Rootkits in Eve Survival and other mission help sites

Celian MacReese
Penumbra Research and Development
Iron Crescent
#1 - 2012-12-08 23:56:14 UTC
Howdy,

I'm a fairly new player to Eve (March/April of this year) and mostly did mining and mission running until my computer was so overloaded and slowed by rootkits that I lost a faction BS with a deadspace loadout during a particularly challenging mission. I know you vets might chuckle and say "hey, that happens to me every day", but the experience was enough to make me leave Eve for quite a while. Incidentally, I was two full days trying to remove all the malware on my laptop.

I missed Eve, though, so I came back a week ago, sold a bunch of junk I'd apparently piled up and had enough to buy a Megathron and get rolling with L4 mission running again. Again, I visited sites like eve-survival.org to assist me with mission running and again, I found myself stuck with malware - more specifically, the Happili and Beesq redirect rootkits.

Has anyone else noticed that these sites harbor an inordinate amount of malware? I'd like to continue using sites to help me with the mission running, but not at the cost of endangering my computer and personal information (which these rootkits often harvest).
Niddengolliah
Limit Everyone Nowhere Kingdom
#2 - 2012-12-09 00:20:24 UTC
I don't think that the problem is with the sites, it is with your security setup....
You should always have an active antivirus software running in the background (Nod 32 is amazing, Windows Security Essentials does a good job too). Heck, I've been browsing fairly fishy sites for years, and I've only caught like 2 minor viruses... EVER!
I really doubt that such sites as eve-survival would have a lot of malware in them, as they have been used by lots of people for years!


Oh, and fun fact - without ANY protection (firewall disabled, no antivirus), you have a 50% chance to catch a virus within 1 hour. Without EVER opening a web browser.
Jonah Gravenstein
Machiavellian Space Bastards
#3 - 2012-12-09 00:22:57 UTC
Celian MacReese wrote:
Howdy,

I'm a fairly new player to Eve (March/April of this year) and mostly did mining and mission running until my computer was so overloaded and slowed by rootkits that I lost a faction BS with a deadspace loadout during a particularly challenging mission. I know you vets might chuckle and say "hey, that happens to me every day", but the experience was enough to make me leave Eve for quite a while. Incidentally, I was two full days trying to remove all the malware on my laptop.

I missed Eve, though, so I came back a week ago, sold a bunch of junk I'd apparently piled up and had enough to buy a Megathron and get rolling with L4 mission running again. Again, I visited sites like eve-survival.org to assist me with mission running and again, I found myself stuck with malware - more specifically, the Happili and Beesq redirect rootkits.

Has anyone else noticed that these sites harbor an inordinate amount of malware? I'd like to continue using sites to help me with the mission running, but not at the cost of endangering my computer and personal information (which these rootkits often harvest).


Nope been using eve survival for 3 years now, never got any malware from there, if you're using the ingame browser you shouldn't get any malware at all, it doesn't support flash because of the previous vulnerabilities of it, and afaik will not allow any nasties through as it is sandboxed (I could be wrong but that's my understanding of it), javascript and DHTML do work with the IGB but if it is sandboxed then that shouldn't open up any holes.

In the beginning there was nothing, which exploded.

New Player FAQ

Feyd's Survival Pack

Sarmatiko
#4 - 2012-12-09 00:32:40 UTC
First of all, I doubt this has something to do with eve-survival. You are probably the first one who has this problem, and more likely your laptop is infested completely with various types of malware, and this causes problems when you visit Eve-survival.

Try running the free Kaspersky Virus Removal tool. Even better solution - you can make a boot CD from the ISO image on the same page (if you have a CD recorder and know how to burn an ISO image + you know how to boot a PC from a boot CD. If you don't - don't try.) To double-check, try a similar tool from Dr.Web.

This should help you at least with the next decision. If there are too many incurable cases, sometimes it's better to back up your data and nuke the OS, then reinstall from scratch.
Bane Necran
Appono Astos
#5 - 2012-12-09 00:35:55 UTC
Pretty sure it's impossible to get a rootkit from a website, but I could be wrong.

"In the void is virtue, and no evil. Wisdom has existence, principle has existence, the Way has existence, spirit is nothingness." ~Miyamoto Musashi

Sturmwolke
#6 - 2012-12-09 00:56:42 UTC
eve-survival.org (aka Chepe Nolon) has been running a very minimalist site for years based on a modified wiki engine from Grismar (WikkaWiki iirc). The pages are almost purely text and it was designed that way for the original CCP IGB which had limited functionality. I've had no issues from it (it's almost what ...5-6 years?) and this is the first time I'm hearing of a rootkit story.

Now keep in mind, the current IGB isn't as secure as Firefox + NoScript (in relative terms) even with the disabled flash functionality. Personally, I almost never use it ... and NEVER grant any trust relationship for any website that asks for it. I know that eliminates several useful IGB sites, but the paranoia stance is, imo, worth the minor inconvenience.

Have you checked other avenues for the infection?
Ekscalybur
Templar Services Inc.
#7 - 2012-12-09 01:00:39 UTC
Bane Necran wrote:
Pretty sure it's impossible to get a rootkit from a website, but I could be wrong.


Someone probably said the same thing about downloading a patch and suddenly your 'puter won't boot up.






:P

nerf Veldspar!

ashley Eoner
#8 - 2012-12-09 01:00:51 UTC
Bane Necran wrote:
Pretty sure it's impossible to get a rootkit from a website, but I could be wrong.
You are wrong but that's irrelevant as this guy didn't get his problems from eve survival.

Might I suggest you browse your free pron sites with firefox with the noscript flashblock and adblock add ons.. or you could stop visiting shady sites..

Do consider the above mentioned anti-virus protection and such.
Sri Nova
Sebiestor Tribe
Minmatar Republic
#9 - 2012-12-09 01:52:04 UTC  |  Edited by: Sri Nova
Persistent and/or reoccurring infections usually stem from compromised sources,

such as the MBR of your system.

Use TDSSKiller from Kaspersky and aswMBR from avast to check and remove.


Also, these infections can come through toolbars and certain ad servers on websites.

Another point of infection is peer-to-peer downloads, shady game utilities or mods, and/or certain types of freeware that serve ads.

To aid in prevention, the core internet technology on your machine should be as up to date as possible:

flash player 11.5

adobe reader 11

java 7.9

and Internet Explorer 9 or 10 (whether you use it or not)
and the latest version of your favorite browser

Also recommend a full scan with Comodo Cleaning Essentials (CCE), 32-bit or 64-bit, to pick out iffy software.

If you still find yourself getting compromised, either take your machine to a professional or do a full clean install with an MBR wipe.

Monitor the sites you go to and the programs you use. Most likely it is an ad server or a shady piece of software reinfecting you.

That is, of course, if you are not infected with something residing in your MBR.
Celian MacReese
Penumbra Research and Development
Iron Crescent
#10 - 2012-12-09 01:56:41 UTC
ashley Eoner wrote:
Bane Necran wrote:
Pretty sure it's impossible to get a rootkit from a website, but I could be wrong.
You are wrong but that's irrelevant as this guy didn't get his problems from eve survival.

Might I suggest you browse your free pron sites with firefox with the noscript flashblock and adblock add ons.. or you could stop visiting shady sites..

Do consider the above mentioned anti-virus protection and such.


Thank you very much for your undeserved ad hominem attack.

No, this isn't from porn or shady Internet sites. I don't visit them. I also have a pretty robust antivirus system installed. As you correctly note, rootkits can be introduced through mere website visits and, as you do not point out, are not always detected by antivirus software. If I remember correctly, a couple of years back CBS was hosed pretty badly by such infiltration. It took a while for the site to be cleaned up and the antivirus software to evolve to change the threat.

Now, I do realize that correlation does not mean causation. But it's pretty strong circumstantial evidence that I got torn up when I last used eve-survival.org in April, did heavy web surfing from that day to this with no problems, and began experiencing redirects almost immediately after visiting the site again a couple days ago. It's at least worth being on guard, especially if you were accessing through Chrome as I was and not the in-game browser.

Anyway, there's your heads up. Take the warning for what you will. I'd be happy to be wrong.
Jonah Gravenstein
Machiavellian Space Bastards
#11 - 2012-12-09 02:13:30 UTC
IGB is technically Chromium with a few bits disabled, Chrome is based on Chromium.


Bane Necran
Appono Astos
#12 - 2012-12-09 02:14:23 UTC  |  Edited by: Bane Necran
Celian MacReese wrote:
are not always detected by antivirus software


There's little reason to even have antivirus software these days, as it's all malware/rootkits now. Viruses are so 90's.

I would recommend using noscript and firefox like they suggested. I've been doing so for years and have apparently fallen a little behind on how rootkits propagate, because I never get infected with anything. On top of that, I highly recommend COMODO internet security, which has the best of everything you could want in one bundle, and is completely free.

Most of the vulnerabilities you're referencing were caused by ads on otherwise trusted sites, and EVE survival doesn't even run any ads, or any kind of scripts I can see, and is basically just text on pages, so you can scratch that from your possible infection points based just on that.


Karsa Egivand
Sebiestor Tribe
Minmatar Republic
#13 - 2012-12-09 02:26:02 UTC
Celian MacReese wrote:
ashley Eoner wrote:
Bane Necran wrote:
Pretty sure it's impossible to get a rootkit from a website, but I could be wrong.
You are wrong but that's irrelevant as this guy didn't get his problems from eve survival.

Might I suggest you browse your free pron sites with firefox with the noscript flashblock and adblock add ons.. or you could stop visiting shady sites..

Do consider the above mentioned anti-virus protection and such.


Thank you very much for your undeserved ad hominem attack.

No, this isn't from **** or shady Internet sites. I don't visit them. I also have a pretty robust antivirus system installed. As you correctly note, rootkits can be introduced through mere website visits and, as you do not point out, are not always detected by antivirus software. If I remember correctly, a couple of years back CBS was hosed pretty badly by such infiltration. It took a while for the site to be cleaned up and the antivirus software to evolve to change the threat.

Now, I do realize that correlation does not mean causation. But it's pretty strong circumstantial evidence that I got torn up when I last used eve-survival.org in April, did heavy web surfing from that day to this with no problems, and began experiencing redirects almost immediately after visiting the site again a couple days ago. It's at least worth being on guard, especially if you were accessing through Chrome as I was and not the in-game browser.

Anyway, there's your heads up. Take the warning for what you will. I'd be happy to be wrong.



Suggesting you visit p0rn-themed sites is hardly an attack at all, considering that we all do it...



Now, moving on topic again, eve-survival is not your problem. It's basically a straight text-based website, with hardly any way to inject the required code. A lot of people here use it, if there was malware on there for such a stretch of time, we'd have heard about it... It's most likely just a coincidence.

Moving along, what could actually be the source?


  • Version a, your rootkit never left. It is still hiding in your master boot record or on your Motherboard (flashable BIOS).
  • Version b, you got reinfected via local storage media (usb-sticks !!!, an external hard drive, etc.)
  • Version c, you got reinfected via the same web-based source again. Again, eve-survival is a VERY unlikely cause. Knowing nothing about your web-habits... it's hard to make a good guess.


How did you clean your PC? Did you completely wipe your drive? Preferably reset your BIOS? Did you clean all your usb-based flash drives as well?
Fearless M0F0
Incursion PWNAGE Asc
#14 - 2012-12-09 02:29:18 UTC
I just did a quick check on eve survival and it outputs plain ol' html, not even script tags in the markup of any of the pages I visited. There is no way you got infected with anything from there.

Most likely, your computer got owned and you haven't cleaned it up correctly so the spyware is likely injecting its own scripts to any websites you visit. I suggest you backup, wipe and reinstall from factory image or get a buddy to burn you an antivirus boot image.

Best way to deal with windows spyware?.... install linux, works wonders
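
The check described in post #14, sketched as an added example (not code from the thread or from any site it mentions): list the active content in a page, then diff a copy fetched on a known-clean machine against the copy saved from the suspect browser. The sample pages and the `.example` hostnames are constructed.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "data"}

class ActiveContentFinder(HTMLParser):
    """Collects every element or attribute that can run code or load a plugin."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag in ACTIVE_TAGS:
            source = attr_map.get("src") or attr_map.get("data") or "(inline)"
            self.findings.add((tag, source))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):  # inline event handlers: onload, onclick, ...
                self.findings.add((tag + "@" + name, value))
            elif name in URL_ATTRS and value.lower().startswith("javascript:"):
                self.findings.add((tag + "@" + name, value))

def active_content(html):
    """Return the set of (kind, detail) pairs found in one HTML document."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def injected(server_copy, browser_copy):
    """Active content the browser shows that the server never sent."""
    return sorted(active_content(browser_copy) - active_content(server_copy))

# Constructed samples: a text-only page, and the same page as a compromised
# browser might render it after local malware has added its own elements.
SERVER_COPY = (
    "<html><body><h1>Mission report</h1>"
    "<p>Plain text walkthrough.</p><a href='/missions'>index</a></body></html>"
)
BROWSER_COPY = SERVER_COPY.replace(
    "</body>",
    "<script src='http://injected.example/r.js'></script>"
    "<iframe src='http://ads.example/frame' width='0' height='0'></iframe></body>",
)

if __name__ == "__main__":
    print("server copy:", sorted(active_content(SERVER_COPY)) or "no active content")
    for kind, detail in injected(SERVER_COPY, BROWSER_COPY):
        print("only in browser copy:", kind, detail)
```

An empty result for the server copy alongside a non-empty diff points at the local machine rather than the site; browser extensions also add elements to saved pages, so compare with extensions disabled.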
Nanatoa
#15 - 2012-12-09 02:30:08 UTC  |  Edited by: Nanatoa
Sri Nova wrote:
To aid in prevention, the core internet technology on your machine should be as up to date as possible:

flash player 11.5

adobe reader 11


"Core internet technology" my ass. Those two programs are the work of the Devil. Try and live without them, if you can. Adobe Reader has pretty good alternatives (Foxit Reader for example), Flash is a bit more difficult to do without - let's just hope enough websites will switch to HTML5 in a decent timeframe.

"Stay the course, we have done this many times before." - (CCP) Hilmar, June 2011

Mallak Azaria
Caldari Provisions
Caldari State
#16 - 2012-12-09 02:55:31 UTC
Since when were missions difficult? And deadspace on a highsec mission boat?

This post was lovingly crafted by a member of the Goonwaffe Posting Cabal, proud member of the popular gay hookup site somethingawful.com, Spelling Bee, Grammar Gestapo & #1 Official Gevlon Goblin Fanclub member.

Jonah Gravenstein
Machiavellian Space Bastards
#17 - 2012-12-09 03:03:54 UTC
Mallak Azaria wrote:
Since when were missions difficult? And deadspace on a highsec mission boat?


He's lucky that only NPC's got in on the kill, shiny mods attract trouble like poo attracts flies


Mirajane Cromwell
#18 - 2012-12-09 04:36:14 UTC
Be sure to install Adblocks to your browsers - there's been lately some ads that infect your computer with viruses/malware ie. basically any site that has google ads element is a potential virus source. This was even mentioned in several IT news sites this week...
Ginger Barbarella
#19 - 2012-12-09 04:40:46 UTC
OP, the problem lies between your chair and your keyboard.

If you don't know how to protect your computer while surfing you need to hang it up and get a job at McDonalds.

"Blow it all on Quafe and strippers." --- Sorlac

Ifly Uwalk
Perkone
Caldari State
#20 - 2012-12-09 06:10:16 UTC
Celian MacReese wrote:
I'd be happy to be wrong.

You're wrong.

Now be happy surfing all those pr0n sites you say you're not surfing.