Previous Post
Next Post

Robert Farago (courtesy The Truth About Guns)

We still don’t know exactly what caused the malware misegos that bedeviled your browsers. We reckon malicious code buried in our ads was the culprit. As you can [not] see, we’ve killed all but two of our ads until we sort this out. This will turn our cash flow into a trickle, but needs must. (If you’d like to help keep the lights on, please use the PayPal donation button on the right of the home page.) But we apologize deeply and completely for the electronic imposition. The Truth About Guns didn’t get to be America’s most popular firearms blog by compromising on its editorial integrity or your privacy. Or letting evil actors interfere with our readers’ computers. While we work on this issue we will continue to provide firearms-related news, reviews and editorial. Your patronage, patience and understanding are most appreciated.

Previous Post
Next Post


  1. You guys should start a “Best Conspiracy Theory” thread to explain all this and the wildest, most unbelievable theory will be awarded “Most Likely Explanation” because: conspiracy!

      • He recently broke the news about the Border Patrol providing the illegals with bus tickets into anywhere in the US, which was later picked up by Drudge, Fox News, and the AP.

        He also mentioned tons of things years ago, which are now mainstream news: TSA VIPR teams at sporting events, on the highways, and in cities (they were recently conducting harrassment/”security” on the streets of NYC and Pittsburgh, covered in the mainstream), text, email, and phone monitoring, and tons of other stories for which he – and his readers/listeners – have been ridiculed.

        But let’s not let those pesky facts get in the way.

  2. I am a daily reader, although I don’t usually comment. My desktop has been doing some screwy things over the last couple of days. I’ve run both of the malware/virus tools that I use to no avail.

    A follow up article with your findings, the name of the offending code and how to neutralize it would be appreciated.

    • @ PMD

      If you haven’t already, download and run a scan using Malwarebytes. Its free and available at

      Also check your web browser for malicious addons and extensions. Often Antivirus and Antimalware scans will not detect or remove these extensions such as search helpers and toolbars.

        • IT professionals across the US. I use it regularly at the medical university that employs me.

        • . It’s very well known, trust me, if Malwarebytes were ever infected, it would be big IT news.

        • If it’s good enough for the hacker community it’s good enough for me. They don’t play around.

      • Malwarebytes Free is one of the two tools that I use. It didn’t find anything. And yes, I updated the database B4 I ran it.

      • Or just get an I-Pad. I had two lap tops rendered useless by infestations in three years. I bought an I-Pad four years ago and haven’t had a problem since.

  3. I understand this stuff happens from time to time. This blog covers a politically volatile subject and there are legions who want you to shut up–and they’ll do whatever is in their power to make you shut up. Since it would be impractical (and highly stupid) to confront you directly know…guns…they instead choose an indirect method of attack–shutting down your site and attempting to infect every user who goes here.

    These things are going to continue to happen. As the anti-gun statists get more and more vehement with their rhetoric, it only makes sense that they’re going to step up their virtual game. Since nobody’s going to their site, they’ll make sure nobody’s coming here either.

    • This has my vote for the most well-reasoned and believable conspiracy theory.

      Ad subscriptions are a common carrier of malware. You (the site owner) are trusting your readers to systems you have no direct control of. But it is life on the Internet. And whether we are gun supporters, a knitting club or a blog about life in Timbuktu we’re subject to attack by bad guys. I’d certainly like to hear about what you find but i don’t suspect its anti-gunners making a direct attack. More likely a Russian or Chinese kid sitting in their bedroom hacking away without any real goals.

      • You’re more likely than not correct–but the possibility is there, and let’s be honest here. Do you really put it past them to try?

        • It will be interesting to see how it plays out. I’m sure TTAG will share their findings and I’ll learn something new. I don’t put it past the antis but the odds seem to be in favor of an ad that was hacked or intentionally malicious. That same ad, presented on any site (i liken them to ad syndication) would cause the same problems, guns or not. I just don’t see how it could be targeted like this. By the way, i didn’t experience any suspect activity so I think I’ve dodged a bullet.

    • I agree, he actually believes that he can do no wrong, and that he already has his spot in Heaven. That kind of ego, does not like/tolerate/accept opposing view points.

