Housekeeping: Malware Mea Culpa

Robert Farago (courtesy The Truth About Guns)

We still don’t know exactly what caused the malware misegos that bedeviled your browsers. We reckon malicious code buried in our ads was the culprit. As you can [not] see, we’ve killed all but two of our ads until we sort this out. This will turn our cash flow into a trickle, but needs must. (If you’d like to help keep the lights on, please use the PayPal donation button on the right of the home page.) But we apologize deeply and completely for the electronic imposition. The Truth About Guns didn’t get to be America’s most popular firearms blog by compromising on its editorial integrity or your privacy. Or letting evil actors interfere with our readers’ computers. While we work on this issue we will continue to provide firearms-related news, reviews and editorial. Your patronage, patience and understanding are most appreciated.


  1. You guys should start a “Best Conspiracy Theory” thread to explain all this and the wildest, most unbelievable theory will be awarded “Most Likely Explanation” because: conspiracy!

    1. avatar Wendy says:

      Heh. This would be awesome.

      1. avatar Jim R says:

        I bet I could spin a REALLY bizarre tale if properly inclined.

        1. avatar Greg says:

          A little Gentlemen Jack to start the process?

        2. avatar Jim R says:

          Nah. I don’t drink whiskey. I just sort of get these wild ideas now and then and occasionally put them to paper. (It’s more useful than you think–I do a lot of tabletop RPGs)

    2. avatar OakRiver says:

      OK everyone, start channeling your inner Alex Jones

      1. avatar Fler says:

        He recently broke the news about the Border Patrol providing the illegals with bus tickets into anywhere in the US, which was later picked up by Drudge, Fox News, and the AP.

        He also mentioned tons of things years ago, which are now mainstream news: TSA VIPR teams at sporting events, on the highways, and in cities (they were recently conducting harrassment/”security” on the streets of NYC and Pittsburgh, covered in the mainstream), text, email, and phone monitoring, and tons of other stories for which he – and his readers/listeners – have been ridiculed.

        But let’s not let those pesky facts get in the way.

  2. avatar Dracon1201 says:

    I bet Bloomburg ordered the attack, personally.

    1. avatar ready,fire,aim says:


    2. avatar Bob4 says:

      Too plausible. 🙂

    3. avatar Jus Bill says:

      Check for uploads from NYC-based IP addresses.

    4. avatar Doug says:

      Or, impersonally. Plausible deniability, y’know.

  3. avatar PMD says:

    I am a daily reader, although I don’t usually comment. My desktop has been doing some screwy things over the last couple of days. I’ve run both of the malware/virus tools that I use to no avail.

    A follow up article with your findings, the name of the offending code and how to neutralize it would be appreciated.

    1. avatar Commie IL says:

      @ PMD

      If you haven’t already, download and run a scan using Malwarebytes. Its free and available at

      Also check your web browser for malicious addons and extensions. Often Antivirus and Antimalware scans will not detect or remove these extensions such as search helpers and toolbars.

      1. avatar Felix says:

        And who has vetted Malwarebytes?

        1. avatar Rambeast says:

          IT professionals across the US. I use it regularly at the medical university that employs me.

        2. avatar GP1935 says:

          . It’s very well known, trust me, if Malwarebytes were ever infected, it would be big IT news.

        3. avatar Jus Bill says:

          If it’s good enough for the hacker community it’s good enough for me. They don’t play around.

      2. avatar PMD says:

        Malwarebytes Free is one of the two tools that I use. It didn’t find anything. And yes, I updated the database B4 I ran it.

      3. avatar Leadbelly says:

        Or just get an I-Pad. I had two lap tops rendered useless by infestations in three years. I bought an I-Pad four years ago and haven’t had a problem since.

  4. avatar Jim R says:

    I understand this stuff happens from time to time. This blog covers a politically volatile subject and there are legions who want you to shut up–and they’ll do whatever is in their power to make you shut up. Since it would be impractical (and highly stupid) to confront you directly know…guns…they instead choose an indirect method of attack–shutting down your site and attempting to infect every user who goes here.

