IE9 asking about a JS -- do not open or run

[harrydangler]

Not sure where to put this but BP is trying to drop a file on my computer. It says "Do you want to open or save ****.js (21 bytes from www.******.com."

It appears to be happening on a lot of forums so probably a sql injection or something.

 

[Clarity]

Not sure where to put this but BP is trying to drop a file on my computer. It says "Do you want to open or save ****.js (21 bytes from www.******.com."

It appears to be happening on a lot of forums so probably a sql injection or something.

Everything appears to be clean. Where are you when you experience this? Does it happen in more than one browser?

Putting this link here so I can follow the thread:
Norton.com forum thread on the subject -- http://bit.ly/yUUOzZ

(LATER EDIT)
It seems there's a bad ad out there somewhere. It may have passed through here briefly yesterday, and it was wide-spread across the net on the 15th including a ton of different forums. It only seems to affect IE9. Either way, if you're prompted to open or run a file here or on any other site, decline. Clearing your temp internet files (and your cookies if you want to cover all the bases) is reported (per Norton.com) to clear the issue. If you want to Google the issue, you can click on the above bit.ly link to go to Norton's site and see the subject matter there. I've removed specific references here for the sake of lowering our visibility regarding this issue.

 

[Clarity]

Doing more digging:

More dicussion (Avast):
http://forum.avast.com/index.php?topic=95643.0

Source:
http://www.privacychoice.org/companies/index/298/adnetik

The good news is it's not coming directly from us. The bad news is I don't yet know how to fix it for you. It appears (based on limited poking around) to be something unhappy between IE and this ad tracking company and/or a specific bad ad that may have passed through a major ad network.

I would not allow it to install. I've gone through our ad partners and don't see adnetik as one of the campaigns in the system.

I've changed the threads subject line to reflect the topic so others can better find it as necessary.

Will continue to investigate. This seems to be a widespread issue, perhaps adnetik got injected or something and their ad stuff has been compromised. Just no idea at the moment.

 

[MililaniBuckeye]

NEVER allow an unknown .js (java script) file to install or open.

This problem is cropping up all over the web on forums...

 

[Clarity]

I wonder if a bad ad is floating across the net or something. I see a lot of activity about this today on sites ranging from Anandtech to Norton.

Either way, I'll continue to track this 'event' and if it can be isolated to a given ad or ad partner I'll nuke those immediately.

I just loaded all of our ad partners directly in IE9 (and poked around BP) but couldn't reproduce the issue. I did check our templates, plugins, and cache and all appears to be healthy. I'll continue to do so periodically until this is resolved.

Harry, I assume you've virus scanned your system today as a result of all of this.

---

Without regard to the source or cause, sorry anyone is having problems with this.

 

[Clarity]

Just to be clear for any late joins to the party:

IF YOU ARE PROMPTED TO DOWNLOAD OR RUN ANY HERE OR ANYWHERE ELSE ONLINE, DO NOT.

BP itself appears to be clean. The other sites I've visited while investigating (Anandtech and a few other biggies) appear to be so as well. Nonetheless, it's out there in the wild and I don't know what it's trying to do.

We'll continue to track this.

 

[Clarity]

It appears the Java Script was in ads on many many websites including forums as a Drive-by download, It could be that the Java Script is still in your browser settings and loads now no matter what website you are going to.

Try clear the Browser Cache and Temp Internet Files etc.

Clearing your cache and temp files *if* you've been prompted anywhere for this download seems smart to me, but then I'm not an IT type. Either way, the above rings true to me.

 

[Clarity]

Okay, so it seems like some ad wandered across the internet today (likely here as well, given how widespread it was it must have been on a major ad network) that had a bad drive-by download attached to it. That, at least, is my read on the situation after the last few hours.

It seemed to be limited to a small pocket of time across the net, and I haven't had any other reports here beyond the OP. In the OPs case, it hasn't happened since -- that mirrors the reporting across the net which was more or less isolated to this afternoon.

IF you were exposed (which is to say that if you were prompted to download such a .js here or on any other site) then you should clear your browser cache, delete your temporary internet files, and for good measure run a full system virus scan. The first two steps has been successful in terms of clearing out the prompt for others on Norton:

GWRick wrote:

Duh and TY, Cleared history and its gone!!

No problem, Browser keep files for websites so it's faster to load objects etc. next time.

Quads

Hopefully that will be the last we hear of it. Thanks to HD for the original report.

 

[Clarity]

Good generally related info:

http://bit.ly/yUUOzZ -- link to the thread quoted below.

I've seen some posts about this on other forums that are being unfairly critical of Norton for not blocking this popup. In truth, it is a browser issue. Norton does not block j.script - if it did, 99% of the websites you visit would not work properly because j.script is used by almost all modern websites to display content. However, a malicious ad can also use j.script to redirect a viewer's browser to a site hosting malware. If you have j.script allowed globally in your browser, as most users - especially IE users - do, then the ****.JS popup results from having browser settings that allow all domains on a page to run scripts, and is not a failing of Norton. The best defense against such an attack is to configure your browser to limit the use of j.script to certain trusted sites only. For example, if you use the NoScript extension in Firefox, you can allow scripting for a specified trusted site, while still blocking any j.script in ads and other third-party content that also appear on the page. In this context the ****.JS popup would not have run. For a good explanation of how to control j.script in some of the popular browsers, please see the following article:

http://bit.ly/jzond9

 

[Clarity]

I'm removing specific references to the offending script and its host. Any prompt to download any js on any site is going to be bad if it isn't a known quantity, so specificity only works against us.