# Malware on FA?



## stormydragon (Apr 30, 2010)

Norton Internet Security is flagging the facdn.net server as a site with "known security risks"

Specifically it says that

[NSFW]http://d.facdn.net/art/mathiasblack/1205467676.mathiasblack_winston-assfuck.jpg

contains Trojan.Maliframe!html


----------



## CannonFodder (Apr 30, 2010)

Probably just some dick reporting fa as a prank.
I've been here for a while and I've never gotten anything from anything.


----------



## Ricky (Apr 30, 2010)

A .jpg image can not contain a trojan.



CannonFodder said:


> Probably just some dick reporting fa as a prank.
> I've been here for a while and I've never gotten anything from anything.



...or maybe he hit that page when the alert came up?


----------



## Teco (Apr 30, 2010)

cool porn bro :V


----------



## Ricky (Apr 30, 2010)

Teco said:


> cool porn bro :V



You should thank him for that ^_^


----------



## Fuzzy Alien (Apr 30, 2010)

I feel like I need antivirus protection for myself after seeing that image. :3


----------



## Teco (Apr 30, 2010)

Ricky said:


> You should thank him for that ^_^


Nah. I was being sarcastic. I dislike :V


----------



## Vriska (Apr 30, 2010)

Ricky said:


> You should thank him for that ^_^


Okay. :U


----------



## south syde dobe (Apr 30, 2010)

Well this was retarded


----------



## Bloodshot_Eyes (Apr 30, 2010)

stormydragon said:


> Norton Internet Security is flagging the facdn.net server as a site with "known security risks"
> 
> Specifically it says that
> 
> ...


 A NSFW might be needed...

...besides that picture sucks anyway...


----------



## Ricky (Apr 30, 2010)

Teco said:


> Nah. I was being sarcastic.



I know 

That's why I didn't thank him either.

Good thing I wasn't in work when I clicked on it :roll:


----------



## south syde dobe (Apr 30, 2010)

Ricky said:


> I know
> 
> That's why I didn't thank him either.
> 
> Good thing I wasn't in work when I clicked on it :roll:


 
I am but no one is really around right now and I'm on my personal laptop but that is annoying.


----------



## Ames (Apr 30, 2010)

stormydragon said:


> Norton Internet Security is flagging the facdn.net server as a site with "known security risks"
> 
> Specifically it says that
> 
> ...



I'm also getting these messages, but I just assume that Norton's being a retarded furry-hating program.


----------



## Ricky (Apr 30, 2010)

Are they going ass to mouth in that picture?

I thought you never go ass to mouth...


----------



## CannonFodder (Apr 30, 2010)

Ricky said:


> Are they going ass to mouth in that picture?
> 
> I thought you never go ass to mouth...


Furries 'nuf said.


----------



## south syde dobe (Apr 30, 2010)

I think I want to slit the OP neck for that though.


----------



## Spawtsie Paws (Apr 30, 2010)

WHAT THE FUCK DID I CLICK. MY EYES ARE RUINED.


----------



## stormydragon (Apr 30, 2010)

Ricky said:


> A .jpg image can not contain a trojan.



No, but just because a file is named .jpg doesn't mean it actually is a JPEG image.


----------



## south syde dobe (Apr 30, 2010)

HAXX said:


> WHAT THE FUCK DID I CLICK. MY EYES ARE RUINED.


 I think we should hack the OP's comp.


----------



## Mentova (Apr 30, 2010)

I lol'd.


----------



## Vriska (Apr 30, 2010)

south syde dobe said:


> I think we should hack the OP's comp.


I'll make the fake pron site.
lololol.


----------



## stormydragon (Apr 30, 2010)

Bloodshot_Eyes said:


> A NSFW might be needed...


Doesn't the name assfuck.jpg kinda make the NSFW'ness kinda obvious?


----------



## Bloodshot_Eyes (Apr 30, 2010)

stormydragon said:


> Doesn't the name assfuck.jpg kinda make the NSFW'ness kinda obvious?


People see the blue text and they just click on it... >.>

See?