    These things are going to continue to happen. As the anti-gun statists get more and more vehement with their rhetoric, it only makes sense that they’re going to step up their virtual game. Since nobody’s going to their site, they’ll make sure nobody’s coming here either.

    1. avatar Kevin der Kinderen says:

      This has my vote for the most well-reasoned and believable conspiracy theory.

      Ad subscriptions are a common carrier of malware. You (the site owner) are trusting your readers to systems you have no direct control of. But it is life on the Internet. And whether we are gun supporters, a knitting club or a blog about life in Timbuktu we’re subject to attack by bad guys. I’d certainly like to hear about what you find but i don’t suspect its anti-gunners making a direct attack. More likely a Russian or Chinese kid sitting in their bedroom hacking away without any real goals.

      1. avatar Jim R says:

        You’re more likely than not correct–but the possibility is there, and let’s be honest here. Do you really put it past them to try?

        1. avatar Kevin der Kinderen says:

          It will be interesting to see how it plays out. I’m sure TTAG will share their findings and I’ll learn something new. I don’t put it past the antis but the odds seem to be in favor of an ad that was hacked or intentionally malicious. That same ad, presented on any site (i liken them to ad syndication) would cause the same problems, guns or not. I just don’t see how it could be targeted like this. By the way, i didn’t experience any suspect activity so I think I’ve dodged a bullet.

  5. avatar The Brotherhood of Steel says:

    It was definitely Bloomberg.

    1. avatar bontai Joe says:

      I agree, he actually believes that he can do no wrong, and that he already has his spot in Heaven. That kind of ego, does not like/tolerate/accept opposing view points.

  6. avatar Glenn says:

    I browse TTAG all day from multiple devices and never get ANY malware OR warnings of such. What exactly are you folks seeing? TTAG, drop Google & go Bing; I bet that’ll fix it.

    1. avatar Jus Bill says:

      If ads are automatically blocked on your browser you’ll never see a problem. Like with the AdBlock extension that I use.

  7. avatar justAMan says:

    Pretty sure IE11 protected me. All studies have shown it is the most secure browser.

    -Yes I am a Microsoft employee. That however doesn’t change the facts.

    1. avatar Glenn says:

      Same here on both counts, IE11 & Microsoft employee. (& TTAG reader)

      1. avatar justAMan says:

        I probably see you on the gun alias. This is Drew.

        1. avatar Jayson says:

          That makes 3 daily TTAG reading Microsofties. I haven’t seen any issues either (IE 11 as well).

    2. avatar bigfinger76 says:

      Firefox on Linux kept me safe.

      1. avatar Jus Bill says:

        Same here. Linux also boots a LOT faster then WinDoze.

        1. avatar Fler says:


          Slashdot, circa 1999 called.

        2. avatar Travis says:


          I still don’t know what’s worse… The degredation of the /. community, or beta.

    3. avatar Jus Bill says:

      Pretty sure IE11 protected me. All studies have shown it is the most secure browser.

      -Yes I am a Microsoft employee. That however doesn’t change the facts.

      Yeh. You need to look at more facts.

  8. This happens from time to time with the ads on my site. There is very little you can do about it beyond dealing with it each time it happens. It’s almost never harmful to viewers and is occasionally just a bug tossed into an ad to specifically trip google’s blocking service (and do nothing else) and annoy the site owner.

  9. avatar GuyFromV says:

    John Titor

    177th TTU
    Tempus Edax Rerum

  10. avatar H-Dizzle says:

    Fix or change whatever system you use to create the site. When I visit TTAG on any Mac laptop, it instantly spins up the fans and the computer starts to heat up dramatically. I think it is related to either Flash or Java, something you guys are using. I can’t leave a browser open with TTAG or my fans will spin at full speed until it is closed, hours or days if I let it go.

    This is using Safari on the most popular laptop in America, a Mac. Not a small user population. It could have been related to the ads, actually… because as I write this… it is not freaking my laptop out.

    Anyhow. I want to leave my browser open to the site 24/7… so hopefully this can be fixed.

