Malware False Positive Attack


TaterBot

need a different country
True & Honest Fan
kiwifarms.net
So the miner is gone? I see no difference from when it was here and when it isn't. Yesterday I was running 80%, never had any problems of any kind, never had any alarms.
 

Ryker

Broken, dissolute, misanthropic scum...but lovely!
kiwifarms.net
uBlock Origins only just now threw a wobbly for me.

Whitelist or disable for Kiwi Farms and business as usual.

Fuck that certain someone Null mentioned.
 

Xylitol

kiwifarms.net
Don't forget about hpHosts through US-CERT. so you can blame Stefan from the emergency response team for the EMD malware domain classification.

tfaqmu.PNG
 

Strelok

Perfectly Cromulent Poster
kiwifarms.net
How did this happen exactly? Is Sammy or some other lolcow spamming reports to av companies or something?

I prefer to use the KISS technique. What's the simplest explanation? That would probably be some adblocker or AV with webshield feature detected something on the page eating a boatload of CPU cycles, and went "oh they're hijacking browser cpu cycles for coins" and it propagated from there. Because this kind of thing is done constantly on many sites suffering from ad revenue problems now, just they don't TELL you they're doing it and ask your permission. And an automated flagging system isn't gonna read the TOS.

Hell I've seen poorly coded flash players trigger some of the more aggressive heuristics just because how shitty and bloated they are. Just as I've seen homebrew dwarf fortress plugins do it because they technically function the way a hijacker would to inject changes into the game.
 

Echo_Ender

Doggo
kiwifarms.net
Had to completely Whitelist the site through uBlock Origin. Which means that it's gonna be blocked by Adblock Plus and all the apps that use that framework. Someone did a hell of a smear-job on the site.

For people having trouble understanding what happened...

Basically, some butthurt lolcow somewhere got the site added to a ton of "Master Lists" of malware-sites-to-block. They cited the bitcoin miner as "Malicious Code Injection" to justify it, even though the miner is harmless and optional.
 

Xylitol

kiwifarms.net
Basically, some butthurt lolcow somewhere got the site added to a ton of "Master Lists" of malware-sites-to-block.

Stefan from hpHosts/US-CERT who added the initial entry doesn't seem like a lolcow.

I help manage cybercrime-tracker.net but we did not include this entry as we don't yet track domains for mining. Just don't start controlling any botnets using this domain as a callback server and we're gucci.
 

JSGOTI

Just Some Guy On The Internet
Global Moderator
True & Honest Fan
kiwifarms.net
Stefan from hpHosts/US-CERT who added the initial entry doesn't seem like a lolcow.

I help manage cybercrime-tracker.net but we did not include this entry as we don't yet track domains for mining. Just don't start controlling any botnets using this domain as a callback server and we're gucci.
So, are you saying that Stefan is patient zero, and where it all began?
 

Xylitol

kiwifarms.net
So, are you saying that Stefan is patient zero, and where it all began?

Depends. This entry appeared on the first day alongside MalwareDomainList which are both high up there on the totem pole. MalwareDomainList accepts tips/suggestions, hpHosts does not. He's the actual employee who performed the analysis and made the entry. So it's his job.
 

Echo_Ender

Doggo
kiwifarms.net
Depends. This entry appeared on the first day alongside MalwareDomainList which are both high up there on the totem pole. MalwareDomainList accepts tips/suggestions, hpHosts does not. He's the actual employee who performed the analysis and made the entry. So it's his job.
If he just flagged it for "Code Injection" without looking at the site or seeing what code it actually injects, then this is pretty possible.

Really unfortunate, though. It's apparently a massive pain in the ass to get this blacklisting reviewed/removed.
 

HG 400

Guest
kiwifarms.net
If he just flagged it for "Code Injection" without looking at the site or seeing what code it actually injects, then this is pretty possible.

They consider mining without 'informed consent' to be malware. Null needs some kind of redirect page that makes ppl click "Okay I understand" before they're allowed to use KF, because these aren't false positives; it's getting flagged as malware because it fits the definition of malware these services are using.
 

Lurkette

Professional Depression
True & Honest Fan
kiwifarms.net
Depends. This entry appeared on the first day alongside MalwareDomainList which are both high up there on the totem pole. MalwareDomainList accepts tips/suggestions, hpHosts does not. He's the actual employee who performed the analysis and made the entry. So it's his job.

why don't you just
fix it
or like
talk to stefan
he's just in the next cubicle over right?
 

Xylitol

kiwifarms.net
why don't you just
fix it
or like
talk to stefan
he's just in the next cubicle over right?

Because I have. It was a correct verdict. Since the script was pulled off recently they've reevaluated their entry on hpHosts. So the latest evaluation date is now 10-20.
However the classification remains the same.

Database Record
IP On Record: 104.24.17.94
IPOR PTR: Resolution failed
ASN: 13335 104.24.16.0/20 CLOUDFLARENET - CloudFlare, Inc., US
Added: 18-10-2017
Added By: Stefan
Updated: 20-10-2017
Classification: EMD (What is this?)


Given that the Admin here is saying the script is coming back in essentially the same implementation code-wise, I guess it doesn't matter. Was not interested in code I provided.

They consider mining without 'informed consent' to be malware. Null needs some kind of redirect page that makes ppl click "Okay I understand" before they're allowed to use KF, because these aren't false positives; it's getting flagged as malware because it fits the definition of malware these services are using.

And this is why. Thread title could use an update.

I emailed Admin here initially a few days ago reiterating this exact point. This is why CoinHive released their new 'AuthedMine' variation after consulting with AV vendors. Non-AuthedMine implementations were open season for malware classification following that Oct 17th release. I advised this too but was told in reply by Admin that it was not possible because of some sort of cyberbully?
 
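The "informed consent" gate described in the two posts above (an explicit "Okay I understand" click before any mining script runs), written out as an added example; this is not the site's code or CoinHive's AuthedMine, and the storage key, the script URL and the `inject` callback are assumptions.

```javascript
// Opt-in gate for an optional browser miner (added example, not the forum's
// own code). The third-party script is injected only after the user has
// affirmatively agreed, the decision is persisted so it is not re-asked on
// every page view, and it can be revoked. Storage key and script URL are
// placeholders.
const CONSENT_KEY = 'miner-consent';                         // assumed key
const MINER_SCRIPT_URL = 'https://example.invalid/miner.js'; // placeholder

// Minimal key/value wrapper so the same gate works with window.localStorage
// in a browser and with a plain Map in a test.
function makeStore(backing) {
  const isMap = backing instanceof Map;
  return {
    get: (k) => (isMap ? backing.get(k) : backing.getItem(k)) ?? null,
    set: (k, v) => { isMap ? backing.set(k, v) : backing.setItem(k, v); },
    del: (k) => { isMap ? backing.delete(k) : backing.removeItem(k); },
  };
}

// Returns 'granted', 'denied' or null (never asked). Anything unexpected in
// storage is treated as "not asked" rather than as consent.
function getConsent(store) {
  const v = store.get(CONSENT_KEY);
  return v === 'granted' || v === 'denied' ? v : null;
}

// Persist an explicit yes/no click from the consent page.
function recordDecision(store, granted) {
  store.set(CONSENT_KEY, granted ? 'granted' : 'denied');
}

// Forget the decision; the user is asked again on the next visit.
function revokeConsent(store) {
  store.del(CONSENT_KEY);
}

// Whether the consent page must be shown: only when the user was never asked.
function needsConsentPrompt(store) {
  return getConsent(store) === null;
}

// Load the miner only when consent was explicitly granted. `inject` is the
// caller's DOM routine (e.g. append a <script src>); it is never called for
// null or 'denied'. Returns true iff the script was loaded.
function maybeLoadMiner(store, inject) {
  if (getConsent(store) !== 'granted') return false;
  inject(MINER_SCRIPT_URL);
  return true;
}
```

In a browser you would call `makeStore(window.localStorage)` and pass an `inject` that appends a script element; the default path (no record, or a garbled record) never loads anything.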
Last edited: