New Skype pop up spreading in the last 24 hours.


20 replies to this topic

#1 bass740

  • Members
  • 26 posts

Posted 02 February 2014 - 01:59 PM

Hello guys, Skype just produced this popup in FF on its own. After researching a bit, it seems it's been an issue that's been spreading in the last 24 hours and only affecting Skype users.
 
The URL is below. Please don't click, although all you will get is a 500 internal server error.
 
hxxp://wed322d2.e-windowsdefender.nl/index.php?key=328be294bb9bd20b5a9d591cfdce3b4d
 
Searching Google for just hxxp://wed322d2.e-windowsdefender.nl reveals that Skype's ad service has been compromised, according to several posts.
 
All the posts regarding this popup have been created within the last 24 to 48 hours.
 
Any experts on this issue?
 
Thanks

Edited by Blade, 02 February 2014 - 02:02 PM.
disabled URLs




#2 dls62

  • Members
  • 623 posts
  • Gender:Male
  • Location:Berkshire, UK

Posted 02 February 2014 - 02:57 PM

Try installing AdBlockPlus for both Internet Explorer and Firefox.  That should block the ads showing up until Skype sort out the problem:

 

https://adblockplus.org/en/firefox

 

https://adblockplus.org/en/internet-explorer



#3 buddy215

  • BC Advisor
  • 12,995 posts
  • Gender:Male
  • Location:West Tennessee

Posted 02 February 2014 - 02:58 PM

If you have not installed NoScript and AdblockPlus add-ons for Firefox, suggest strongly you do that.

I would suggest that you disable any Skype extension or plugin in Firefox.

 

Some users are reporting ads for malicious programs showing up in Skype the last 24 hours.

I would suggest you check to make sure that Java...not JavaScript...is up to date and if you don't use it, as most don't, to disable the Java plugin in Firefox or completely uninstall Java.

 

Clean up your temp files, Firefox history, etc. using CCleaner. Use the default settings. Be sure to pay attention while installing and UNcheck any offers of toolbars, etc. No need to use the Registry Tool and it may cause problems if used.

CCleaner - PC Optimization and Cleaning - Free Download

 

Never click on a link in a popup...


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,139 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 February 2014 - 06:39 PM

Skype is a Peer-to-Peer (P2P) application.

Using any torrent, peer-to-peer (P2P) file sharing program (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare, Azureus/Vuze, Skype, etc) or visiting such sites is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some cases the computer could be turned into a virus honeypot or zombie. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. As such, it is not uncommon for some anti-virus/anti-malware disinfection tools to detect torrent related files and programs as a threat and attempt to remove them.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help! In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications and torrent web sites.

File sharing programs are often bundled with other software (sometimes without the knowledge or consent of the user) and can be the source of various issues and problems to include Adware, and browser hijackers as well as malware.

Using such programs is almost a guaranteed way to get yourself infected!!

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 buddy215

  • BC Advisor
  • 12,995 posts
  • Gender:Male
  • Location:West Tennessee

Posted 02 February 2014 - 09:39 PM

bass740....You and other users of Skype may not be able to hide or block the ads. I did a bit more looking at what others were saying about the recent ads showing up on their Skype. I use a Skype portable phone that doesn't require a computer....has its own modem. Those that use the video, calling and messenger service on their gadgets and computers will be seeing more ads...from what I have read...lots of annoying ads.

 

Here is one site that has some useful info on what works and doesn't work to block the ads.

How to remove Skype ads | Konstantinos Gkoutzis

 

The last paragraphs from that site:

Conclusions

I didn’t mind the spammy ads until now but, at some point, it’s just too much. People generally want to feel at ease when they are typing a message, while they are attempting to write down and communicate their thoughts. These ads, apart from annoying, can also be distracting, which abolishes the whole concept of having a personal conversation.

This guide can instantly/easily become obsolete if Microsoft decides to use other ports to receive marketing banners from the advertisers. The solution provided in this tutorial is only a quick patch/fix, but it should give you enough time to gradually break the Skype-habit, while you’re looking for less-intrusive alternatives.




#6 bass740

  • Topic Starter

  • Members
  • 26 posts

Posted 03 February 2014 - 02:50 AM

What a great forum and a great crew, thank you much for replying back guys. I do have Ghostery installed indeed, and it blocks most ads. The problem I am having with this particular ad is that it automatically opened a URL for me, without pressing anything on Skype; it was just running and opened. I initially had no idea Skype was the cause until I researched parts of the URL. But again, the URL opening on its own is what triggered me to investigate. Ads inside the Skype program that remain there are no bother. Also, the URL led to a dead link, which also raised another red flag for me. I am seeing a growing number of folks doing more reporting of suspicious activity. I hope members of forums like this are equal in strength fighting such exploits. Will follow all instructions above, thank you Quietman, DLS and Buddy. Cheers.

 

By the way Buddy (thanks for the link), I was just noticing heavy traffic on port 443 from Skype and even svchost; no browser was open. I've been getting more acquainted with my firewall for the past few months and been doing just what that article mentions. Even though I blocked 443 in and out, some programs are still using it, so I guess they are in other allowed rules. I really have to master using the firewall. Sorry if this is off topic, but can this be a local IP: 123.123.123.125:80? I got this IP trying to FTP on a fresh Windows install. The external IP leads to China, so I want to believe this is some legit IP. Will be hanging out in the firewall subforum more often. Thanks again to all.



#7 blackdove

  • Members
  • 4 posts

Posted 03 February 2014 - 04:01 AM

I don't think that this issue is getting the attention it deserves. I'd really like to get some more experts to look into it.

 

I recently got this popup, and created this account specifically to post about it, because it's so concerning.

 

The Skype ad indeed opened a browser page on my computer, with no interaction from me at all. Skype was simply on, and windowsdefender link opened up.

 

I've done some research and come across quite a bit of stuff related to this. I'll post what I've discovered so far.

 

First off, it appears to be from an ad. Secondly, here's what I found about the URL.

 

http://urlquery.net/report.php?id=9200380

 

http://ip-address-lookup-v4.com/ip/212.83.155.47

 

Apparently, it has links to the Netherlands as well as France.

 

Here's a VirusTotal link for the URL, but I don't know if the payload (if there is one) has been analyzed and if it's detectable.

 

https://www.virustotal.com/en/url/aa2a6b67e60b180f76708a9ba5ee960bcb264dbd2e8884a70d82a5b03813b61d/analysis/1391325973/

 

Here's some posts on the Skype forum with people reporting it:

 

http://community.skype.com/t5/Windows-desktop-client/Popup-Advertisements/td-p/2896167

 

http://community.skype.com/t5/Windows-desktop-client/Recently-been-experiencing-quot-Pop-up-quot-Ads-Plus-Fake-quot/td-p/2896637/page/2

 

http://community.skype.com/t5/Windows-desktop-client/When-Skype-Opens-Firefox-Opens-to-a-500-server-error/m-p/2897813/highlight/true#M229969

 

http://community.skype.com/t5/Security-Privacy-Trust-and/Skype-ads-in-rotation-have-been-compromised-and-contain-Malware/td-p/2894251

 

Are there any experts out there, with a virtual machine, who can get this mysterious thing to open through Skype, and see if it has a payload, or if it's really just a social engineering attempt that can be solved by ending iexplore.exe in the browser?

 

I'm afraid it's something designed to look like social engineering, but actually has a worse payload, since absolutely NO ONE has reported "being infected" by the fake windows defender, but everyone seems to get the popup.

 

I'm currently running Malwarebytes Pro with Microsoft Security Essentials, all security fixes, browser Java disabled, and Malwarebytes Anti-exploit. Despite all these precautions, I still managed to get a page opened up (not sure what kind of code needed to execute to do that without clicking).

 

I also ran a Malwarebytes anti-rootkit scan, and everything came back clean. I even used Adwcleaner by Xplode and got 0 results in there.

 

I installed EMET 4.1 and noticed something strange, however. When I enabled EMET's maximum security, I had to reboot. I quickly open task manager on booting, to see what's using HDD and networking, and I noticed two dllhost processes, which disappeared after a few seconds.

 

In EMET, there are also 3 dllhost's listed, but the bottom two can not be configured, giving me a "not a valid executable" error. Then those disappear from the list of EMET without having to hit refresh. Can someone who knows software really well tell me what to make of this?

 

I should also mention that users of Malwarebytes and other anti-malware and antivirus programs seem to be getting no infections detected, and are posting about this on their forums, not just the Skype forum. I'm not sure if the fact that they're not getting any detections is a good thing, or a really bad thing.


Edited by blackdove, 03 February 2014 - 04:26 AM.


#8 buddy215

  • BC Advisor
  • 12,995 posts
  • Gender:Male
  • Location:West Tennessee

Posted 03 February 2014 - 06:54 AM

To find out if the ads/popups are coming from within Skype and not from another source, you can stop Skype from opening when starting up your computer. Then do not open Skype manually until you have determined that the ads are coming from within Skype or not.

How do you stop Skype opening when you start up your PC? - Telegraph

 

You can completely uninstall Skype by using the directions here: How can I completely uninstall and then reinstall Skype for Windows desktop?

 

You can get an older version of Skype such as this: Download Skype 6.3.0.107 - OldApps.com (released 9 months ago)

I downloaded and scanned that file using Virus Total which scanned using 50 security programs. Zero out of 50....clean...




#9 bass740

  • Topic Starter

  • Members
  • 26 posts

Posted 03 February 2014 - 07:29 AM

It was a one-time deal for almost everyone, hard to duplicate, but new posts are flourishing the forums all over regarding this specific link and Skype.

 

This member claims Skype was infiltrated and their ads system may have been compromised. We will see more posts or more members joining this thread.

 

http://community.skype.com/t5/Windows-desktop-client/When-Skype-Opens-Firefox-Opens-to-a-500-server-error/td-p/2897813

 

Firewall and port block anything suspicious.



#10 blackdove

  • Members
  • 4 posts

Posted 03 February 2014 - 08:42 AM

I've already made sure Skype isn't going to run on startup, and I'm not going to use it anymore. It basically is malware, but I use it for helping people fix their PCs, since it has screen sharing that's fairly easy to use.

 

Here's why I want someone who is a real expert to attempt to replicate the ad's behavior.

 

What if this is a really bad APT, which has now taken control of all these people's computers, but is completely undetectable to most anti-virus or anti-malware programs?

 

The dllhost thing saying "not a valid executable" in EMET and then disappearing from the list is beyond my level of knowledge.

 

How a browser can open from an ad loading is beyond my level of knowledge.

 

Knowing if Malwarebytes Anti-exploit protected me or not, is beyond my level of knowledge, since it doesn't say it blocked an attempt.

 

No one seems to be infected, which makes me worry about really bad malware, that's almost undetectable. If anyone knowledgeable in coding and these sorts of malware can comment, that would be appreciated.

 

All I managed to get was these links, which I got by googling the URL that popped up:

 

http://urlquery.net/report.php?id=9200380

 

http://ip-address-lookup-v4.com/ip/212.83.155.47

 

https://www.virustotal.com/en/url/aa2a6b67e60b180f76708a9ba5ee960bcb264dbd2e8884a70d82a5b03813b61d/analysis/1391325973/


Edited by blackdove, 03 February 2014 - 08:48 AM.


#11 buddy215

  • BC Advisor
  • 12,995 posts
  • Gender:Male
  • Location:West Tennessee

Posted 03 February 2014 - 09:25 AM

Firefox uses Google Safe Browsing to identify and keep you from going to malicious sites as noted by several of the programs including GSB in Virus Total's report you posted.

How does built-in Phishing and Malware Protection work? | Mozilla Support




#12 bass740

  • Topic Starter

  • Members
  • 26 posts

Posted 03 February 2014 - 05:57 PM

Bitdefender online detected it as malware; I have BD on my machine and it allowed it to go through. Also to note, everyone who posted this had different numbers at the end of their link.
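
Post #12 notes that each reporter's link ended in different numbers, so matching on the exact URL would miss other reports of the same popup. As an added example (not code from anyone in this thread), the Python below groups defanged reports by host, path and parameter names while ignoring the `key` value, then checks proxy-log URLs against that indicator. Only the first URL is the one quoted in post #1; every other URL and the log list are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# First entry is the URL quoted in post #1 (kept defanged); the rest are constructed.
REPORTED = [
    "hxxp://wed322d2.e-windowsdefender.nl/index.php?key=328be294bb9bd20b5a9d591cfdce3b4d",
    "hxxp://wed322d2[.]e-windowsdefender[.]nl/index.php?key=00000000000000000000000000000001",
    "hxxp://WED322D2.e-windowsdefender.nl/index.php?key=00000000000000000000000000000002",
]

# Constructed proxy-log URLs to check against the derived indicator.
LOG_URLS = [
    "http://wed322d2.e-windowsdefender.nl/index.php?key=ffffffffffffffffffffffffffffffff",
    "http://example.org/index.php?key=328be294bb9bd20b5a9d591cfdce3b4d",
    "https://adblockplus.org/en/firefox",
]

def refang(url):
    """Undo common defanging so the URL can be parsed in memory (never fetched)."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")

def defang(host):
    """Make a host safe to paste into a report or forum post."""
    return host.replace(".", "[.]")

def indicator(url):
    """Stable part of a URL: (host, path, sorted parameter names); values dropped."""
    parts = urlsplit(refang(url))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = tuple(sorted({name for name, _ in pairs}))
    return (parts.hostname or "").lower(), parts.path, names

def group_reports(urls):
    """Map each indicator to the distinct query strings reported for it."""
    groups = defaultdict(set)
    for url in urls:
        groups[indicator(url)].add(urlsplit(refang(url)).query)
    return dict(groups)

def match_log(log_urls, indicators):
    """Return the log URLs whose stable part matches a reported indicator."""
    return [url for url in log_urls if indicator(url) in indicators]

if __name__ == "__main__":
    groups = group_reports(REPORTED)
    for (host, path, names), variants in groups.items():
        print(f"{defang(host)}{path} params={names} distinct_values={len(variants)}")
    for hit in match_log(LOG_URLS, set(groups)):
        print("log hit on host:", defang(urlsplit(hit).hostname))
```
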



#13 blackdove

  • Members
  • 4 posts

Posted 04 February 2014 - 12:58 AM

Here's some more info on something with the same popup:

 

https://www.youtube.com/watch?v=MDSn_PezapU&list=UUUBf5hEkSOMIEOAQktD9YnQ&feature=c4-overview

 

http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/



#14 buddy215

  • BC Advisor
  • 12,995 posts
  • Gender:Male
  • Location:West Tennessee

Posted 04 February 2014 - 08:21 AM

The Invincea.com notice doesn't mention Skype. Today is the 4th....right...or 5th in Australia.

But Invincea gives the date of their first catching this as "As of the time of this blog (1:30 EST 1/7/14)" :crazy:




#15 bass740

  • Topic Starter

  • Members
  • 26 posts

Posted 04 February 2014 - 02:31 PM

We need a new communicator. This is the result of a company knowing its users have no other choices, and unfortunately Skype is now used by millions and there is no real competition. A great opportunity for a startup.





