
Forum Moderators: DixonJones & mademetop


Beware - statcounter.com may be infected with malware

     

Web_speed

10:10 pm on Oct 2, 2011 (gmt 0)



Just thought I should share my experience about statcounter.com of late.

My virus scanner sprang into action twice in the last 48 hours while visiting the statcounter.com website.

Reporting the "win32/winwebsec" virus/exploit/malware

It happened to me as follows:
When I visit the statcounter.com website using IE8, and as soon as the log-in page comes up, my "Adobe reader" springs into life and via an exploit downloads the virus (java code) into my system and tries to run it. Luckily my virus scanner was able to stop it on time on both occasions and quarantine the downloaded code (I use Microsoft Security Essentials).

I have sent the guys at statcounter two emails alerting them to the fact. I don't even want to think what may happen if this code is being injected to viewers via their tracking code on all the websites they help track.

Anyone else noticed this problem lately?

God help us all...

Innovate

12:00 am on Oct 3, 2011 (gmt 0)

5+ Year Member



No, I haven't noticed anything but I use Firefox. I wonder if it's an IE exploit. Nevertheless, I am about to run some scans on my computer. Thanks for the heads up.

Leosghost

12:25 am on Oct 3, 2011 (gmt 0)

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



just been to statcounter ..no "java code" ( do you mean javascript? which it uses ..or java ..which is not at all the same thing )..the javascript ( which is what they use ..and how they run "stats" on your pages ) there is normal..and no unusual "payloads" or "downloads"...

Suggest you look elsewhere for what is "jump starting" your adobe reader..

btw "win32/winwebsec" is a fake AV ( scamware )..if you are seeing this ..you may well have it ..and have picked it up elsewhere..MSRT from MS removes it ..it doesn't quarantine it..MSRT has been able to do this since late 2009.

[edited by: Leosghost at 12:30 am (utc) on Oct 3, 2011]

incrediBILL

12:27 am on Oct 3, 2011 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Most likely it's a compromised ad serving in their ad server, seen this happen to several sites that aggregate third party ad servers. One of the ad servers gets compromised and everyone assumes it's the site itself.

Web_speed

12:46 am on Oct 3, 2011 (gmt 0)



@incrediBILL

I think you are spot on. It may well be one of their ad servers. I was trying to recreate the problem a short while ago over their main page but it is no longer happening. Maybe they received and acted upon my emails. Who knows..... I will check again later and will take a note of the ads shown once the trojan pops.

Everyone take note. It starts with trying to automatically run/open your "adobe reader" which then tries to download and run the Trojan (using java .... you'll notice the java sun systems little icon come up in the task bar when it all happens).

Web_speed

12:56 am on Oct 3, 2011 (gmt 0)



@ Leosghost

Happened to me only over statcounter.com home page (twice, and from two different systems). Virus scanned my system with two more virus scanners. My adobe reader may need a patch to cover for this exploit but my system is clean as far as I can see.

Web_speed

12:13 am on Oct 4, 2011 (gmt 0)



Update

The exploit was delivered via an ad. Apparently they received a couple more reports from users and were able to pinpoint it (so I was informed).

wheel

12:21 am on Oct 4, 2011 (gmt 0)

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member



It's going around. I'm still working my way out of an openx hack from Sunday evening and the consultant I used indicated I'm not alone on this.

incrediBILL

3:42 am on Oct 4, 2011 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



"The exploit was delivered via an ad."


Yup, just like I said as I've seen it happen a bunch.

The worst case scenario I've witnessed is an ad server's domain expired and a hacker bought it and put the nastiest set of randomly rotating redirected servers into the ad serving mix so it really confused the issue of where it was coming from.

Very random, I found out who was doing it, but it took some serious sleuthing.

Nothing they won't do for money, sad really.

Web_speed

6:27 am on Oct 4, 2011 (gmt 0)



"Nothing they won't do for money, sad really."


What I don't get is who the hell is processing online CC payments for those crooks.

Apparently the sneaky exploit is trying to install malware masquerading as a virus scanner. Interrupting the computer's normal operations and acting in a very malicious and deceiving way, trying to get the user to buy the full version. Pure and simple fraud.

Who the hell is processing orders for those crooks..... surely the money trail will lead right back to the company creating this malicious code. How can they get away with this so easily is simply mind boggling!
 