    1. avatar Geoff PR says:

      “When I visit TTAG on any Mac laptop, it instantly spins up the fans and the computer starts to heat up dramatically. I think it is related to either Flash or Java, something you guys are using.”

      Nah, it’s the smok’n hot content from Robert, Dan, Nick, and the gang.

      Or it’s Ralph’s snarky cracks.

    2. avatar Jus Bill says:

      Anyhow. I want to leave my browser open to the site 24/7… so hopefully this can be fixed.

      Easy – get a real laptop.

  11. avatar H-Dizzle says:

    I take that back, it’s spinning it up and the CPU heat is cranking up again. It’s the code for the site that is the problem.

    1. avatar bigfinger76 says:

      I think it’s your laptop.

    2. avatar tmm says:

      I see my laptop running hot too (PC, not MAC), ie and Mozilla. This site and some others. I typically see clock cycles spin up which will cause the cpu fan to step up, particularly with multiple tabs. Doesn’t react the same on a desktop, as far as running hot, because desktop cpu fans would be better able to dissipate the heat (laptop cpu fans have to cool processors with much smaller fans, and are therefore more susceptible to running hot). However, with minimal ad content today, there is very little cpu action on the browser processes.

      I can dig the reason for ads, of course. Running a little hot means I have to manage viewing. Sometimes, though, my browser security plugin blocks bad/suspicious content. Sometimes an outright redirect will occur, even as I’m reading a page. Not recent development, this will happen from time to time. If I see it (outright redirect) happen again, I’ll try to get some details.

    3. avatar Jus Bill says:

      Please contact your Level Two Help Desk. Or call the nearest Chinese Embassy, Military Liaison Section. And finally, try leaving a message in .dev null. We don’t do remote diagnostics in this forum.

  12. avatar Matt in FL says:

    Also, we got absolutely hammered by spam comments between about 0500 and 0930 this morning. We’re talking 3000+ comments in three hours, when 3-500 per month is the norm.

    The system got briefly overwhelmed and sent a bunch of real comments into the Moderation queue (which is separate from the Spam folder). I’ve cleaned out Moderation and rescued a few more from the spam filter, but if you left a comment in the past 8-10 hours and it didn’t show up, email us with something about the spam filter in the subject line and I’ll go fishing for it.

    Also also, thank you to those of you who hit the PayPal button, in amounts both large and small (and small and recurring, which made me laugh). Cheers.

    1. avatar Jus Bill says:

      THAT tells me DoS attack. Not a random skiddie.

  13. avatar Accur81 says:

    The site is much more responsive without the ads. Kind of a Catch-22,eh?

    1. avatar Kevin der Kinderen says:

      It is fast loading now. I can see how the Liberty Ammo ad comes up quickly but the Kentucky gun ad adds a delay to finishing the page load. Maybe not everyone sees the same ads I do. But without those other ads things are pretty swift.

  14. avatar JimmyDelta says:

    Your 3rd party ad services are to blame. It’s also not just you – several popular pro-gun sites and marketplaces are seeing increased malicious ad content.

    [soapbox] I’ve had conversations with tech contacts at several of gun-related sites and no one is ready to declare this to be targeted just yet. The criminals who are behind these campaigns often focus on “verticals”, industries or “affinity groups” until the site operators respond and increase the criminal’s cost of doing business, forcing them move on to greener pastures. Industries or communities with formalized information/intelligence sharing frameworks (security working groups, ISACs and private, vetted mailing lists) tend to fare better. As those organizations push the criminals away from their collective estates, the less mature areas become juicier targets. Seems to be our turn in the barrel.

    A surprising number of my fellow IT/cyber/info security nerds are very pro-gun and are here to help.

    1. avatar Mark N. says:

      What is it that these criminals gain by engaging in these activities?

      1. avatar Kevin der Kinderen says:

        Control. Bragging rights. Disruption of business. Accidents. Fun. Training. Many more reasons. Many of which have little to do with the actual target. For some it is nothing more than the same cheap thrill you get TPing someone’s tree or egging their car on halloween. Sometimes it really is a coordinated effort to disrupt business like banks, corporate sites, government sites, etc.).