  4. I browse TTAG all day from multiple devices and never get ANY malware OR warnings of such. What exactly are you folks seeing? TTAG, drop Google & go Bing; I bet that’ll fix it.

    • If ads are automatically blocked on your browser you’ll never see a problem. Like with the AdBlock extension that I use.

  5. Pretty sure IE11 protected me. All studies have shown it is the most secure browser.

    -Yes I am a Microsoft employee. That however doesn’t change the facts.

  6. This happens from time to time with the ads on my site. There is very little you can do about it beyond dealing with it each time it happens. It’s almost never harmful to viewers and is occasionally just a bug tossed into an ad to specifically trip google’s blocking service (and do nothing else) and annoy the site owner.

  7. Fix or change whatever system you use to create the site. When I visit TTAG on any Mac laptop, it instantly spins up the fans and the computer starts to heat up dramatically. I think it is related to either Flash or Java, something you guys are using. I can’t leave a browser open with TTAG or my fans will spin at full speed until it is closed, hours or days if I let it go.

    This is using Safari on the most popular laptop in America, a Mac. Not a small user population. It could have been related to the ads, actually… because as I write this… it is not freaking my laptop out.

    Anyhow. I want to leave my browser open to the site 24/7… so hopefully this can be fixed.

    • “When I visit TTAG on any Mac laptop, it instantly spins up the fans and the computer starts to heat up dramatically. I think it is related to either Flash or Java, something you guys are using.”

      Nah, it’s the smok’n hot content from Robert, Dan, Nick, and the gang.

      Or it’s Ralph’s snarky cracks.

    • Anyhow. I want to leave my browser open to the site 24/7… so hopefully this can be fixed.

      Easy – get a real laptop.

  8. I take that back, it’s spinning it up and the CPU heat is cranking up again. It’s the code for the site that is the problem.

    • I see my laptop running hot too (PC, not MAC), ie and Mozilla. This site and some others. I typically see clock cycles spin up which will cause the cpu fan to step up, particularly with multiple tabs. Doesn’t react the same on a desktop, as far as running hot, because desktop cpu fans would be better able to dissipate the heat (laptop cpu fans have to cool processors with much smaller fans, and are therefore more susceptible to running hot). However, with minimal ad content today, there is very little cpu action on the browser processes.

      I can dig the reason for ads, of course. Running a little hot means I have to manage viewing. Sometimes, though, my browser security plugin blocks bad/suspicious content. Sometimes an outright redirect will occur, even as I’m reading a page. Not recent development, this will happen from time to time. If I see it (outright redirect) happen again, I’ll try to get some details.

    • Please contact your Level Two Help Desk. Or call the nearest Chinese Embassy, Military Liaison Section. And finally, try leaving a message in .dev null. We don’t do remote diagnostics in this forum.

  9. Also, we got absolutely hammered by spam comments between about 0500 and 0930 this morning. We’re talking 3000+ comments in three hours, when 3-500 per month is the norm.

    The system got briefly overwhelmed and sent a bunch of real comments into the Moderation queue (which is separate from the Spam folder). I’ve cleaned out Moderation and rescued a few more from the spam filter, but if you left a comment in the past 8-10 hours and it didn’t show up, email us with something about the spam filter in the subject line and I’ll go fishing for it.

    Also also, thank you to those of you who hit the PayPal button, in amounts both large and small (and small and recurring, which made me laugh). Cheers.

    • It is fast loading now. I can see how the Liberty Ammo ad comes up quickly but the Kentucky gun ad adds a delay to finishing the page load. Maybe not everyone sees the same ads I do. But without those other ads things are pretty swift.

  10. Your 3rd party ad services are to blame. It’s also not just you – several popular pro-gun sites and marketplaces are seeing increased malicious ad content.

    [soapbox] I’ve had conversations with tech contacts at several of gun-related sites and no one is ready to declare this to be targeted just yet. The criminals who are behind these campaigns often focus on “verticals”, industries or “affinity groups” until the site operators respond and increase the criminal’s cost of doing business, forcing them move on to greener pastures. Industries or communities with formalized information/intelligence sharing frameworks (security working groups, ISACs and private, vetted mailing lists) tend to fare better. As those organizations push the criminals away from their collective estates, the less mature areas become juicier targets. Seems to be our turn in the barrel.

