Mon Sep 11, 2006 4:02 am
anjuna wrote:sx6deep2k2: I know. Firefox and Orca use the Gecko engine so do not use ActiveX. Please read through the rest of the thread. This has been addressed.
Block all the other ads you want, great. I am pointing out FastClick's virus to protect the 70%-80% market share that represents IE/other users.
So, just to clarify, use of FF and Adblock will serve as an effective prophylactic against this particular exploit?
Mon Sep 11, 2006 11:03 am
Oh yeah it could make your computer slower depending on various circumstances. For every ad, your browser will now try to connect to your own computer's web server (which may or may not exist). If it doesn't exist timeouts will happen. If it does exist you'll get instead of an ad a 404 (looks dirty on the eyes). In Apache, a regexp redirect (using mod_rewrite) + transparent PNG may help thats what I used a few years ago before Adblock.
The virus doesn't work on non-Windows. I had Adblock _off_ and didn't catch the virus. I'm using Windows XP SP2 + no patches, Mozilla Firefox 1.5.0.6, Java 1.5 r6 (aka 5.0 r6) and Ad-Watch part of Ad-Aware updated at 08 sept 2006. Adblock is able to achieve the same as the hosts file plus its a much cleaner solution. It allows one to hide or remove the ads (the former will load the ads hence generating cash for the advertiser without you seeing 'em, the latter will in general make a page look much more cleaner), allows wildcards in your blacklist (e.g. http://images.neopets.com/buttons/*), easy on the fly adding or removing from within the browser, manual whitelisting (whitelist wins over blacklist so you can add non-hostile ads and friend(ly) pages), and won't redirect the ads to 127.0.0.1 or another blackhole, generating either timeouts, or load on your local webserver / 404s. Together with Adblock Filterset.G Updater you can even update your blacklist easily from within the browser. A marvelous extension with a lot of control. KrAd
shapu wrote:anjuna wrote:sx6deep2k2: I know. Firefox and Orca use the Gecko engine so do not use ActiveX. Please read through the rest of the thread. This has been addressed.
Block all the other ads you want, great. I am pointing out FastClick's virus to protect the 70%-80% market share that represents IE/other users.
So, just to clarify, use of FF and Adblock will serve as an effective prophylactic against this particular exploit?
The virus doesn't work on non-Windows. I had Adblock _off_ and didn't catch the virus. I'm using Windows XP SP2 + no patches, Mozilla Firefox 1.5.0.6, Java 1.5 r6 (aka 5.0 r6) and Ad-Watch part of Ad-Aware updated at 08 sept 2006. Adblock is able to achieve the same as the hosts file plus its a much cleaner solution. It allows one to hide or remove the ads (the former will load the ads hence generating cash for the advertiser without you seeing 'em, the latter will in general make a page look much more cleaner), allows wildcards in your blacklist (e.g. http://images.neopets.com/buttons/*), easy on the fly adding or removing from within the browser, manual whitelisting (whitelist wins over blacklist so you can add non-hostile ads and friend(ly) pages), and won't redirect the ads to 127.0.0.1 or another blackhole, generating either timeouts, or load on your local webserver / 404s. Together with Adblock Filterset.G Updater you can even update your blacklist easily from within the browser. A marvelous extension with a lot of control. KrAd
Mon Sep 11, 2006 11:49 am
My virus scanner just picked up a Trojan horse Downloader.Generic2.NDJ from Neopets . . .
I have adblock so i dont know if it was linked to a specific ad or not. I didnt get any pop-ups either.
You would think they would screen better . . .
I have adblock so i dont know if it was linked to a specific ad or not. I didnt get any pop-ups either.
You would think they would screen better . . .
Mon Sep 11, 2006 6:28 pm
Interesting. What version of OS, browser, Java? FF has a popup blocker, by default on. At best you'd get a message a popup has been blocked. Would the virus have gone through when your AV didn't catch it? That is an interesting question. I never have an AV on while surfing, I scanned my computer yesterday, and it found nothing whatsoever.
Mon Sep 11, 2006 6:45 pm
Let's get this straight, people. Firefox is a browser, not an anti-virus application, nor a substitute for a brain!
Adblock may block ads, but it is also not an anti-virus application. Nor will it necessarily block viruses just because they are "in" ads, okay!?
It was originally thought this virus needed both ActiveX and Java to crawl onto your system, but it has evolved before and I wouldn't be surprised if it always could or now can affect Firefox. Anyway, the virus is not "in" a pop-up ad.
