 calathea
join:2001-12-29 Corvallis, OR
·Comcast Formerly ..
·Earthlink TrueVoice
edit: September 4th, @12:53AM
| Trojan Win32.Agent.pz from Stoneybrook Assisted Living site
FYI,
I went to the website of a national chain of assisted living facilities; the URL was www.seniorlivinginstyle.com/community/stoneybrook.html.
On my home PC I clicked on a "coupon" and it tried to download a trojan onto my PC. The combination of Spybot TeaTimer and ZoneAlarm Antivirus prevented it from installing. It launched an installer but I canceled it.
At work today I called the Stoneybrook in my town and let them know that their web page was hijacked. I went to the main site again, thinking I would just navigate part way to where the link was that I clicked so they would know approximately where it was, and ran into a trojan again! Unfortunately my work PC is running Symantec Endpoint Protection and it did not prevent an infection. My work PC is going to have to be reimaged and cost days of delay to my project.
More details: Virus named by SpyBot: Win32.Agent.pz
Processes that take up 100% of my CPU until I kill them: logWatnt.exe uphclean.exe
I have also tried scanning with Trend Micro Housecall and SuperAntiSpyware. I found a post where it said to remove ntos.exe from the Windows/System32 directory by booting from a Windows cd and deleting the file outside of windows, but that file is not there on my PC.
I am not asking for help from this forum but wanted to pass on the info and express my sadness that hackers will even prey on the frail elderly. How low can you get. |
|
 therube
join:2004-11-11 Randallstown, MD
edit: September 4th, @12:25AM
| Google says, Diagnostic page for w ww.bayoupc.net/stoneybrook/.
Presumably if you went there using Firefox 3 or Google Chrome you would have been alerted ahead of time.
Sad that endpoint misses it. Sad that these sites are open to infection/injection.
One of the decoder guys should be able to figure out what this does? (code removed due to false positives)
I'm not sure what to make of it. I couldn't seem to make it load anything malicious, but then I'm not totally sure what the code is trying to do?
BTW, the code is located (physically) at the very bottom of their webpage. |
|
 calathea
join:2001-12-29 Corvallis, OR
| reply to calathea Thank you for your comment, therube
The website was www.seniorlivinginstyle.com/community/stoneybrook.html |
|
 therube
join:2004-11-11 Randallstown, MD
edit: September 4th, @12:41AM
| heh, in that case, it is not the only site, cause the one I looked at was a different one. |
|
 therube
join:2004-11-11 Randallstown, MD
edit: September 4th, @01:06AM
| Similar, Question about HTML/Framer.Z.
And these: »www.google.com/safebrowsing/diag···.232.33/ »www.siteadvisor.com/sites/58.65.···=1084540 »safeweb.norton.com/report/show?u···&x=0&y=0 |
|
 Craig08
join:2008-03-31 .
edit: September 4th, @01:28AM
| reply to therube said by calathea : Thank you for your comment, therube The website was www.seniorlivinginstyle.com/community/stoneybrook.html Nah, it's ok, I went there and saw the coupon. I got a heuristics alert from my AV, but I run it with the highest settings. I uploaded the file to VirusTotal and it isn't flagged by any other AV except Antivir & Webwasher (heuristic). Code looks ok |
|
 zteardrop
join:2005-12-20 Brooklyn, NY
| I get a "MSIE ADODB.Stream Object File Installation Weakness" alert from NIS. That just goes to show that the VirusTotal site is not using the same scan engines as the real product. -- The official Norton Forum from Symantec: »community.norton.com/norton/ - where you really are allowed to say good things about Norton without getting banned !! |
|
Kayrac Premium join:2001-09-29 Lee, NH
| reply to calathea I can't find the iframe on that website at
so they musta cleaned it up :)
-Brian |
|
 calathea
join:2001-12-29 Corvallis, OR
·Comcast Formerly ..
·Earthlink TrueVoice
| The url I gave was not the exact link the trojan came from. I had gone further into the website and clicked on links. However I wasn't about to go in and try to find the same link again and risk infection.
I hope they cleaned up the website -- but will leave it to someone else to verify it. |
|
 mysec Premium join:2005-11-29
edit: September 5th, @03:06AM
| reply to therube
said by therube :I'm not sure what to make of it. I couldn't seem to make it load anything malicious, but then I'm not totally sure what the code is trying to do? The URL in the code you posted calls out to cache another file with URLs which in turn attempt to download a trojan. This method is typical of the SQL injected pages. Each of the URLs attempts to find a vulnerability. Here is what your URL caches:
The first attempts to download an executable:
 __________________________________________________
This is the page code that does the work. The code is obfuscated to help it avoid detection by AV. Note the error messages that the user sees - since these are remote code execution exploits which run in the background, the user would not suspect anything is wrong.
 __________________________________________________
The second URL also attempts to download an executable:
 ___________________________________________________
And the code - a Java exploit:
 ____________________________________________________
And the third:
 _____________________________________________________
If I let the file download, it is blocked when attempting to execute and has a different filename:
 _____________________________________________________
This is typical of many exploits. Here is the code (excerpts) - note:
--> the URL to download the executable
--> setting the new file name - gtkbiv.exe
--> setting the CLSID attribute
--> setting the Shell Object which will run the executable from %windir%
--> command to run gtkbiv.exe
Also, the error message which attempts to fool the user that nothing is happening.

_____________________________________________________
Here is a description of a typical exploit showing how the CLSID attributes are set to inject the malicious code into memory:
»www.viruslist.com/en/viruses/enc···21780349
I uploaded both counter.php and gtkbiv.exe to VT and they are the same file - classified by VT as another name:
»www.virustotal.com/analisis/fd88···c0c17f1b
_____________________________________________________________ Most of these remote code execution exploits download trojan executables, and thus are easily prevented with any type of execution prevention program, or Software Restriction Policies.
--- |
|
 Craig08
join:2008-03-31 .
moderated: September 4th, @04:31PM
| reply to calathea Whoa, well I'm seeing some completely different things today since i enabled java and went to hxxp://www.seniorlivinginstyle.com/community/stoneybrook.html. Would some of the resident pros around here check this for calathea ?

Ok, sorry about the image earlier. I'm now seeing a Java security certificate warning in Opera, plus a couple of other exploits I believe.
mod note: fixed image attachment |
|
 mysec Premium join:2005-11-29 | Can you elaborate/post screenshots as to what these couple of other exploits are?
--- |
|
 calathea
join:2001-12-29 Corvallis, OR
·Comcast Formerly ..
·Earthlink TrueVoice
| reply to calathea This morning I booted up with the LAN cable disconnected and used task manager to kill logWatnt.exe and uphclean.exe before connecting to the internet. The machine was functional, except the digital badge had gotten corrupted. I installed a new digital badge (which worked) but it quit working after about 10 minutes. I need that to get to most of the websites at work
Then I reinstalled Symantec, because I had uninstalled it to run some other security software. It didn't show up on the taskbar so I rebooted. This trojan seems like it goes after Symantec.
This time (the second time I rebooted w/o a network connection) the task manager didn't work. There was an icon for it in the system tray but no dialog window. Symantec wouldn't launch at all. At this point I gave up and walked it down to support to be reimaged. |
|
 Craig08
join:2008-03-31 .
| Ok, on the testbed PC, I had an older version of Java 5.0 Update 15 but the latest Opera. So when I went there and clicked that coupon, I got a Java security alert with a security certificate that wanted to install. When I allowed the certificate to install, it was transferring data from hxxp://guidetosuccess.name, and immediately afterward Windows Security Center said the XP firewall was turned off... Still not sure of everything that's going on, but maybe someone can take it from there. Was going to get the rest of the screenshots but I'm not seeing this every time. |
|
 therube
join:2004-11-11 Randallstown, MD | reply to calathea Yet another detailing, Bitten by an iframe downloader virus.
They hint at a correlation to IPower (web hosting). |
|
 therube
join:2004-11-11 Randallstown, MD
| reply to mysec Thanks for the detailed explanation.
But how are you coming up with that information?
index.php I have no problem with. And from there I can see the 3 other iframe links.
But thats about where it ends for me.
I can open each of those 3 pages & see, well basically nothing?
I'm not seeing anything JavaScript nor Java related, no code, other than the bogus "404" like messages.
Nothing of substance seems to be ending up in my SeaMonkey /cache/.
Does this rely on IE from the onset? And if you're not running IE, you're not seeing this content that you're coming up with?
If I go to w ww.bayoupc.net/ stoneybrook/ using SeaMonkey, disable Adblock Plus, allow scripts globally in NoScript, refresh the page, & nothing happens?
It does, doesn't it. It's IE isn't it!
I go there in IE, I get a popup that the page uses Java. (I don't have Java.) I hear disk activity. The notification bar shows, Microsoft Data Access - Remote Data Services Dat.... 'from 'Microsoft Corporation'.
TIF has various .HTM files. Talk of ActiveX & Java & your BaaaaBaa.class & ...
It requires IE!?
eScan (anti-virus) finds a number of goodies:
(I really shouldn't mess with such things. I know about zilch of IE. Sure hope Sandboxie works.) |
|
 mysec Premium join:2005-11-29
edit: September 5th, @12:24AM
| said by therube :Thanks for the detailed explanation. But how are you coming up with that information?... I'm not seeing anything JavaScript nor Java related, no code, other then the bogus "404" like messages. Does this rely on IE from the onset? And if you're not running IE, you're not seeing this content that you're coming up with? If I go to w ww.bayoupc.net/ stoneybrook/ using SeaMonkey, disable Adblock Plus, allow scripts globally in NoScript, refresh the page, & nothing happens? It does, doesn't it. It's IE isn't it!... It requires IE!? You guessed it!
The code reveals the secrets. For example, in the counter.php page the CLSID
refers to the Microsoft Data Access Components (MDAC) exploit MS06-014. Also known as ADODB.Stream Object exploit.
Sometimes the numbers are separated as segments:
or heavily obfuscated in hopes it will bypass AV protection.
This exploit is widely flagged by AV as zteardrop showed from his NIS alert so that the page is prevented from loading/executing code if the AV is on the ball. Also, if the user's IE is patched, nothing runs.
Think of this: MS06-014 is two years patched, yet this exploit is still very successful since it appears in many examples of malware. What does that tell you about security for the average user? No wonder the botnets have millions of compromised computers at their disposal!
Another CLSID identified a Java exploit.
said by therube :(I really shouldn't mess with such things. I know about zilch of IE. Sure hope Sandboxie works.) It should work from what I've seen tested at Wilders.
Many of the IE exploits exploit ActiveX vulnerabilities.
--- |
|
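As an added example (not code from the thread or from any of its posters), the scan below looks for the tell-tale indicators mysec describes in a page's source: the CLSID of the RDS.DataSpace control abused by MS06-014, the ADODB.Stream and Shell.Application ProgIDs, an .exe name and %windir%. Before searching it peels the obfuscation layers such pages typically stack on top (percent-encoding as used by JS unescape(), \x and \u escapes, String.fromCharCode lists, and "AB" + "CD" split strings), repeating until nothing changes. The two CLSID values are the real ones for those COM objects; the sample pages, the indicator names and the function names are constructed for this example.

```python
import re
from html import unescape as html_unescape
from urllib.parse import unquote

# Real CLSIDs of the two COM objects in the MS06-014 chain. The RDS.DataSpace one
# is what an <object classid="clsid:..."> or createElement("object") call would
# carry on an exploit page; ADODB.Stream is what it is then used to instantiate.
CLSID_RDS_DATASPACE = "BD96C556-65A3-11D0-983A-00C04FC29E36"
CLSID_ADODB_STREAM = "00000566-0000-0010-8000-00AA006D2EA4"

INDICATORS = {
    "clsid_rds_dataspace_ms06_014": re.compile(CLSID_RDS_DATASPACE, re.I),
    "clsid_adodb_stream": re.compile(CLSID_ADODB_STREAM, re.I),
    "progid_adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "progid_shell_application": re.compile(r"Shell\.Application", re.I),
    "exe_drop": re.compile(r"\b[\w-]+\.exe\b", re.I),
    "windir_path": re.compile(r"%windir%", re.I),
}

# Obfuscation layers that are undone before matching.
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]*)\)")
STR_CONCAT = re.compile(r"""["']\s*\+\s*["']""")   # "AB" + "CD"  ->  "ABCD"


def _codes_to_text(code_list: str) -> str:
    """Turn the argument list of String.fromCharCode(...) into characters."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", code_list) if int(n) <= 0x10FFFF)


def normalize(text: str, max_rounds: int = 4) -> str:
    """Peel obfuscation layers until the text stops changing (or max_rounds)."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)                       # %41 -> A (what JS unescape() does)
        text = html_unescape(text)                 # &#65; / &lt; -> A / <
        text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = FROM_CHAR_CODE.sub(lambda m: _codes_to_text(m.group(1)), text)
        text = STR_CONCAT.sub("", text)            # join split string literals
        if text == before:
            break
    return text


def hits(page_source: str) -> list[str]:
    """Sorted names of the indicators present once the source is de-obfuscated."""
    text = normalize(page_source)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


# Constructed sample pages (not taken from the infected site).
SAMPLE_PLAIN = '<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="rds"></object>'
SAMPLE_SPLIT = ('var c = "BD96C" + "556-65A3-" + "11D0-983A-00C04FC29E36";'
                'var o = document.createElement("object"); o.setAttribute("classid", "clsid:" + c);'
                'var s = o.CreateObject("Shell.Application", ""); s.ShellExecute("gtkbiv.exe");')
SAMPLE_ESCAPED = ('document.write(unescape("%3Cobject%20classid%3D%22clsid%3ABD96C556%2D65A3'
                  '%2D11D0%2D983A%2D00C04FC29E36%22%3E%3C/object%3E"));')
SAMPLE_LAYERED = (r'var x = "\x41\x44\x4f\x44\x42\x2e\x53\x74\x72\x65\x61\x6d";'
                  'eval(unescape("String.fromCharCode%2883%2C104%2C101%2C108%2C108%2C46%2C65'
                  '%2C112%2C112%2C108%2C105%2C99%2C97%2C116%2C105%2C111%2C110%29"));')
SAMPLE_BENIGN = '<p>Welcome to Stoneybrook. <a href="coupon.html">Print your coupon</a></p>'

if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("split", SAMPLE_SPLIT),
                         ("escaped", SAMPLE_ESCAPED), ("layered", SAMPLE_LAYERED),
                         ("benign", SAMPLE_BENIGN)]:
        print(f"{name:8s} -> {hits(sample)}")
```

Run it against saved page source (view-source or a cache file) rather than a live page; the point of the repeated rounds is that a CLSID hidden inside a fromCharCode list that is itself percent-encoded still surfaces, which is the "segmented" and "heavily obfuscated" case mysec mentions. An AV signature that only matches the literal CLSID string misses exactly those variants.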
 mysec Premium join:2005-11-29
| reply to Craig08 said by Craig08 : Ok, on the testbed PC, I had an older version of Java 5.0 Update 15 but latest opera. So when I went there and clicked that coupon, I got a Java security alert with a security certificate that wanted to install. I got the same result using Opera. Nothing malicious attempted to download.
In IE, I don't get a Java security certificate alert, and nothing suspicious was cached. Just the usual advertising and cookies stuff.
--- |
|
 Craig08
join:2008-03-31 .
| I was able to pick up a couple files that are pretty much widely detected. »www.malwaredomainlist.com/mdl.ph···ess.name shows the Java file and this other one »virscan.org/report/003b47a99dd50···e7b.html
Not too knowledgeable about the certificates and how they work with IE./Opera |
|
 therube
join:2004-11-11 Randallstown, MD
edit: September 5th, @12:37AM
| reply to mysec Ok, good information. But I'm still confused.
How is it doing it?
I don't see CLSIDs or anything like that - at all - in SeaMonkey when I load the pages/look through the source ...
If it were JavaScript, I would see it in the page source, or at least a called reference to it, which generally I should be able to obtain the source of that called script. And with that, should be able to learn all the niceties that it accomplishes.
Is it like a server-side php script (not that I understand what that is) or something like that, something unknown to the client (me) that is differentiating between IE & SeaMonkey (Mozilla) browsers?
When it "sees" IE, it sees the easy mark & it goes about its business. When it sees SeaMonkey it simply says, not worth the trouble, don't bother.
If I spoof SeaMonkey's useragent, I changed it to Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1), THEN I do see, well 1 piece of trash ended up in my SeaMonkey /cache/ directory: (pic at top of post)
PHP
Server-side scripting |
|
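As an added example of the server-side behaviour therube describes (this is illustrative code, not the script that was on the compromised host), the WSGI app below serves the same URL with a hidden iframe only when the User-Agent header looks like Internet Explorer, and the probe fetches the page under several User-Agents and reports which one received extra iframes, which is the check therube performed by hand when spoofing SeaMonkey's UA. The app is called directly through wsgiref's testing helpers, so nothing touches the network; the iframe target, the page text and the SeaMonkey and Opera UA strings are constructed, and the MSIE 7.0 string is the one quoted in the thread.

```python
import re
from wsgiref.util import setup_testing_defaults

# Constructed marker standing in for the hidden iframe found at the bottom of the
# infected pages; the host is an example domain, not the real one.
INJECTED_IFRAME = ('<iframe src="http://counter.example/index.php" width="0" height="0" '
                   'frameborder="0"></iframe>')
CLEAN_PAGE = ('<html><body><h1>Stoneybrook</h1>'
              '<a href="coupon.html">Print coupon</a></body></html>')

# Hypothetical cloaking rule: only MSIE 5-8 visitors get the payload.
TARGET_UA = re.compile(r"MSIE\s+[5-8]\.")


def cloaked_app(environ, start_response):
    """WSGI stand-in for the attacker's server-side script: one URL, two bodies,
    chosen by the User-Agent request header."""
    body = CLEAN_PAGE
    if TARGET_UA.search(environ.get("HTTP_USER_AGENT", "")):
        body = CLEAN_PAGE.replace("</body>", INJECTED_IFRAME + "</body>")
    data = body.encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(data)))])
    return [data]


def fetch(app, user_agent: str) -> str:
    """Call the WSGI app in-process (no socket) with the given User-Agent."""
    environ = {}
    setup_testing_defaults(environ)
    environ["HTTP_USER_AGENT"] = user_agent

    def start_response(status, headers, exc_info=None):
        assert status.startswith("200"), status

    return b"".join(app(environ, start_response)).decode("utf-8")


IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)

USER_AGENTS = [  # constructed strings; the MSIE 7.0 one is the value therube spoofed
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 SeaMonkey/1.1.12",
    "Opera/9.52 (Windows NT 5.1; U; en)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
]


def probe(app, user_agents=USER_AGENTS) -> dict[str, list[str]]:
    """Request the same page under each User-Agent; list the iframe tags each got."""
    return {ua: IFRAME_TAG.findall(fetch(app, ua)) for ua in user_agents}


def cloaked_for(app, user_agents=USER_AGENTS) -> list[str]:
    """User-Agents that received iframes the other User-Agents did not."""
    results = probe(app, user_agents)
    common = set.intersection(*(set(frames) for frames in results.values()))
    return [ua for ua, frames in results.items() if set(frames) - common]


if __name__ == "__main__":
    for ua, frames in probe(cloaked_app).items():
        print(f"{ua[:40]:40s} -> {len(frames)} iframe(s)")
    print("cloaked for:", cloaked_for(cloaked_app))
```

Against a real site the same probe is a loop of HTTP requests with different User-Agent headers from a throwaway VM, comparing the bodies; a page whose bottom changes with the browser string, as therube saw once he switched SeaMonkey to the MSIE 7.0 UA, is the thing to hand to the hoster, since the difference is produced server-side and is invisible in the source a Mozilla browser fetches.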