    A surprising number of my fellow IT/cyber/info security nerds are very pro-gun and are here to help.

      • Control. Bragging rights. Disruption of business. Accidents. Fun. Training. Many more reasons. Many of which have little to do with the actual target. For some it is nothing more than the same cheap thrill you get TPing someone’s tree or egging their car on halloween. Sometimes it really is a coordinated effort to disrupt business like banks, corporate sites, government sites, etc.).

        I’ll be a little surprised if this turns out to be an intended attack on TTAG or pro-gun sites in general.

        • This is close to graduation time at one of the overseas schools. Maybe a class project…

          I wish they’d have picked Everytown/MAIG/MDA and the like instead [HINT].

      • It varies. In some cases, it’s yet another box to relay spam through. In other cases, they want to drop a keylogger and try to snatch login credentials. Sometimes, they’ll enable the OS’s built-in http server and use the infected machine to host nastiness to infect even more people.

        It almost always comes down to money in the end. Spam-for-hire, identity theft, and rent-a-botnet are all for-profit activities these days.

    • “A surprising number of my fellow IT/cyber/info security nerds are very pro-gun and are here to help.”

      Not surprising at all. Call of Duty and the other FPS games are heavily influencing folks in a very good way…

      IT/cyber/info security nerds understand the concept of being under attack and the need for defensive firepower.

  11. What I saw at 11:28 pm eastern last night and sent as an email.

    “This evening for the first time my browser, “Pale Moon,” labeled TTAG as an “Attack Site” and blocked it”

    Mr. Farago responded quickly that they were “On it.”

  12. I wish I had $ to send. I figured it might be an ad. My wife has a fairly large diy/ decorative antique blog. Lots of BS in the last year. The WORST offender has been Yahoo. I never had a problem logging in on Bing & commenting but only on mobile android FWIW.

  13. Meanwhile at The Legion of Doom. Lex Luthor and Michael Bloomberg are developing the Skynet Virus. The early beta version was tested on TTAG website. Infected computers will form a network that will use satellites to scramble your brain. The only way to combat this is to cover your cranium with common household aluminum foil. This will prevent the mental disorder known as Liberalism.

  14. I have to say that the site is playing much more nicely with my phone’s browser without the third party content. I can hardly ever make more than two or three clicks without it crashing the browser but this morning it is running great.

    Galaxy S3 with built in browser

  15. My browser @ workwas going crazy and kept me from loading TTAG and browsing. I sent several texts to Dan Zimmerman after wife’s mac freaked out at home.

    I, To, blamed the billionaire midget.

    As for the paypal thing, do those who contribute the most get more leeway with respect to their posts being moderated? :-).

  16. I know of other sites that provide the option to view the site free of ads if the viewer chooses to donate to the site. Any chance of that happening here? Is that already an option that I’m just not aware of?

      • Adblock Plus and ghostery addons for firefox will filter out 99% of the nasties you may run into in cyberspace.

        • This is true. I mosly surf from my Linux machine using Firefox with adblock so all is good here. On the Winblows lap I use the same setup.

        • “That works great until .hosts becomes corrupted.”

          Well, if they’ve hacked my administrator account, then dumb ads are the least of my worries. You guys do know about setting up a user account without administrator privileges, right?

        • You do know about hard drive medium deterioration, don’t you? And Windows’ propensity to randomly “commit suicide” periodically? Every catastrophic failure is NOT caused by an external source.

        • That’s OK. We’ve got backups of important crap, and still have the “official” Win XP source disk, so I can reinstall if needed.

  17. Okay. So it’s all the ads. Would it be better if we went back to Israeli supermodels by any chance (sorry, ladies! no harm no foul)?

    Also let’s see if this goes through on Chrome without a 500 syntax error or not…nope, had to go through Firefox instead. Is this a problem on my end? Does anyone know?


  18. I finally saw what you all are talking about last night.
    I used google to do some research on a rifle (TC-Icon).
    The second or third hit was a TTAG article by Joe Grine.
    When I clicked on it, google directed me to a warning page and wouldn’t let me go to the page.
    So, I used TTAG’s search function. Problem solved.

