Please post here anything else (not relating to Maxwell technical matters)
By donb
#178338
This warning is going out to anyone using imageshack to host your images.

When accessing some of the images posted at imageshack, a popup opens with the header labeled "about:blank". This is known to be a spyware worm that over time will destroy the contents of your hard drive including the OS. I'm not aware of any method that will remove it other than re-formatting the hard drive.

I don't know for certain that the about:blank worm is actually attached to the popup. If you are using imageshack to host your images, please notify the site of this potential problem. I for one will not open any image hosted there as the risk to my computer is too high. I hope no one has been a victim of this problem either.

DonB
By -Adrian
#178351
Thanks for the heads-up donb.

Would be interesting to know what vulnerabilities are necessary to get infected. You definitely need Microsoft Windows, but do alternative browsers keep you safe in this case?

Edit: just verified that neither Firefox nor Opera opens any popups.
By Maximus3D
#178354
[Edit] : Sorry, my mistake. I posted the wrong url.

Btw, if that's the case that we might get viruses or stuff from Imageshack links in the photo thread then closing it and archiving it would be a good idea. So no other people get infected by something nasty from it.

/ Max
Last edited by Maximus3D on Tue Aug 15, 2006 10:30 pm, edited 1 time in total.
By zoppo
#178379
sounds like a hoax to me.

and spybot removes spy- or adware - nothing else. so it won't help against a "worm". best thing to do: use an up-to-date patched firefox or opera.
By blueplanetdesign
#178380
No hoax.

My antivirus software has blocked a worm each time I visit the daily photo thread.

I thought it was an imageshack intrusion. Seems it is.
By zoppo
#178382
strange. i got nothing like that. but with firefox i got no pop-ups at all.
By JDHill
#178392
Don't get too worried...all that 'about:blank' means in this case is that a browser window has opened a page where the HTML has no <title> attribute. To avoid being brought somewhere where you might actually get a virus, it's best to close the ad window by using right-click>Close on its entry in the Taskbar, rather than clicking anywhere on the client-area of the browser window.

Regarding ImageShack thumbnails, I'm sure it's not an approved practice (not approved by ImageShack, that is), but when you post, choose the 'Thumbnails for Forums (1)' link, which will look like this:

[ URL=http://img524.imageshack.us/my.php?image=maxwellnf3.png][ IMG ]http://img524.imageshack.us/img524/9820 ... nf3.th.png[ /IMG ][ /URL ]

...then you can edit the [ URL ] link to look like this:

[ URL=http://img524.imageshack.us/img524/9820/maxwellnf3.png][ IMG ]http://img524.imageshack.us/img524/9820 ... nf3.th.png[ /IMG ][ /URL ]

...in which case, you're skipping the /my.php redirection page, and setting the link value to the actual image location, which is the same as that of the thumbnail, save for the .th in the thumbnail address.


Cheers. :)

~JD
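
The link edit described in the post above, as an added example that is not part of the original thread or any ImageShack code. The host `img000.example.invalid`, the file names and the function names are constructed for illustration, and the BBCode is written without the spaces the post inserted to keep the forum from rendering it.

```javascript
// Added example: rewrite a "[URL=.../my.php?image=X][IMG]thumb[/IMG][/URL]"
// forum snippet so the link targets the image file itself, not the landing page.
const SNIPPET_RE =
  /\[URL=([^\]\s]+)\]\s*\[IMG\]\s*([^\[\s]+)\s*\[\/IMG\]\s*\[\/URL\]/i;

// Derive the full-size image URL from a thumbnail URL: name.th.ext -> name.ext
function directImageUrl(thumbUrl) {
  const u = new URL(thumbUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('unsupported scheme');
  }
  const m = u.pathname.match(/^(.*)\.th(\.[A-Za-z0-9]+)$/);
  if (!m) throw new Error('not a .th thumbnail path');
  u.pathname = m[1] + m[2];
  u.search = '';
  u.hash = '';
  return u.toString();
}

// Returns the rewritten snippet, or the input unchanged if any check fails.
function rewriteSnippet(bbcode) {
  const m = bbcode.match(SNIPPET_RE);
  if (!m) return bbcode;
  const [whole, link, thumb] = m;
  let linkUrl, direct;
  try {
    linkUrl = new URL(link);
    direct = directImageUrl(thumb);
  } catch {
    return bbcode; // unparsable URL or not a thumbnail
  }
  // Only touch links that point at the landing page on the thumbnail's host.
  if (!linkUrl.pathname.endsWith('/my.php')) return bbcode;
  if (linkUrl.host !== new URL(thumb).host) return bbcode;
  // The landing page's image= value should name the same file we derived.
  const wanted = linkUrl.searchParams.get('image');
  if (wanted && !direct.endsWith('/' + wanted)) return bbcode;
  return bbcode.replace(whole, () => `[URL=${direct}][IMG]${thumb}[/IMG][/URL]`);
}

// Constructed sample input (not a real upload).
const SAMPLE =
  '[URL=http://img000.example.invalid/my.php?image=render1.png]' +
  '[IMG]http://img000.example.invalid/img000/1234/render1.th.png[/IMG][/URL]';
console.log(rewriteSnippet(SAMPLE));
```

The function leaves the snippet untouched when the link and thumbnail hosts differ or the thumbnail path has no `.th` part, so it never points a link at a location the thumbnail does not already imply.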
By aitraaz
#178408
Hey that's a useful tip...but the Judas Priest inspired maxwell render logo?!? Mid august drinking bin?!?... :)
By donb
#178414
JDHill,

Sorry, but I have to disagree with you. If there are no title tags in the HTML (or there is no text between title tags) then no text should be displayed at all. Instead the IP address is displayed followed by the words Microsoft Internet Explorer.

Of course, the real question is why imageshack is putting popups in its code. Surely they are aware of how annoying they are and of the potential danger they pose (that's assuming imageshack is responsible for the popup and not the spyware). Perhaps if everyone would use another hosting site the folks at imageshack would get the hint that this is not a suitable method of posting advertisements.

Edit: What makes me more suspicious is that our firewall should have blocked the popup but didn't. To do that the producer of the popup had to make an extra effort to violate our security protocols.

DonB
By JDHill
#178449
Hi DonB,

You're right about the <title> tags...I was winging it. :D

About:blank is likely being shown as the page address because the link that the popup is supposed to point to is non-existent in the code generated for the ImageShack page. It is also possible that your defensive software, while not preventing the popup itself, is preventing the downloading of the page, leaving the browser generating a <HTML></HTML> page, and setting the title to about:blank. If you want to see this behavior in a completely safe environment, just create a new .htm file on your hard drive and put only the following code in it:

<body onload='window.open()' />

When you open it, a couple of things should happen (in IE):

- the browser you are opening it with should complain that a popup window was encountered
- the fake page, which has no location, will open in another browser window, and you will be shown the about:blank page, due to the lack of a url being specified in the window.open() function.

I assume this is similar to the behavior you have observed, based on your last remark.

The About:Blank ad/spy-ware that you are worried about is one of a family of malicious browser-hijackers (CoolWebSearch, etc.) that, if installed, change your browser's home page, and cause your browser to come up reading 'about:blank' when you first open it, generally followed by an immediate popup window to some adware site. Along with other possible effects such as modifying favorites, etc., they will also prevent you from re-setting your home page in Internet Options. This is not related to the about:blank that you're seeing here, which is just the browser's way of failing gracefully when pointed to a non-existent url. If you run any kind of anti-spyware at all (Spybot, etc.), the chances are pretty much nil that you will get one of these hijackers installed in the first place. However, if you think you might be dealing with this breed of malware, see http://cwshredder.net/cwshredder/cwschronicles.html and http://www.trendmicro.com/cwshredder/ for some useful information.

That said, it is annoying that ImageShack uses click-through advertising...but...I suppose that they've got to generate revenue somehow. Even so, the current situation allows a fairly easy workaround, as indicated above.

Cheers. :)

~JD


@aitraaz...it's Iron Maiden...and...you can't be insinuating that there's something wrong with a little mid-summer bender? Impostor!!! Who are you...and what have you done with the real aitraaz?!? :D
By donb
#178580
Hi JD,

We tried creating remotely hosted popups with no title and came up with just empty (blank) title field. Our IS guy is gonna run some more tests to see if the firewall is blocking something malicious and inserting the about:blank text as you suggest.

to be continued...