----------



## Spawtsie Paws (Apr 30, 2010)

south syde dobe said:


> I think we should hack the OP's comp.


 
but secretly i fingered my asshole out of envy and masturbated to it

oh sure


----------



## south syde dobe (Apr 30, 2010)

HAXX said:


> but secretly i fingered my asshole out of envy and masturbated to it
> 
> oh sure


 
Awesome 



Bloodshot_Eyes said:


> People see the blue text and they just click on it... >.>
> 
> See?


 
MY EYES, MY FUCKING EYES...er oh its just that


----------



## Spawtsie Paws (Apr 30, 2010)

Bloodshot_Eyes said:


> People see the blue text and they just click on it... >.>
> 
> See?



I came. Hard. D:

It hurts now.


----------



## south syde dobe (Apr 30, 2010)

HAXX said:


> I came. Hard. D:
> 
> It hurts now.


 
Slap the OP with it, he'd probably like it :3c


----------



## Spawtsie Paws (Apr 30, 2010)

D:< 

He would probably like it if he was looking at that stuff.

How about I just light him on fire it call the feeling love at first sight?


----------



## south syde dobe (Apr 30, 2010)

HAXX said:


> D:<
> 
> He would probably like it if he was looking at that stuff.
> 
> How about I just light him on fire it call the feeling love at first sight?


 
Best way to do it, he deserves it.


----------



## stormydragon (Apr 30, 2010)

BTW, what the hell is wrong with you people?  I post that a particular URL might have a Trojan in it, and everyone is clicking on it?

And I don't know what's in the file (not being stupid, I haven't clicked on it).  I'm just mentioning it because it's listed on:

http://safeweb.norton.com/report/show?url=facdn.net


----------



## Ricky (Apr 30, 2010)

stormydragon said:


> No, but just because a file is named .jpg doesn't mean it actually is a JPEG image.



That was a JPEG image, and a pretty nasty one too.

*YOU NEVER GO ASS TO MOUTH*


----------



## south syde dobe (Apr 30, 2010)

stormydragon said:


> BTW, what the hell is wrong with you people? I post that a particular URL might have a Trojan in it, and everyone is clicking on it?


It's the internet, I click things...nough said


----------



## Mentova (Apr 30, 2010)

stormydragon said:


> BTW, what the hell is wrong with you people?  I post that a particular URL might have a Trojan in it, and everyone is clicking on it?


What the hell is wrong with _you_ for looking at it in the first place. :V


----------



## Bloodshot_Eyes (Apr 30, 2010)

stormydragon said:


> BTW, what the hell is wrong with you people?  I post that a particular URL might have a Trojan in it, and everyone is clicking on it?



My computer has bitchin' security...


----------



## south syde dobe (Apr 30, 2010)

Heckler & Koch said:


> What the hell is wrong with _you_ for looking at it in the first place. :V


 I fucking agree with this 1000 percent


----------



## Spawtsie Paws (Apr 30, 2010)

You realize that jpg/jpeg can't contain a virus, right?

You guys are a bunch of proud trolls:


----------



## south syde dobe (Apr 30, 2010)

HAXX said:


> You realize that jpg/jpeg can't contain a virus, right?


He's not very bright as it seems.


----------



## stormydragon (Apr 30, 2010)

Heckler & Koch said:


> What the hell is wrong with _you_ for looking at it in the first place. :V





south syde dobe said:


> I fucking agree with this 1000 percent



I wasn't looking at it, I don't even know what's in it.  I just brought it up because it's listed on:

http://safeweb.norton.com/report/show?url=facdn.net


----------



## Fuzzy Alien (Apr 30, 2010)

By the way, your problem is using Norton in the first place. Get a real antivirus program.


----------



## south syde dobe (Apr 30, 2010)

Fuzzy Alien said:


> By the way, your problem is using Norton in the first place. Get a real antivirus program.


 
This is true, Norton fucking slows your system down and what not when it's not even doing anything


----------



## stormydragon (Apr 30, 2010)

HAXX said:


> You realize that jpg/jpeg can't contain a virus, right?
> 
> You guys are a bunch of proud trolls:





south syde dobe said:


> He's not very bright as it seems.