  19. Am I the only one left that still uses the Lynx browser?

    Probably a safe bet I am one of the very few that still uses pine/alpine for email too!

    • I’m going to say no, as that article is dated two years old.

      I think Google is more nimble than that.

      Especially when they want to be evil.

    • However…

      Below is a brand-new change to Google’s advertising policies (still subject to modification, starts in Sep). No more guns (even airsoft/paintball/BB guns), gun accessories, even knives.

      Excerpt for the gun stuff:

      “Guns & parts

      Disapproval and suspension reason: “Guns & parts”

      – Functional devices that appear to discharge a projectile at high velocity, whether for sport, self-defense, or combat
      (Note that we err on the side of caution and apply this policy to sporting or recreational guns that can cause serious harm if misused, or that appear to be real guns.)
      — Examples: Handguns, rifles, shotguns, hunting guns, functioning antique guns, airsoft guns, paintball guns, bb guns

      – Any part or component that’s necessary to the function of a gun or intended for attachment to a gun
      — Examples: Gun scopes, ammunition, ammunition clips or belts”

  20. I have yet to get a malware warning using IE 11 and getting here through a book mark/ favorite. However, the site has been running achingly slow, making it difficult and sometimes impossible to post. Letters refuse to appear, and by the time I’ve managed to correct all of the typing errors, the site locks up. Frustrating. For me, it has always been associated with active content on the AdChoice ads. The worst offenders have been the video ads; they slow the loading of any page, sometimes they start running in the middle of watching a video, resulting in two soundtracks running at once, refuse to shut off or pause, or reload and start running again after having been paused.

  21. I had the warning from both Chrome and Firefox. And just now I had the same warning while trying to access (which is a mainsteam video site like youtube but not quite as popular).

    So my guess is either ads are getting nastier or people are getting more stringent picking up the nasties.

  22. Good to see TTAG take the step of dropping the ads. I had my security scanner let me know the attack on my computer was a Java exploit. Interested in the log?

    Category: Intrusion Prevention
    Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
    2014-06-27 21:23:23,High,An intrusion attempt by 5eb9:502b::18f3:7886:100:e0 was blocked.,Blocked,No Action Required,Web Attack: Suspicious Jar Download 15,No Action Required,No Action Required,”5eb9:502b::18f3:7886:100:e0, 8590″,,”c0a8:fe1f:c470:be85:100:e0:a070:be85, 52872″,5eb9:502b::18f3:7886:100:e0,”TCP, Port 8590″
    Network traffic from matches the signature of a known attack. The attack was resulted from DEVICEHARDDISKVOLUME3PROGRAM FILESJAVAJRE7BINJAVA.EXE.

    In real life I am a Computer Systems Administrator so one of the ads was running back to the server See the WhoIs information here

    • This is the reason that Firefox makes it clear that the Java VM is deliberately crippled by default and makes it a bitch to get it running “correctly”, because its the most severe security hole ever seen online that hardly anyone ever seems to know about for some reason. There needs to be an alternative or Adobe needs to man up and fix their broken crap. Even with my minimal defenses of just using Mozilla with AdBlock and NoScript it still prevented port 8590 from opening. Does anyone know if that is it’s usual vector or maybe one of several?

      • Not Adobe, but Oracle, who bought Sun, who developed Java. I’m not sure Oracle is all that interested in fixing Java, it was Sun that really loved it.

    • Thanks Steven – interesting run. Looks like a hijacked account there would be my guess. You can rent of buy them for peanuts if you’re too lazy to DIY.

  23. Would it be feasible to set up some kind of subscription status on the site (maybe allow those who have it earlier access to articles and reviews or unlimited comments vs a limited number) and therefore decrease the ad content overall by diverting the revenue stream from other sources? OOoo, look, I spoke corporate for a second 🙂

  24. This kind of thing is why you should be running Firefox with NoScript. This combo helps avoid malware and drive by downloads.

    Combined with AdBlockPlus, this also strips out the obnoxious ads on this site and others.

    • Yeah what this guy said if I would have just scrolled down a little before posting stuff a second ago that I just repeated and stuff.

    • Here is the CNET video on No Script. Its a bit of a hassle, because you have to click to allow sites, but its worth it, if you are really worried about malicious scripts. I dont like to use this for casual news reading, as its a bit of a pain, but if we start to see more problematic ads, or targeting by those who dislike TTAG (I would be very surprised NOT to see this more in future).

