Back to previous post: Iran revolution

Go to Making Light's front page.

Forward to next post: Open thread 126

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

June 16, 2009

Fun, Making Of Own
Posted by Jim Macdonald at 05:21 PM * 44 comments

Well, folks. Some filmmakers are in town. They’re making a movie up in Pittsburg.

I can make some guesses about what happened to the people of Friar:

  1. Froze to death? Sounds about right
  2. Eaten by black flies. Hate when that happens.
  3. Went to Coaticook to see the hootchie-kootchie show.
Comments on Fun, Making Of Own:
#1 ::: xeger ::: (view all by) ::: June 16, 2009, 05:23 PM:

They spent their days trying to translate between Unix and Windows, and grew ever stranger and more peculiar, until one night ...

#2 ::: Lee ::: (view all by) ::: June 16, 2009, 05:59 PM:

Not to my taste, thanks. But it looks like it should be decent for horror fans.

#3 ::: MichaelC ::: (view all by) ::: June 16, 2009, 06:05 PM:

Um. The making a movie site link triggered my browser's fraudulent website warning and directed me to a Google Safe Browsing diagnostic page, which reported the following:
"The last time Google visited this site was on 2009-06-16, and the last time suspicious content was found on this site was on 2009-06-16. Malicious software includes 143 trojan(s), 48 scripting exploit(s), 27 exploit(s)."

FYI, here's the address of the Google page to which my browser directed me:
http://google.com/safebrowsing/diagnostic?tpl=safari&site=91.212.65.148&hl=en-us

#4 ::: Jim Macdonald ::: (view all by) ::: June 16, 2009, 06:10 PM:

Here's their MySpace page.

(I'm not getting Google alerts, nor are any of my AV programs popping up warnings....)

The site does have annoying music....

#5 ::: Jim Macdonald ::: (view all by) ::: June 16, 2009, 06:15 PM:

91.212.65.148 seems to be located in Russia. I'm pretty sure that yellowbrickroadthemovie.com isn't hosted there.

#6 ::: Dave Bell ::: (view all by) ::: June 16, 2009, 06:20 PM:

Avasti AV gives me a warning on that site.

A quick check on a Linux box shows a site very dependent on Flash, apparently with no way past the the opening page without using Flash and scripts.

I'm not curious enough to take chances.

#7 ::: Dave Bell ::: (view all by) ::: June 16, 2009, 06:25 PM:

I tried to check the MySpace page and my eyes fell out.

#9 ::: James D. Macdonald ::: (view all by) ::: June 16, 2009, 09:53 PM:

I'm back home now. Yellowbrickroadthemovie.com is at 67.228.235.94

91.212.65.148 is indeed somewhere in Russia. I dunno how that popped up.

The official site is pretty darned Flash-heavy.

Here are the sub-pages:

http://www.yellwobrickroadthemovie.com/CONTACT.html

http://www.yellowbrickroadthemovie.com/TRAILER.html

http://www.yellowbrickroadthemovie.com/LEGEND.html

http://www.yellowbrickroadthemovie.com/EXPEDITION.html

http://www.yellowbrickroadthemovie.com/MESSAGE.html

The trailer doesn't seem to exist. (Seeing as the principal photography hasn't happened yet, this isn't surprising.)

#10 ::: Steve Taylor ::: (view all by) ::: June 16, 2009, 10:59 PM:

I don't have a knee jerk reaction against Flash - it's great for games, interactive artworks, video and music players, visualisation tools...

But why why why is someone using it to navigate through what are basically a set of pages of text with still pictures? Oh well...

Drifting back on topic, I love seeing my city (Melbourne, Aus) on film. I even rented Queen of the Damned (don't!) just to play "look for the Melbourne locations".

#11 ::: xeger ::: (view all by) ::: June 16, 2009, 11:53 PM:

Steve Taylor @ 10 ...
I do have a knee-jerk reaction against flash. When it's used appropriately, it's almost invisible -- but it's so often used inappropriately that my first reaction is inevitably "not -that- again" followed by closing the window.

#12 ::: Steve Taylor ::: (view all by) ::: June 17, 2009, 12:03 AM:

xeger at #11 writes:

> I do have a knee-jerk reaction against flash. When it's used appropriately, it's almost invisible -- but it's so often used inappropriately that my first reaction is inevitably "not -that- again" followed by closing the window.

I admit I do use the Firefox "FlashBlock" plugin in self defence. I just wish there was a setting to not animate animated gifs without my permission. But then I've got to defend myself against javascript and dhtml based animation as well. Why can't people just play nice?

#13 ::: Lee ::: (view all by) ::: June 17, 2009, 12:20 AM:

Jim, #9: I didn't have any trouble with your original link (which does indeed go to yellowbrickroadthemovie.com), and the trailer was there when I clicked on it. That's what prompted my post #2, was watching it.

#14 ::: James D. Macdonald ::: (view all by) ::: June 17, 2009, 01:08 AM:

Ah yes, I see. There is a trailer. It just takes forever to download.