Right, because it's not like someone could take virus.exe and rename it virus.jpg

I mean, no one ever lies on the internet.


----------



## Mentova (Apr 30, 2010)

stormydragon said:


> I wasn't looking at it, I don't even know what's in it.  I just brought it up because it's listed on:
> 
> http://safeweb.norton.com/report/show?url=facdn.net


suuuuure you weren't. :V


----------



## Dragoneer (Apr 30, 2010)

stormydragon said:


> Norton Internet Security is flagging the facdn.net server as a site with "known security risks"
> 
> Specifically it says that
> 
> ...


And this is why Norton and McAfee both suck balls. Because they're unreliable as shit when it comes to the one thing they REALLY need to do right.


----------



## Ricky (Apr 30, 2010)

stormydragon said:


> Right, because it's not like someone could take virus.exe and rename it virus.jpg
> 
> I mean, no one ever lies on the internet.



Except for the fact that _*it wouldn't do anything*_.  But that involves complicated concepts like how Windows uses file extensions.

By the way, if I were Norton I'd consider that picture a threat, too.


----------



## south syde dobe (Apr 30, 2010)

Ricky said:


> Except for the fact that _*it wouldn't do anything*_. But that involves complicated concepts like how Windows uses file extensions.
> 
> By the way, if I were Norton I'd consider that picture a threat, too.


 
Same, it's corrupting the system


----------



## Ricky (Apr 30, 2010)

relevant:

[yt]tO6q7EiNPaA[/yt]


----------



## south syde dobe (Apr 30, 2010)

Ricky said:


> relevant:
> 
> [yt]tO6q7EiNPaA[/yt]


 
Damn lol


----------



## ArielMT (May 1, 2010)

According to the Linux command "file", it's a file of type: JPEG image data, JFIF standard 1.02

According to VirusTotal.com, 14 of 42 antivirus programs declare it a virus: https://www.virustotal.com/analisis...04bbf691785e50afbe12f39685652af3dc-1272685395

Of those that do, most are calling it JPEG-related malware.  I've never seen anything of the like before, but *I did find what made Norton freak out.*  The very last bytes of the file data are this ASCII string:


```
<iframe name="GlobalBanner" src="http://globalbanner.furnation.com/default.asp" width="0" height="0" frameborder="0" scrolling="no" allowautotransparency=true></iframe>
```

The target site returned a 404 error when visited in Firefox, and the root directory returned a 403.


----------



## Taren Fox (May 1, 2010)

Yiff clogged FAF's internet tubes. D:



Ricky said:


> relevant:
> 
> [yt]tO6q7EiNPaA[/yt]


OMG Clerks 2!!! <3333~


----------



## stormydragon (May 1, 2010)

ArielMT said:


> Of those that do, most are calling it JPEG-related malware.  I've never seen anything of the like before, but *I did find what made Norton freak out.*  The very last bytes of the file data are this ASCII string:
> 
> 
> ```
> ...


It could be an attempt to take advantage of:

Microsoft Security Bulletin MS04-028: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

to display an ad banner from Furnation (which isn't responding since it's dead now).


----------



## Dragoneer (May 1, 2010)

ArielMT said:


> According to the Linux command "file", it's a file of type: JPEG image data, JFIF standard 1.02
> 
> According to VirusTotal.com, 14 of 42 antivirus programs declare it a virus: https://www.virustotal.com/analisis...04bbf691785e50afbe12f39685652af3dc-1272685395
> 
> ...


So, images that were uploaded to FurNation are being edited, tagged with a line and that's causing Norton to freak out over FA?

Color me shocked.

I guess this is the ghost of FurNation coming back to haunt us after FA "killed" their website.


----------



## Ricky (May 1, 2010)

ArielMT said:


> According to the Linux command "file", it's a file of type: JPEG image data, JFIF standard 1.02
> 
> According to VirusTotal.com, 14 of 42 antivirus programs declare it a virus: https://www.virustotal.com/analisis...04bbf691785e50afbe12f39685652af3dc-1272685395
> 
> ...



haha, you're right!  holy shit

That's weird.  Why the hell would someone put an iframe in a jpg file?  Maybe it's something the server is stamping on?


