mysec
Premium
join:2005-11-29
kudos:4

reply to HowDoesItWork

Re: foxnews.com infected?

The fake antivirus exploit prompts for a download in IE, Opera, and Firefox because the download is an executable file for which these browsers prompt by default. I showed Opera in a previous post. Here are IE and Firefox:

[screenshots: IE and Firefox download prompts]

The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

[screenshot: firewall prompt showing Acrobat Reader connecting out]

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask".

Opera:

[screenshot: Opera file type setting]

Firefox:

[screenshot: Firefox file type setting]
----
rich
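An added detection example (not code from this thread or from any product it mentions): it scans personal-firewall-style log lines and flags a document or media plugin process, such as Acrobat Reader, opening its own outbound web connection to a public address, which is exactly the prompt mysec's screenshot showed and MGD quotes later in the thread. The log line format, the process names and the sample lines are assumptions constructed for the example; only the plathost.ru entry mirrors a value from the thread.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed line format for this example (not any real firewall product's syntax):
#   <time> <process> -> <hostname> [<ip>]:<port> <verdict>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) -> (?P<host>\S+) \[(?P<ip>[\d.]+)\]:(?P<port>\d+) (?P<verdict>\w+)$"
)

# Document/media plugin processes (assumed names): they render what the browser hands
# them and have no reason to open their own HTTP connection to an arbitrary public host.
PLUGIN_PROCESSES = {"acrord32.exe", "acrobat.exe", "realplay.exe", "quicktimeplayer.exe"}
WEB_PORTS = {80, 443, 8080}

def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; None when the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event

def is_plugin_callout(event: dict) -> bool:
    """True when a plugin process opens an outbound web connection to a public address,
    the pattern of the Adobe Reader prompt in mysec's screenshot (plathost.ru, port 80)."""
    try:
        ip = ipaddress.ip_address(event["ip"])
    except ValueError:
        return False
    return (event["proc"].lower() in PLUGIN_PROCESSES
            and event["port"] in WEB_PORTS
            and ip.is_global)  # private, loopback and reserved ranges are not flagged

def scan(lines: Iterable[str]) -> List[str]:
    """Return 'process -> host:port' for every suspicious line; unparsable lines are skipped."""
    return [f"{e['proc']} -> {e['host']}:{e['port']}"
            for e in map(parse_line, lines) if e and is_plugin_callout(e)]

# Constructed sample log. The plathost.ru entry mirrors the prompt quoted in this thread;
# the other hosts and addresses are documentation-range placeholders.
SAMPLE_LOG = [
    "12:01:05 firefox.exe -> news.example.com [203.0.113.10]:80 allowed",
    "12:01:07 AcroRd32.exe -> plathost.ru [78.109.25.217]:80 asked",
    "12:01:09 AcroRd32.exe -> printsrv.corp.example [10.0.0.20]:80 allowed",
    "12:02:00 opera.exe -> update.example.net [203.0.113.11]:443 443 allowed".replace("443 443", "443"),
    "this line is not in the expected format",
]
```

Calling scan(SAMPLE_LOG) returns only the plathost.ru entry; the browser connections and the Reader connection to a private print server are left alone.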


Airborne29th

join:2008-10-20
Staunton, VA

Has this been cleaned? I've gone all through foxnews on our test computer to see if our antivirus will catch it, and nothing is coming up. Either that or it's silently being stopped; tried with Adblock Plus and without, IE and Firefox.

bobince

join:2002-04-19
DE
reply to mysec
quote:
Be sure and configure your file types to Prompt for Download, or "Always Ask"
You can also disable the plugin for all browsers from Reader's “Edit->Preferences->Internet->Display PDF in browser” option, or use a different PDF reader that doesn't install a plugin. (Who wants to read a PDF stuck inside a browser window anyway?)

As always, if you aren't using a plugin, remove it, and you'll reduce the attack surface of your browser and the number of things you have to worry about keeping updated. Do you really need PDF, Java, QuickTime and Real plugins? Probably not.


HowDoesItWork

@dhcp.inet.fi
reply to mysec
quote:
The fake antivirus exploit prompts for a download in IE, Opera, and Firefox because the download is an executable file for which these browsers prompt by default. I showed Opera in a previous post.
Ok, so there is a download prompt and you get a chance to cancel the whole thing, in those cases where it attempts to make you download an exe file instead of serving a browser or plugin exploit. That is good news.

quote:
The other exploits I found are automatically triggered (drive-by download):

IE exploits against the browser as I showed in the previous post.

PDF exploit in Firefox. This is from a previous exploit. Note that it is Acrobat calling out for the trojan and not Firefox:

Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"
Ok, so the actual drive-by downloads (no user consent required) of this badware are based on exploits in either the browser or some other related program like PDF viewers, as usual. And the PDF exploits you can stop just by having the browser prompt for download of pdf files instead of opening them in the proper program, or even just by not giving the PDF viewer permission to go online when your firewall prompts for it. Good news, again!

Thanks for all the advice, guys, I think I understand how this thing operates now. If I got it right, this thing is not a threat as long as you
- have your browser set to prompt for download for exes, pdfs etc instead of having the browser run them at once, and cancel any suspicious, unwanted downloads, and
- have a fully patched browser that isn't vulnerable to the browser exploits this thing tries, such as the latest Opera version.

Or in other words, it's a pretty basic baddie. Sounds like I'm good to go, and have nothing to worry about this malware. It should be easy to avoid this thing: just keep the browser patched (and preferably use Opera) and have it set to prompt for downloading stuff, or disable all the pointless plugins we don't need like Adobe Reader etc.

Still, Foxnews should get their ads cleaned right the F now. It's inexcusable for a big outfit like that to serve crapware via ads. I wonder if a popup blocker would help against these things.

MGD
Premium,MVM
join:2002-07-31
kudos:9
reply to mysec
said by mysec:

....
Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"
..
----
rich
Great write up !

I was particularly interested in this drive-by:

quote:
[Adobe Reader 6.0 from your computer wants to
connect to plathost.ru [78.109.25.217], port 80]

as that location has come to my attention on several occasions.

IP 78.109.25.217

appears to be hosting 3 domains: »whois.domaintools.com/78.109.25.217

1. Nevervhudo.ru »whois.domaintools.com/nevervhudo.ru

2. Socksps.ru »whois.domaintools.com/Socksps.ru

3. Stopgam.cn »whois.domaintools.com/Stopgam.cn

Due to the name, Socksps.ru aroused some curiosity; however, the main page only offers a log in:

[screenshot: Socksps.ru login page]

If one can overcome that restriction, an account holder can purchase the use of compromised machines around the globe to use as a secure proxy:

[screenshot: Socksps.ru purchase page]

This may be where some of the compromised victim machines are leveraged for additional income:

The master list of available-for-rent machines is several pages long:

[screenshot: list of machines for rent]

You can sort the available hijacked machines by country, and then buy access, daily or monthly, to mask your true origin for any nefarious purpose:

USA:

[screenshot]

UK:

[screenshot]

Iran:

[screenshot]

Note the banner ad for "carding Conference" at cashing.cc:

This may be where the compromised extracted financial data ends up for sale:

[screenshot: cashing.cc banner]

It appears that the only way to obtain a log in account in order to use the services of Socksps.ru is to contact ICQ 431278403.

Or you can respond directly to his promotion on forum.zloy.org, a cyber criminals' one-stop shop for carding, hacking exploits, money transfers, banking etc.

His translated ad posting on forum.zloy.org for Socksps.ru services is here:

[screenshot: translated forum posting]

The main zloy.org page is translated here:

[screenshot: translated zloy.org main page]
MGD