Knock the damn chips off your shoulders. Do not hide behind something that claims to be safe just because you don't understand about safety.
Learn and do something about this. Sorry for the angry post, I just woke up and am sad to learn more infected, possibly FF users and I might call Neopets HQ today. I live in nor-cal so it is only a long distance call to me.
And allnameswereout, just because you are not getting the virus, is sort of a moot point. I mean lots of users are so please don't discount us.
EDIT: The best way for all users to protect themselves, so it seems, as I doubt Neopets can get rid of this ad campaign so easily, is to at the very least add to your HOSTS file the neopets-related ad addresses even if only to your original Windows HOSTS file. This will effectively 'boycott' the FastClick ads and keep your computer safer from the viruses rotated in Neopets ads.
Adblock may block ads, but it is also not an anti-virus application. Nor will it necessarily block viruses just because they are "in" ads, okay!?
It was originally thought this virus needed both ActiveX and Java to crawl onto your system, but it has evolved before and I wouldn't be surprised if it always could or now can affect Firefox. Anyway, the virus is not "in" a pop-up ad.
Knock the damn chips off your shoulders. Do not hide behind something that claims to be safe just because you don't understand about safety.
Learn and do something about this. Sorry for the angry post, I just woke up and am sad to learn more infected, possibly FF users and I might call Neopets HQ today. I live in nor-cal so it is only a long distance call to me.
And allnameswereout, just because you are not getting the virus, is sort of a moot point. I mean lots of users are so please don't discount us.
EDIT: The best way for all users to protect themselves, so it seems, as I doubt Neopets can get rid of this ad campaign so easily, is to at the very least add to your HOSTS file the neopets-related ad addresses even if only to your original Windows HOSTS file. This will effectively 'boycott' the FastClick ads and keep your computer safer from the viruses rotated in Neopets ads.
Mon Sep 11, 2006 8:06 pm
To pinpoint the problem I need to learn why some FF/Windows users get it, while others don't get it. The same may be true for IE users, btw.
I like to use the Internet knowing I cannot get a virus, or knowing that I minimalized such chance. It seems to be going well, except for a few times when I went to crack sites such as Astalavista and P2P. Such was deliberately clicking on a .exe file without AV on. Dumb me.
I actually am not able to access 64.34.181.44*slash*adrun*slash*exp.wmf nor 64.34.181.44. Its not in my firewall. From a shell server of my ISP (way beyond my firewall) I'm not able to acccess either that URL nor the IP address either. Odd? Maybe my ISP blocked them? The IP is pingable though.
I like to use the Internet knowing I cannot get a virus, or knowing that I minimalized such chance. It seems to be going well, except for a few times when I went to crack sites such as Astalavista and P2P. Such was deliberately clicking on a .exe file without AV on. Dumb me.
I actually am not able to access 64.34.181.44*slash*adrun*slash*exp.wmf nor 64.34.181.44. Its not in my firewall. From a shell server of my ISP (way beyond my firewall) I'm not able to acccess either that URL nor the IP address either. Odd? Maybe my ISP blocked them? The IP is pingable though.
Tue Sep 12, 2006 11:01 pm
I have written a polite, short private message to Matt Sherman of ValueClick Media (manager of FastClick) since I do not expect Neopets to even make this a priority considering both companies are profiting from such.
Acting as an impartial 'mediator' with nothing to gain or lose, I thought might bring a faster resolution. If nothing is done soon I will submit a more proper bug report to Neopets using the link for Ads instead of a general complaint.
If nothing happens I will post publically on the forum that brought this to my attention (where he claimed earlier the viruses were removed).
If nothing is still done, I will try to snail-mail or call Neopets on the phone.
In the meantime, trust your Adblock if you wish, even update it if you choose to rely on such, but I insist a decent HOSTS file will allow you to sleep better at night, lol. Again, some common ad servers to block on Neopets (including the one rotating the virus exploit) are:
Acting as an impartial 'mediator' with nothing to gain or lose, I thought might bring a faster resolution. If nothing is done soon I will submit a more proper bug report to Neopets using the link for Ads instead of a general complaint.
If nothing happens I will post publically on the forum that brought this to my attention (where he claimed earlier the viruses were removed).
If nothing is still done, I will try to snail-mail or call Neopets on the phone.