        I’ll be a little surprised if this turns out to be an intended attack on TTAG or pro-gun sites in general.

        1. avatar Jus Bill says:

          This is close to graduation time at one of the overseas schools. Maybe a class project…

          I wish they’d have picked Everytown/MAIG/MDA and the like instead [HINT].

      2. avatar rosignol says:

        It varies. In some cases, it’s yet another box to relay spam through. In other cases, they want to drop a keylogger and try to snatch login credentials. Sometimes, they’ll enable the OS’s built-in http server and use the infected machine to host nastiness to infect even more people.

        It almost always comes down to money in the end. Spam-for-hire, identity theft, and rent-a-botnet are all for-profit activities these days.

    2. avatar Geoff PR says:

      “A surprising number of my fellow IT/cyber/info security nerds are very pro-gun and are here to help.”

      Not surprising at all. Call of Duty and the other FPS games are heavily influencing folks in a very good way…

      IT/cyber/info security nerds understand the concept of being under attack and the need for defensive firepower.

    3. avatar Jus Bill says:


  15. avatar geoffb says:

    What I saw at 11:28 pm eastern last night and sent as an email.

    “This evening for the first time my browser, “Pale Moon,” labeled TTAG as an “Attack Site” and blocked it”

    Mr. Farago responded quickly that they were “On it.”

  16. avatar former water walker says:

    I wish I had $ to send. I figured it might be an ad. My wife has a fairly large diy/ decorative antique blog. Lots of BS in the last year. The WORST offender has been Yahoo. I never had a problem logging in on Bing & commenting but only on mobile android FWIW.

  17. avatar NY Steve says:

    Meanwhile at The Legion of Doom. Lex Luthor and Michael Bloomberg are developing the Skynet Virus. The early beta version was tested on TTAG website. Infected computers will form a network that will use satellites to scramble your brain. The only way to combat this is to cover your cranium with common household aluminum foil. This will prevent the mental disorder known as Liberalism.

    1. avatar Jus Bill says:

      LOD is/was a pretty active haxor group in Germany and the Netherlands. Just ask NASA.

  18. avatar cdotson says:

    I have to say that the site is playing much more nicely with my phone’s browser without the third party content. I can hardly ever make more than two or three clicks without it crashing the browser but this morning it is running great.

    Galaxy S3 with built in browser

  19. avatar Dirk Diggler says:

    My browser @ workwas going crazy and kept me from loading TTAG and browsing. I sent several texts to Dan Zimmerman after wife’s mac freaked out at home.

    I, To, blamed the billionaire midget.

    As for the paypal thing, do those who contribute the most get more leeway with respect to their posts being moderated? :-).

    1. avatar Matt in FL says:

      No promises, but you’re welcome to try. The bar is already pretty high.

      1. avatar Dennis says:

        Good reply Matt!

  20. avatar Model66 says:

    I know of other sites that provide the option to view the site free of ads if the viewer chooses to donate to the site. Any chance of that happening here? Is that already an option that I’m just not aware of?

    1. avatar JimmyDelta says:

      That’s an option. AdblockPlus is also free and a huge help. Works with all browsers.

      1. avatar Rambeast says:

        Adblock Plus and ghostery addons for firefox will filter out 99% of the nasties you may run into in cyberspace.

        1. avatar Tommyr says:

          This is true. I mosly surf from my Linux machine using Firefox with adblock so all is good here. On the Winblows lap I use the same setup.

      2. avatar Rich Grise says:

        I use a hosts file. It blocks almost everything!

        And I never click on ads, period.

        1. avatar Jus Bill says:

          That works great until .hosts becomes corrupted. Which WILL happen one day.

        2. avatar Rich Grise says:

          “That works great until .hosts becomes corrupted.”

          Well, if they’ve hacked my administrator account, then dumb ads are the least of my worries. You guys do know about setting up a user account without administrator privileges, right?

        3. avatar Jus Bill says:

          You do know about hard drive medium deterioration, don’t you? And Windows’ propensity to randomly “commit suicide” periodically? Every catastrophic failure is NOT caused by an external source.

