Technical Discussion
  >> Security Related Issues


Register (or login) on our website and you will not see this ad.


  Print Thread
Standard User Bald_Eagle1
(experienced) Wed 05-Mar-14 06:27:04
Print Post

WARNING - speedtest.net possibly compromised?


[link to this post]
 
I THINK that speedtest.net has been recently compromised.

I used the site to run a speed test last night & saw a window pop up reporting that 1file_saw.exe was running.

Following that, a number of system programs & other programs were caught by my anti-virus program (AVG Free 2014) & quarantined & a number were completely deleted (i.e. not in Recycle Bin).

I ended up having to perform a system restore back to a recent date.

I tested this 3 times & the same thing happened each time.

This last time, I haven't been to the speedtest.net site & there have been no ill effects.

AVG did report that 1file_saw.exe & 2file_saw.exe were located in the C:\Users\Paul\Appdata\temp folder.
That's usually a 'hidden' folder, but I unhide those folders anyway & there they were, with very, very recent timestamps.

Performing a system restore did get rid of them though.



This is a great shame as speedtest.net is/was my favourite speed test site & I have recommended it to others in the past.

It's also unfortunate that AVG only partially caught this virus/malware.

So, make sure you have recent restore points if any of you are brave enough to risk using speedtest.net for the time being.


I did find a couple of articles mentioning that this had also happened to speedtest.net a few months ago too.
The filenames 1file_saw.exe & 2file_saw.exe weren't mentioned in the articles though.
Standard User XRaySpeX
(eat-sleep-adslguide) Wed 05-Mar-14 18:11:52
Print Post

Re: WARNING - speedtest.net possibly compromised?


[re: Bald_Eagle1] [link to this post]
 
No problem here. You sure you gone to right site http://www.speedtest.net/ and not some Google result?

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User Bald_Eagle1
(experienced) Wed 05-Mar-14 19:17:56
Print Post

Re: WARNING - speedtest.net possibly compromised?


[re: XRaySpeX] [link to this post]
 
100% certain.

I always use the actual address & never Google for speedtest.net


Register (or login) on our website and you will not see this ad.

Standard User j3214
(learned) Wed 05-Mar-14 19:27:17
Print Post

Re: WARNING - speedtest.net possibly compromised?


[re: Bald_Eagle1] [link to this post]
 
Wouldn't it be an individual server that is compromised and not the speedtest site itself? I'm not sure, but just throwing it out there, into the open.

Edit: I haven't noticed anything abnormal myself, but that doesn't mean that there isn't a problem.

Edited by j3214 (Wed 05-Mar-14 19:31:40)

Standard User Bald_Eagle1
(experienced) Wed 05-Mar-14 19:36:27
Print Post

Re: WARNING - speedtest.net possibly compromised?


[re: j3214] [link to this post]
 
From what I have been able to gather, it's likely to be a Java exploit, initiated via malware containing advertisments on the main site.

So it may have been a one-off or a permanent 'feature' until resolved.
Standard User Zadeks
(experienced) Wed 05-Mar-14 19:36:34
Print Post

Re: WARNING - speedtest.net possibly compromised?


[re: Bald_Eagle1] [link to this post]
 
http://www.google.com/safebrowsing/diagnostic?site=s...

You should scan your machine for vulnerable software because drive-by attacks often target out of date plug-ins. Have a look at Secunia PSI.
Standard User j3214
(learned) Wed 05-Mar-14 19:47:00
Print Post

Re: WARNING - speedtest.net possibly compromised?


[re: Bald_Eagle1] [link to this post]
 
Ah, that too would make total sense. Just another reason to why blocking ads is sometimes a good thing.
Standard User pcoventry76
(knowledge is power) Wed 05-Mar-14 21:16:51
Print Post

Re: WARNING - speedtest.net possibly compromised?


[re: Bald_Eagle1] [link to this post]
 
In reply to a post by Bald_Eagle1:
From what I have been able to gather, it's likely to be a Java exploit, initiated via malware containing advertisments on the main site.

So it may have been a one-off or a permanent 'feature' until resolved.


3words.

Add Block plus..
Standard User j3214
(learned) Wed 05-Mar-14 21:29:31
Print Post

Re: WARNING - speedtest.net possibly compromised?


[re: pcoventry76] [link to this post]
 
Or just the original AdBlock will do. laugh
  Print Thread

Jump to