      Another option is to search using StartPageSSL, and click on use Ixquick proxy.
      This disables javascripts, so no vids, and unfortunately also disables viewing comments.

      I pay for ESET Nod32, because its lightweight, catches most everything, and is much cleaner and non-intrusive – got rid of BitDefender, as I saw no difference in detections on two laptops, and BitDefender was clunky and I had concerns about the business model, and the way the software actually ran was clunky.

      I also run CCleaner Pro, just to clean up temp files, and so on,

      Not a computer administrator, nor do I play one in the movies.

  25. Gotta hate that when it happens.

    I do this stuff for a living.
    I strongly suggest you find someone more then a zippy Kid that you can contact when emergencies like this arise. Sounds like this was not related you your server, however since we don’t have any or much data at this time, who knows. Band aid fixes like “turning everything off” and breaking the bank are not the answer. The right thing to do is call it in right away to someone that can investigate, solve, and restore normal operation to the “object” your site in this case.

    You might also want to consider looking into your own server.. that’s looking a little funky from over here too.

  26. PS: I’d consider a subcription pay model also, for a small amount. Like buying books on Kindle- I hesitate to try an author unknown, for a hard copy at say $20, but have no problem trying things on for $0.99.

    A small monthly fee would screen some of the trolls, and generate a predictable revenue stream, from PayPal. I pay for SOFREP this way, and dont mind it, as I can always turn it off.

    Maybe for comments access, without ads, hosted on your serve,
    vs the free with ads on Fakebook?

    I dont know whats involved, so if this is too hard, I understand. I will say that I refuse to use Fakebook, so if that becomes the free model, that might screen problems from that side as well.

  27. Deep breath…..geezus….so glad I found you all. It’s rough out there. This is my first comment posted ever, anywhere. Figures it would be on a gun website. My computer has been under attack since Wednesday when I started browsing for any information about an Erma-Werke 68A that my father left me. Malwarebytes, IE and Kaspersky have been working overtime. All is well, but I nearly had a stroke when I got a blue screen with the words “real time malicious threat; saving files to blah blah blah, computer shutting down in 10..9..8… ‘–at which point I turned the laptop off and went for the liquor cabinet. I love my Malwarebytes, but dagnabbit! It shouldn’t be that stressful to do some research! Good thing it updates every hour or so.

    Last night, I read about Google banning gun ads, etc., and it ticked me off so bad, I deleted my history and started searching anything gun-related, knife-related, C-4 related, etc. I typed “guns guns guns” in the search bar and thank God and the Lord, TTAG came up. After reading Mr. Farago’s post, it finally occurred to me, that I too, have been a victim of ‘the midget Bloomberg’.

    I almost forgot to ask where I could find a clip for the 68A Luger! Any and all suggestions would be appreciated.

    Keep the faith, Mr. Farago. I’ll be headed over to the PayPal after this.

  28. I found you looking up “”. I saw quite a few workstations come in that picked up malware from there early Friday evening for about a two hour period.

    I only got to look at the history of a couple of them but it looks like it may have through Pubmatic (not sure if you use them).

  29. How about a paid subscription option for a total ad-free ttag?

    I am running adblock anyways as to protect myself from these attacks but that also means that my hourly visits to the site do not support it in any financial sense.

  30. TTAG ads were so out of control the site forced me to install ad blocker a few weeks ago just because it would hang up my browser constantly when I had sites open in other tabs. Might want to consider approaching a few industry sponsors directly.

  31. Is this about clicking a link to TTAG and Firefox blocked me with “Attack Site Run Away”? I clicked the “Butt Out” and then another page says “Google Said So, Run Away”. I went to Firefox and asked “How dare you”, if there is an attack site it is Google itself. Mint-munching Poodle walkers the whole bunch. I told Firefox they are to be browser for a couple more days… Sick of the a**holes in this country up in my face, in my business and hiding behind “Contact Us” buttons. Fed up. The key word in the original link was “Shannon whats-her-face” the liar and child abuser, the money hungry whore who is using our good air to breathe only by the grace of God apparently. I pity her young son who had to be her test lab rat to show “guns are bad”. She is the bad one…child abuser.

