with. It always comes from somewhere else. |
|
quote |
|
Europa |
RSI |
Legend
Joined: Dec 2003
Posts: 30932
Location: California |
#39 Posted: 12/22/2011 3:43:58 PM Exploit:Java/CVE-2011-3544.E was detected by MME and successfully deleted last night. My computer only browsed few web sites, CBS Sportline, Yahoo news, Covers.com and my local book. One way to find it out is, i will NOT go to Covers.com for a couple of days and have Microsoft Security Essentials (MME) scanning everday when my PC is off from Covers.com, and see MME still pick ups viruses in the days without browsing Covers.com.
Thanks for your attention, Lou! |
|
quote |
|
oddsbuster |
View Space | Blog | Friends | Playbook | My Sportsbook: BookMaker | |
Banned
Joined: Oct 2006
Posts: 20924
Location: Ohio |
#40 Posted: 12/22/2011 6:32:27 PM I'm on a brand new lap top right now, and I have already had to send 3 virus's to the vault for termination... |
|
quote |
|
Lou |
RSI |
Covers Referee
Joined: May 2001
Posts: 4487
Location: Canada |
#41 Posted: 12/22/2011 7:44:01 PM
We need to know the names of those viruses, as well as the name of your antivirus software. Finally, if you can tell us what pages you were browsing and the ads that were showing, that would be great.
I know that's a lot to ask, but as I mentioned above, we've looked at everything and found nothing. The more specifics we have, the more likely it is that we'll quickly find out the problem, whether it's on our site or your computer. |
|
quote |
|
pa_picks |
RSI |
Veteran
Joined: Aug 2003
Posts: 1261
Location: Pennsylvania |
#42 Posted: 12/25/2011 10:09:01 AM QUOTE Originally Posted by Lou: The IT team is naturally looking into this. they have been for a month. They haven't found anything, because there is nothing tto find.
And those "crappy" ads you see running on our site???? Those are delivered by the virus, not Covers. If you are seeing those ads, it's because you already have the virus.
Right now, we are only running ads from Google. Pretty good ones too.
Clearly this NOT TRUE! This is part of the SOURCE CODE from Covers that is loading on THIS PAGE to which I am replying.
<script language="JavaScript" type="text/javascript">
ord=Math.random()*10000000000000000;
document.write('<scr' + 'ipt language="JavaScript" src="http://ad.doubleclick.net/adj/covers.forum/;vid=728x90-2;;sz=728x90;ord=' + ord + '?" type="text/javascript"></scr' + 'ipt>');
</script>
<noscript>
<a href="http://ad.doubleclick.net/jump/covers.forum/;vid=728x90-2;sz=728x90;ord=123456789?" target="_blank" rel="nofollow">
<img src="http://ad.doubleclick.net/ad/covers.forum/;vid=728x90-2;sz=728x90;ord=123456789?" border="0" alt=""></a></noscript>It is never good policy to spread false information to your customers!!!!
|
|
quote |
|
pa_picks |
RSI |
Veteran
Joined: Aug 2003
Posts: 1261
Location: Pennsylvania |
#43 Posted: 12/25/2011 10:18:06 AM QUOTE Originally Posted by Lou: Europa,
Specifically, read the part where it says: "Exploit:Java/CVE-2011-3544.E is a detection for a malicious Java applet stored within a Java Archive (.JAR) that attempts to exploit a vulnerability..."
And now consider this... Covers.com's website contains no java whatsoever. None. Nada. We simply don't do java.
Here is source code from your MY SCORES page (which I love BTW) that CLEARLY DOES USE JAVA.
<script type="text/javascript" src="/ajax/common.ashx"></script><script type="text/javascript" src="/ajax/SportsDirect.Controls.LiveScoresControls.CustomScoreboard,SportsDirect.Controls.LiveScoresControls.ashx"></script><script type="text/javascript" src="/ajax/SportsDirect.Controls.LiveScoresControls.Scoreboard,SportsDirect.Controls.LiveScoresControls.ashx"></script><script type="text/javascript" src="/ajax/SportsDirect.Controls.LiveScoresControls.BetGraph,SportsDirect.Controls.LiveScoresControls.ashx"></script><script type="text/javascript" src="/ajax/SportsDirect.Controls.LiveScoresControls.BetStatus,SportsDirect.Controls.LiveScoresControls.ashx"></script>
<script type="text/javascript">
//<
Veteran
Joined: Sep 2009
Posts: 3488
Location: Texas |
#49 Posted: 12/26/2011 12:07:45 AM |
|
quote |
|
Mr.Win |
RSI |
Banned
Joined: Jan 2004
Posts: 4116
Location: Germany |
#50 Posted: 12/26/2011 2:08:34 AM QUOTE Originally Posted by philo99:
My brother said to stop using IE, so I am using chrome now. what a differance. Much faster and so far no attacks on here. are you using chrome or firefox? maybe that is why nothing set off your norton.
I've used Chrome since it came out...excellent browser. I used FF before that....never used IE...that stuff is just horrible. |
|
quote |