
Anyone have problems after looking at the Orbea bikes website?



#1 - 08-03-12, 08:01 AM
PatrickGSR94
Senior Member
Thread Starter
 
Join Date: Apr 2012
Location: Memphis TN area
Posts: 7,393

Bikes: 2011 Felt Z85 (road/commuter), 2006 Marin Pine Mountain (utility/commuter E-bike), 1995 KHS Alite 1000 (gravel grinder)

Anyone have problems after looking at the Orbea bikes website?

I'm not sure if it's related to their site or what. I went to their website yesterday for the first time, and shortly after I started getting notifications about an Adobe Flash update, but the update was older than what was already installed on my machine. Shortly thereafter my Trend Micro AV client started going NUTS with notifications about blocking and/or quarantining files. The log shows 20 items blocked or quarantined since yesterday afternoon, when I haven't had any problems before now in the ~2 years we've been using Trend Micro at our office.
#2 - 08-03-12, 02:19 PM
Gee3
Senior Moment Member
 
Join Date: Oct 2005
Location: Daly City, CA
Posts: 1,362

Bikes: Specialized Allez Elite Double & 2008 Look 555

Sounds like some virus is on Orbea's site... hopefully you were able to get rid of it. And I guess I'm not going to hit up Orbea's site anytime soon.

BTW, were you ever on Honda-Tech, or those types of Acura/Honda sites? Your user name looks familiar. Although I hadn't been on since I sold my '99 SSBlue GSR in 2006. I was also Gee3 on those websites.
#3 - 08-03-12, 07:59 PM
mechBgon
Senior Member
 
Join Date: Jul 2002
Posts: 6,957
I'm equipped for this, I'll check it out tonight if I have time.

Originally Posted by PatrickGSR94:
The log shows 20 items blocked or quarantined since yesterday afternoon, when I haven't had any problems before now in the ~2 years we've been using Trend Micro at our office.
Trend Micro's detection rates are historically poor, and the fact is, antivirus software as a whole is a very marginal defense these days. Example: https://krebsonsecurity.com/2012/07/e...cks-july-2012/ Average detection rate on fresh malware samples is below 30% as an industry average. Old samples? Sure, the detection rates might be higher... once it's too late. The link in my sig has some security suggestions for the Windows platform, if this burden falls on your shoulders at work.
#4 - 08-03-12, 11:09 PM
mechBgon
Senior Member
 
Join Date: Jul 2002
Posts: 6,957
Ok, I had a look. It appears the site has been subverted with an exploit kit which will make a one-time attack using a variety of exploits, including Java and PDF exploits. If the target system has an out-of-date, vulnerable version of Java, Adobe Reader, Adobe Flash Player, or several other widespread pieces of software, then the exploit kit can use one of them to drop an executable file into the user's profile directory and attempt to launch it. If this is successful, the executable file gains the same privilege level as the user, or possibly higher in the case of Java.

I didn't see anything posing as a Flash Player update, but that's a common method of getting the computer's user to simply hand over the keys to the kingdom. Never run anything claiming to be an update unless you went to the official site yourself (such as Adobe.com) or have started the actual program and are using its built-in update function. Even that should be done only on a trusted network, to protect against an EvilGrade-style attack.

For a home user with a Windows system, your easy wins against exploit kits begin with uninstalling Java and never looking back, then installing Secunia's Personal Software Inspector and updating any out-of-date software it alerts you to. Hit the Windows PC security link in my signature for some additional suggestions.
#5 - 08-03-12, 11:20 PM
PatrickGSR94
Senior Member
Thread Starter
 
Join Date: Apr 2012
Location: Memphis TN area
Posts: 7,393

Bikes: 2011 Felt Z85 (road/commuter), 2006 Marin Pine Mountain (utility/commuter E-bike), 1995 KHS Alite 1000 (gravel grinder)

Wow man thanks a ton. So they really do have a problem with their site huh? Did you happen to contact them about it? How did you find that out anyway?

I do have my Adobe Flash set to automatically update, and it had already downloaded and installed a version newer than what was trying to be installed.

You say that Trend isn't that great, but it caught the threats and quarantined them such that I was able to get rid of them, with a bit of work. Also I did have a weird file in my user profile that kept trying to run after I rebooted the first time. I had to boot into Safe Mode in an Admin account to get rid of that file. What's crazy is that the file name was nowhere to be found with Google. It's like it didn't even exist on the entire Internet until I posted about it yesterday on Sevenforums.com. The file was beacucqitear.exe
#6 - 08-03-12, 11:22 PM
PatrickGSR94
Senior Member
Thread Starter
 
Join Date: Apr 2012
Location: Memphis TN area
Posts: 7,393

Bikes: 2011 Felt Z85 (road/commuter), 2006 Marin Pine Mountain (utility/commuter E-bike), 1995 KHS Alite 1000 (gravel grinder)

Originally Posted by Gee3:
Sounds like some virus is on Orbea's site... hopefully you were able to get rid of it. And I guess I'm not going to hit up Orbea's site anytime soon.

BTW, were you ever on Honda-Tech, or those types of Acura/Honda sites? Your user name looks familiar. Although I hadn't been on since I sold my '99 SSBlue GSR in 2006. I was also Gee3 on those websites.
Heh yeah, I used to be a mod in there with about 25K posts, but haven't been on much at all in the past year. Still driving my GSR tho since 2001!
#7 - 08-03-12, 11:47 PM
mechBgon
Senior Member
 
Join Date: Jul 2002
Posts: 6,957
Originally Posted by PatrickGSR94:
Wow man thanks a ton. So they really do have a problem with their site huh? Did you happen to contact them about it? How did you find that out anyway?
In this case, I took a very basic approach: I logged into my dedicated malware-research account on my home system, fired up Microsoft Network Monitor 3.4, and visited Orbea's site to capture the network traffic and observe the user experience. The first cue it's an exploit kit is that the browser reported the site uses Java. The second was an Adobe Reader EULA (that account hadn't used Reader before). That pretty much wraps up the question of what's going on there. I didn't contact them about it, I expect they're already hearing all about it.

If I wanted to get all fancy, I'd set up a Win2000 or WinXP box loaded with lots of vulnerable, out-of-date software (old versions of Reader, Java, QuickTime, etc). When I hunted malware daily, I had one I could re-image in a few minutes for the next run.

Originally Posted by PatrickGSR94:
I do have my Adobe Flash set to automatically update, and it had already downloaded and installed a version newer than what was trying to be installed.
Remember, anything can appear on your screen and claim it's a Flash update. I used to hunt fresh versions of those Trojans every evening as a hobby. They claimed to be all sorts of plausible-sounding stuff. And they still use those tactics today, because as obvious as they are, they work. Why bother trying to overcome your system's security features when they can take an end-run around them...

Originally Posted by PatrickGSR94:
You say that Trend isn't that great, but it caught the threats and quarantined them such that I was able to get rid of them, with a bit of work. Also I did have a weird file in my user profile that kept trying to run after I rebooted the first time. I had to boot into Safe Mode in an Admin account to get rid of that file. What's crazy is that the file name was nowhere to be found with Google. It's like it didn't even exist on the entire Internet until I posted about it yesterday on Sevenforums.com. The file was beacucqitear.exe
You made my point for me. Trend Micro was missing the weird file you described. Upload that file to VirusTotal.com if you still have a copy. The results will probably underline my point about the hit-and-miss nature of antivirus protection. If you want to arbitrarily forbid that sort of thing from happening, it can be done with Software Restriction Policy or Parental Controls. In either case, you'll need to use a non-Admin-class user account for them to be effective; create a separate Admin account that's only for Admin duties.
#8 - 08-04-12, 10:48 PM
PatrickGSR94
Senior Member
Thread Starter
 
Join Date: Apr 2012
Location: Memphis TN area
Posts: 7,393

Bikes: 2011 Felt Z85 (road/commuter), 2006 Marin Pine Mountain (utility/commuter E-bike), 1995 KHS Alite 1000 (gravel grinder)

Well sure Trend missed it. It hadn't even been discussed on the entire internet it was so new. I wouldn't expect anything to have caught it. Thank goodness for Win7's UAC that stopped it from running/installing automatically. I just Googled the file again and there are a *few* more hits but not many.
#9 - 08-04-12, 11:44 PM
mechBgon
Senior Member
 
mechBgon's Avatar
 
Join Date: Jul 2002
Posts: 6,957
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Likes: 0
Liked 5 Times in 5 Posts
Originally Posted by PatrickGSR94:
Well sure Trend missed it. It hadn't even been discussed on the entire internet it was so new. I wouldn't expect anything to have caught it. Thank goodness for Win7's UAC that stopped it from running/installing automatically. I just Googled the file again and there are a *few* more hits but not many.
Be aware that 1) malware files often are given randomly-generated names, and 2) in many cases today, the malware is custom-recompiled for each individual victim at the server, on the fly, to thwart simple detection based on its file hash. Someone else could have the same file with a different name, or a functionally-identical file with a different MD5 hash.

Speaking of Win7's UAC, if anyone on that computer is still using an Administrator-level user account, I suggest maxing out UAC to the "Always notify" level. You'll find that in Control Panel > User Accounts And Family Safety > User Accounts > Change User Account Control Settings. If you make a Standard User account, UAC will automatically be maxed out for the Standard User.

Last edited by mechBgon; 08-04-12 at 11:48 PM.
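Two of mechBgon's points above (post #4: the kit drops an executable into the user's profile and tries to launch it; post #9: per-victim recompilation means a hash lookup on its own will miss the file) can be shown with a small triage script. This is an added example and is not code from anyone in the thread. The profile subdirectories, the sample file names, the fake "MZ" payload bytes and the known-bad hash set are all constructed here; the files are written to a temporary directory, so the script runs offline on any platform and touches no real user profile.

```python
"""Triage of an executable dropped into a user profile (constructed example).

Flags executables sitting in user-writable profile locations by where they are
and what they are (PE magic), not by their name or hash. A hash match against a
known-bad list is reported as a bonus, and the fixture shows why it cannot be
the gate: a one-byte variant of the same payload has a different hash.
"""
import hashlib
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Assumption: profile locations a browser exploit can write to without
# Administrator rights. Relative to the profile root; illustrative only.
USER_WRITABLE_DIRS = ("AppData/Local/Temp", "AppData/Roaming", "Downloads")
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


@dataclass
class Finding:
    path: Path
    sha256: str
    known_bad: bool                      # True only if the exact bytes are listed
    reasons: list = field(default_factory=list)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path: Path) -> bool:
    """Windows executables begin with the 'MZ' DOS header magic."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def triage_profile(profile_root: Path, known_bad_sha256, max_age_s=86400, now=None):
    """Return a Finding for every executable-looking file in user-writable dirs."""
    now = time.time() if now is None else now
    findings = []
    for rel in USER_WRITABLE_DIRS:
        base = profile_root / rel
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if not p.is_file():
                continue
            reasons = []
            if p.suffix.lower() in EXEC_SUFFIXES:
                reasons.append("executable extension in user-writable directory")
            if looks_like_pe(p):
                reasons.append("PE header (MZ) regardless of file name")
            if not reasons:
                continue                 # ordinary user data, not of interest here
            if now - p.stat().st_mtime <= max_age_s:
                reasons.append(f"written within the last {max_age_s} seconds")
            digest = sha256_of(p)
            findings.append(Finding(p, digest, digest in known_bad_sha256, reasons))
    return findings


def build_sample_profile():
    """Constructed fixture: one 'known' payload and one per-victim variant of it."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    drop = root / "AppData" / "Roaming"
    drop.mkdir(parents=True)
    (root / "Downloads").mkdir()
    original = b"MZ" + b"\x90" * 64      # fake PE header plus filler; not a program
    (drop / "sample_dropped.exe").write_bytes(original)
    # Same payload with one extra byte: enough to change every file hash.
    (drop / "sample_variant.exe").write_bytes(original + b"\x00")
    (root / "Downloads" / "notes.txt").write_text("constructed benign file\n")
    known_bad = {hashlib.sha256(original).hexdigest()}
    return root, known_bad


if __name__ == "__main__":
    root, known_bad = build_sample_profile()
    for f in triage_profile(root, known_bad):
        status = "KNOWN BAD" if f.known_bad else "unknown - look the hash up on VirusTotal"
        print(f"{f.path.name}: {status}")
        for r in f.reasons:
            print(f"    - {r}")
        print(f"    sha256 {f.sha256}")
```

Run as-is it flags both sample files for location and PE magic, but only the unmodified one matches the hash list; the variant is exactly the "functionally-identical file with a different hash" case. The location rule is the same idea Software Restriction Policy enforces when it disallows execution from the profile, which is why that control holds up where a hash list does not.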