In the meantime, trust your Adblock if you wish, even update it if you choose to rely on such, but I insist a decent HOSTS file will allow you to sleep better at night, lol. Again, some common ad servers to block on Neopets (including the one rotating the virus exploit) are:
# [Neopets Ads]
127.0.0.1 servedby.advertising.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 anrtx.tacoda.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 network.realmedia.com
127.0.0.1 rmd.atdmt.com
127.0.0.1 a.tribalfusion.com
127.0.0.1 m1.2mdn.net
127.0.0.1 an.tacoda.net
127.0.0.1 t.pointroll.com
127.0.0.1 media.fastclick.net #[adrun]
127.0.0.1 searchplain.com
127.0.0.1 tag.context.web
127.0.0.1 us.a2.yimg.com
127.0.0.1 view.atdmt.com
127.0.0.1 media.adrevolver.com
Tue Sep 12, 2006 11:59 pm
Thanks for the add-ons to the HOSTS file, Anjuna. While my computer is a bit slower (still contemplating returning to my original HOSTS file and adding in your links), the amount of spyware (tracking cookies, mostly) detected by my system has decreased from ~10/day to zero. Can't argue with results!
Wed Sep 13, 2006 12:32 am
Sure, actually if your original HOSTS file is smaller and adding the neopets-only entries helps, that is still better than nothing (and may be better than Adblock alone especially for this virus exploit in particular). And for the record I have not gotten the virus exploit again since I used the HOSTS file Cranberry linked to PLUS added fastclick and a few others. And I do not use Firefox or Adblock.
Strangely, I tried my original Windows HOSTS with ONLY my neopets entries and despite having some clearly listed, my Temporary Internet Files still loaded *some* ad links (fortunately not any that were from fastclick or contained viruses, nevertheless). Not sure why that is yet.*
*(I know I have my WinPatrol set to "ask to accept" any change to my HOSTS file and it takes a while to register, so that might be it. I can change that setting but feel like leaving it as it is for safety's sake. I possibly just needed to close and re-open my browser to re-fresh settings, as well. Not a big deal anyway; I digress. Sorry.)
The one Cranberry linked to, she is probably right in that it is the "best" HOSTS file out there and I do agree but it even blocks some things I would rather not have blocked (lol, how is that for fortunate over-protection?).
For instance, some of my award-winning crab photos at picture.com which are supposed to be safely viewable as they are to be published in a real book soon, available at libraries and for sale, etc. as well as some of the ads I have chosen to be affiliated with on some of my blog sites (sorry 
but at least they don't host viruses; I was just trying to earn some money as I have no source of income now or ever).
All I get with Cranberry's linked HOSTS file plus my entries (on a fairly fast computer, running XP with the most basic DSL package affordable) is a very very slight lag only after the very top of the sidebar loading (I do not load the main top banner ad at all, deflecting that with a CSS stylesheet) and then BAM! everything on the page loads instantaneously. The lag is almost what I experience and complain about when using Firefox (and even Orca; both using the Gecko engine)
but I am very pleased after when in Avant I see only Neo images and no ads and page loaded completely clean. 
Wed Sep 13, 2006 1:26 am
allnameswereout wrote:To pinpoint the problem I need to learn why some FF/Windows users get it, while others don't get it. The same may be true for IE users, btw.
.
It may be related to the implementation of Adblock. I have adblock set to "Site Blocking" in the Adblock preferences, which as far as I know is NOT a default option for it.
Now, this may not have anything to do with why I have yet to, as far as I know, contract this virus. It could be something totally unrelated to firefox, and based on the fact that I use a router with a firewall in combination with Adblock and firefox.
Wed Sep 13, 2006 2:56 am
Some random tidbits:
Adblock seems not developed anymore, it seems Adblock Plus it more compatible with Fileset.G Updates. I'm gonna try out the Plus variant soon. The Fileset.G extension is a useful extension to keep your blacklist up-to-date. Highly recommended. You can also add your own to a blacklist (using e.g. Anjuna's list), or start a whitelist (your friends websites who you wish ad-money to). Adblock (Plus) is very powerful allowing "regular expressions" which allow one to use e.g. wildcards such as *. With great power comes with great responsibility and this may not be easy for some to use, but you can learn that.
The hosts file will work in any modern OS and affect any application; hence also any browser. Adblock (Plus) is is for FF and will only affect FF. The hosts file does not allow regular expressions, and its hard to block IPs using it. Hence I personally prefer to block on firewall or browser level.
Besides Adblock. I also suggest using noscript extension http://www.noscript.org this way, you disable JavaScript (and e.g. Flash, if you want) for any site, by default. If you need JS (or whatever else you disabled, such as Flash) then you just right-click on the striked out S on the bottom right in your browser and you can either temporarily allow JS (+ other) for this session, or permanent. If you'd add Neopets to your allow list, an advertisement on Neopets not from neopets.com (all ads afaik) will not be allowed to use JS. Your fav sites you trust you can add permanently, the sites you stumble upon and need JS for you add temp, and the sites which seem scary you can safely leave or use without JS.
