Malwarebytes Anti-Malware is blocking the image-hosting website Imgur as of this morning. Malwarebytes Anti-Malware has the capability to block malicious websites in the 14-day trial of the free version or with a Premium license.
Upon trying to visit the site or a direct image, Malwarebytes will intercept the traffic and block the outbound connection. My visit was blocked in Chrome.
After the block notice, visitors are directed to block.malwarebytes.org with the logo and statement that says “Malwarebytes Anti-Malware has blocked a potentially malicious website.”
The Learn More link takes you to a generic page on IP Blocking from the company, where as I wish it would explain the reason why a site is being blocked. For that information, we can piece together the rest of the puzzle.
Imgur was exploited September 21st and was first discovered with a thread on Reddit. The site was compromised in such a way that viewing certain images uploaded to Imgur would result in opening hundreds of connections to 4chan and 8chan. As one explanation broke the process down:
Thanks to a security hole in imgur involving MIME magic, the hacker can inject JS. (Basically, thanks to imgur’s code that lets you link to GIF’s as PNG’s, your browser renders an invisible HTML file containing your image and some invisible JS without telling you)
The JS loads an iframe from 8chan, acting as part of a ddos. The iframe contains a Flash file. Flash can create and modify local storage for 8Chan, even if you’ve never visited it. It then flags the rest of the malicious file as a “favorite”. (Because the hacker was a chan lurker, the file also contained easter eggs like dancing pokémon and a private key containing the string imsorrybrennan)
The JS then causes your browser to ping 8Chan. 8Chan loads the content of your “favorites” on the page, no sanitization at all.
This lets a div containing a script tag finish executing the JS.
The JS then pings 8ch.pw, the hacker’s domain, (not 8Chan) which can serve it any JS payload it wants.
The JS then lies dormant in your local storage until it receives a go code, or a self destruct code that causes it to be replaced with another payload from 8ch.pw.
Imgur stated in a blog post that the vulnerability was patched that evening and the site is no longer serving affected images. Malwarebytes is taking a more conservative approach and not unblocking the site until the root cause is addressed according to the Malwarebytes forums.
To be sure that you are secure, you will need to clear your local storage if you have been visiting Imgur.