 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
1 edit | reply to Cometcom1 Re: foxnews.com infected?
I can confirm what other recent posters have experienced today. I now categorize foxnews.com as infested. Remember that a user need only visit a page at foxnews.com to trigger the malware popup. It is not the result of clicking on any ad.
While on this page at 16:57 EST »www.foxnews.com/story/0,2933,517084,00.html the following was generated:
quote: 19.04.2009 16:57:21 Network Shield: blocked access to malicious site 78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 3388 ) ]
Allowing the process to proceed generated this:

Then the page hijacking scan:

A download process of vsm_free_setup.exe also began from toppromooffer.com

While there are many who classify these fake AV programs as "Scareware", I disagree. While the first phase of the process will involve charging a victim's card ~$70, followed by numerous other charges in the following days and weeks, I have yet to see an infected system that did not have subsequent installs of key loggers and back door trojans that turned it into a bot and enabled remote access. That observation is supported by the repeated analysis of these payload installs.
The downloaded file vsm_free_setup.exe was already in VirusTotal's database from a recent submit, and a fresh analysis of this file generated: »www.virustotal.com/analisis/26be···95f80e26 However if you review the related ThreatExpert analysis: »www.threatexpert.com/report.aspx···47a88f8f
Take note of the following excerpts:
------------------------------ Analysis of the file resources indicate the following possible countries of origin:
Russian Federation
Ukraine ------------------------------
Possible Security Risk
Attention! The following threat categories were identified:
•A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
•A program that downloads files to the local computer that may represent security risk ------------------------------
It is indeed disingenuous to only classify these as "Scareware"; that undermines the severity of the crime.
The download location also hosts a benign page for the malware:
Many of the same locations as were listed in the earlier post are showing up once again. AS24940 HETZNER is a repeated cesspool for this genre of virus infections:

Added excerpt for emphasis:
quote: Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 85 site(s), including, for example, toppromooffer.com/, bestantimalwarelivescanner.com/, bonuspromooffer.com/, that infected 5596 other site(s), including, for example, portalby.net/, noreastcycling.com/, asiaspa.ie/.
Yes, that is: We found 85 site(s), including, for example, toppromooffer.com that infected 5,596 other site(s
Some more observations to follow.
MGD
 mysec Premium join:2005-11-29
1 edit | Thanks for the information!
The Fox News link you gave must be fixed - it didn't redirect anywhere; I used your malware links manually.
I get different results, depending on the browser.
said by MGD: A download process of vsm_free_setup.exe also began from toppromooffer.com
Using Opera, all that happens is the display of a Prompt to Download, which maybe is what you meant:

The victim still has to initiate the download.
BTW - the exploit requires JavaScript to be enabled:
Without these files, nothing happens. To test, I disabled JavaScript in Opera and got a blank page.
Using IE6 with 78.47.132.... that you gave, the browser locked up and then an alert to a remote code execution exploit:

The Page Code has this (excerpt):
With some help from Wepawet:
The 3rd exploit (aka MS06-014) is the one I was served up. The clue is:
Special Folder 2 is code for the Temp folder and in the alert you can see that this file was not found because aff_12 was blocked from downloading and renaming to w32NOFJCyliz5mm5R.exe
According to the analysis, all exploits downloaded the same payload.
VirusTotal Result: 2/40 »www.virustotal.com/analisis/178d···a2f50448
It is rather common today that a malware site determines the browser and serves up exploits accordingly. All of these are IE6 exploits which would have no effect on other browsers.
This is the 3rd exploit I've seen recently where the exact same thing happens: IE6 gets served a batch of exploits looking for an unpatched vulnerability, Opera gets something else.
This shows a level of sophistication and efficiency on the part of the malware community these days.
I recently downloaded Firefox to test sites. This is what occurred with Javascript enabled in Options:

Even clicking "Ignore" would not load the page. It took me a while to find the security setting.
Trying again, I'm served up a PDF exploit. From the code analysis:

But it requires the Adobe Acrobat Javascript plugin which I've removed:

Different browser, different exploit. And that might change at any time!
And so it goes...
Edit: added code excerpt
---- rich
 Cometcom1
join:2009-04-18 denmark
| reply to moonpuppy Just to confirm. Still being targeted here as well. Fake antivirus type redirection.
As I expected, there's likely a reinfection timer that checks when an IP was last infected to avoid reinfection over at least 24 hours. - My tests seem to indicate that this is not done with cookies. |
  Sentinel Premium join:2001-02-07 Florida | reply to moonpuppy I still have no problems on FoxNews.com. I am using Firefox with NoScript and FlashBlock and I use a hosts file to block ads as well. |
 Cometcom1
join:2009-04-18 denmark
| reply to moonpuppy Nothing against foxnews - it's their advertising that is acting up and spreading the malware. Likely without them even realizing this is going on.
I've now established contact with foxnews and they are looking into this very seriously.
Cometcom1 |
  MR Opus IT
| reply to moonpuppy I left my Home Laptop on over night on Foxnews.com (Nothing Else open) and my Laptop Antivirus (Symantec) Picked Up Bloodhound.Exploit. Also, a user in my office was slammed with 3 different malware issues (She claimed came from Foxnews) and after I cleaned them all I installed the latest Symantec EndPoint Protection and went back to Foxnews.com and sure enough it picked up 3 different malware trojans. It stopped all three and I then removed any IE7 Add-Ons and went back to the site and nothing happened. There is something about that site.
  fatness subtle Janitor join:2000-11-17 fishing
·EarthLink
| reply to moonpuppy Maybe this will provide more of a push for Fox News to deal with this problem: »FoxNews.com Serving Up Infected Ads? -- goodbye dad |
  JsMOM
@rr.com
| reply to moonpuppy I unfortunately had to ask my entire company to stop visiting FOXNEWS. We will probably end up blacklisting it today via OpenDNS. FOXNEWS better make this a huge priority as I'm certain we are not the first, nor will be the last company to do so. Vundo, Bloodhound, etc all have been blocked by Symantec AV, however others have crept in and Malwarebytes' AM was used in safe mode as well as Symantec AV to scrub the little PITAs out.
Infection seems to occur via FF and IE7. I'm not in the mood to install adblockers or noscript company wide.
  evergreek Boeing Rocks
join:2003-05-25 Hialeah, FL clubs: | reply to moonpuppy I received the same pop up yesterday! Scanned my pc, everything seems ok. |
 Bobby_Peru Premium join:2003-06-16
| reply to JsMOM Re: foxnews.com infected?
said by JsMOM :
Infection seems to occur via FF and IE7. I'm not in the mood to install adblockers or noscript company wide.
Once upon a time, pre Adblock (in its actual block calling and downloading iteration), WebWasher had an application for central deployment that you might want to check out. Just a thought.
  HowDoesItWork
@inet.fi
| reply to mysec So how does this infection work and is it really such a big deal? How does it actually infect your system?
Doesn't it just exploit some vulnerabilities in the usual suspects (IE, Adobe Reader, Flash, Java etc) or try to cheat the user to first click yes to the download prompt and then execute their scamware executable? If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all? Or is this a problem just for that mass of people who run with unpatched IE under admin account...
Thanks.
 katarina
join:2003-09-07 Houston, TX
| said by HowDoesItWork :
If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all?
Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.
Not everyone knows to use Task Manager or other methods to get out of its grasp.
 moonpuppy
join:2000-08-21 Glen Burnie, MD
·Verizon Online DSL
| reply to HowDoesItWork said by HowDoesItWork :
So how does this infection work and is it really such a big deal? How does it actually infect your system?
Doesn't it just exploit some vulnerabilities in the usual suspects (IE, Adobe Reader, Flash, Java etc) or try to cheat the user to first click yes to the download prompt and then execute their scamware executable? If your software is patched and you have smarts enough to not click yes to everything, is this thing any threat at all? Or is this a problem just for that mass of people who run with unpatched IE under admin account...
Thanks.
I thought my system was fully patched.
I will say that I did NOT initiate any download and I NEVER click on pop-ups or any ads. In fact, IF I see something I like, I will manually copy the link and Google it first.
  HowDoesItWork
@inet.fi
| reply to katarina quote: Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.
Not everyone knows to use Task Manager or other methods to get out of its grasp.
Shouldn't the browser still display a download dialog prompt, even if the popup is set to download anyway when you click on anything, including the no thanks button? Seems to me that it should, unless there's a serious flaw in the browser that makes it possible to download stuff without the user accepting the download. I mean, even if you click yes on the crapware popup, shouldn't there still be a download prompt from the browser, unless the browser is just insecure by design? Like this:
- you get served with the infected ad and popup
- you realize what's up and click on the X mark to close the popup
- the popup still tries to push the download on you
- your browser should alert you now that someone wants you to download something, and ask if you want to download the file, download and run it, or to just cancel the whole download
If it does work that way, then it's no threat to those who practice basic safe surfing. But I just don't know how this one works.
To moonpuppy, are you saying that you got infected by doing just browsing the site, not accepting any downloads, with a fully patched browser and fully patched plugins (flash, java, the usual)? If so, how does this thing do that? I'm confused.
  MR Opus IT
| reply to moonpuppy This is an FYI to all. After I cleaned my user's PC and upgraded to the newest version of Symantec End Point Protection, the only thing I did was open IE7, type www.foxnews.com, hit enter and immediately Symantec caught 3 different malware files coming from the site. I didn't even have a chance to click. I am setting up another PC to test with to see if it was a combination of add-ons and IE7 or just IE7.
 Cometcom1
join:2009-04-18 denmark
| reply to HowDoesItWork The actual infection is pretty nicely covered with the existing comments here, but how does this malware actually hide?
The advertising is loaded from the advertising servers, i.e. it might be hosted there or it might be external contents that is injected in an iframe.
There are two ways that the fake av is initiated after this initial advertising loading.
Javascript redirect - done by hacking the server containing the ad and adding or modifying existing script files.
.htaccess redirect - done by hacking the server containing the ad and forcing a redirect based on the referrer, i.e. the ad can be displayed on multiple sites, but only if it is embedded in particular sites will it trigger a redirect. - This is most often seen on search engine redirects.
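The referrer-keyed .htaccess redirect described above is easy to miss when triaging a compromised ad server, because the page looks clean when fetched directly. The script below is an added example (not code from the thread or any participant): it parses a constructed .htaccess sample and flags RewriteRules that redirect to an external target and are gated by a RewriteCond on HTTP_REFERER, honouring Apache's rule that a RewriteCond chain applies only to the next RewriteRule. The domain names in the sample are placeholders.

```python
"""Triage helper for a compromised ad server: flag .htaccess redirects that only
fire for selected referrers. Added example, not from the thread; the sample
.htaccess is constructed and its domain names are placeholders."""
import re

# Constructed sample: a normal front-controller rule, then a planted redirect that
# only fires when the ad is embedded on chosen publisher sites and the visitor
# runs IE (the browser-keyed behaviour mysec observed).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
RewriteCond %{HTTP_REFERER} (publisher-a|publisher-b)\\.example [NC]
RewriteCond %{HTTP_USER_AGENT} MSIE [NC]
RewriteRule .* http://malicious-placeholder.example/a12/index.php [R=302,L]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
R_FLAG_RE = re.compile(r"(^|,)R(=\d+)?(,|$)")  # external redirect flag, e.g. R or R=302

def find_referrer_redirects(htaccess_text):
    """Return one finding per RewriteRule that redirects (absolute URL target or
    an R flag) and is gated by a preceding RewriteCond on %{HTTP_REFERER}.
    In Apache a chain of RewriteCond lines applies only to the next RewriteRule,
    so the pending conditions are cleared after every rule."""
    findings, pending = [], []  # pending: (test variable, pattern) for next rule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # blanks, comments and other directives keep the chain intact
        target, flags = rule.group(2), rule.group(3) or ""
        redirects = target.lower().startswith(("http://", "https://")) or bool(R_FLAG_RE.search(flags))
        referrers = [p for v, p in pending if v == "%{HTTP_REFERER}"]
        if redirects and referrers:
            findings.append({"line": lineno, "target": target, "referrer_patterns": referrers,
                             "other_conds": [v for v, _ in pending if v != "%{HTTP_REFERER}"]})
        pending = []  # the RewriteCond chain is consumed by this RewriteRule
    return findings

if __name__ == "__main__":
    for f in find_referrer_redirects(SAMPLE_HTACCESS):
        print(f"line {f['line']}: redirect to {f['target']} gated on referrer {f['referrer_patterns']}")
```

Run it against every .htaccess under the web root of a suspect host; a hit whose target is not one of your own domains is what to pull the server logs for.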
 amungus Premium join:2004-11-26 America clubs:
| I am also interested in how it "hides" as well...
Last infection I got on one of my machines (first one in years), was likely due to an iframe. That, or the unlikely chance that an infected gmail "news ticker" (whatever its called above the inbox - which I've disabled since then...) did it.
iframes have also been forbidden in noscript ever since that.
Agree with a post earlier - this is why I have zero qualms about using adblockplus, and especially noscript. Two of the best plugins IMHO.
Was shocked, however, to still get an infection with these two plugins...... iFrames have only been "forbidden" on the one machine I saw the infection on. On others, I've left noscript at its default settings for the most part. |
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to HowDoesItWork
said by HowDoesItWork :
... Shouldn't the browser still display a download dialog prompt, even if the popup is set to download anyway when you click on anything, including the no thanks button? Seems to me that it should, unless there's a serious flaw in the browser that makes it possible to download stuff without the user accepting the download. ...
Yes, for clarification, if you decline the scan, it will do the fake scan anyway and impose a full screen in your browser. If you then choose "cancel" for the recommended install, it will proceed with the download. The warning that the user will get is from their system alerting them to the dangers of allowing an .exe file to run. They should be able to use their system at that point to block the install. However, prior to that point, "cancel" and "no" means "Yes".
Be aware that as mysec points out, the initial popup redirect will also avail of the opportunity to look for several available exploits in the users system configuration.
The IP 78.47.132.222 also contains a frame that sources from: >http://redirectclicks.com/?accs=845&tid=338
redirectclicks.com is associated with multiple malware: »www.google.com/search?hl=en&q=%2···o.com%22
Redirectclicks.com is hosted once again on Hetzner Online AG (AS24940) at IP 88.198.69.115 [static.88-198-69-115.clients.your-server.de] alongside Traffic-go.com »www.google.com/search?hl=en&q=%2···G=Search
Both of those criminal domains have infected thousands of sites. While the current focus is on the exploitation of foxnews.com, this is a global problem that infects users everywhere:


Fox needs to quickly identify the responsible advertiser/s and remove and suspend them. You can find victim reports of infection attacks from Fox going back well over a month.
Incidentally, while wading through the cesspools of cyberspace following the trail of toppromooffer.com I bumped into our friend "Cactus" from Moscow. Small world!!
MGD |
 moonpuppy
join:2000-08-21 Glen Burnie, MD
·Verizon Online DSL
| reply to HowDoesItWork said by HowDoesItWork :
To moonpuppy, are you saying that you got infected by doing just browsing the site, not accepting any downloads, with a fully patched browser and fully patched plugins (flash, java, the usual)? If so, how does this thing do that? I'm confused.
Fully patched OS, IE, Java, FLASH, etc. I saw multiple popups and I did not click no but the "X" of the window. When I realized what was happening, I immediately shut the laptop down HARD. I pressed the power button until it shut off completely and restarted the system with the wi-fi off. When I saw no activity, I turned the wi-fi back on and immediately headed here to do some cleaning and that's when I found the issues I mentioned earlier. I then posted here about it.