        4. avatar Rich Grise says:

          That’s OK. We’ve got backups of important crap, and still have the “official” Win XP source disk, so I can reinstall if needed.

  21. avatar Tommy Knocker says:

    IRS audits are stage two (and if you think I am joking your wrong).

  22. avatar Tom from Georgia says:

    Okay. So it’s all the ads. Would it be better if we went back to Israeli supermodels by any chance (sorry, ladies! no harm no foul)?

    Also let’s see if this goes through on Chrome without a 500 syntax error or not…nope, had to go through Firefox instead. Is this a problem on my end? Does anyone know?


    1. avatar Jus Bill says:

      Chrome on Fedora is doing fine.

  23. avatar Tom in Oregon says:

    I finally saw what you all are talking about last night.
    I used google to do some research on a rifle (TC-Icon).
    The second or third hit was a TTAG article by Joe Grine.
    When I clicked on it, google directed me to a warning page and wouldn’t let me go to the page.
    So, I used TTAG’s search function. Problem solved.

  24. avatar Dave says:

    Am I the only one left that still uses the Lynx browser?

    Probably a safe bet I am one of the very few that still uses pine/alpine for email too!

    1. avatar Kevin der Kinderen says:

      Yes. You are one of the very few. Pine too? I’m picturing a DEC VT100 terminal maybe hooked to a PDP-11/45?

    2. avatar J E says:

      You aren’t alone. CLI FTW

    3. avatar Jus Bill says:

      Pretty close. WOW, but that brings back fond memories.

    1. avatar DJ9 says:

      I’m going to say no, as that article is dated two years old.

      I think Google is more nimble than that.

      Especially when they want to be evil.

    2. avatar DJ9 says:


      Below is a brand-new change to Google’s advertising policies (still subject to modification, starts in Sep). No more guns (even airsoft/paintball/BB guns), gun accessories, even knives.

      Excerpt for the gun stuff:

      “Guns & parts

      Disapproval and suspension reason: “Guns & parts”

      – Functional devices that appear to discharge a projectile at high velocity, whether for sport, self-defense, or combat
      (Note that we err on the side of caution and apply this policy to sporting or recreational guns that can cause serious harm if misused, or that appear to be real guns.)
      — Examples: Handguns, rifles, shotguns, hunting guns, functioning antique guns, airsoft guns, paintball guns, bb guns

      – Any part or component that’s necessary to the function of a gun or intended for attachment to a gun
      — Examples: Gun scopes, ammunition, ammunition clips or belts”

  25. avatar Mark N. says:

    I have yet to get a malware warning using IE 11 and getting here through a book mark/ favorite. However, the site has been running achingly slow, making it difficult and sometimes impossible to post. Letters refuse to appear, and by the time I’ve managed to correct all of the typing errors, the site locks up. Frustrating. For me, it has always been associated with active content on the AdChoice ads. The worst offenders have been the video ads; they slow the loading of any page, sometimes they start running in the middle of watching a video, resulting in two soundtracks running at once, refuse to shut off or pause, or reload and start running again after having been paused.

  26. avatar Ren says:

    I had the warning from both Chrome and Firefox. And just now I had the same warning while trying to access (which is a mainsteam video site like youtube but not quite as popular).

    So my guess is either ads are getting nastier or people are getting more stringent picking up the nasties.

  27. avatar Steven says:

    Good to see TTAG take the step of dropping the ads. I had my security scanner let me know the attack on my computer was a Java exploit. Interested in the log?

    Category: Intrusion Prevention
    Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
    2014-06-27 21:23:23,High,An intrusion attempt by 5eb9:502b::18f3:7886:100:e0 was blocked.,Blocked,No Action Required,Web Attack: Suspicious Jar Download 15,No Action Required,No Action Required,”5eb9:502b::18f3:7886:100:e0, 8590″,,”c0a8:fe1f:c470:be85:100:e0:a070:be85, 52872″,5eb9:502b::18f3:7886:100:e0,”TCP, Port 8590″
    Network traffic from matches the signature of a known attack. The attack was resulted from DEVICEHARDDISKVOLUME3PROGRAM FILESJAVAJRE7BINJAVA.EXE.