Current computing is often based on "trust everyone except some". This principle is simply bogus. You cannot trust everyone for everything. You can trust nobody, except some for certain aspects. That is how computers have to be configured and how people have to be teached. But no fear, we will eventually apply this principle on computing as we as society are learning more about computers in relation to security and privacy.
Short answer from Adblock FAQ: since version 0.4 Adblock does not load ads it blocks no matter the setting is "remove ads" or "hide ads". If you have an earlier version it is really time to update, and/or use Adblock Plus + Fileset.G which allows you to synchronize your blocking DB with people who evolve a large part of their life around researching which hosts run ads (similar to the people who make hosts files).
So, I was wrong in that regard. Earlier I told "remove ads" will still load them and "hide ads" will 'repair' the page to reflect as if there were no ads at all. This is true, but neither will load the ads. The latter is a cleaner solution since it will reconstruct the page nice to your eyes. I just wish they still had an option to load ads, eventually w/o cookies, but just not showing them (hiding) thus providing income, yet without you seeing the BS. That'd be undetectable, and would totally screw this market upside down. When I watched TV I always went doing something during commercials as I am simply not and have never been interested in that kind of junk.
Your firewall may indeed block it. Mine blocks media.fastclick.net via Peer Guardian:
$ sudo pfctl -t p2p -T test media.fastclick.net
1/1 addresses match.
(p2p == PG blacklist)
But not one of those IPs hosting the virus:
$ sudo pfctl -t p2p -T test 64.34.181.44
0/1 addresses match.
When I checked yesterday I found Peer Guardian was not blocking that latter IP. I cannot access that IP (the scrubbed URLs Anjuna provided). I cannot even load the server from a so-called "shell" server of my ISP which they allow their customers access to (for *NIX power users). That computer certainly does not block such and I know my ISP does not tamper with WWW access. I was able to ping it though. Perhaps that damn thing is down? Or changed location?
Adblock seems not developed anymore, it seems Adblock Plus it more compatible with Fileset.G Updates. I'm gonna try out the Plus variant soon. The Fileset.G extension is a useful extension to keep your blacklist up-to-date. Highly recommended. You can also add your own to a blacklist (using e.g. Anjuna's list), or start a whitelist (your friends websites who you wish ad-money to). Adblock (Plus) is very powerful allowing "regular expressions" which allow one to use e.g. wildcards such as *. With great power comes with great responsibility and this may not be easy for some to use, but you can learn that.
The hosts file will work in any modern OS and affect any application; hence also any browser. Adblock (Plus) is is for FF and will only affect FF. The hosts file does not allow regular expressions, and its hard to block IPs using it. Hence I personally prefer to block on firewall or browser level.
Besides Adblock. I also suggest using noscript extension http://www.noscript.org this way, you disable JavaScript (and e.g. Flash, if you want) for any site, by default. If you need JS (or whatever else you disabled, such as Flash) then you just right-click on the striked out S on the bottom right in your browser and you can either temporarily allow JS (+ other) for this session, or permanent. If you'd add Neopets to your allow list, an advertisement on Neopets not from neopets.com (all ads afaik) will not be allowed to use JS. Your fav sites you trust you can add permanently, the sites you stumble upon and need JS for you add temp, and the sites which seem scary you can safely leave or use without JS.
Current computing is often based on "trust everyone except some". This principle is simply bogus. You cannot trust everyone for everything. You can trust nobody, except some for certain aspects. That is how computers have to be configured and how people have to be teached. But no fear, we will eventually apply this principle on computing as we as society are learning more about computers in relation to security and privacy.
shapu wrote:allnameswereout wrote:To pinpoint the problem I need to learn why some FF/Windows users get it, while others don't get it. The same may be true for IE users, btw.
.
It may be related to the implementation of Adblock. I have adblock set to "Site Blocking" in the Adblock preferences, which as far as I know is NOT a default option for it.
Now, this may not have anything to do with why I have yet to, as far as I know, contract this virus. It could be something totally unrelated to firefox, and based on the fact that I use a router with a firewall in combination with Adblock and firefox.
Short answer from Adblock FAQ: since version 0.4 Adblock does not load ads it blocks no matter the setting is "remove ads" or "hide ads". If you have an earlier version it is really time to update, and/or use Adblock Plus + Fileset.G which allows you to synchronize your blocking DB with people who evolve a large part of their life around researching which hosts run ads (similar to the people who make hosts files).
