quote:

---

............a brief analysis of the campaign which now appears to have been removed by FoxNews.

---

quote:

---

1) Scripting disabled. (Javascript, not Java).

If I enable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.

---

bcastner

•the one on the Fox News site is web-based

•others arrive by email where the user/victim decides to open the file.

said by FiOS Dan :

said by Sentinel :

...I use a hosts file to block ads as well.

Methinks that's the ticket.

quote:

---

Comment by Anita in VA
April 18th, 2009 at 6:52 am
Good morning fellow bloggers–

I have a quick question–have any of you experience, when first accessing the Greenroom Blog, a Windows Explorer popup windows, saying you need to run a virus scan on your computer?

I had it happened last saturday, when on work travel, from my work computer, and then again this morning, from my home computer.

Comment by Jimmy
April 18th, 2009 at 6:54 am
yes Anita…..it a shame…ran my program…no infections….they bother you to try to grt you to buy their program….do not load the program

Comment by Anita in VA
April 18th, 2009 at 6:59 am
jimmy/all–yes, that was actually the FakeAlert Trojan–

other bloggers–if you also got that popup, run a REAL virus scan of your computer, even if you X’d out of it. You’re probably now infected with the FakeAvAlert Trojan

Alisyn/Foxnews–
Please scan your website pages, it was definitely a link/ad on your pages that produced the popup that infects with the FakeAVAlert Trojan.

---

quote:

---

Registration Service Provided By: REGISTER SERVICES
Contact: +001.8882106539

Domain Name: LORENTRIO.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 29-Mar-2009
Expiration Date: 29-Mar-2010

---

quote:

---

"Malicious software is hosted on 3 domain(s), including 2mdn.net/, s3.wordpress.com/, llnwd.net/."

---

Snapped 2009-04-21 00:45:11

»www.google.com/safebrowsing/diag···news.com

quote:

---

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including foxnews.com/.

---

Snapped 2009-04-21 00:44:54

»www.google.com/safebrowsing/diag···ess.com/

said by mysec :

....
Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"
..
----
rich

quote:

---

[Adobe Reader 6.0 from your computer wants to
connect to plathost.ru [78.109.25.217], port 80]

---

Snapped 2009-04-20 16:11:32

»translate.google.com/translate?h···6hl%3Den

Snapped 2009-04-20 16:13:50

»translate.google.com/translate?j···_state0=

said by kpatz :

---

Internet Explorers addon Shockwave Flash vs.3 found to be linking to the FormSpy website hosted at IP address 81.95.109.11 This addon tries to send your private information to attackers IP 72.95.109.11 (Malaysia)

---

quote:

---

IP address country: 81.95.109.11
IP address country flag Czech Republic
IP address state: Hlavni Mesto Praha
IP address city: Praha

---

quote:

---

IP address 72.95.109.11
IP country code: US
IP address country: flag United States
IP address state: Maine
IP address city: Orono
IP address latitude: 44.879101
IP address longitude: -68.733002
ISP of this IP [?]: Fairpoint Communications
Organization: Fairpoint Communications

---

quote:

---

The fake antivirus exploit prompts for a download in IE, Opera, and Firefox because the download is an executable file for which these browsers prompt by default. I showed Opera in a previous post.

---

quote:

---

The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"

---

quote:

---

Be sure and configure your file types to Prompt for Download, or "Always Ask"

---

quote:

---

Yes, for clarification, If you decline the scan, it will do the fake scan anyway and impose a full screen in your browser. If you then choose "cancel" for the recommended install, it will proceed with the download. The warning that the user will get is from their system alerting them to the dangers of allowing an .exe file to run. They should be able to use their system at that point to block the install. However, prior to that point, "cancel" and "no" means "Yes".

