@owenp2004 If the js file was never run, then it is unlikely to cause any harm, though when that happened to me, I did a complete wipe of my SSD and reinstalled Windows since I don't really trust Windows security. If you were running an up to date Linux based OS and a prudent user of the OS, then you don't have much to worry about since the js file most likely has codes to download the actual payload (executable of the malware) meant for Windows. I'm not sure about how Windows 10 security deals with javascript files, but if you never ran the file, then it probably is safe, but probably a good idea to back up your files now just in case you need to do a complete wipe and reinstall. I dealt with a ransomsware before, and it is annoying AF. Oh and remember my name...
Posts made by operaequalstrash
-
RE: Drive-by download attackOpera for Windows
-
RE: Drive-by download attackOpera for Windows
@pauli133 This means Opera still doesn't make "Ask where to save each file before downloading" as the default setting, nor has it done anything to patch against this drive by vulnerability. Remember my name...
-
RE: Drive-by download attackOpera for Windows
@burnout426 That should be the default setting, given how easily hijacked pages can pull a drive-by.
-
RE: Drive-by download attackOpera for Windows
@burnout426 the hijacked page must be doing a crude browser fingerprinting before rendering the fake update page, since you are getting one for Chrome, but not Opera, whereas I got one on Opera. All I can tell you about the condition that triggered the page for me on Opera was that I installed Opera 1 week prior to that, and everything was on its default setting - no additional plug ins.
In fact, this situation is identical to this user's : https://forums.opera.com/topic/33351/opera-automatic-webpage-redirect-to-update-page-that-auto-downloaded-a-javascript-file
He got the hijacked page on Opera, and you got the hijacked page on Chrome. I suspect that the hijacked page rotates the target browser so as not to alert the site admin that it was hijacked. That way if one user on Chrome gets the drive-by and alerts the admin only for the site admin to check out the site on Opera, he would see a normal page with no driveby and would more likely suspect that it was the user's machine that was hijacked rather than the site. Either way, at least I know that Chrome will ask it's users if he wants to proceed with the download, if there is an attempt at a drive-by download. So in this regard, Chrome isn't as trashy as Opera.
-
RE: Drive-by download attackOpera for Windows
@burnout426 it seems like WSH is enabled by default on Windows, and I had never disabled it when this drive-by happened. Either way, I secure erased my SSD, and reinstalled Win10 since there were some work files that are security sensitive.
If Opera shows a save as dialog for executable files by default as @leocg mentioned, shouldn't it show a dialog for a Jscript file when a webpage is trying to download it onto my machine? I get that it isn't much of a concern unless I execute the downloaded file, but this is just another way for an attack to bypass the browser sandbox, and get one step closer to having it executed (whether by mistake by the user or whatever). I reported the incident to Opera.
-
RE: Drive-by download attackOpera for Windows
@leocg Yessir. The page that rendered was a somewhat official looking Opera update page that said my browser is out of date, click here to update. The js file just downloaded even without me clicking on anything...
-
RE: Drive-by download attackOpera for Windows
@burnout426 https://www.google.com/url?sa=t&source=web&rct=j&url=https://fantasticservicesgroup.com.au/blog/how-to-clean-mould-off-bathroom-sealant/%23:~:text%3Dsoda%2520and%2520vinegar.-,Vinegar,and%2520finally%2520rinse%2520with%2520water.&ved=2ahUKEwjVjp3A5vfvAhVdyjgGHVrlBEIQFjABegQIAxAF&usg=AOvVaw267HvzCCIl7hRTgOibLWS7
I got there by clicking on a Google search result (as above). Like the other user experienced in 2019, the hijacked page looked 'professional' like a real Opera page with logos, but just with obviously dodgy link urls. The page was asking me to update Opera because it's outdated. I did not click on anything on the page, but it drive-by downloaded a js file into my Download folder.
I am not sure about what exactly this drive-by did to my system, but nonetheless I Secure Erased my SSD this morning, and I'll have to reinstall Win10 later. It's a minor inconvenience, but I am more annoyed that Opera browser is vulnerable to an exploit like this. I was using it on its default setting with no downloaded plugins. The irony is that I started using Opera for it's supposedly good security - haha what a joke of security it has. The last time I saw a drive-by like this was on IE on Windows XP.
-
RE: Drive-by download attackOpera for Windows
@leocg it was auto-downloaded to the Download folder, so no, I was not prompted whether to download the file. I noticed it because of the blue dot on the top right side of the browser window that shows up when something finishes downloading. The file name was something like Update.4.2.1.5.244.js. I Secure Erased the SSD this morning so I didn't take any screenshots.
-
Drive-by download attackOpera for Windows
I happened upon a compromised website while browsing the internet on Opera that redirected to a fake Opera page that asked me to update the browser supposedly for being outdated. The real webpage I was meant to be taken to (from a Google search) was meant to be a page on washing machine maintenance (so I wasn't browsing anything dodgy). The hijacked webpage had an obviously dodgy url and the download link for the fake update also had an obviously dodgy url, so I didn't click on anything, but I noticed that it did a drive-by download of a js file. Windows Defender didn't pick up anything, and I immediately deleted the js file. I searched on Opera forums to see if anyone else experienced a similar drive-by attack, and it seems like someone had an identical experience after visiting another compromised website. The user explains the experience here:
That user had the drive-by attack in 2019, and I am disappointed that this hasn't been looked into and patched already. I am assuming my operating system (Win 10) to be compromised now, and I have to reformat the whole damn thing, and I only started using Opera since last week! Opera security must be like Swiss cheese, because I haven't had this problem on Safari, Firefox, Edge or Chrome. Just because the browser has a much smaller userbase doesn't mean it won't be exploited for vulnerability. Besides, someone posted about this vulnerability back in 2019, and it still haven't been patched. Opera is Trash