So, I was wrong in that regard. Earlier I told "remove ads" will still load them and "hide ads" will 'repair' the page to reflect as if there were no ads at all. This is true, but neither will load the ads. The latter is a cleaner solution since it will reconstruct the page nice to your eyes. I just wish they still had an option to load ads, eventually w/o cookies, but just not showing them (hiding) thus providing income, yet without you seeing the BS. That'd be undetectable, and would totally screw this market upside down. When I watched TV I always went doing something during commercials as I am simply not and have never been interested in that kind of junk.
Your firewall may indeed block it. Mine blocks media.fastclick.net via Peer Guardian:
$ sudo pfctl -t p2p -T test media.fastclick.net
1/1 addresses match.
(p2p == PG blacklist)
But not one of those IPs hosting the virus:
$ sudo pfctl -t p2p -T test 64.34.181.44
0/1 addresses match.
When I checked yesterday I found Peer Guardian was not blocking that latter IP. I cannot access that IP (the scrubbed URLs Anjuna provided). I cannot even load the server from a so-called "shell" server of my ISP which they allow their customers access to (for *NIX power users). That computer certainly does not block such and I know my ISP does not tamper with WWW access. I was able to ping it though. Perhaps that damn thing is down? Or changed location?
Wed Sep 13, 2006 3:31 am
allnameswereout wrote:The hosts file will work in any modern OS and affect any application; hence also any browser.
This is all I needed to know, thanks. Even though I don't use FF or Adblock, I actually feel safer.
As for your being able to selectively block things with an * in some Adblock Plus whatever thingeymabob, Avant and Orca (using Gecko just like FF) can do the same thing. You can also load absolutely no scripts and/or no Flash with the click of a button in both.
Oh and that hosts file makes every page easy on the eyes (at least in IE/Avant).
Good luck to all!
Last edited by anjuna on Wed Sep 13, 2006 4:50 am, edited 3 times in total.
Wed Sep 13, 2006 3:47 am
Nice to hear. Its important to feel safe on the Internet. A healthy balance between usability, paranoia/distrust and feeling of safety is preferable. At least, that is my goal.
Another useful application is "DropMyRights". It allows one to run an untrusted application as non-Administrator. The Administrator is able to change <i>anything</i> on the system. If your application is breached, evil people can use that great power to take great responsibility over your computer. Under a normal user account, there are also risks, but far less. For example, they cannot edit or tamper with anything in c:\windows. Hence, one should not browse the Internet as Administrator (or use the computer with that priveledge under casual usage) one should do such under a non-priveledged user account (normal user; mortal) but for those who prefer to play with power while still wanting to use e.g. a browser more securely as normal user there is this application called "DropMyRights" allowing you to run your unsecure applications such as your browser under normal user account rights. Its pretty straightforward to install and setup. Its just a matter of clicking, reading, and making a shortcut to the application you want to run unpriveledged. Short explanation + URL here http://nonadmin.editme.com/DropMyRights (ignore the 2nd part related to programming etc)
Another useful application is "DropMyRights". It allows one to run an untrusted application as non-Administrator. The Administrator is able to change <i>anything</i> on the system. If your application is breached, evil people can use that great power to take great responsibility over your computer. Under a normal user account, there are also risks, but far less. For example, they cannot edit or tamper with anything in c:\windows. Hence, one should not browse the Internet as Administrator (or use the computer with that priveledge under casual usage) one should do such under a non-priveledged user account (normal user; mortal) but for those who prefer to play with power while still wanting to use e.g. a browser more securely as normal user there is this application called "DropMyRights" allowing you to run your unsecure applications such as your browser under normal user account rights. Its pretty straightforward to install and setup. Its just a matter of clicking, reading, and making a shortcut to the application you want to run unpriveledged. Short explanation + URL here http://nonadmin.editme.com/DropMyRights (ignore the 2nd part related to programming etc)
Wed Sep 13, 2006 9:10 pm
This is indeed a pain and shouldn't have happened. 
Thu Sep 14, 2006 12:16 am
Crystal, if you could provide any details (publically or privately) if you are experiencing this virus too, it would be much appreciated as I am compiling a list of users affected should I need to provide such to Neopets.
Any details at all, really, and if you are re-experiencing it, I am sure someone here, including myself would be happy to help you solve it.
Any details at all, really, and if you are re-experiencing it, I am sure someone here, including myself would be happy to help you solve it.