Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Scroogle issues a plea for help with malware

  • Please log in to reply
1 reply to this topic

#1 Union_Thug


    Bleeps with the fishes...

  • Members
  • 2,355 posts
  • Gender:Male
  • Location:is everything
  • Local time:01:56 PM

Posted 05 July 2010 - 01:57 PM

Houston, we have another problem...

This time it's not Google, and we need some malware sleuths to take a look at this page.

Malware visits Scroogle.org

Google sucks Since June 24, 2010, www.scroogle.org has been visited by malware. This has nothing to do with Google itself, as none of these visits were passed to Google. This malware continues despite the shutdown of Scroogle, and our blocking continues because we would like to identify the source. After 11 days of this, we have blocks in place for 20,000 unique IPs from all over the world. This page is a summary of what we know about how this malware behaves.

It might be nearly impossible to identify the source of this malware. Our best guess is that a fairly popular website is infected by malware, and visitors to that site trigger the fetch to Scroogle from their own computer. We suspect that nothing is displayed at all, because we tried showing an alert page for a day, and then tried redirecting to a SWF file that played a sound for a day. Now we just redirect to a one-pixel GIF.

We don't think it is viral, and the visitor to the malware site might even have a clean computer. We are continuing to block as soon as we see this coming into Scroogle. At most, any particular IP address gets in only two quick hits before our nbbw.cgi program is able to place the block. However, even before we fine-tuned our blocking, we noticed that multiple hits from the same IP were the exception rather than the rule.

More at link.

Edited by Orange Blossom, 18 July 2010 - 06:53 PM.
Adjusted quote tag location. ~ OB

BC AdBot (Login to Remove)


#2 chromebuster


  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:01:56 PM

Posted 11 July 2010 - 10:51 PM

That's so strange that it's not even funny. in fact, with my growing knowledge of scripting, even I'm stumped. But that file they keep mentioning, Winhtp.dll, what is that? Well then, I'll have to do some searchs for nbbw.cgi and see what i get. I search bing, so hopefully, I don't get some stupid machine generated thingo.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users