Malware drive-by at Cracked.com. Have you visited it lately?

Fairportfan
Posts: 3283
Joined: Wed Aug 01, 2012 12:14 am
Location: Atlanta (well, Gainesville)

Malware drive-by at Cracked.com. Have you visited it lately?

Post by Fairportfan »

Cracked.com Had Malware; Clean Up Your Computer Now!
Fahmida Y. Rashid/PCReview.com/SecurityWatch wrote: If you've visited popular humor website Cracked.com over the last few days, it's possible you may have been hit by a drive-by-download attack, according to researchers at Barracuda Labs. Scan your computer right away!

A researcher discovered on Nov. 10 that Cracked.com was hosting a drive-by download which delivered malware to site visitors with vulnerable systems, Barracuda Networks researchers Daniel Peck and Paul Royal wrote on the Barracuda Labs blog. It appears the attackers may have had access to the site as early as Nov. 4.

A drive-by-download occurs when malicious code on the Web page targets vulnerabilities in the software running on a user's computer. Unlike other Web-based attacks which require a user to click on a link or open a file, a drive-by can download malware or execute commands without any user action. The user is infected just by visiting the page.

A site administrator on Cracked.com posted to the user forums indicating the problem has been resolved as of Tuesday evening. "Yeah we stopped getting complaints about it and Google took us off the malware warning list or whatever was triggering it. Is anybody else getting it again?"

Barracuda's Peck confirmed to SecurityWatch that the site was not currently compromised, but said that after looking into past issues with Cracked.com, these kinds of attacks "appear to be a recurring problem for them."

Details of the Attack
In this case, malicious JavaScript code on Cracked.com would request a malicious page from a different site owned by the attackers called crackedcdm.com. At this point, the attack page uses "a blend of malicious PDF, Java, and HTML/JavaScript files" to try to compromise the browser. Once the browser is compromised, the malware downloads and installs itself. At the time of publication, 24 out of 47 major antivirus vendors detect the malware, according to VirusTotal.

The only indication the user has that something may be wrong is by noticing that the Java plugin has launched and a message appears that the system is low on memory.

Barracuda Labs warns that "thousands of visitors" may have been exposed to the attack. Statistics collected by Alexa rank Cracked.com as the 289th most popular site in the United States, and 654th in the world.

Peck said that initial findings indicate the attackers were using techniques and exploits similar to what is found in the Nuclear Exploit Pack. Many of the antivirus vendors also appear to be detecting the malware as part of the Androm botnet, he noted.

Trusted Site
If you visited Cracked.com in the past 10 days, update your antivirus signatures and scan your machines right away. It appears several of the major antivirus suites, including Kaspersky Lab, F-Secure, Trend Micro, Symantec, McAfee, and BitDefender, updated their signatures today to detect this malware, according to VirusTotal.

Also make sure you are staying on top of the updates for popularly targeted software, such as Adobe Reader, Java, and your Web browser, since these drive-by downloads depend on your having unpatched software. Many Web browsers, such as Google Chrome, also display big red warning screens about malware being detected on the site. If you are receiving a malware warning from your security software or browser, take it seriously and don't access the site. That funny article will keep.

It appears from looking at the Cracked.com forum postings that many people saw the warning and clicked the "Proceed" button anyway to get to the site. Don't do that!

The fact that Cracked.com doesn't proactively alert site visitors about these incidents, or provide remediation steps to clean up the systems "tends to indicate that Cracked.com should be avoided if you're concerned with malware," Barracuda Labs concluded in its post.
Oddly enough, the first time in months that i visited the site was last week. Malwarebytes is running a scan even as i type, after which i'll do an AVG scan as well.
Not even duct tape can fix stupid. But it can muffle the noise.
=====================
Peace through superior firepower - ain't nothin' more peaceful than a dead troublemaker.
=====================
mike weber
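The quoted article describes script on Cracked.com requesting a page from the lookalike domain crackedcdm.com. As an added example (not part of the thread or the quoted article), this Python check lists third-party script/iframe domains whose name contains or nearly matches the site's own; the sample HTML, the example.net host and the two-label domain rule are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ExternalRefs(HTMLParser):
    """Collect hostnames loaded by script/iframe/embed/object tags."""
    TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(self.TAGS.get(tag, ""))
        host = urlparse(url).hostname if url else None
        if host:  # relative URLs have no hostname and are first-party
            self.hosts.add(host.lower())

def edit_distance(a, b):
    prev = list(range(len(b) + 1))  # Levenshtein distance, one row at a time
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(html, site_domain, max_distance=2):
    """Return third-party domains whose name contains or nearly matches the site's."""
    parser = ExternalRefs()
    parser.feed(html)
    site_name = site_domain.split(".")[0]
    flagged = set()
    for host in parser.hosts:
        # Assumption: the last two labels are the registered domain (no public-suffix list).
        domain = ".".join(host.split(".")[-2:])
        name = domain.split(".")[0]
        near = site_name in name or edit_distance(site_name, name) <= max_distance
        if domain != site_domain and near:
            flagged.add(domain)
    return sorted(flagged)

# Constructed sample page; only the crackedcdm.com name comes from the article.
SAMPLE_HTML = """
<script src="/js/site.js"></script>
<script src="https://static.cracked.com/app.js"></script>
<iframe src="//stats.example.net/frame.html"></iframe>
<script src="http://crackedcdm.com/constructed-path.js"></script>
"""

if __name__ == "__main__":
    print(find_lookalikes(SAMPLE_HTML, "cracked.com"))
```

A hit is a prompt to check whether the site operator really owns that domain, not proof of compromise.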
Atomic
Posts: 2948
Joined: Tue Jul 31, 2012 12:39 am
Location: Central PA

Re: Malware drive-by at Cracked.com. Have you visited it lat

Post by Atomic »

Firefox Add-on "NoScript". No Javascript unless you authorize it. But of course, if a trusted site gets corrupted....

Ah well. As someone said, Gazelles exist because of Cheetahs.
Don't let other people's limitations become your constraints!

My Deviant Art scribbles
The Atomic Guide to Basic GIMP Stuff
MerchManDan
Posts: 1674
Joined: Fri Aug 03, 2012 3:40 am
Location: Somewhere else.

Re: Malware drive-by at Cracked.com. Have you visited it lat

Post by MerchManDan »

I actually haven't visited Cracked.com recently, so I might be OK. Thanks to Atomic for suggesting NoScript, I just installed it; currently looking into NotScripts for Chrome, but the reviews are very mixed.
"Give orange me give eat orange me eat orange give me eat orange give me you." - Nim the chimp
Image
Animation courtesy of shadowinthelight (thanks again!)
Fairportfan
Posts: 3283
Joined: Wed Aug 01, 2012 12:14 am
Location: Atlanta (well, Gainesville)

Re: Malware drive-by at Cracked.com. Have you visited it lat

Post by Fairportfan »

MerchManDan wrote: I actually haven't visited Cracked.com recently, so I might be OK. Thanks to Atomic for suggesting NoScript, I just installed it; currently looking into NotScripts for Chrome, but the reviews are very mixed.
If you go to the original article - did i post a link? - you see a screenshot of Chrome saying "Don't go there, stupid".

=================

Yes, i did. Thought i had.
407424-chrome-blocks-cracked.jpg
Not even duct tape can fix stupid. But it can muffle the noise.
=====================
Peace through superior firepower - ain't nothin' more peaceful than a dead troublemaker.
=====================
mike weber
MerchManDan
Posts: 1674
Joined: Fri Aug 03, 2012 3:40 am
Location: Somewhere else.

Re: Malware drive-by at Cracked.com. Have you visited it lat

Post by MerchManDan »

I didn't click the link; I trust you enough that I don't believe you made up the entire thing. ;)
"Give orange me give eat orange me eat orange give me eat orange give me you." - Nim the chimp
Image
Animation courtesy of shadowinthelight (thanks again!)
Fairportfan
Posts: 3283
Joined: Wed Aug 01, 2012 12:14 am
Location: Atlanta (well, Gainesville)

Re: Malware drive-by at Cracked.com. Have you visited it lat

Post by Fairportfan »

I include the links on this sort of thing, even if i quote the full thing, because sometimes the comments can be useful or amusing.
Not even duct tape can fix stupid. But it can muffle the noise.
=====================
Peace through superior firepower - ain't nothin' more peaceful than a dead troublemaker.
=====================
mike weber