---

quote:

---

Fully patched OS, IE, Java, FLASH, etc. I saw multiple popups and I did not click no but the "X" of the window. When I realized what was happening, I immediately shut the laptop down HARD. I pressed the power button until it shut off completely and restarted the system with the wi-fi off. When I saw no activity, I turned the wi-fi back on and immediately headed here to do some cleaning and that's when I found the issues I mentioned earlier. I then posted here about it.

---

quote:

---

Since many users are not aware of the fact that if they try to tell the pop-up "no thanks" by clicking on the usual "close" or "Cancel" buttons they see on their screen, they will probably get the download/install anyway ... I would think that it is a threat to even those with patched machines.

Not everyone knows to use Task Manager or other methods to get out of its grasp.

---

quote:

---

19.04.2009 16:57:21 Network Shield: blocked access to malicious site 78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 3388 ) ]

---

Snapped 2009-04-19 23:32:14

»toppromooffer.com/vsm/index.html

quote:

---

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 85 site(s), including, for example, toppromooffer.com/, bestantimalwarelivescanner.com/, bonuspromooffer.com/, that infected 5596 other site(s), including, for example, portalby.net/, noreastcycling.com/, asiaspa.ie/.

---

 
Domain Name:                                 S-HOSTING.BIZ
Domain ID:                                   D17077428-BIZ
Sponsoring Registrar:                        DIRECTI INTERNET SOLUTIONS PVT. LTD. 
 D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID:                303
Domain Status:                               ok
Registrant ID:                               DI_5578081
Registrant Name:                             Nikolay Tabakov
Registrant Organization:                     Stephani hosting
Registrant Address1:                         Topolevaya str. 17, app.6
Registrant City:                             Odessa
Registrant State/Province:                   Odessa Oblast
Registrant Postal Code:                      65009
Registrant Country:                          Ukraine
Registrant Country Code:                     UA
Registrant Phone Number:                     +380.487198431
Registrant Facsimile Number:                 +380.964635373
Registrant Email:                            admin@stephani.od.ua
Administrative Contact ID:                   DI_5578081
Administrative Contact Name:                 Nikolay Tabakov
Administrative Contact Organization:         Stephani hosting
Administrative Contact Address1:             Topolevaya str. 17, app.6
Administrative Contact City:                 Odessa
Administrative Contact State/Province:       Odessa Oblast
Administrative Contact Postal Code:          65009
Administrative Contact Country:              Ukraine
Administrative Contact Country Code:         UA
Administrative Contact Phone Number:         +380.487198431
Administrative Contact Facsimile Number:     +380.964635373
Administrative Contact Email:                admin@stephani.od.ua
Billing Contact ID:                          DI_5578081
Billing Contact Name:                        Nikolay Tabakov
Billing Contact Organization:                Stephani hosting
Billing Contact Address1:                    Topolevaya str. 17, app.6
Billing Contact City:                        Odessa
Billing Contact State/Province:              Odessa Oblast
Billing Contact Postal Code:                 65009
Billing Contact Country:                     Ukraine
Billing Contact Country Code:                UA
Billing Contact Phone Number:                +380.487198431
Billing Contact Facsimile Number:            +380.964635373
Billing Contact Email:                       admin@stephani.od.ua
Technical Contact ID:                        DI_5578081
Technical Contact Name:                      Nikolay Tabakov
Technical Contact Organization:              Stephani hosting
Technical Contact Address1:                  Topolevaya str. 17, app.6
Technical Contact City:                      Odessa
Technical Contact State/Province:            Odessa Oblast
Technical Contact Postal Code:               65009
Technical Contact Country:                   Ukraine
Technical Contact Country Code:              UA
Technical Contact Phone Number:              +380.487198431
Technical Contact Facsimile Number:          +380.964635373
Technical Contact Email:                     admin@stephani.od.ua
Name Server:                                 NS1.S-HOSTING.BIZ
Name Server:                                 NS2.S-HOSTING.BIZ
Created by Registrar:                        ESTDOMAINS INC
Last Updated by Registrar:                   DIRECTI INTERNET SOLUTIONS PVT. LTD. 
D/B/A PUBLICDOMAINREGISTRY.COM
Last Transferred Date:                       Mon Dec 01 13:54:54 GMT 2008
Domain Registration Date:                    Wed Mar 28 15:23:46 GMT 2007
Domain Expiration Date:                      Sat Mar 27 23:59:59 GMT 2010
Domain Last Updated Date:                    Fri Mar 20 23:52:33 GMT 2009