  32. Ok just sent a jackson, I was not affected, I have adblock pro and the ghostery plugins so I never see any ads, but I like your articles.

  33. RF? I did not realize y’all had ads! I have adblocker running on all my devices, and had my Geek put some claymore-like, super ninja security crap on, too. Don’t know what it is called or how it works it just DOES.

    And don’t feel lonely, appears a LOT of places are experiencing major malware/virusi attacks during the last couple of weeks.

  34. What’s funny is that the malicious code has been embedded for quite some time. Over the last month or two, when I’ve visited the site, I’ve been redirected after some browsing to a page that tells me to update my browser or some plug-in in order to view the site. Of course, I never did, knowing it was malware, but it sounds like some were not so diligent with internet common sense reasoning.

    Some of the blame is with quality control. With so many ‘moderators’/contributors on this site, is it too much to ask to check for these issues, or only accept ads from TRUSTED sources and not anyone willing to pay $X per view/click in order to spread the bad code? I know the site depends on ad revenue, but that still doesn’t excuse the lack of due-diligence to make sure they aren’t malicious.

  35. That was my guess. The ads on this site have continued to get more intrusive and aggressive, so I am not surprised they caused issues. You should probably be more careful who you accept money from.

  36. Well, you’ve just learned that when this active-web-y stuff works it’s nice, but, when it has one of its infrequent problems, it’s pretty bad, pretty quick.

    Now you know.


    Maintain a “stack, content and security” page perhaps off of “about us.” You end up seeing the same info after similar debacles time and again.

    I’m beginning to think than any responsible community-based site should do this. Seems like the infestations have become cost of doing business. Maybe this is a mitigation.


    Perhaps you could recruit a bunch of the “I do this for a living” cohort hereabouts as a nerd-pool, to appeal to when things get odd, and even maintain the info identified above.

    I’d do it for the byline, I think, although I would use my “nom de interwebs” for the public face, I think.

    “I kind of do this for a living
    so will also hold forth”:

    The issue is that various kinds of “federated” and “service-ized” internet content and function really mean you are putting *running code of some kind* from 3rd parties into your web site, and from your web site into people’s client computers.

    Ideally, this is confined to their browsers, but the more you want the browser to act like a whole computer – store things like forms data, run stuff like games, etc – the more it can be used to take over your whole world. (One term of art here is “surface area.”) Particular extensions that do additional stuff, have the same leakiness problem, and as the extensions act more like whole computers, they have more surface to exploit, and can do more stuff.

    The top four, more or less are: javascript, a complete, interpreted programming language embedded in your browser; java – no relation – the embeddable JVM of which is a bit “holey”, and flash, which, because flash games are kewl, acquired an event-based(-ish) more or less complete programming language, and microsoft “active-whatever” plug-ins. (Before I get swarmed by the softies, yes it’s been getting way better, and no, I’m not using the exact current terminology. Still, more integration w/ the platform breaks encapsulation, and more function is more surface … however good the implementation – and it was awful back in the day – they tend to make more extensive exploit, and more opportunity for error, respectively.)

    Ad networks, metrics collection, integration with content services, and even little “hit count” widgets in a web page, all propagate 3rd party code from those “services” through your web site, into client computers. It’s all looked up and loaded dynamically(-ish many details) on demand, after a page “hit.” So, it’s hard to only propagate a known, scrubbed (which improves confidence, but is not certain) pile of “mobile code.” (Another term of art.)

    Ad networks are prime targets because they propagate code all over the place, and often their development is – er – not done with robust security the foremost consideration.


    Yr balancing annoyance vs. safety. My default config balancing annoyance with relative safety is:

    – FireFox on Linux
    – NoScript
    – Ads, cookies, and redirects blocked by default.
    – Ask before loading plug-ins
    – Subscription to at least one “malicious site” lookup features in the browser.
    – A reverse-dns plug-in, which displays the country of origin of a link or page.
    – A firewall.
    – A run-time process monitor.

    – No browser history, password management or forms data.
    – Patch check & update for whole stack at least daily.
    – Roughly quarterly rebuilds of machine.


Please enter your comment!
Please enter your name here