Malware False Positive Attack

Lurkette · Oct 19, 2017

guys i'm p sure he got rid of the miner, so that's probably why the alerts are stopping now
js

TaterBot · Oct 19, 2017

So the miner is gone? I see no difference from when it was here and when it isn't. Yesterday I was running 80%, never had any problems of any kind., never had any alarms.

Ryker · Oct 19, 2017

uBlock Origins only just now threw a wobbly for me.

Whitelist or disable for Kiwi Farms and business as usual.

Fuck that certain someone Null mentioned.

Null · Oct 19, 2017

Ryker said:
uBlock Origins only just now threw a wobbly for me.

Whitelist or disable for Kiwi Farms and business as usual.

Fuck that certain someone Null mentioned.

Because your "Malware Domain" list just updated.

www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malwaredomainlist.com/contact.php

Xylitol · Oct 19, 2017

Don't forget about hpHosts through US-CERT. so you can blame Stefan from the emergency response team for the EMD malware domain classification.

CIA Nigger · Oct 19, 2017

Just had to disable ublock origin on KF, wew lad.

Strelok · Oct 19, 2017

Ruin said:
How did this happen exactly? Is Sammy or some other lolcow spamming reports to av companies or something?

I prefer to use the KISS technique. What's the simplest explination? That would probably be some adblocker or AV with webshield feature detected something on the page eating a boatload of CPU cycles, and went "oh they're hijacking brower cpu cycles for coins" and it propagated from there. Because this kind of thing is done constantly on many sites suffering from ad revenue problems now, just they don't TELL you they're doing it and ask your permission. And an automated flagging system isn't gonna read the TOS.

Hell I've seen poorly coded flash players trigger some of the more aggressive heuristics just because how shitty and bloated they are. Just as I've seen homebrew dwarf fortress plugins do it because they technically function the way a hijacker would to inject changes into the game.

Echo_Ender · Oct 19, 2017

Had to completely Whitelist the site through uBlock Origin. Which means that it's gonna be blocked by Adblock Plus and all the apps that use that framework. Someone did a hell of a smear-job on the site.

For people having trouble understanding what happened...

Basically, some butthurt lolcow somewhere got the site added to a ton of "Master Lists" of malware-sites-to-block. They cited the bitcoin miner as "Malicious Code Injection" to justify it, even though the miner is harmless and optional.

Koby_Fish · Oct 19, 2017

can't even whitelist via MBAM (premium version).

CWCissey · Oct 19, 2017

Cisco Umbrella is another one that's affected.

Xylitol · Oct 19, 2017

Echo_Ender said:
Basically, some butthurt lolcow somewhere got the site added to a ton of "Master Lists" of malware-sites-to-block.

Stefan from hpHosts/US-CERT who added the initial entry doesn't seem like a lolcow.

I help manage cybercrime-tracker.net but we did not include this entry as we don't yet track domains for mining. Just don't start controlling any botnets using this domain as a callback server and we're gucci.

JSGOTI · Oct 19, 2017

Xylitol said:
Stefan from hpHosts/US-CERT who added the initial entry doesn't seem like a lolcow.

I help manage cybercrime-tracker.net but we did not include this entry as we don't yet track domains for mining. Just don't start controlling any botnets using this domain as a callback server and we're gucci.

So, are you saying that Stefan is patient zero, and where it all began?

Xylitol · Oct 19, 2017

JSGOTI said:
So, are you saying that Stefan is patient zero, and where it all began?

Depends. This entry appeared on the first day alongside MalwareDominList which are both high up there on the totem pole. MalwareDomainList accepts tips/suggestions, hpHosts does not. He's the actual employee who performed the analysis and made the entry. So it's his job.

Echo_Ender · Oct 19, 2017

Xylitol said:
Depends. This entry appeared on the first day alongside MalwareDominList which are both high up there on the totem pole. MalwareDomainList accepts tips/suggestions, hpHosts does not. He's the actual employee who performed the analysis and made the entry. So it's his job.

If he just flagged it for "Code Injection" without looking at the site or seeing what code it actually injects, then this is pretty possible.

Really unfortunate, though. It's apparently a massive pain in the ass to get this blacklisting reviewed/removed.

HG 400 · Oct 19, 2017

Echo_Ender said:
If he just flagged it for "Code Injection" without looking at the site or seeing what code it actually injects, then this is pretty possible.

They consider mining without 'informed consent' to be malware. Null needs some kind of redirect page that makes ppl click "Okay I understand" before they're allowed to use KF, because these aren't false positives ; it's getting flagged as malware because it fits the definition of malware these services are using.

Lurkette · Oct 19, 2017

Xylitol said:
Depends. This entry appeared on the first day alongside MalwareDominList which are both high up there on the totem pole. MalwareDomainList accepts tips/suggestions, hpHosts does not. He's the actual employee who performed the analysis and made the entry. So it's his job.

why don't you just
fix it
or like
talk to stefan
he's just in the next cubicle over right?

Fiber-Rich Vegetable · Oct 20, 2017

The miner made me feel like i was in constant company of a purring cat. now the silence makes me sad and paranoid.

ive had no problem with this what so ever btw. i havent seen my anti-virus software being mentioned here though, so maybe thats got to do with it?

Xylitol · Oct 20, 2017

Lurkette said:
why don't you just
fix it
or like
talk to stefan
he's just in the next cubicle over right?

Because I have. It was a correct verdict. Since the script was pulled off recently they've reevaluated their entry on hpHosts. So the latest evaluation date is now 10-20.
However the classification remains the same.

Database Record
IP On Record: 104.24.17.94
IPOR PTR: Resolution failed
ASN: 13335 104.24.16.0/20 CLOUDFLARENET - CloudFlare, Inc., US
Added: 18-10-2017
Added By: Stefan
Updated: 20-10-2017
Classification: EMD (What is this?)

Given that the Admin here is saying the script is coming back in essentially the same implementation code-wise, I guess it doesn't matter. Was not interested in code I provided.

Dynastia said:
They consider mining without 'informed consent' to be malware. Null needs some kind of redirect page that makes ppl click "Okay I understand" before they're allowed to use KF, because these aren't false positives ; it's getting flagged as malware because it fits the definition of malware these services are using.

And this is why. Thread title could use an update.

I emailed Admin here initially a few days ago reiterating this exact point. This is why CoinHive released their new 'AuthedMine' variation after consulting with AV vendors. Non-AuthMine implementations were open season for malware classification following that Oct 17th release. I advised this too but was told in reply by Admin that it was not possible because of some sort of cyberbully?

Xylitol · Oct 20, 2017

Oh and I was told to 'neck myself' for showing my waifu here and she got deleted.

Collections Agent · Oct 20, 2017

@Null

Malwarebytes is now blocking Kiwifarms.net

Still no malware on here?

Malware False Positive Attack

Lurkette

Professional Depression

TaterBot

Ryker

Broken, dissolute, misanthropic scum...but lovely!

Null

Ooperator

Xylitol

CIA Nigger

Not a fed, just a random object on the street.

Strelok

Perfectly Cromulent Poster

Echo_Ender

Doggo

Koby_Fish

The advice of the GALACTICALLY STUPID

CWCissey

Charming Man

Xylitol

JSGOTI

Just Some Guy On The Internet

Xylitol

Echo_Ender

Doggo

HG 400

Guest

Lurkette

Professional Depression

Fiber-Rich Vegetable

Staying up until 11pm

Xylitol

Xylitol

Collections Agent

I've Come To Collect!