#15 ::: Duncan J Macdonald ::: (view all by) ::: June 17, 2009, 10:26 AM:

My Norton 2009 is popping "Bloodhound.Expolit.196" which it identifies as a heuristic virus. The warning showed up as soon as I connected to the site.

#16 ::: zoanne ::: (view all by) ::: June 17, 2009, 11:34 AM:

yep, I got a trojan horse and a dropper virus from that site :-(

#17 ::: Zack ::: (view all by) ::: June 17, 2009, 12:44 PM:

Yeah, when I loaded that site, it tried to redirect me to a PDF containing javascript that tries to exploit heap-overflow bugs in Adobe Acrobat. It's quite a bit less obfuscated than the last time I saw this, and has amusing comments in it like

//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second param to go to 0x41414141 ;)

and

//adobe reader 8 works also with app.setTimeOut?

Should contact the owners of the site and tell them they need to clean it up. I've saved the malicious PDF and the decoded javascript in case anyone wants to see them.

#18 ::: Earl Cooley III ::: (view all by) ::: June 17, 2009, 12:45 PM:

Steve Taylor @12, in the Firefox about:config page, you can set "image.animation_mode" to either "none" or "once", or reset it back to "normal".

#19 ::: Lee ::: (view all by) ::: June 17, 2009, 01:22 PM:

Okay, you guys have got me all paranoid now. I didn't have anything pop up on me, but I'll get my partner to run a full virus sweep while I'm off at the dentist.

#20 ::: Zack ::: (view all by) ::: June 17, 2009, 01:50 PM:

Following up to myself to say that I can't actually find any contact info for the people responsible for that website. Neither CONTACT.htm nor CONTACT.html actually exists, there doesn't seem to be contact info anywhere else on the site, and their whois listing points to a very large hosting provider, midphase.com. I have emailed that provider's technical contact address, but I doubt that will have any effect.

#21 ::: Dave Bell ::: (view all by) ::: June 17, 2009, 02:02 PM:

Jim, if you have actually seen these film-makers, maybe you'd better pass on the malware warning. Somebody on the website side has been either careless or malicious.

If you haven't, do they even exist?

#22 ::: James D. Macdonald ::: (view all by) ::: June 17, 2009, 03:37 PM:

I'm just back from spending the day with them. They're nice people. I'll let 'em know.

#23 ::: James D. Macdonald ::: (view all by) ::: June 17, 2009, 03:47 PM:

I've disabled the link until the virus situation is resolved.

#24 ::: James D. Macdonald ::: (view all by) ::: June 17, 2009, 04:42 PM:

FWIW, I'm running Firefox with NoScript.

#25 ::: abi ::: (view all by) ::: June 17, 2009, 04:46 PM:

Jim @25:
The three infected files are all copies of "Trojan horse generic 13.BEGH"

And the random irreverent part of me pictures a large white horse, with a bar code on its side just below the word HORSE in sans-serif lettering.

#26 ::: James D. Macdonald ::: (view all by) ::: June 17, 2009, 04:48 PM:

TrendMicro give a completion time of 21 1/2 days. This might just take some time....

#27 ::: abi ::: (view all by) ::: June 17, 2009, 05:06 PM:

I did not hallucinate Jim's comment about that generic Trojan horse. Did not.

#28 ::: Mary Aileen ::: (view all by) ::: June 17, 2009, 05:20 PM:

abi (27): <soothingly> We believe you. </soothingly>

#29 ::: James D. Macdonald ::: (view all by) ::: June 17, 2009, 05:40 PM:

You didn't. But I removed it because it might give the wrong impression. Further checking through the AVG files told me that they'd entered the Virus Vault on April 9, when I was out looking for updated video drivers.

#30 ::: James D. Macdonald ::: (view all by) ::: June 17, 2009, 06:25 PM:

TrendMicro is down to saying just four days. Things improve.

I've long considered that the existence of computer viruses is proof of the existence of original sin.

#31 ::: Steve Taylor ::: (view all by) ::: June 17, 2009, 07:28 PM:

Earl Cooley III at #18 writes:

> Steve Taylor @12, in the Firefox about:config page, you can set "image.animation_mode" to either "none" or "once", or reset it back to "normal".

You star! My life is now slightly better.

All good things come from Making Light.

#32 ::: Zack ::: (view all by) ::: June 17, 2009, 07:50 PM:

James: NoScript would totally block this attack; if you don't execute javascript it doesn't even get as far as reaching out to 91.212.65.148 to grab the malicious script that grabs the malicious PDF.

#33 ::: James D. Macdonald ::: (view all by) ::: June 18, 2009, 07:52 AM:

Their contact address is info[at]yellowbrickroadthemovie[dot]com

#34 ::: Serge ::: (view all by) ::: June 18, 2009, 09:23 AM:

abi @ 27... Thought you were having a George Orr moment, eh?

#35 ::: albatross ::: (view all by) ::: June 18, 2009, 10:46 AM:

It's worth finding a non-Adobe PDF viewer, so you're not 100% part of the monoculture for which the virus writers are adapted.

One thing that would be really useful is a setting or add-on for my browser, that would push the PDF file being opened off to some remote PDF-to-HTML server. Anyone know of any such thing?

#36 ::: David Harmon ::: (view all by) ::: June 18, 2009, 10:50 AM:

albatross #35: Well, Google can do the conversion, so you could potentially just use them to look up the PDF's original URL.

#37 ::: Jim Macdonald ::: (view all by) ::: June 18, 2009, 10:02 PM:

Eric, the producer, thanks us for informing them that their site was hacked.

#38 ::: Lee ::: (view all by) ::: June 18, 2009, 10:29 PM:

My virus scan showed no problems. Very likely the attempt was blocked by my Hosts File From Hell.

#39 ::: James D. Macdonald ::: (view all by) ::: June 19, 2009, 09:50 AM:

Sequential scans by TrendMicro Housecall, Malwarebytes, SuperAntiSpyware, and AVG, found a total of four tracking cookies.

I don't think I caught anything.

#40 ::: James D. Macdonald ::: (view all by) ::: June 19, 2009, 10:17 AM:

The post at the bottom of the thread here at BleepingComputer.com (from quietman7, Jun 9 2009, 06:22 AM, contains a ton of links to Antivirus resources.

I'm told that the movie guys were working on restoring their website. Could someone with greater ability than me take a look and see if it's (currently) clean?

#41 ::: Zack ::: (view all by) ::: June 19, 2009, 12:35 PM:

As of about ten minutes ago, the site is not clean: there is still a Javascript fragment on the top-level index.html that pulls malicious code from 91.212.65.148. It is obfuscated to look like it has something to do with Google Analytics, but if you actually decode it it proves to be nothing of the sort.

I also see a very large number of spam links in /LEGEND.html, and further obfuscated Javascript that may also wind up triggering virus attacks (it is not as easy to decode as the stuff in index.html, so I haven't bothered).

The other HTML pages that are reachable from index.html (EXPEDITION.html, MESSAGE.html, NEWS.html, TRAILER.html) do not appear to contain any malicious code. They do have other problems: broken links (including not a few references to files on the website designer's local hard drive), and use of Javascript instead of CSS :hover styles for image rollovers (breaking the site for people who turn JS off).

As noted, the site is very Flash-heavy. I don't have the tools or skills to inspect Flash files for malware.

#42 ::: Clifton Royston ::: (view all by) ::: June 19, 2009, 12:50 PM:

It could have been whacked via the hosting server. My employer had a problem a while ago where their web site got on the Google-sponsored malware list, again due to weird stuff inserted in framing code. When I searched the forums there, I found that a couple other sites on the same IP address (i.e. hosted on the same physical server) had been reported with the identical problem. I suspected the web server machine was cracked or had outdated software on it; I ended up getting the company to move hosting providers.

#43 ::: Vince ::: (view all by) ::: June 19, 2009, 08:55 PM:

I managed to get Bloodhound.Exploit.196, several trojans, as well as the dreaded Spyware Protect 2009. It has taken me three days to clean up the machine, since Spyware Protect wormed its way into both the registry and the System Restore files.

Ah well. It's good to know that a trailer for a horror film creates actual horror. Somehow this seems right, in our post-digital age.

#44 ::: James D. Macdonald ::: (view all by) ::: November 04, 2009, 09:27 AM:

The film is Yellow Brick Road. It has an official trailer, now, that you can see at http://www.youtube.com/watch?v=RfX78jrrmi8

At IMDB it's http://www.imdb.com/title/tt1398428/

And they have a MySpace page at http://www.myspace.com/yellowbrickroadthemovie

Later on, maybe, I'll tell you about my two days as set medic.

Welcome to Making Light's comment section. The moderators are Avram Grumer, Teresa & Patrick Nielsen Hayden, and Abi Sutherland. Abi is the moderator most frequently onsite. She's also the kindest. Teresa is the theoretician. Are you feeling lucky?

Comments containing more than seven URLs will be held for approval. If you want to comment on a thread that's been closed, please post to the most recent "Open Thread" discussion.

You can subscribe (via RSS) to this particular comment thread. (If this option is baffling, here's a quick introduction.)

Post a comment.
(Real e-mail addresses and URLs only, please.)

HTML Tags:
<strong>Strong</strong> = Strong
<em>Emphasized</em> = Emphasized
<a href="http://www.url.com">Linked text</a> = Linked text

Spelling reference:
Tolkien. Minuscule. Gandhi. Millennium. Delany. Embarrassment. Publishers Weekly. Occurrence. Asimov. Weird. Connoisseur. Accommodate. Hierarchy. Deity. Etiquette. Pharaoh. Teresa. Its. Macdonald. Nielsen Hayden. It's. Fluorosphere. Barack. More here.















(You must preview before posting.)

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.