----------



## Verin Asper (May 1, 2010)

I know your problem here

NORTON :V


----------



## Taren Fox (May 1, 2010)

Crysix Corps said:


> I know your problem here
> 
> NORTON :V


Avast here!


----------



## Verin Asper (May 1, 2010)

Taren Fox said:


> Avast here!


I use Comodo


----------



## Smelge (May 1, 2010)

I'm going to have to agree that Norton is a pile of ass. One of my old computers came with it pre-installed. I set up a load of other antiviruses on it, and they all picked up Norton as a trojan. Killed it, and suddenly the internet ran a lot faster for me.

And if you have a potential virus, you don't go "oh, and here's a link to it". You message the link to an admin, if it is a virus, you're just encouraging its spread.


----------



## LizardKing (May 1, 2010)

Pretty sure if you can't figure out it's NSFW from the fact it's on FA and ends in "assfuck.jpg" then it's your own damn fault for being stupid.


----------



## Smelge (May 1, 2010)

Yeah.

I always check the address of the link. You never know when http://www.furaffinity.net/view/3792516/ isn't what it seems.


----------



## ArielMT (May 1, 2010)

stormydragon said:


> It could be an attempt to take advantage of:
> 
> Microsoft Security Bulletin MS04-028: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
> 
> to display an ad banner from Furnation (which isn't responding since it's dead now).



Agreed, but a more annoyingly logical purpose would be to either force pop-ups to appear or to redirect viewers to a "why u steal this" page if the image wasn't on Furnation's servers.  Since the iframe is 0x0, it couldn't be used by itself to embed another image.

But unless you're running Windows 95 or an unpatched Windows (XP SP2 and later are patched), it's all academic anyway.  To everyone but Norton and the like, whose antivirus programs probably won't even install on vulnerable versions anymore.


----------



## SnowFox (May 1, 2010)

This already got reported before, but no-one else seemed to care that time
http://forums.furaffinity.net/showthread.php?t=69956

I wonder why?


----------



## Taren Fox (May 1, 2010)

SnowFox said:


> This already got reported before, but no-one else seemed to care that time
> http://forums.furaffinity.net/showthread.php?t=69956
> 
> I wonder why?


You're a bird. It's f'in racism man.


----------



## Foxstar (May 1, 2010)

If Dragoneer starts using lulz.net's ads, then yeah, Malware.


----------



## Ricky (May 1, 2010)

ArielMT said:


> Agreed, but a more annoyingly logical purpose would be to either force pop-ups to appear or to redirect viewers to a "why u steal this" page if the image wasn't on Furnation's servers.  Since the iframe is 0x0, it couldn't be used by itself to embed another image.
> 
> But unless you're running Windows 95 or an unpatched Windows (XP SP2 and later are patched), it's all academic anyway.  To everyone but Norton and the like, whose antivirus programs probably won't even install on vulnerable versions anymore.



You can't inject HTML into a jpeg image.  The browser won't render it.


----------



## ArielMT (May 1, 2010)

Ricky said:


> You can't inject HTML into a jpeg image.  The browser won't render it.



IE did, via buffer overflow in GDI+ six years ago.  I remember facepalming hard when I learned that.


----------



## Ricky (May 1, 2010)

ArielMT said:


> IE did, via buffer overflow in GDI+ six years ago.  I remember facepalming hard when I learned that.



I saw that and it made me lol.  Hopefully that's long gone by now.

Microsoft, you fail at C D:


----------



## stormydragon (May 1, 2010)

Ricky said:


> You can't inject HTML into a jpeg image.  The browser won't render it.



You could at one point because there was a buffer overrun error in the Windows GDI system that allowed you to execute code from a JPG.


----------



## stormydragon (May 1, 2010)

ArielMT said:


> But unless you're running Windows 95 or an unpatched Windows (XP SP2 and later are patched), it's all academic anyway.  To everyone but Norton and the like, whose antivirus programs probably won't even install on vulnerable versions anymore.



