Java & Viruses (again)

So my last topic post about bottom banner ads causing Java to execute and install malicious applications and trojans without user consent was deleted in the recent Forum SNAFU. Since then Jacob has fixed the issue.

Until today, where the exact thing happened about ten minutes ago while I was browsing some Manga information.

I wasn't able to take screenshots as clearly as last time because I paniced since my firewall was disabled. But here is a screenshot of what was installed onto my computer. Both applications were also running for a short time when I had my task manager open.



https://www.fakku.net/image-404/images/382723-A6SYY38.jpg

I noticed an ad on the right side of the manga information screen but forgot what it was. Perhaps that was the culprit?

The original post I made a few weeks ago can be found Here (Hopefully Google Cache will hold it for a while)

Here are some pictures I had of the previous incident.

Strange. We completely dropped the ad company that was letting those ads through. Most of the current ads are hosted on our servers. So there really shouldn't be an issue anymore.

Give me a few minutes and I'll see if I can find out exactly what happened.

I'd laugh if you were allowing cookies.

Unfortunately, I was unable to recreate the event so hopefully it fixed itself.
All I could find were some changes to my comptuer services (and who knows what else) that I had to reverse.



This computer is different from the one I'm usually on so I couldn't look at COMODO's event logs. All I can say was that what happened was exactly the same as what happened before...






This computer isn't mine so I didn't block cookies.
Just deleted all of them too.

EDIT:

I don't know if this helps but here are the links that I was browsing before it happened. After a few F5's, none of them are causing any trouble though.

got a few of these in the past few days... thankfully Firefox asks me before installing anything.

for some reason java pops up every time i go online... random scanned my program sub and i have five trojans with java site licenses.

Well, be sure Java, your browser, OS, and whatever other software is up-to-date. Just because you have an AV program and/or firewall doesn't mean you should be using old unpatched software.

And cookies aren't malware.

I'd also scan your whole computer, not just the Programs sub. It may have been from somewhere else other than Fakku.

Some are tracking cookies/adware but meh, one click with Ccleaner and that shits gone.

But are cookies really bad? From what I heard, it helps to decrease the time it takes to load the pages. And my Internet is slow, so I'd say that cookies are good if that's true.

There's this script that constantly runs in the background: http://edge(dot)quantserve(dot)com/quant.js


According to WoT: http://www.mywot.com/en/scorecard/edge.quantserve.com

That's dangerous. I've blocked it since...forever, but what exactly does that edge.js really do?

Quantcast is a visitor counter/tracker. It also tries to do some fancy math to guess what kind of people visit the site. It gives Jacob or whoever admin's Fakku some statistics about the site, although some people may think it's an invasion of privacy for whatever reason.
http://www.quantcast.com/fakku.net

Not sure why WOT users are marking it as malware...

SiteAdvisor says it's Green for no detected malware or spam, although there are a few overly sensitive users complaining about it setting a tracking cookie:
http://www.siteadvisor.com/sites/quantserve.com/msgpage

I'm pretty sure that some statistics service doesn't need to download and then run two applications with randomly generated names that starts to change yor computer's services.

As far as I know, these are TROJANS. I don't think Avira AVG and COMODO can both be wrong.

Did your AV/firewall programs say it was specifically from Quantcast?

They detected something, but did they know where the source of the file was from?

I'm trying to narrow down the source of the problem.

I'm not saying it can't be Quantcast, but there has to be some evidence that the specific .js file from the "quantserve.com" server actually activated Java and tried to run a program...

No it did not say it was from any recognizable program. The detected Trojans were always randomly named executables. If you can still look at my old thread in my OP linked to google cache, I would appreciate If you did. I explained in there how I never had a problem with java+viruses together before visiting FAKKU. I also confirmed, with a few other users, that the previous problems were caused by a specific advertisement (most likely).

This time I'm just not sure what caused it...

Maybe im stupid but shouldn't this be enough evidence to assume its not quantcast and instead it is something else.

edge.quantserve.com Is Hosted by Quantcast Corporation
# Hosting: Quantcast Corporation host the domain edge.quantserve.com
# IP Address: 64.94.107.60
# Name Servers: map-js.quantserve.com.akadns.net, anycast-americas.quantserve.com.akadns.net


quantcast.com Is Hosted by Quantcast Corporation

* Hosting: Quantcast Corporation host the domain quantcast.com
* IP Address: 64.94.107.18
* Name Servers: asia9.akam.net, ns1-95.akam.net, ns1-188.akam.net, eur5.akam.net, usc1.akam.net, usc2.akam.net, use4.akam.net, usw4.akam.net

I thought this might be related to what happened before, but I'm not sure if it's anything big. Army.jpg doesn't sound like anything malicious.



Here is what the Ad looks like, I rolled my mouse over to see the hyperlink.

Update to the newest java, something about version3.4 let's shit in.

Well, that server, "xashtinks" is located in Hong Kong, but registered in Germany through a company in the Ukraine. I'd say that's the site causing the problem.

It's also possible that the .jpg file is actually a Java app with a false extension...