Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Bald_Eagle1]

I THINK that speedtest.net has been recently compromised.

I used the site to run a speed test tonight & saw a window pop up reporting that 1file_saw.exe was running.

Following that a number of system programs & other programs were caught by my anti-virus program (AVG Free 2014) & quarantined & a number were completely deleted (i.e. not in Recycle Bin).

I ended up having to perform a system restore back to a recent date.

I tested this 3 times & the same thing happened each time.

This last time, I haven't been to the speedtest.net site & there have been no ill effects.

AVG did report that 1file_saw.exe & 2file_saw.exe were located in the C:\Users\Paul\Appdata\temp folder.
That's usually a 'hidden' folder, but I unhide those folders anyway & there they were, with very, very recent timestamps.

Performing a system restore did get rid of them though.



This is a great shame as speedtest.net is/was my favourite speed test site & I have recommended it to others in the past.

It's also unfortunate that AVG only partially caught this virus/malware.

So, make sure you have recent restore points if any of you are brave enough to risk using speedtest.net for the time being.


I did find a couple of articles mentioning that this had also happened to speedtest.net a few months ago too.
The filenames 1file_saw.exe & 2file_saw.exe weren't mentioned in the articles though.

[NewtronStar]

Same Here BE was quoted as 25000kbps on speedtest.net but BT speedtest shows as 28900kbps

[burakkucat]

Might it be worthwhile also posting your findings over at ThinkBroadband, so that maximum exposure is given to this potential problem? 

[kitz]

Thanks Paul.   Normally Id take a look as viruses have always intrigued me as I dabbled with them whilst doing my dissertation - slight side track off my main thesis paper, but one of the paths it led to.

However just right now I'll give it a very wide berth.
Its taken me several days of any spare time I had to do a clean install and Ive still not got everything set up how I want yet, so Im being cautious with what sites I visit until Ive completed everything...  at which point I will do a fresh system ghost.   Dont want to risk a rogue file somewhere.

[renluop]

And in the meantime, what alternative would be suggested? Also has Pingtest net also been compromised?

[roseway]

Have a look at http://speedof.me/

It doesn't use Java or Flash, which is very much to be applauded.

[Ronski]

Thanks for the heads up Paul 

Speedtest.net has been compromised in the past, here's an interesting write from last year. Whats very worrying about last years is that very few antivirus products detected it.

[covlad1987]

Have a look at http://speedof.me/

It doesn't use Java or Flash, which is very much to be applauded.

first time iv seen this one my first test on it
http://speedof.me/show.php?img=140304210506-32111.png

[kitz]

@ ronski, yes it is rather worrying.   

I suppose the likes of speedtest.net would be a prime target for these types of attacks as they rely on the user downloading some sort of file to the local machine in order for them to be able to test the throughput speed. It doesn't necessarily need to be a java or flash specific type attack, all it needs is for the server to be compromised and rogue code injected.  If a remote file is dumped on your pc, then you would expect your AV to pick it up.   

With speedtest.net, I suppose any hackers would have a choice of several servers to attempt to compromise... aside from their web server.

@ BE can you recall which server location you used?

[UncleUB]

Have a look at http://speedof.me/

It doesn't use Java or Flash, which is very much to be applauded.

That site gave me a slightly lower download reading of just over 20mb and a very low upload reading of just over 1.6mb

This is the one via Thinkbroadband




Other speedtests give me over 22mb download and over 8mb upload........This is on a 24/10mb fibre connection.

[Bald_Eagle1]

@ BE can you recall which server location you used?

Very likely to be a London server as it usually defaults to there based upon best ping times.

I'm with Plusnet, based in Sheffield, but I gather a lot of traffic is routed from their London server(s).
Hence the best ping being from a server located almost 200 miles from my home?

[Bald_Eagle1]

Speedtest.net has been compromised in the past, here's an interesting write from last year. Whats very worrying about last years is that very few antivirus products detected it.

Yes, that's one of the informational sites I found last night.

Since my final system restore & NOT revisiting speedtest.net, everything has been just fine.

It's a bit concerning that AVG detected the issue but failed to deal with it correctly.


Luckily I had a fairly recent restore point & it wasn't a major effort to get things back to normal.

[NewtronStar]

It's a bit concerning that AVG detected the issue but failed to deal with it correctly.

Luckily I had a fairly recent restore point & it wasn't a major effort to get things back to normal.

I don't know BE1, used speedtester.net 5/3/2014 at 1:05am nothing came up only a very slow test, the AV that I'm using is MS security essentials, so makes me wonder if AVG did not block the threat 

[Bald_Eagle1]

Is there any evidence in MSE that it had to deal with anything?

[Bald_Eagle1]

FWIW, I installed a Java update this evening - Version 7 Update 51 (build 1.7.0_51-b13)

On visiting speedtest.net again, I saw no issues whatsoever.

So either the exploit has gone or an updated version of Java has dealt with it.