Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[martinuzz]

For the past few weeks, malwarebytes regularily throws me messages that it has blocked malicious links to u.cubeupload.com when I browse these forums.  What's up with that?

[nenjin]

First guess would be someone's avatar hosting site? When do you get the alert?

(I was going to reflex report this post until I saw it was from you. I'm well trained.)

[Zangi]

Oddly, I got a u.cubeupload.com block after I looked at this page.  (Using malwarebytes too.)

(Was willfully ignoring this thread till I saw the name of the poster.  Hah)

[nenjin]

Specifically off this thread? Interesting. I don't see any mention of that URL in the page source.

[Starver]

This nudged my memory of something I read a while ago, and from where I've looked to confirm it I think MB has been blocking it (in Premium, at least) since at least 2017. The "u." site, that is. But it wasn't resolved why, and a quick poke on MB's forum seems to indicate that its staff don't want to explain further.

So I'm no wiser. And as I don't use Premium at all, I can only theorise that it has (in this thread) overdetected the plaintext (non-<a href...>) domain. Perhaps because you get "Just go to site.this.that" plaintext in fora that doesn't get translated to a link, by the meta-BBCode rules, but that many users know they can pick up through the paste-buffer and use manually. (And even they need protecting.)


Best, uninformed, guess is that there's excessive trackware in the u. site. Or maybe a historical security flaw injected 9ne time, and it's never been deemed safe to deblack(/grey)list it even after all this time.  Whether these problems are transmissable by the (suggested) avatar-hosting, I don't know. Total guesses anyway, might be utterly off-target, even if MB actually aint.

(Additionally, it seems nobody who tested their systems found anything on them attributable to having visited the u. site, so if anything is still 'wrong' with it then it isn't pushing anything (detectable) onto the visiting machine. Which doesn't guarantee it as an overly paranoid reaction, but doesn't at all prove it isn't either.)

[martinuzz]

I never saw this until I got a free premium trial for malwarebytes last week (which adds realtime protection).
I suspect as well it has something to do with some avatar hosting site, and read the malwarebytes forums too, but got none the wiser.
Was hoping some of the great minds over here could shed some light on it.
Malwarebytes scan shows no infections though (rootkit scan included), although I haven't downloaded some other anti mal/spyware tools yet like Spybot S&D

[Flying Dice]

I have MWB premium and haven't seen any of those blocks on B12.

I never saw this until I got a free premium trial for malwarebytes last week (which adds realtime protection).
I suspect as well it has something to do with some avatar hosting site, and read the malwarebytes forums too, but got none the wiser.
Was hoping some of the great minds over here could shed some light on it.
Malwarebytes scan shows no infections though (rootkit scan included), although I haven't downloaded some other anti mal/spyware tools yet like Spybot S&D

To preface: Malwarebytes saved my bacon in 2011 from a nasty piece of ransomware, I bought the premium version that same day for $20 and got grandfathered in for life when they went to the subscription model, so I've used it on every device I own for nearly a decade.

When the realtime protection module flags something on the internet, that's active active protection, as in MWB detected and blocked whatever the suspect process or element was trying to do. I haven't had a single malware infection on any of my computers since I first set it up, and all I use is the combination of that + the default Windows Defender stuff + uBlock Origin and Simple Popup Blocker on my browser.

It's pretty typical for shitty borderline-adware AV programs like McAfee and Norton to throw up constant false positives and outright fake "viruses" on their scans to try to convince you that you're in danger and they're stopping it (often while they ignore actual threats). If you're used to seeing the scan reports from one of those it does seem odd at first to never have any returns from MWB, but that's because the active protection and basic common sense while browsing (with a good adblocker in tow) are more than enough to keep anything from getting on your system in the first place.

For example, I used to watch a lot of stuff on KissAnime before it got taken down for good, and their ads were full of malicious shit. MWB would give me warnings about blocked processes on just about every page load, but nothing got through.

[Starver]

It's pretty typical for shitty borderline-adware AV programs like McAfee and Norton to throw up constant false positives and outright fake "viruses" on their scans to try to convince you that you're in danger and they're stopping it (often while they ignore actual threats).

I've got one machine here that hasn't been connected to anything (live[1]) for years. The free-version AV installed on it and that I haven't bothered uninstalling (identified as the 2012 version) occasionally[2] pops up a message saying I have been "protected from theats", and gives the actual count. Which it actually lists as zero. Must make note of the number of scans it tells me that was from, next time it pops up.

