 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| reply to moonpuppy Re: foxnews.com infected?
I built a VM with XP SP2 and no patches, and surfed FoxNews in it, and it didn't take long to pick up the Vundo.
I got it when I hit the "scitech" link. But since the ads are rotated, it's luck of the draw.
But now my VM is running a "virus scan" that shows infections of all sorts... tee hee hee..
Next challenge, remove this sucker!  -- To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you. |
|
  Cant Tell You
| reply to kpatz Re: foxnews.com infected?
said by kpatz: "Next challenge, remove this sucker!" Start with ComboFix and follow with SuperAntiSpyware. Gets it every time. I see this daily on machines that come into my shop.
The guys doing this are great. It's a shame their talents are put to use this way. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
1 edit | reply to moonpuppy This one didn't sink its hooks in very deep... I just killed the pav.exe process, deleted the file and the shortcut, removed the run entry from the registry and it's gone. Maybe if I let it lurk for a while it would download more of the hard-to-remove crap. Or maybe this is one of the "easy-to-remove" variants. 
EDIT: Had to remove a BHO that was intercepting IE as well. -- To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you. |
|
  Cant Tell You
| Five minutes is all it usually takes and you're done. If you can catch it in the first couple of minutes then you can beat it. But, how many users have any clue on how to do that? Most of my customers tell me they finally brought it in when they just couldn't deal with it any longer. Some last a couple of days! I don't know how they do it. It blows my mind when I can't get the annoying IE or Firefox popup to go away in the initial attempt at getting you to click to download. I always try to kill it without killing the process. I refuse to give in to it. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
1 edit | I re-infected my VM and will leave it on there a bit longer before attempting removal. I love challenges! 
When I right-click the tray icon, it says "Open User Inteface". Malware makers never proofread their work... |
|
 moonpuppy
join:2000-08-21 Glen Burnie, MD
·Verizon Online DSL
| reply to kpatz said by kpatz: "This one didn't sink its hooks in very deep... I just killed the pav.exe process, deleted the file and the shortcut, removed the run entry from the registry and it's gone. Maybe if I let it lurk for a while it would download more of the hard-to-remove crap. Or maybe this is one of the "easy-to-remove" variants. EDIT: Had to remove a BHO that was intercepting IE as well."
I shut down my system as soon as I realized what was going on. This laptop has no AV but it is fully patched.
Glad I am not going crazy. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| reply to moonpuppy I was playing around in the VM, emailing a friend of mine, and noting the crazy "warnings" that my cool new anti-virus has been warning me of.
Here's a couple: quote: Internet Explorers addon Shockwave Flash vs.3 found to be linking to the FormSpy website hosted at IP address 81.95.109.11 and installing FOrmSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers. VBS/Psyme can be deleted proactively in Internet Explorer (IE). This is a detection for a malware that was discovered in the wild on July 24, 2009 (PST). Its installer was proactively detected as New Malware.ag (now Downloader-AXM). This addon tries to send your private information to attackers IP 72.95.109.11 (Malaysia)
So, they detect malware that won't be discovered for another 3+ months.  quote: "Windows Meta File Vulnerability - Vulnerability" "The vulnerability itself is regarded as extremely critical (the highest possible rating). As yet, there is no patch for this vulnerability. Exploit this vulnerability are Trojan-Downloaders, which install other Trojan programs on the victim machine. At the moment, Trojan programs are being downloaded from unionseek.com and iframeurl.biz. New modifications of these programs may appear".
I'll leave the VM running overnight and then see if it's harder to remove tomorrow.  -- To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you. |
|
  shopboss
@axeontech.com | reply to moonpuppy Yeah, definitely infected. It's tried to hit me on two different PCs - just going to foxnews.com with IE7. No wonder we get so many cleanup jobs in our shop - a lot of wasted talent there. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| reply to moonpuppy Well, on the second infection, removal was even simpler than the first time. I just killed the process and ran Hijack This, and found that it didn't reinstall the BHO or even the Run entry in the registry. Perhaps there were traces left behind that fooled the installer.
I'll have to revert to a pre-infection snapshot and try again.  -- To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you. |
|
  Tarheels Fan Premium join:2006-01-05
·Embarq
| reply to moonpuppy Yep, I was prompted to download the AntiVir 2009 software which came while surfing Foxnews. I figured it was from one of the many ads.
On a side note, they really need someone to clean up that site. I feel like I am in 1999 when surfing that site. Old style pop-ups and banners everywhere... |
|
  Sentinel Premium join:2001-02-07 Florida
| reply to moonpuppy I have no problems ... but I do block all ads using a hosts file and I block all third party images using the Firefox block images setting. Doing that I have no problems on that site and I go there dozens of times a day.
Has anyone tried to notify the site admins about this? I am curious what their reply is. I'm guessing they have no idea what third party ad servers are dishing out in their name.
I got a virus on QVC.com once in an image. |
|
  Jaded
@sbcglobal.net | reply to moonpuppy I got a popup (something trying to run) yesterday just by viewing the page at foxnews.com. Now again today. Crap. |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to moonpuppy It must be several ads in rotation. About an hour ago while on this Foxnews.com page: »www.foxnews.com/story/0,2933,516877,00.html
This fake Anti Virus infection came up:

running from this link: >http://onlineproantispywarescannerv2.com/1/?id=2006-60&back=%3DzQ32TT5OQMNMI%3DM
Surprised that there are no search hits returned for the onlineproantispywarescannerv2.com domain, since it was registered back on 03/13.
The assigned name server at the time of registration was NS1.S-HOSTING.BIZ & NS2.S-HOSTING.BIZ in the Ukraine. However, when it went into infection action the NS was changed as follows:
Authority records (name, class, type, data, time to live):
onlineproantispywarescannerv2.com IN NS ns1.greatwallsupport.com 600s (10m)
onlineproantispywarescannerv2.com IN NS ns2.greatwallsupport.com 600s (10m)
onlineproantispywarescannerv2.com IN NS ns3.greatwallsupport.com 600s (10m)
Additional records (name, class, type, data, time to live):
ns1.greatwallsupport.com IN A 85.17.254.136 600s (10m)
ns2.greatwallsupport.com IN A 203.174.83.75 600s (10m)
ns3.greatwallsupport.com IN A 115.126.5.10 600s (10m)
Querying each of the name servers in order produced the following hosted IPs:
ns1.greatwallsupport.com:
onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)
onlineproantispywarescannerv2.com IN A 94.247.3.40 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
onlineproantispywarescannerv2.com IN A 92.62.98.20 600s (10m)
ns2.greatwallsupport.com:
onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)
ns3.greatwallsupport.com:
onlineproantispywarescannerv2.com IN A 78.47.91.153 600s (10m)
onlineproantispywarescannerv2.com IN A 94.76.213.227 600s (10m)
onlineproantispywarescannerv2.com IN A 78.47.172.66 600s (10m)
MGD |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| reply to moonpuppy I just checked the same page as you MGD and saw an I-frame attempt that Symantec corp intercepted. Closed the page and tried to get it to do it again for a screenshot but it would not reproduce.
Friday 1:05AM pacific -amy-  -- Proud Member of ASAP DSLR Phishtracker |
|
 moonpuppy
join:2000-08-21 Glen Burnie, MD | reply to MGD That's what I saw MGD. That's the culprit. |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| said by moonpuppy: "That's what I saw MGD. That's the culprit." Google has now picked up another post from last night of a user browsing foxnews.com:
quote: Disturbing spyware activity on Mac with 3.0.8 upgrade
Firefox version: 3.0.8 Operating system: OSX
While browsing on the web, an alert popped up claiming I had an infection and asked if I wanted the "PC" scanned and cleaned. I tried to close the alert but the screen started showing something purporting to be a scanning operation, so I shut Firefox down. I restarted Firefox and a screen saying I had now been upgraded to 3.0.8 came up, followed by a restart of the "scanning" activity. I shut down the Mac and checked my Google web history using another PC. Google history shows me visiting foxnews.com and then onlineproantispywarescannerv2.com. I have no idea how I could have gotten to that URL. A whois check shows that that URL is not even registered. I've been unsuccessful google searching for anything associated with this "url". Any ideas???
Added emphasis Ref:»support.mozilla.com/tiki-view_fo···orumId=1
Though I saved that foxnews page sourcecode shortly afterwards, it is impossible to tell which of the various adservers were responsible for hoarding this attack script. Someone needs to clean up their act though, as this is apparently a persistent vector with a large potential for exposure.
MGD |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to moonpuppy This appears to be a "stealth" infection operation. A few hours ago the authoritative NS for onlineproantispywarescannerv2.com, ns1, 2, & 3.greatwallsupport.com, began denying all knowledge of its existence:
NsLookup
domain: onlineproantispywarescannerv2.com
server: ns1.greatwallsupport.com [85.17.254.136] returned a non-authoritative response in 125 ms:
Query refused
Within the past few minutes:
NsLookup
domain: onlineproantispywarescannerv2.com
server: ns1.greatwallsupport.com
Address lookup for ns1.greatwallsupport.com failed: Host not found
I suspect that they are rotating in malicious ads with a pool of various domains hosting the infections. Each malware advertisement is only active for several hours to minimize exposure. Matching DNS services are set active during the exposure period, and are then withdrawn in a coordinated attempt to hide the trail.
While the infection vector was active on foxnews.com
The authoritative NS for onlineproantispywarescannerv2.com was
ns1.greatwallsupport.com at IP 85.17.254.136
ns2.greatwallsupport.com at IP 203.174.83.75
ns3.greatwallsupport.com at IP 115.126.5.10
During that active period the greatwallsupport.com name servers were directing requests for onlineproantispywarescannerv2.com to the following IPs:
78.47.91.153 static.153.91.47.78.clients.your-server.de
[Prior history includes hosting: fullantispywareproscan.com/ "loader" & securedradiostation.cn/soft.php "iframe" and more]
78.47.172.66 static.66.172.47.78.clients.your-server.de
[A sampling of prior history includes hosting: antivirus360-protection.com, securedantivirusonlinescanner.com, securedliveuploads.com, softwarforgoodusers.cn, trustedpaymentsystem.com, and more]
92.62.98.20 ns1.tallinnblog.org
[No priors, according to domaintools.com these domains are hosted there: 1. Blogcash.org 2. Help-now.org 3. Paul-schoenle.com 4. Tallinnblog.org ]
94.76.213.227 94-76-213-227.static.as29550.net
[Nefarious history of hosting similar malware according to Dancho Danchev's Blog and more]
94.247.3.40 hs.3-40.zlkon.lv
[Extensive prior history of similar Anti Virus malware hosting]
Though onlineproantispywarescannerv2.com and greatwallsupport.com were projected as being hosted at various places around the globe, and only while the infection was being actively pushed, the cyber birthplace of both criminal domains is in the Ukraine at S-HOSTING.BIZ on:
IP 194.54.83.78 [reverse DNS - server.s-hosting.biz]
Question (name, class, type): greatwallsupport.com IN ANY
Answer records (name, class, type, data, time to live):
greatwallsupport.com IN NS ns1.s-hosting.biz 826s
greatwallsupport.com IN NS ns2.s-hosting.biz 826s
ns1.greatwallsupport.com IP 85.17.254.136 [no reverse DNS set]
IP Information for 85.17.254.136: IP Location: Netherlands, Amsterdam, Leaseweb. Blacklist Status: Clear.
ns2.greatwallsupport.com IP 203.174.83.75 [reverse DNS - 203-174-83-75.rev.ne.com.sg]
IP Information for 203.174.83.75: IP Location: Singapore, Newmedia Express Pte Ltd (Singapore Web Hosting Provider). Resolve Host: 203-174-83-75.rev.ne.com.sg. SSL Cert: 2001-10-20, SSL Certificate has expired. Blacklist Status: Clear.
ns3.greatwallsupport.com IP 115.126.5.10 [no reverse DNS set]
IP Information for 115.126.5.10: IP Location: Hong Kong, Hkntcm-291-091pvt. Blacklist Status: Clear.
A copy of the page source code of http://www.foxnews.com/story/0,2933,516877,00.html, from where the malware popup originated, was taken within a few minutes of the event:
 FoxnewsSourc···code.txt 71158 bytes
However, it is inconclusive if any of the embedded links were responsible.
MGD |
|
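As an added example (not from the thread or any of its posters), a small offline check over the nameserver answers MGD quoted, flagging the traits he describes: sub-hour TTLs, authoritative servers that disagree with each other, and records withdrawn once the ad rotation moves on. The timestamps and the one-hour threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lookup:
    minute: int          # constructed timestamp: minutes after the first query
    server: str          # authoritative server that was asked
    status: str          # "ok", "refused", or "server-unresolvable"
    answers: tuple = ()  # (rtype, data, ttl_seconds) tuples when status == "ok"

# Constructed from the answers quoted in the thread; the timestamps are assumed.
OBSERVED = (
    Lookup(0, "ns1.greatwallsupport.com", "ok", (
        ("A", "78.47.91.153", 600), ("A", "94.76.213.227", 600),
        ("A", "94.247.3.40", 600), ("A", "78.47.172.66", 600),
        ("A", "92.62.98.20", 600))),
    Lookup(0, "ns2.greatwallsupport.com", "ok", (
        ("A", "78.47.172.66", 600), ("A", "78.47.91.153", 600),
        ("A", "94.76.213.227", 600))),
    Lookup(0, "ns3.greatwallsupport.com", "ok", (
        ("A", "78.47.91.153", 600), ("A", "94.76.213.227", 600),
        ("A", "78.47.172.66", 600))),
    Lookup(300, "ns1.greatwallsupport.com", "refused"),             # "Query refused"
    Lookup(420, "ns1.greatwallsupport.com", "server-unresolvable"),  # "Host not found"
)

SHORT_TTL_SECONDS = 3600  # assumption: under an hour counts as a throwaway TTL

def a_records_by_server(lookups):
    """Map each authoritative server to the set of A records it handed out."""
    out = {}
    for lk in lookups:
        if lk.status == "ok":
            out.setdefault(lk.server, set()).update(
                data for rtype, data, _ in lk.answers if rtype == "A")
    return out

def servers_disagree(lookups):
    """True when the authoritative servers do not all return the same A set."""
    return len({frozenset(s) for s in a_records_by_server(lookups).values()}) > 1

def min_ttl(lookups):
    """Smallest TTL seen in any successful answer, or None if nothing answered."""
    ttls = [ttl for lk in lookups if lk.status == "ok" for _, _, ttl in lk.answers]
    return min(ttls) if ttls else None

def withdrawn_after_serving(lookups):
    """True if a server that once answered later refuses or vanishes from DNS."""
    served = set()
    for lk in sorted(lookups, key=lambda l: l.minute):
        if lk.status == "ok":
            served.add(lk.server)
        elif lk.server in served:
            return True
    return False

def assess(lookups):
    """Findings a defender would log for this domain, in plain words."""
    findings = []
    ttl = min_ttl(lookups)
    if ttl is not None and ttl < SHORT_TTL_SECONDS:
        findings.append(f"short TTL ({ttl}s): hosting IPs can be swapped within minutes")
    if servers_disagree(lookups):
        findings.append("authoritative servers disagree on the A records")
    if withdrawn_after_serving(lookups):
        findings.append("records withdrawn after the domain was served")
    return findings

if __name__ == "__main__":
    for server, ips in a_records_by_server(OBSERVED).items():
        print(server, sorted(ips))
    for finding in assess(OBSERVED):
        print("-", finding)
```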
  buttoni Premium join:2005-08-16 Temple, TX
·AT&T Yahoo
·AT&T DSL Service
| reply to moonpuppy So now that you guys have proven something's up with Foxnews.com who's gonna contact Foxnews.com so their tech folks can clean it up? |
|
  DrStrange Technically feasible Premium join:2001-07-23 West Hartford, CT | Fox News isn't necessarily serving the infected ad. Their techs might be able to take it out of rotation on the site, but to take the ad down the originating server needs to be identified and disinfected. |
|