Well, even if your computer is no longer susceptible, it's probably not a good idea to leave an infected file lying around.  Someone else may be susceptible.  Also, malware is like cockroaches; if you see one (even an old ineffectual one) there's probably others around.


----------



## mrfinnigan (May 1, 2010)

http://www.facepunch.com/showthread.php?p=3057778

Just sayin'. I know the problem's already been solved, but you really shouldn't dismiss something like that outright.


----------



## Ricky (May 1, 2010)

stormydragon said:


> Well, even if your computer is no longer susceptible, it's probably not a good idea to leave an infected file lying around.  Someone else may be susceptible.  Also, malware is like cockroaches; if you see one (even an old ineffectual one) there's probably others around.



That file is not infected.  It is probably metadata that is used by an image gallery program and the iframe was injected along with the metadata into the image gallery's site (my roommate actually pointed this out when I asked, but I think he's right).  That would be a bug in that image gallery's software though, not cleaning up the metadata before rendering it to the site.

Also, the vulnerability you pointed out does not cause HTML to be able to be injected to a JPEG image and has nothing to do with this, at all.  It isn't even compiled, for one thing.


----------



## Rianu (Jul 17, 2010)

That's what digging on norton hp shows:


Trojan.Maliframe!html
Risk Level 1: Very Low
Discovered: July 10, 2007
Updated: July 10, 2007 11:40:58 AM
Type: Trojan
Infection Length: 65 bytes; 67 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

Trojan.Maliframe!html is a detection for HTML files that contain hidden iframe elements that attempt to perform malicious actions on the computer. This detection is generally encountered when visiting a malicious Web page, which attempts to quietly direct the user to a malicious URL while the current page is loading.

This detection differs from standard virus definitions in that it is used to catch malicious iframe attacks, as opposed to detecting a particular threat. The detection will block an attack at inception, before the malicious code actually arrives on the computer. If your Symantec antivirus product displays a warning with this name, this is a good indication that the attack has been stopped.

Antivirus Protection Dates

    * Initial Rapid Release version July 10, 2007 revision 007
    * Latest Rapid Release version July 12, 2010 revision 021
    * Initial Daily Certified version July 10, 2007 revision 017
    * Latest Daily Certified version July 12, 2010 revision 022
    * Initial Weekly Certified release date July 11, 2007

Threat Assessment
Wild

    * Wild Level: Low
    * Number of Infections: 0 - 49
    * Number of Sites: 0 - 2
    * Geographical Distribution: Low
    * Threat Containment: Easy
    * Removal: Easy

Damage

    * Damage Level: Low
    * Payload: These attacks can lead to further malicious code being downloaded on to the compromised computer.

Distribution

    * Distribution Level: Low

Writeup By: Ben Nahorney


----------



## Rockerkitsune (Jul 22, 2010)

I got that same warning too as well from Norton security


----------



## Rakuen Growlithe (Jul 23, 2010)

Snowfox said:


> This already got reported before, but no-one else seemed to care that  time
> http://forums.furaffinity.net/showthread.php?t=69956
> 
> I wonder why?



I posted it in the right place. People pay more attention if something's in the wrong place.


----------



## Firehazard (Jul 24, 2010)

Dragoneer said:


> So, images that were uploaded to FurNation are being edited, tagged with a line and that's causing Norton to freak out over FA?
> 
> Color me shocked.
> 
> I guess this is the ghost of FurNation coming back to haunt us after FA "killed" their website.


My only question is what is a picture that was ripped from FurNation doing on FurAffinity? I can't trace a file back to its submission page from the filename, but someone who can (i.e. probably any admin) may want to check if this is a TOS violation. I assume the original artist and/or whoever it may have been commissioned by would have had a local copy they could upload instead.

Also, I bet ArielMT is right, although if it relies on an Internet Explorer 6 exploit it's a pretty pathetic attempt at an anti-art-theft measure. Of course, it could be ages old, too. Internet Explorer 6 was probably the most popular browser the last time Furnation worked.


----------

