Author Topic: gotroot.ca warning  (Read 1729 times)


Offline Gyro (Topic starter)

  • Super Contributor
  • ***
  • Posts: 10040
  • Country: gb
gotroot.ca warning
« on: October 17, 2023, 09:51:33 pm »
I've been seeing intermittent warnings from Malwarebytes browser guard about potentially malicious activity from gotroot.ca, when viewing eevblog over the past few days. I'm wondering if anyone else has experienced this?

It has just shown up twice in a row when opening page 7 of the 'YouTube runs experiment addressing users with ad blocker' thread...

https://www.eevblog.com/forum/chat/youtube-runs-experiment-addressing-users-with-ad-blocker/msg5118930/?topicseen#msg5118930

I don't know, but it may be that this is the thread that I have opened each time I've seen the error previously - this is the first time I have had the presence of mind to do a quick screen capture of the brief warning.

Malwarebytes is usually pretty reliable and not prone to false detections. The thing that triggered me to post is that on searching the web, a lot of the hits link to eevblog (the MicroCap now free as beer thread) and also links to hacking Rigol scopes. A cautious attempt to access the catroot.ca site is immediately blocked with a Trojan warning.

I'm running Firefox, fairly locked down with uBlock Origin, Noscript, DuckDuckGo privacy essentials, and Ghostery, and of course virus scanner running (which hasn't detected anything).

Flagging it and reporting the post to Mods anyway in case it is something that needs fixing.
« Last Edit: October 17, 2023, 09:58:21 pm by Gyro »
Best Regards, Chris
 

Offline Whales

  • Super Contributor
  • ***
  • Posts: 2056
  • Country: au
    • Halestrom
Re: gotroot.ca warning
« Reply #1 on: October 17, 2023, 10:28:22 pm »
Looks to be a forum member:

https://www.gotroot.ca/rigol/riglol/

I think it's this user's avatar:

https://www.eevblog.com/forum/profile/?u=17762
http://gotroot.ca/media/oinkav.png

I didn't realise avatars could be hosted offsite.

I suspect it's a false positive.  It probably triggered because it's a small site, has few hyperlinks and doesn't look like the standard harmless baseline (doesn't have 1000 SEO blogspam articles :D). 
« Last Edit: October 17, 2023, 10:30:05 pm by Whales »
 
The following users thanked this post: thm_w

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 7250
  • Country: ca
  • Non-expert
Re: gotroot.ca warning
« Reply #2 on: October 17, 2023, 10:33:08 pm »
Either whitelist it in Malwarebytes or use uBlock to block the user's avatar.

It's just a PNG image, unlikely to cause any harm.

edit: https://www.virustotal.com/gui/domain/gotroot.ca
« Last Edit: October 17, 2023, 10:39:01 pm by thm_w »
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline Veteran68

  • Frequent Contributor
  • **
  • Posts: 727
  • Country: us
Re: gotroot.ca warning
« Reply #3 on: October 17, 2023, 10:43:22 pm »
I've seen that warning too.

I expect it's something in MBAM's filter lists about that specific domain, beyond it just being a small unknown site thing. Other than a temporary period on imgur due to an upload script issue, I self-host most all of my content on one of my several web hosts with vanity domains. Including the images that I use online here and at other forums/sites. Those have never triggered a warning across any of my computers nor others' that I'm aware of.

EDIT: I'm also getting an SSL protocol error on that domain with Chrome. It may be running an outdated TLS version, or no TLS at all, which Chrome now requires by default.
« Last Edit: October 17, 2023, 10:47:10 pm by Veteran68 »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1707
  • Country: au
  • Views and opinions are my own
    • AMD
Re: gotroot.ca warning
« Reply #4 on: October 17, 2023, 11:09:56 pm »
Malware software is terrible these days, I had them (Malwarebytes, Defender and several others) not only block a subdomain of mine but my entire domain because my open source software I was serving binaries for was not code signed. The trigger that was setting it off was building with msys/gcc for Windows. Google flagged my domain costing me several thousand $ in lost work.

This looks like another false positive.
 

Offline Whales

  • Super Contributor
  • ***
  • Posts: 2056
  • Country: au
    • Halestrom
Re: gotroot.ca warning
« Reply #5 on: October 18, 2023, 01:09:36 am »
my open source software I was serving binaries for was not code signed.

Wat.  As in any self-generated cert would be enough?  Or did they want a big corp to sign you into their chain?

Offline gnif

  • Administrator
  • *****
  • Posts: 1707
  • Country: au
  • Views and opinions are my own
    • AMD
Re: gotroot.ca warning
« Reply #6 on: October 18, 2023, 04:31:22 am »
my open source software I was serving binaries for was not code signed.

Wat.  As in any self-generated cert would be enough?  Or did they want a big corp to sign you into their chain?

It needed to be a real code sign cert that Microsoft would accept. Self signed would not do.
 
The following users thanked this post: Whales

Offline Gyro (Topic starter)

  • Super Contributor
  • ***
  • Posts: 10040
  • Country: gb
Re: gotroot.ca warning
« Reply #7 on: October 18, 2023, 08:17:07 am »
Thanks for checking it out guys. It just seemed a bit of a subject coincidence that a search for gotroot.ca brought up mostly electronics related topics, Rigol hacks, Microcap, etc, not just on eevblog but also Instructables, Hackaday and similar.

