Malicious Site Warning

I was looking at Crocodile Liu's artist page, and I clicked on his "dForce CO Kimono for Genesis 8 Female(s)", then my Norton popped up saying it would lead me to a malicious site.

Has anyone had these types of problems searching through Daz's store?  I've been buying here for years and this is the first time.


Comments

  • Leana Posts: 11,057

    Most probably a false positive.

  • markgoode77 Posts: 343

    I tried to teach myself Java programming some years ago, and Norton flagged a bit of my own crap programming as the 'J-loop virus'.  False positives are fairly common.

  • Write Idea Posts: 292

    Sadly, it doesn't seem to be a false positive. It appears to be linkangood. I searched the forums and could only find one other mention of it from DAZ. It's some kind of browser hijacker. Yet, it only triggers when I visit that one website on DAZ. 

  • Sevrin Posts: 6,301
    edited July 2020

    Sadly, it doesn't seem to be a false positive. It appears to be linkangood. I searched the forums and could only find one other mention of it from DAZ. It's some kind of browser hijacker. Yet, it only triggers when I visit that one website on DAZ. 

    That's correct.  Malwarebytes flags and blocks it, too.  Looking at the page source you see

    Added a post to the only forum page Daz seems to monitor.

    Post edited by Chohole on
  • Write Idea Posts: 292

    Thank you for verifying it, Sevrin. I've spent the last couple of hours cleaning my computer and making sure it hasn't done any serious harm. I don't know the intention of including this on the website, but I hope it gets resolved pronto.

    I'm not that computer literate, but what is the point of including this?

  • mrposer Posts: 1,128

    All of Daz3d.com should be marked as Malicious to your wallet. 

  • Chohole Posts: 33,604

    Thank you for verifying it, Sevrin. I've spent the last couple of hours cleaning my computer and making sure it hasn't done any serious harm. I don't know the intention of including this on the website, but I hope it gets resolved pronto.

    I'm not that computer literate, but what is the point of including this?

    We have reported it. Kudos to the Daz guys for responding at silly-o-clock in DazLand.

  • vwrangler Posts: 4,822
    Sevrin said:

    That's correct.  Malwarebytes flags and blocks it, too.  Looking at the page source you see [....]

    Added a post to the only forum page Daz seems to monitor.

    Um, @Sevrin ... why did you add a live link to that site in your quoted text?

    Also, it would probably make the most sense to file a support ticket in the "Website" category; that way, you don't have to count on Daz staff seeing it in the forum.

    Thank you for verifying it, Sevrin. I've spent the last couple of hours cleaning my computer and making sure it hasn't done any serious harm. I don't know the intention of including this on the website, but I hope it gets resolved pronto.

    I'm not that computer literate, but what is the point of including this?

    It was probably done accidentally. It may be on someone's computer and got uploaded with a file. Linkangood tries to hijack and redirect browsers, and then dump malware onto any computer that's been hijacked. I hope Daz gets rid of that quickly, and can make sure that it's nowhere else on their site. Also, it would probably be good for Crocodile Liu to make sure that they clean their computer; depending on how Daz and PAs handle product uploads, it may also be on their computer, and from what I can find, Linkangood may be difficult to get rid of.

  • memcneil70 Posts: 3,767

    @Write Idea, thank you for the wake-up call. I get news feeds and click to read articles all the time. While I trust those sources, I really need to remember to be careful, I have had computers hit with malware before.

     

  • Write Idea Posts: 292

    What worries me is my computer (and probably others) has been exposed to this malicious site. I do have virus protection and it said it blocked an attempt to download a large file of something into my computer. But I've been reading how to remove things from this site on my computer (not even knowing if there was something attached to my computer or not), but I don't even know if it was infected now or not  

    Who knows how long this webpage has been exposing people to it... I've shopped on Daz for many years. I check this site daily for deals and new products. I'm extremely disappointed that this happened. Yes, it might have been a mistake and unintentional, but when I come on this site, I don't expect my browser to be rerouted to malware. 

  • Sevrin Posts: 6,301

    What worries me is my computer (and probably others) has been exposed to this malicious site. I do have virus protection and it said it blocked an attempt to download a large file of something into my computer. But I've been reading how to remove things from this site on my computer (not even knowing if there was something attached to my computer or not), but I don't even know if it was infected now or not  

    Who knows how long this webpage has been exposing people to it... I've shopped on Daz for many years. I check this site daily for deals and new products. I'm extremely disappointed that this happened. Yes, it might have been a mistake and unintentional, but when I come on this site, I don't expect my browser to be rerouted to malware. 

    Yeah, it's not a new item, either.  I'd always assumed it was some false positive having to do with the Daz Deals plugin, without paying attention to what the page was.  I reported in the thread for sales issues, as Cris and Chohole have a direct pipeline to Daz.  Putting in a ticket would take a lot longer to resolve.

  • bytescapes Posts: 1,810

    Interestingly, this was already reported back in December last year by @dragonfly_2004. So it's been around a while, and it sounds as if the CO Kimono might not be the only page on which it appears.

    Looking at the page in question, it looks as if this is a deliberate attempt to trigger a 'drive-by download' -- i.e. an automatic download of a file to your computer that can be triggered just by visiting a page. I suspect that it probably won't work on modern browsers: the malicious link is given as the 'src' attribute for an image, but to prevent the image from showing up on the page, it has a 'style' attribute that specifies 'display: none' and 'visibility: hidden'. Modern browsers are smart enough that they won't download an image until it becomes visible on the page -- which this one never will.

    There are actually two such links on the page in question. One of the URLs, interestingly, references a domain called 'pass.dazcentral.com'. The 'dazcentral.com' domain appears to be owned by DAZ (it just redirects to 'daz3d.com'). My guess is that the purpose of including that string in the URL is to let the linkangood.com owners know where their download was triggered from. It may provide a clue as to who has the actual infection that's inserting this junk into DAZ's pages. I suspect it may not be on the artist's machine, but possibly on a machine used by a DAZ content editor.

    I checked the links in question (using the 'curl' command-line tool, rather than a web browser), and they each appear to trigger a download of a very small GIF file. File scanners say that the GIF isn't itself malicious -- my guess is that it's probably just a 1x1 transparent GIF or something like that. However, that means nothing. 'linkangood.com' could very well be configured to serve up different files based on which browser you're using: if you access it with a browser that it knows it can't infect, it just serves up a transparent GIF; if it detects that you're using a browser that it can compromise, it'll give back a file with a malicious payload in it.

    Tentative conclusion: this will probably have been harmless to most DAZ users, but people with older browsers and no virus protection might have been put at risk. That odd reference to 'dazcentral.com' in the malicious URL makes me think that the infection might actually be somewhere in DAZ's own production workflow, i.e. on a PC that's used to prepare content for the site.
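
The pattern described in the post above (an off-site image hidden with an inline style, possibly just a tracking pixel) is something a site owner can search stored page HTML for. This is an added example, not part of the thread or of Daz's code; the domains `shop.example`, `bad.example` and `stats.example` and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_RULES = {("display", "none"), ("visibility", "hidden")}

def parse_style(style):
    """Parse an inline style string into {property: value}, lower-cased."""
    rules = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            rules[prop.strip().lower()] = value.lower().replace("!important", "").strip()
    return rules

def is_first_party(host, first_party):
    return any(host == d or host.endswith("." + d) for d in first_party)

class HiddenImageFinder(HTMLParser):
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        src = attr.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if not host or is_first_party(host, self.first_party):
            return  # relative or same-site image: out of scope for this check
        style = parse_style(attr.get("style"))
        reasons = sorted(f"{p}:{v}" for p, v in style.items() if (p, v) in HIDING_RULES)
        if attr.get("width") in ("0", "1") and attr.get("height") in ("0", "1"):
            reasons.append("size<=1px")
        if reasons:
            self.findings.append({
                "line": self.getpos()[0], "host": host, "reasons": reasons,
                # A URL that names one of our own domains hints at where it was injected.
                "names_site": any(d in src.lower() for d in self.first_party),
            })

def find_hidden_offsite_images(html, first_party):
    finder = HiddenImageFinder(first_party)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: only the last two images are off-site and hidden.
SAMPLE_PAGE = """<div class="product">
<img src="/images/kimono.jpg" alt="product">
<img src="https://cdn.shop.example/banner.png" style="display:none">
<img src="http://bad.example/t.gif?from=pass.shop.example" style="display: none; visibility: hidden">
<img src="//stats.example/p.gif" width="1" height="1">
</div>"""
```

Running `find_hidden_offsite_images(SAMPLE_PAGE, ["shop.example"])` over every stored product description gives a list of pages to clean and of third-party hosts to review.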

  • Ascania Posts: 1,839

    The gif is used for tracking. https://en.wikipedia.org/wiki/Web_beacon

  • Write Idea Posts: 292

    Thanks for the detailed analysis, @bytescapes. The major concern I have is that Norton flagged it from linkangood  as a high threat level. I can't post pictures right now since my computer is in safe mode and I'm doing a deep scan (so many DAZ files to go through). I can't find anything dangerous on my computer just yet. 

  • bytescapes Posts: 1,810

    It's definitely a threat. It's never good to have content on your site that you didn't put there, and doubly bad when that content includes links to a known malicious site. So you should absolutely do a thorough scan. All I'm saying is that I think the threat was relatively small, and probably targeted specific older browsers. It's also possible that the malicious code inserted was incomplete and included only the tracking beacons, not the stuff that would trigger an actual malicious download.

    So if the scan comes up clean, then I think you can feel pretty confident that your machine wasn't infected, and you needn't worry that the scan missed anything.

  • scorpio Posts: 8,317
    Chohole said:

    Thank you for verifying it, Sevrin. I've spent the last couple of hours cleaning my computer and making sure it hasn't done any serious harm. I don't know the intention of including this on the website, but I hope it gets resolved pronto.

    I'm not that computer literate, but what is the point of including this?

    We have reported it. Kudos to the Daz guys for responding at silly-o-clock in DazLand.

    Yea Kudos for making sure the site and their customers weren't at risk from a hack, Kudos for all that after all the loss of trust only tends to impact on trade and we aren't in a period when trade and finance are at all at risk.

  • Write Idea Posts: 292

    It's definitely a threat. It's never good to have content on your site that you didn't put there, and doubly bad when that content includes links to a known malicious site. So you should absolutely do a thorough scan. All I'm saying is that I think the threat was relatively small, and probably targeted specific older browsers. It's also possible that the malicious code inserted was incomplete and included only the tracking beacons, not the stuff that would trigger an actual malicious download.

    So if the scan comes up clean, then I think you can feel pretty confident that your machine wasn't infected, and you needn't worry that the scan missed anything.

    I'm not the most tech savvy person out there, so please forgive my lack of precise terminology.

    In a nutshell, I visited the product page on DAZ and my browser said it was a dangerous website. I assumed it was my computer since I couldn't find anything on the forums relating to the problem, aside from the old post from 2019. I researched the problem to remove the potential infection and it said to remove any new programs (which there weren't any), go into safety mode, and clear the cache from my browser and set it back to default. Then I went back to the product page to see if it was in fact just my computer and then my Norton popped up and said there was a high level threat from the linkangood website and some high amount of data usage (or something like that) and to do a deep clean search (some special tool from Norton that never pops up). Did that and nothing. I'm back in safe mode and doing a regular scan.
    I wouldn't be so concerned if Norton hadn't popped up the second time.

    But thank you for the information! I've been awake all night and it's just nerve-wracking.

  • bytescapes Posts: 1,810

    The "high amount of data usage" is a little worrying, because it suggests that the malicious site might have tried to download something large to your computer.

    So I definitely think you're doing the right thing in doing a thorough scan. The good news is that because Norton is aware of this specific site as a potential threat, it probably also knows how to recognize the kind of malware that the site likes to download. So I would be cautiously optimistic that Norton can detect and neutralize anything nasty associated with this site.

    You should make sure that Norton's virus definitions are up to date, and pay attention to any warnings it gives you, but I don't believe you need to panic at this point. It sounds as if your defenses are responding appropriately.

  • Sevrin Posts: 6,301

    Malwarebytes just blocked the site outright.  Getting the premium version was one of my better security investments, especially since it's a one-time expense.

  • Charlie Judge Posts: 12,352
    edited July 2020
    Sevrin said:

    Malwarebytes just blocked the site outright.  Getting the premium version was one of my better security investments, especially since it's a one-time expense.

    How do you get it for a one-time expense? The last time I checked all I could find was a yearly subscription.

    Post edited by Charlie Judge on
  • Chohole Posts: 33,604
    Sevrin said:

    Malwarebytes just blocked the site outright.  Getting the premium version was one of my better security investments, especially since it's a one-time expense.

    How do you get it for a one-time expense? The last time I checked all I could find was a yearly subscription.

    Yes, I renew it every year. There is a free version, however.

     

  • dragotx Posts: 1,134
    Sevrin said:

    Malwarebytes just blocked the site outright.  Getting the premium version was one of my better security investments, especially since it's a one-time expense.

    How do you get it for a one-time expense? The last time I checked all I could find was a yearly subscription.

    Years ago, when they were first starting to make inroads into the market, they had a perpetual license.  Even ran some really good deals (got mine for $14 one Valentine's).  Not sure if they still offer perpetual or not though.

  • dragotx Posts: 1,134
    Chohole said:
    Sevrin said:

    Malwarebytes just blocked the site outright.  Getting the premium version was one of my better security investments, especially since it's a one-time expense.

    How do you get it for a one-time expense? The last time I checked all I could find was a yearly subscription.

    Yes, I renew it every year. There is a free version, however.

     

    Unless they've changed it sometime in the last few years the free version doesn't do live protection or website protection however.  It'll only let you scan your computer on demand.

  • Charlie Judge Posts: 12,352
    edited July 2020
    dragotx said:
    Chohole said:
    Sevrin said:

    Malwarebytes just blocked the site outright.  Getting the premium version was one of my better security investments, especially since it's a one-time expense.

    How do you get it for a one-time expense? The last time I checked all I could find was a yearly subscription.

    Yes, I renew it every year. There is a free version, however.

     

    Unless they've changed it sometime in the last few years the free version doesn't do live protection or website protection however.  It'll only let you scan your computer on demand.

    True. I have the free version and periodically run manual scans. In addition I use Avast free for live protection.

    Post edited by Charlie Judge on
  • Kevin Sanderson Posts: 1,643

    Thanks for the heads up, but I would try to find something by someone other than Norton. Norton hosed one of my PCs years ago while optimizing it. I can never recommend them now.

  • Sevrin Posts: 6,301
    dragotx said:
    Sevrin said:

    Malwarebytes just blocked the site outright.  Getting the premium version was one of my better security investments, especially since it's a one-time expense.

    How do you get it for a one-time expense? The last time I checked all I could find was a yearly subscription.

    Years ago, when they were first starting to make inroads into the market, they had a perpetual license.  Even ran some really good deals (got mine for $14 one Valentine's).  Not sure if they still offer perpetual or not though.

    Yeah, I upgraded to paid in 2011 for 25 USD.  I didn't know they'd moved to a subscription model.

  • WendyLuvsCatz Posts: 37,901
    edited July 2020

    I hope it cannot infect an ipad

    because I of course looked, and worse looked at the linked 0x0 pixel image link in Sevrin's post cheeky

    Post edited by WendyLuvsCatz on
  • Chohole Posts: 33,604
    edited July 2020

    Have now removed the link as this seems to be solved.

    Post edited by Chohole on
  • kyoto kid Posts: 40,602
    edited July 2020
    mrposer said:

    All of Daz3d.com should be marked as Malicious to your wallet. 

    ...laugh

    Post edited by kyoto kid on
  • fixmypcmike Posts: 19,565
    Sevrin said:

    Malwarebytes just blocked the site outright.  Getting the premium version was one of my better security investments, especially since it's a one-time expense.

    I had to remove the Malwarebytes real-time-protection -- it had a bad habit of removing the owner and privileges information from files, so you couldn't delete them and couldn't take ownership of them.  It did it to both Daz Studio and DIM so they couldn't be updated.  And it didn't give any indication that it was done by malwarebytes -- I only discovered it by chance from a discussion of Malwarebytes.  Very disappointing, as Malwarebytes is normally excellent.
