katarina

join:2003-09-07
Houston, TX

winxp-antivir-on-line-scan

Clicking on a Google search result took me to the following site instead of the expected site.

hxxp://winxp-antivir-online-scan.com/1/?id=20586

There was not a peep from either Avast or Windows Defender. I disconnected from the internet and ended the tasks from task manager.

Should there have been some type of notice from one or the other when it "appeared" that my system was being scanned?

XP Home SP2
IE 7


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX


edit:
September 7th, @09:04PM

Not all AV software can detect fraudware site redirects, or their install attempts. And the scan attempts are always bogus, anyway.

And as long as you didn't click on anything, you're probably OK. There was likely a hijacked ad on the search results, or it could have been a spammed or fake blog that matched on the search results. Best thing to do when one of these comes up is to use the Task Manager to kill IE.

A hosts file will prevent many of these redirects, while using Firefox with NoScript will stop nearly all of them. Just in case something does get installed, Malwarebytes Anti-Malware seems to do a good job at removing these.

What site did you click on the Google search? If you could, post the URL as hxxp...etc like the other one.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

katarina

join:2003-09-07
Houston, TX


edit:
September 7th, @09:30PM

Search for "davieshardware"

Hudson Valley Commercial Hardware - Davies Hardware
Supplier of commercial, industrial architectural and residential hardware. Serving Dutchess and surrounding counties for over 100 years.
xxx.davieshardware.com/ - 10k - Cached - Similar pages

Edit: You have to actually click on the link from the Google Search results to make it happen. If you type the address in the IE address bar, you arrive at the proper site.

katarina

join:2003-09-07
Houston, TX


edit:
September 8th, @03:46AM

reply to Doctor Four
said by Doctor Four:

... while using Firefox with NoScript will stop nearly all of them.

Just in case something does get installed, Malwarebytes Anti-Malware seems to do a good job at removing these.

I was looking at NoScript today. I just haven't done it yet. I was also looking for Malwarebytes but was looking for a link to a valid download site. I'm always afraid that when I search with Google for security software that a copycat site will lead me astray and I will land in the wrong place and download the wrong thing.

edit: for clarification

mysec
Premium
join:2005-11-29

reply to katarina
At least this exploit is not remote code execution, and brings up the File Download Box:




said by katarina:

Edit: You have to actually click on the link from the Google Search results to make it happen. If you type the address in the IE address bar, you arrive at the proper site.

This is reminiscent of the Google Referer exploit from last summer. In that one, the exploit worked by remote code execution: no download prompt. See here for an analysis.

www.urs2.net/rsj/computing/tests/redirect

---


Millenniumle

join:2007-11-11
Fredonia, NY

edit:
September 7th, @10:21PM

If you load Davies Hardware directly, then use the Google link, Davies loads instead of the bogus site.

XP Pro IE6 SP3, scripts disabled.

therube

join:2004-11-11
Randallstown, MD

reply to katarina
Why?

It is not Google, because you can get the same results if you perform the search on Yahoo & open the site from there.

So if it is not Google & not Yahoo, then what?

And why is it that (sometimes) only the first time you attempt it, you are redirected.

davies has to be hacked, doesn't it?
Perhaps from a "gif"? Perhaps dealing with this line, onLoad="MM_preloadImages('images/sales_off-over.gif', ...

There are also various "MM" functions, like, function MM_preloadImages(). Their usage (in general, I don't know about on this site) appear legit.

That part of the code is run by JavaScript.

But you are redirected in SeaMonkey with NoScript blocking JavaScript, so that makes me believe it has something to do with the onLoad & a "gif"?


ravencajun
Premium
join:2004-08-12
Wylie, TX


edit:
September 9th, @02:47AM

reply to katarina
you wanted the link to malwarebytes?

[Mod Note: Removed! No .exes! Posting Rules - Security ]

edit: Oops, I am so sorry. I grabbed the direct link instead of the site link, which is what I meant to post. Was definitely a mistake on my part.

mysec
Premium
join:2005-11-29

reply to therube
said by therube:

Yes, it can be exploited in other search engines. See

clsc.net/research/google-302-page-hijack.htm


Its a Secret
Rabidly yours
Premium
join:2008-02-23
Kelowna, BC
reply to katarina
Was this from a 'sponsored' link, or a regular link? That may provide another clue...
--
"In the future, that which is not mandatory will be illegal"

therube

join:2004-11-11
Randallstown, MD


edit:
September 8th, @12:36AM

reply to therube
Maybe someone can make sense of this.
And as I thought, you are going to davies, but then sent to malware site.



Its a Secret
Rabidly yours
Premium
join:2008-02-23
Kelowna, BC


edit:
September 8th, @12:02AM

It looks to me like the referrer link has been encrypted/scrambled so you can't see where it's pointed to. I may be wrong, but I don't think so.

Opinions on this?

PS - I used to use code like this to protect my private js from being nicked.
--
"In the future, that which is not mandatory will be illegal"

therube

join:2004-11-11
Randallstown, MD
reply to mysec
I'm not finished reading it yet, but it appears that we should see discrepancy in the listed search engine (green) URL & the actual website URL? But in this case, they are the same?

therube

join:2004-11-11
Randallstown, MD


edit:
September 8th, @12:28AM

Ok, looks like it is going to be related to the search engine?

I manually open up davies.
I click the Product Line link, the product.html page opens.

I manually open up davies.
I manually change the URL line to read davies/product.html (but do not press return).
I spoof the referrer to search.yahoo.com/.
The malware page opens.

Note that many times, after first doing this, it is not repeatable.

therube

join:2004-11-11
Randallstown, MD


edit:
September 8th, @12:56AM

www.msn.com/ works too.

So by using a spoofer, simply by setting the URL & the Referrer, I can get the malware site to load.


I've tried a number of other "likely" search engines as the referrer (including www.live.com & ask.com) but only Google, Yahoo, & MSN seem to make it click.

Now, mysec's link mentions 302's & so do my captures, HTTP/1.x 302 Found.

Note that /cache/ or cookies may have an effect on what you see or don't see. Like if a page is in /cache/ & I resend the spoof, I can't capture it again, until I clear /cache/.

(I see a "koma3504" to the left of this post. Does anyone else? What does it mean?)
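therube's two posts above amount to a manual cloaking test: request the same page with and without a search-engine Referer, do not follow redirects, and see which request gets the 302. The following is an added example (Python; not code from this thread, from davieshardware.com, or from the redirect kit) that models the injected server-side behaviour as therube describes it and automates the probe. The CompromisedSite class, its once-per-client bookkeeping, the probe client ids and the demo hostnames are assumptions; the landing URL is the one quoted later in the thread.

```python
"""Referrer-conditional ("cloaked") 302 redirect: a model of the injected
server-side logic plus a probe that detects it.

Added example for this thread; it is not code from the page or from any
site discussed in it. CompromisedSite is an assumption modelled on what
therube observed (redirect only when the Referer is a Google, Yahoo or MSN
URL, often only once per visitor); the client ids are invented for the demo.
"""
import http.client
import re
from typing import Callable, Dict, Optional, Sequence, Tuple
from urllib.parse import urlsplit

# Referer values that trigger the redirect in the model (assumption).
TRIGGER_REFERERS = re.compile(
    r"^https?://(?:[\w.-]+\.)?(?:google|yahoo|msn)\.com(?:/|$)", re.I)
# Landing URL quoted in the thread.
LANDING = "http://87.248.180.90/in.html?s=ipw2"

Response = Tuple[int, Dict[str, str], bytes]
Fetch = Callable[[str, Dict[str, str], str], Response]


class CompromisedSite:
    """Hypothetical injected handler on a hijacked page (assumption)."""

    def __init__(self, once_per_client: bool = True) -> None:
        self.once_per_client = once_per_client
        self.seen: set = set()  # client ids that already got the redirect

    def handle(self, path: str, headers: Dict[str, str], client_id: str) -> Response:
        referer = headers.get("Referer", "")
        already = self.once_per_client and client_id in self.seen
        if TRIGGER_REFERERS.match(referer) and not already:
            self.seen.add(client_id)
            return 302, {"Location": LANDING}, b""
        return 200, {"Content-Type": "text/html"}, b"<html>Davies Hardware</html>"


def probe_cloaking(fetch: Fetch, path: str, referers: Sequence[str],
                   client_prefix: str = "probe") -> Dict[str, Optional[str]]:
    """Request `path` once per Referer, never following redirects, with a
    fresh client identity per request so one-shot logic cannot mask later
    probes. Returns {referer: Location header, or None if content was served}."""
    results: Dict[str, Optional[str]] = {}
    for i, ref in enumerate(referers):
        headers = {"Referer": ref} if ref else {}
        status, resp_headers, _ = fetch(path, headers, f"{client_prefix}-{i}")
        results[ref or "<none>"] = (resp_headers.get("Location")
                                    if 300 <= status < 400 else None)
    return results


def is_cloaked(results: Dict[str, Optional[str]], site_host: str) -> bool:
    """Cloaking signature: the bare request is served normally, but at least
    one Referer yields a redirect to a different host."""
    if results.get("<none>") is not None:
        return False
    return any(loc is not None and urlsplit(loc).hostname != site_host
               for loc in results.values())


def live_fetcher(host: str) -> Fetch:
    """Fetch from a real host without following redirects (http.client
    never follows them). Not used by the offline demo below."""
    def fetch(path: str, headers: Dict[str, str], _client_id: str) -> Response:
        conn = http.client.HTTPConnection(host, timeout=10)
        conn.request("GET", path, headers={"Host": host, **headers})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status, dict(resp.getheaders()), body
    return fetch


if __name__ == "__main__":
    site = CompromisedSite()
    found = probe_cloaking(site.handle, "/product.html", [
        "", "http://www.google.com/search?q=davieshardware",
        "http://search.yahoo.com/", "http://www.ask.com/"])
    for ref, loc in found.items():
        print(f"{ref:50} -> {loc or 'served page'}")
    print("cloaked:", is_cloaked(found, "www.davieshardware.com"))
```

Using a fresh client identity per probe is the part that matters in practice: as therube found, these kits often serve the redirect only once per visitor, so a second request from the same client looks clean. live_fetcher builds on http.client, which never follows redirects, so the Location header is recorded rather than acted on.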

mysec
Premium
join:2005-11-29

reply to therube
said by therube:

Maybe someone can make sense of this.
And as I thought, you are going to davies, but then sent to malware site.

Yes, just like the old Google exploit. Here are the firewall alerts:

First, to google search:




Then clicking on the link to davieshardware.com:





Then a page 302 error redirects to the site that calls out for the WinAntiVir files. From therube's code:

hxxp://87.248.180.90/in.html?s=ipw2




WhoIS:


said by Its a Secret:

It looks to me like the referrer link has been encrypted/ scrambled so you can't see where it's pointed to. I may be wrong, but I don't think so.
Probably - I don't see a URL in therube's code but the firewall shows:




WhoIS:


Not much info - can someone else search for this?

Now we are at the cleverest part of the exploit because no html page is cached in IE. (I cannot get the exploit to run in Opera).

Only the .gif files and the .js files are cached which do the work:




If you look at the screen after everything is loaded, it is a series of .gif files but no html file and no source code.

But if I load directly into the browser:

hxxp://87.248.180.90/in.html?s=ipw2

I get the html file and can watch the code loading everything (thanks therube for getting that URL):


Now, can someone explain how these images are loaded onto my browser screen and there is no html file cached?

---


Its a Secret
Rabidly yours
Premium
join:2008-02-23
Kelowna, BC

said by mysec:

Now, can someone explain how these images are loaded onto my browser screen and there is no html file cached?
It may be here in the code:
HTTP/1.x 200 OK
Date: Mon, 08 Sep 2008 03:46:27 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
----------------------------------------------------------
--
"In the future, that which is not mandatory will be illegal"
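mysec's firewall trace and the Cache-Control headers Its a Secret posted together explain why nothing turned up in the IE cache: the hop that matters answers with no-store, so the only record of it is the capture itself. The following is an added example (Python; not code from the thread) that rebuilds the redirect chain from a request/response log, checks that each hop is actually reachable from the previous one, and lists the hops a browser cache cannot be expected to hold. CAPTURE is constructed to mimic the chain described above, with the hosts taken from the thread; the paths of the first and last hop and the last hop's position are assumptions.

```python
"""Rebuild a redirect chain from a proxy/firewall capture and flag the hops
the browser will not have cached.

Added example for this thread, not code from the page. CAPTURE is a
constructed request/response log that mimics the chain mysec and therube
describe (search engine -> davieshardware.com -> 302 -> in.html -> fake
scanner page); the first and last hop's paths and ordering are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit

# Constructed capture: (raw request head, raw response head) per exchange.
CAPTURE = [
    ("GET /search?q=davieshardware HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("GET / HTTP/1.1\r\nHost: www.davieshardware.com\r\n"
     "Referer: http://www.google.com/search?q=davieshardware\r\n\r\n",
     "HTTP/1.1 302 Found\r\nLocation: http://87.248.180.90/in.html?s=ipw2\r\n\r\n"),
    ("GET /in.html?s=ipw2 HTTP/1.1\r\nHost: 87.248.180.90\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: Apache/1.3.41 (Unix) PHP/5.2.6\r\n"
     "Cache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\n"
     "Content-Type: text/html\r\n\r\n"),
    ("GET /1/?id=20586 HTTP/1.1\r\nHost: winxp-antivir-online-scan.com\r\n"
     "Referer: http://87.248.180.90/in.html?s=ipw2\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]


@dataclass
class Hop:
    url: str
    status: int
    referer: Optional[str]
    location: Optional[str]
    cacheable: bool


def parse_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP message head into its start line and a header map with
    lower-cased names (header names are case-insensitive)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def build_chain(capture: Sequence[Tuple[str, str]]) -> List[Hop]:
    """One Hop per exchange, in capture order."""
    hops: List[Hop] = []
    for raw_req, raw_resp in capture:
        req_line, req_h = parse_head(raw_req)
        _method, path, _version = req_line.split(" ", 2)
        status_line, resp_h = parse_head(raw_resp)
        status = int(status_line.split(" ", 2)[1])
        # no-store is the directive that keeps a response out of the disk cache
        cacheable = "no-store" not in resp_h.get("cache-control", "").lower()
        hops.append(Hop(url=f"http://{req_h.get('host', '')}{path}",
                        status=status, referer=req_h.get("referer"),
                        location=resp_h.get("location"), cacheable=cacheable))
    return hops


def chain_consistent(chain: Sequence[Hop]) -> bool:
    """Each hop must follow from the one before it: it is the target of the
    previous Location, or it carries the previous URL as its Referer."""
    for prev, cur in zip(chain, chain[1:]):
        if cur.url != prev.location and cur.referer != prev.url:
            return False
    return True


def offsite_redirects(chain: Sequence[Hop]) -> List[Tuple[str, str]]:
    """(from_host, to_host) for every 3xx whose Location leaves the host."""
    out = []
    for hop in chain:
        if 300 <= hop.status < 400 and hop.location:
            src, dst = urlsplit(hop.url).hostname, urlsplit(hop.location).hostname
            if src != dst:
                out.append((src, dst))
    return out


def uncached_hops(chain: Sequence[Hop]) -> List[str]:
    """URLs that a browser cache will not hold; recover them from the capture."""
    return [h.url for h in chain if not h.cacheable]


if __name__ == "__main__":
    chain = build_chain(CAPTURE)
    for hop in chain:
        print(hop.status, hop.url, "->", hop.location or "", "" if hop.cacheable else "[no-store]")
    print("consistent:", chain_consistent(chain))
    print("off-site redirects:", offsite_redirects(chain))
    print("not in browser cache:", uncached_hops(chain))
```

The practical point is the last list: a page served with no-store leaves only its sub-resources (the .gif and .js files mysec found) on disk, so the HTML that wired them together has to be pulled from a proxy capture or refetched directly, as mysec did with the in.html URL.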

mysec
Premium
join:2005-11-29
Thanks -- very clever in covering tracks, don't you think?

Another thing - why doesn't the last URL 66.232.126.192 appear in that code?


---


Its a Secret
Rabidly yours
Premium
join:2008-02-23
Kelowna, BC


edit:
September 8th, @01:21AM

said by mysec:

Another thing - why doesn't the last URL 66.232.126.192 appear in that code?
Maybe why? It looks like it self-refers to the doc (page) in question...maybe?


if(self.parent.frames.length!=0){self.parent.location=document.location}

--
"In the future, that which is not mandatory will be illegal"

therube

join:2004-11-11
Randallstown, MD


edit:
September 8th, @01:21AM

reply to mysec
Two shots, one direct, one spoofed.
-
Tuesday, 02-Dec 09:58:30 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 9 years online! © 1999-2008 dslreports.com.