    In real life I am a Computer Systems Administrator so one of the ads was running back to the server See the WhoIs information here

    1. avatar GuyFromV says:

      This is the reason that Firefox makes it clear that the Java VM is deliberately crippled by default and makes it a bitch to get it running “correctly”, because its the most severe security hole ever seen online that hardly anyone ever seems to know about for some reason. There needs to be an alternative or Adobe needs to man up and fix their broken crap. Even with my minimal defenses of just using Mozilla with AdBlock and NoScript it still prevented port 8590 from opening. Does anyone know if that is it’s usual vector or maybe one of several?

      1. avatar Jus Bill says:

        Just one of several. The code can call any port; that’s one of the fingerprints.

      2. avatar Julian says:

        Not Adobe, but Oracle, who bought Sun, who developed Java. I’m not sure Oracle is all that interested in fixing Java, it was Sun that really loved it.

    2. avatar Jus Bill says:

      Thanks Steven – interesting run. Looks like a hijacked account there would be my guess. You can rent of buy them for peanuts if you’re too lazy to DIY.

  28. avatar 'liljoe says:

    Would it be feasible to set up some kind of subscription status on the site (maybe allow those who have it earlier access to articles and reviews or unlimited comments vs a limited number) and therefore decrease the ad content overall by diverting the revenue stream from other sources? OOoo, look, I spoke corporate for a second 🙂

  29. avatar TiC says:

    This kind of thing is why you should be running Firefox with NoScript. This combo helps avoid malware and drive by downloads.

    Combined with AdBlockPlus, this also strips out the obnoxious ads on this site and others.

    1. avatar GuyFromV says:

      Yeah what this guy said if I would have just scrolled down a little before posting stuff a second ago that I just repeated and stuff.

    2. avatar rlc2 says:

      Here is the CNET video on No Script. Its a bit of a hassle, because you have to click to allow sites, but its worth it, if you are really worried about malicious scripts. I dont like to use this for casual news reading, as its a bit of a pain, but if we start to see more problematic ads, or targeting by those who dislike TTAG (I would be very surprised NOT to see this more in future).

      Another option is to search using StartPageSSL, and click on use Ixquick proxy.
      This disables javascripts, so no vids, and unfortunately also disables viewing comments.

      I pay for ESET Nod32, because its lightweight, catches most everything, and is much cleaner and non-intrusive – got rid of BitDefender, as I saw no difference in detections on two laptops, and BitDefender was clunky and I had concerns about the business model, and the way the software actually ran was clunky.

      I also run CCleaner Pro, just to clean up temp files, and so on,

      Not a computer administrator, nor do I play one in the movies.

    3. avatar Jus Bill says:

      AND Ghostery. All set to auto-update. Makes you as tight as you can reasonably be.

  30. avatar Zeffie says:

    Gotta hate that when it happens.

    I do this stuff for a living.
    I strongly suggest you find someone more then a zippy Kid that you can contact when emergencies like this arise. Sounds like this was not related you your server, however since we don’t have any or much data at this time, who knows. Band aid fixes like “turning everything off” and breaking the bank are not the answer. The right thing to do is call it in right away to someone that can investigate, solve, and restore normal operation to the “object” your site in this case.

    You might also want to consider looking into your own server.. that’s looking a little funky from over here too.

  31. avatar rlc2 says:

    PS: I’d consider a subcription pay model also, for a small amount. Like buying books on Kindle- I hesitate to try an author unknown, for a hard copy at say $20, but have no problem trying things on for $0.99.

    A small monthly fee would screen some of the trolls, and generate a predictable revenue stream, from PayPal. I pay for SOFREP this way, and dont mind it, as I can always turn it off.

    Maybe for comments access, without ads, hosted on your serve,
    vs the free with ads on Fakebook?

    I dont know whats involved, so if this is too hard, I understand. I will say that I refuse to use Fakebook, so if that becomes the free model, that might screen problems from that side as well.