IP Information for 194.54.83.78
IP Location:   Ukraine Realon Service Llc  
Resolve Host:  server.s-hosting.biz  
IP Address:  194.54.83.78       
Reverse IP:  242 other sites hosted on this server.  
Blacklist Status:  Clear  
.
Whois Record
inetnum:        194.54.80.0 - 194.54.83.255
netname:        REALON-UA
descr:          Realon Service LLC
remarks:        www.server.ua
country:        UA
org:            ORG-BEAR1-RIPE
admin-c:        PRO-RIPE
tech-c:         PRO-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         SERVER-MNT
mnt-routes:     SERVER-MNT
mnt-domains:    SERVER-MNT
source:         RIPE # Filtered
.
organisation:   ORG-BEAR1-RIPE
org-name:       Realon Service LLC
org-type:       OTHER
address:        54001, PBOX 297, Mykolayiv - 001
address:        UA, Mykolayiv, Mykolaiv Oblast
e-mail:         
mnt-ref:        SERVER-MNT
mnt-by:         SERVER-MNT
source:         RIPE # Filtered
.
person:         Alexey Provorny
address:        54001, PBOX 297, Mykolayiv - 001
address:        Mykolayiv, Ukraine
phone:          +380 512 71-18-36
phone:          +380 44 360-00-44
fax-no:         +380 512 71-18-36
nic-hdl:        PRO-RIPE
mnt-by:         RX-MNT
source:         RIPE # Filtered
.
route:          194.54.80.0/22
descr:          SERVER UA UKRAINE DEDICATED SERVICE
origin:         AS41671
mnt-by:         BEARNET-MNT
mnt-by:         SERVER-MNT
source:         RIPE # Filtered

FoxnewsSourc···code.txt 71,158 bytes

said by moonpuppy :

That's what I saw MGD. That's the culprit.

quote:

---

Disturbing spyware activity on Mac with 3.0.8 upgrade

Firefox version: 3.0.8 Operating system: OSX

While browsing on the web, An alert popped up claiming I had an infection and asked if I wanted the "PC" scanned and cleaned. I tried to close the alert but the screen starting showing something purporting to be a scanning operation so I shut Firefox down. I restarted Firefox and a screen saying I had now been upgraded to 3.0.8 came up followed by a restart of the "scanning" activity. I shut down the Mac and checked my Google web history using another PC. Google history shows me visiting foxnews.com and then onlineproantispywarescannerv2.com I have no idea how I could have gotten to that URL. A whois check shows that that URL is not even registered. I've been unsuccessful google searching for anything associated with this "url". Any ideas???

---

quote:

---

Internet Explorers addon Shockwave Flash vs.3 found to be linking to the FormSpy website hosted at IP address 81.95.109.11 and installing FOrmSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers. VBS/Psyme can be deleted proactively in Internet Explorer (IE). This is a detection for a malware that was discovered in the wild on July 24, 2009 (PST). Its installer was proactively detected as New Malware.ag (now Downloader-AXM). This addon tries to send your private information to attackers IP 72.95.109.11 (Malaysia)

---

quote:

---

"Windows Meta File Vulnerability - Vulnerability"
"The vulnerability itself is regarded as extremely critical (the highest possible rating). As yet, there is no patch for this vulnerability. Exploit this vulnerability are Trojan-Downloaders, which install other Trojan programs on the victim machine. At the moment, Trojan programs are being downloaded from unionseek.com and iframeurl.biz. New modifications of these programs may appear".

---