Another free-AV I've used (on less isolated machines, but not important enough to be up-protected to the next level) does an annual "renew your free licence" thing that is always trying to misguide the user to 'temporarily' use the Premium Trial, which it's all too easy to do by clicking on the 'obvious' hotspots. And then if I (or the people using it at the time) don't notice and manually revert, a month or so later there's demand for payment.  I rather dislike Trial Premium systems, because of tricks like this. Full Paid, or let me (or the other poor victim) keep with the Free Version I selected, please.

And because I've always had a different monitoring AV already, MBAM has only ever been useful to me as an on-demand scanner, every now and then, for which the Premium is truly a waste.


The jury is out whether this topic's complaint is a false negativepositive or not (your other systems may have intercepted whatever URI-fingering MBAM actually picked up), but while I rate MalwareBytes highly (well, the last time I thought I might need it I did) I know there's no single answer. And McAfee/Norton have more often been the problem in years past. (Like almost a whole university department needed me to help remove a nasty rootkit installed alongside a "Watch the World Cup for free!" BHO/menu-bar trojan thing a few years back that got entirely past whichever 'big name' all-bells'n'whistles AV it was that the Uni had plumped for. Probably every other faculty too, but they were officially someone elses' problems.)

My rule of thumb: Stay away from the big guns (those two, primarily, others on advisement and according to recent experience/info) and preferably avoid any AV whose name starts with "A" (and especially "AV") as 'too obvious'. But that's just in my particular circumstances, probably not advice I'd give to anyone else, totally out of context.





[1] And only via sneakernet from protected machines.
[2] Yearly? Not as frequent as monthly, and don't think it's quarterly, so it's probably annual.

[feelotraveller]

Browser specific?  I'm not seeing any trace of it with Firefox and several security plugins.

[martinuzz]

I am using Firefox with NoScript addon. And Avast! antivirus (Free version).
The popup is not consistent, it just pops up every once in a while when browsing the forums.

[George_Chickens]

These small, free upload sites often have poor moderation and get flooded with malware. Antivirus companies overzealously block them because of this. It's an innocent image that is being filtered by the premium firewall because of the site.

[Reelya]

Best, uninformed, guess is that there's excessive trackware in the u. site.

but 'u.' isn't any sort of site. That's a subdomain. u.google.com for example would be a completely different beast to u.facebook.com. There's absolutely no connection there whatsoever.

Looking through forum posts it seems that a while ago some hackers hid malware in a 'picture' on cubeupload.com and hot linked that somewhere else for nefarious purposes, and as a result the domain got blocked. This was supposed to have been resolved and cupeupload.com fixed the issues but maybe it's a thing that recurred.

[Starver]

Best, uninformed, guess is that there's excessive trackware in the u. site.

but 'u.' isn't any sort of site. That's a subdomain. u.google.com for example would be a completely different beast to u.facebook.com. There's absolutely no connection there whatsoever.

You misunderstood my intention there.

It appeared that u.cubeupload.com (wherever or however it ends up served differently from straight cubeupload.com, www.cubeupload.com, anything.else.cubeupload.com, once you get into DNS territory) was being commented upon as provoking this response while its 'parent' domain and/or various sibling domains were not tripping MBAM’s alarms.

At least in the inconclusive analysis I'd seen, which obviously wasn't as detailed as what you found.

And I didn't want to write the domain in full (even if it wasn't technically a link and probably wouldn't have altererd any representation on a search engine listing, given it was already mentioned as full in the thread title), I was refering to just this subdomain by the simplest way I could (obviously not the most obvious). Like, in context I could mentioned simple.wikipedia.org[1] or any explicit mobile-version site[2].

But that's academic, really. It just shows that I am clearly bad at trying to shorten my explanations to the bare minimum, when I actually try to be considerate that way.

[1] e.g. "Is it right that the simple. page lacks the <whatever> that the main wikipedia page has?"
[2] "The stylesheets provided through the m. site seem to assume portrait mode for everything. I could quite easily use the sidebarred filter config from the www., but it now takes up the top ofthe page and forces me to scroll down past it!"

[nogoodnames]

This started happening to me too. I tracked it down to Dostoevsky's avatar. Sent him a PM about it.

[Dostoevsky]

Ugh, hopefully I haven't caused anyone any problems. Had trouble finding a hosting service that'd work with this site, and picked that one after doing some research. To be on the safe side I'll disable it.