  32. avatar Micah Rubin says:

    Deep breath…..geezus….so glad I found you all. It’s rough out there. This is my first comment posted ever, anywhere. Figures it would be on a gun website. My computer has been under attack since Wednesday when I started browsing for any information about an Erma-Werke 68A that my father left me. Malwarebytes, IE and Kaspersky have been working overtime. All is well, but I nearly had a stroke when I got a blue screen with the words “real time malicious threat; saving files to blah blah blah, computer shutting down in 10..9..8… ‘–at which point I turned the laptop off and went for the liquor cabinet. I love my Malwarebytes, but dagnabbit! It shouldn’t be that stressful to do some research! Good thing it updates every hour or so.

    Last night, I read about Google banning gun ads, etc., and it ticked me off so bad, I deleted my history and started searching anything gun-related, knife-related, C-4 related, etc. I typed “guns guns guns” in the search bar and thank God and the Lord, TTAG came up. After reading Mr. Farago’s post, it finally occurred to me, that I too, have been a victim of ‘the midget Bloomberg’.

    I almost forgot to ask where I could find a clip for the 68A Luger! Any and all suggestions would be appreciated.

    Keep the faith, Mr. Farago. I’ll be headed over to the PayPal after this.

  33. avatar blah says:

    I found you looking up “”. I saw quite a few workstations come in that picked up malware from there early Friday evening for about a two hour period.

    I only got to look at the history of a couple of them but it looks like it may have through Pubmatic (not sure if you use them).

  34. avatar mrT says:

    How about a paid subscription option for a total ad-free ttag?

    I am running adblock anyways as to protect myself from these attacks but that also means that my hourly visits to the site do not support it in any financial sense.

    1. avatar MaxHedrm says:

      This sounds like an excellent option.

  35. avatar Erasmus says:

    No sweat, you guys are the best!

  36. avatar jim says:

    TTAG ads were so out of control the site forced me to install ad blocker a few weeks ago just because it would hang up my browser constantly when I had sites open in other tabs. Might want to consider approaching a few industry sponsors directly.

  37. avatar Kim says:

    An Apple a day keeps the virus away.

    1. avatar Tommyr says:

      The Penguin is also good at it!

  38. avatar Robert Wyman says:

    Is this about clicking a link to TTAG and Firefox blocked me with “Attack Site Run Away”? I clicked the “Butt Out” and then another page says “Google Said So, Run Away”. I went to Firefox and asked “How dare you”, if there is an attack site it is Google itself. Mint-munching Poodle walkers the whole bunch. I told Firefox they are to be browser for a couple more days… Sick of the a**holes in this country up in my face, in my business and hiding behind “Contact Us” buttons. Fed up. The key word in the original link was “Shannon whats-her-face” the liar and child abuser, the money hungry whore who is using our good air to breathe only by the grace of God apparently. I pity her young son who had to be her test lab rat to show “guns are bad”. She is the bad one…child abuser.

  39. avatar ccw says:

    Ok just sent a jackson, I was not affected, I have adblock pro and the ghostery plugins so I never see any ads, but I like your articles.

  40. avatar 2hotel9 says:

    RF? I did not realize y’all had ads! I have adblocker running on all my devices, and had my Geek put some claymore-like, super ninja security crap on, too. Don’t know what it is called or how it works it just DOES.

    And don’t feel lonely, appears a LOT of places are experiencing major malware/virusi attacks during the last couple of weeks.

    1. avatar MaxHedrm says:

      People running adblock are the reason they have to accept intrusive ads from shady sources to keep the lights on. So thanks.

      1. avatar Rich Grise says:

        “People running adblock are the reason they have to accept intrusive ads from shady sources to keep the lights on. So thanks.”

        And you really believe that forcing obnoxious/intrusive ads down people’s throats will induce them to buy your product? What color are the unicorns on your planet?

        1. avatar 2hotel9 says:

          Not to mention all the malware, trojans and virusi.

        2. avatar Rich Grise says:

          I use the hosts file trick.
          It blocks everything that even _looks_ like an ad!