I'm happy to ignore it (it only pops up for a few seconds) as a false positive now gnif has had a look too.
Best Regards, Chris
 

Online magic

  • Super Contributor
  • ***
  • Posts: 7256
  • Country: pl
Re: gotroot.ca warning
« Reply #8 on: October 18, 2023, 09:04:58 am »
During a recent thread about Google Internet Explorer completely blocking pages containing a mere link to some former commercial domain, now supposedly hijacked for phishing, an evil thought came to my mind to link it in my forum signature and kick GIE users out of every thread I've ever posted in :-DD

The god complex of those people is getting ridiculous.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1707
  • Country: au
  • Views and opinions are my own
    • AMD
Re: gotroot.ca warning
« Reply #9 on: October 18, 2023, 09:09:11 am »
Sorry I was at the hospital when I was alerted to this thread. I just had a closer look and yeah, it's certainly a false positive. VirusTotal shows URLQuery flags the image, no idea why. Pulled and inspected the image, it's clean.

As to why I was at the hospital... who would have thought a mosquito bite in Australia could have resulted in this?  :palm::
https://twitter.com/geoffrey_mcrae/status/1714561693492388234
 
The following users thanked this post: thm_w, Gyro, Dan123456

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6832
  • Country: ro
Re: gotroot.ca warning
« Reply #10 on: October 18, 2023, 09:35:05 am »
That link is working normally from my FF/Ubuntu/EU/Romania.


Might be some geofencing for Canada only.

Suspecting this because Canada is heading to dictatorship faster than the rest of the western world.  I've read a week ago that Canada now wants bloggers to register to the government, same as during Ceausescu dictatorship all typewriting machines had to be registered and provide a type sample paper to the state (for just in case a typewriter was used to type something against the Romanian Communist Party).

Try visiting the same links from outside Canada, using a VPN, or TOR (onion network), to see if it's something from your settings, or something specific to Canada.


In case it is not Canada only, then make sure you disabled "protect me against bla bla" in FF settings:
Quote
Security
Deceptive Content and Dangerous Software Protection
Block dangerous and deceptive content

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6832
  • Country: ro
Re: gotroot.ca warning
« Reply #11 on: October 18, 2023, 10:16:37 am »
As to why I was at the hospital... who would have thought a mosquito bite in Australia could have resulted in this?  :palm::
https://twitter.com/geoffrey_mcrae/status/1714561693492388234

Ouch!  Not a doctor, but my first thought was that it looks like an allergic reaction.  Usually that's from a bee sting, or a spider bite.  Never seen anything alike from a mosquito.  Did you know for sure it was a mosquito, have you seen it biting?

Anyway, maybe it will go away by itself until tomorrow.  Get well soon!

Offline Gyro (Topic starter)

  • Super Contributor
  • ***
  • Posts: 10040
  • Country: gb
Re: gotroot.ca warning
« Reply #12 on: October 18, 2023, 10:59:15 am »
Sorry I was at the hospital when I was alerted to this thread. I just had a closer look and yeah, it's certainly a false positive. VirusTotal shows URLQuery flags the image, no idea why. Pulled and inspected the image, it's clean.

As to why I was at the hospital... who would have thought a mosquito bite in Australia could have resulted in this?  :palm::
https://twitter.com/geoffrey_mcrae/status/1714561693492388234

Ouch, evil little B***s. Likewise on the recovery!

I've heard rumors of malware code getting inserted into JPGs, but I can't see anything getting squeezed into a little low res PNG.

Thanks.
Best Regards, Chris
 

Offline Whales

  • Super Contributor
  • ***
  • Posts: 2056
  • Country: au
    • Halestrom
Re: gotroot.ca warning
« Reply #13 on: October 18, 2023, 11:01:30 am »
Aside: We have some unique mosquito borne diseases here (in the land of Gnif).  You don't hear about them much as they're not too common.

A family member of mine was incorrectly diagnosed with carpal tunnel and underwent surgery (to no effect).  This led them to instead be diagnosed with a mosquito borne illness and told the only solution was to wait.

Offline Gyro (Topic starter)

  • Super Contributor
  • ***
  • Posts: 10040
  • Country: gb
Re: gotroot.ca warning
« Reply #14 on: October 18, 2023, 11:24:33 am »
Continuing aside: Over here there is an alarming rise in tick borne diseases in Southern England - particularly the New Forest area. Encephalitis virus (TBEV) is the worrying one, flu like symptoms in most people but can be fatal. I think Lyme disease is another one. Advice is to tuck your trousers into your socks when walking.
Best Regards, Chris
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6832
  • Country: ro
Re: gotroot.ca warning
« Reply #15 on: October 18, 2023, 12:03:59 pm »
Here, in Bucharest, there is no tick infestation AFAIK, but for just in case, outside areas were sprayed preventively - there are posters in the green areas informing what anti-tick treatment was applied.  Usually there is anti-mosquito spraying too during the summer, though those were never marked by posters, only that I see the spraying cars during night.

For mosquitoes there is another way to keep their population under control, by releasing massive populations of sterile mosquito males.  There are labs that produce sterile male mosquitoes by the millions (Bill Gates too has such labs :P, not kidding).  Male mosquitoes don't bite, yet they compete with fertile males.  As a result, the next generation of eggs mostly won't hatch.
« Last Edit: October 18, 2023, 12:12:32 pm by RoGeorge »
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7070
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: gotroot.ca warning
« Reply #16 on: October 18, 2023, 01:10:11 pm »
My guess is that the antivirus software flagged the domain because it hosts the Rigol keygen, and "keygens are bad because hackers are bad".
 

Offline Whales

  • Super Contributor
  • ***
  • Posts: 2056
  • Country: au
    • Halestrom
Re: gotroot.ca warning
« Reply #17 on: October 18, 2023, 01:47:33 pm »
I really really hope that keygen has some good cracktro art and music.