        3. avatar 2hotel9 says:

          I honestly don’t know what our Geek put on our computers last year, it works, though! We tried sandboxie and did not like it. Run CCleaner every time computers are turned on and Malwarebytes runs automagically, along with whatever internals he put on.

      2. avatar 2hotel9 says:

        You speak with forked tongue, minimalheadspace.

  41. avatar Ed says:

    What’s funny is that the malicious code has been embedded for quite some time. Over the last month or two, when I’ve visited the site, I’ve been redirected after some browsing to a page that tells me to update my browser or some plug-in in order to view the site. Of course, I never did, knowing it was malware, but it sounds like some were not so diligent with internet common sense reasoning.

    Some of the blame is with quality control. With so many ‘moderators’/contributors on this site, is it too much to ask to check for these issues, or only accept ads from TRUSTED sources and not anyone willing to pay $X per view/click in order to spread the bad code? I know the site depends on ad revenue, but that still doesn’t excuse the lack of due-diligence to make sure they aren’t malicious.

  42. avatar MaxHedrm says:

    That was my guess. The ads on this site have continued to get more intrusive and aggressive, so I am not surprised they caused issues. You should probably be more careful who you accept money from.

  43. avatar Jim Bullock says:

    Well, you’ve just learned that when this active-web-y stuff works it’s nice, but, when it has one of its infrequent problems, it’s pretty bad, pretty quick.

    Now you know.


    Maintain a “stack, content and security” page perhaps off of “about us.” You end up seeing the same info after similar debacles time and again.

    I’m beginning to think than any responsible community-based site should do this. Seems like the infestations have become cost of doing business. Maybe this is a mitigation.


    Perhaps you could recruit a bunch of the “I do this for a living” cohort hereabouts as a nerd-pool, to appeal to when things get odd, and even maintain the info identified above.

    I’d do it for the byline, I think, although I would use my “nom de interwebs” for the public face, I think.

    “I kind of do this for a living
    so will also hold forth”:

    The issue is that various kinds of “federated” and “service-ized” internet content and function really mean you are putting *running code of some kind* from 3rd parties into your web site, and from your web site into people’s client computers.

    Ideally, this is confined to their browsers, but the more you want the browser to act like a whole computer – store things like forms data, run stuff like games, etc – the more it can be used to take over your whole world. (One term of art here is “surface area.”) Particular extensions that do additional stuff, have the same leakiness problem, and as the extensions act more like whole computers, they have more surface to exploit, and can do more stuff.

    The top four, more or less are: javascript, a complete, interpreted programming language embedded in your browser; java – no relation – the embeddable JVM of which is a bit “holey”, and flash, which, because flash games are kewl, acquired an event-based(-ish) more or less complete programming language, and microsoft “active-whatever” plug-ins. (Before I get swarmed by the softies, yes it’s been getting way better, and no, I’m not using the exact current terminology. Still, more integration w/ the platform breaks encapsulation, and more function is more surface … however good the implementation – and it was awful back in the day – they tend to make more extensive exploit, and more opportunity for error, respectively.)

    Ad networks, metrics collection, integration with content services, and even little “hit count” widgets in a web page, all propagate 3rd party code from those “services” through your web site, into client computers. It’s all looked up and loaded dynamically(-ish many details) on demand, after a page “hit.” So, it’s hard to only propagate a known, scrubbed (which improves confidence, but is not certain) pile of “mobile code.” (Another term of art.)

    Ad networks are prime targets because they propagate code all over the place, and often their development is – er – not done with robust security the foremost consideration.


    Yr balancing annoyance vs. safety. My default config balancing annoyance with relative safety is:

    – FireFox on Linux
    – NoScript
    – Ads, cookies, and redirects blocked by default.
    – Ask before loading plug-ins
    – Subscription to at least one “malicious site” lookup features in the browser.
    – A reverse-dns plug-in, which displays the country of origin of a link or page.
    – A firewall.
    – A run-time process monitor.

    – No browser history, password management or forms data.
    – Patch check & update for whole stack at least daily.
    – Roughly quarterly rebuilds of machine.

Write a Comment

Your email address will not be published. Required fields are marked *

button to share on facebook
button to tweet
button to share via email