ABC of how people easily get infected

Discussion in 'malware problems & news' started by CloneRanger, Jul 10, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Happens every day to countless numbers of people. This is just one example of the steps involved in this particular exploit. User interaction is required, but as you will see it wouldn't automatically ring alarm bells to lots of people, I imagine. Scripting is also needed, but for most people, it would already be running by default :(

    The site is what you might call, a little risque, so if you are offended by such things don't visit. And if you do at your own risk.


    stv.gif

    Click on ANY image, ample :D to choose from, blank fake player placeholder appears

    play.gif

    fl1a.gif

    fl2.gif

    Next post
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    exe.gif

    f-exe.gif

    If instead you click

    fl1b.gif

    Click ANY option

    says.gif

    You still get the nasty, no surprise there then :D

    Unfortunately, to the unsuspecting the update alert process etc, ALL looks very authentic :( and something they might well have seen on a legit Flash update www.

    flash_player.exe = Trojan.Win32.Ransom = VT Result = 22/41 (53.66%)

    Ransomware = Not good :mad:
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Whilst i was doing all this, i was using ShadowDefender.

    After I had finished taking all the screenies and posting the above, I tried to run flash_player.exe. ProcessGuard leapt in with allow/deny, clicked allow and my comp froze :eek: Did a hard reboot and all traces of my last session eliminated :)

    I doubt if that's what they intended to happen :D I'm not sure right now why the nasty didn't take hold? But that doesn't mean it wouldn't on another comp, maybe yours, or someone you know :(
     
  4. wat0114

    wat0114 Guest

    So there's people dumb enough to allow a foreign version of ADOBE FLASH on their machines :eek: ?
     
  5. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    played around w/ this file on Sandboxie :D no match at all, just click terminate all programs and voila!.... @CloneRanger ... the website link on your screenshots should have been removed. Somebody who thinks he is an expert might try this one and end up screwing himself. :)

    sandbox.PNG
     
    Last edited: Jul 11, 2010
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Who knows, maybe, but this is just an example of how things can happen that appear in EVERY way to be genuine! Imagine if it was in a person's local language and/or one they understand. I think lots of people could very well be taken in by it and/or something similar, in fact they do Every day in Large numbers :( Not many people on here of course, but out there, well that's a different matter.

    :thumb:

    They are NOT clickable :thumb: and neither are ALL the ones you included in your screenie :p
     
  7. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,671
    Location:
    Philippines
    Hey I went to the site and had a blast. ;)

    This is a quite common method to lure people in to downloading malware.
     
  8. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    :D ... if you have new ones mind sharing the fun w/ me? (PM the link if you would) Thanks. :D
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    One of the most common and easy to fall for infection vectors that most PC newcomers encounter= P2P borne installs/infections.

    So today I searched a random string(Topical string but random none the less) and oh my look at all these files that are returned on the search results.

    Now at this point take it for granted that if I had used another random search term or in fact a legitimate search term those very same files would be returned in the search results (albeit with the new string inserted in the file title) as that is how they are spammed.

    Limsey.jpg
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, Ade,

    Are all of those files infected with malware?


    thanks,

    ----
    rich
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi ya Rich,

    Of various descriptions...

    The Zips + Torrent are all sources for the installer executable for the Tracur botnet.

    The media files are a mix of Wimads exploits (prompts for file download of Tracur installer MZ under some phoney name) and License acquisition downloaders are mostly grabbing Mirar, PlayMP3z or Hotbar adware bundle installers.

    1 LA.jpg
    N2 LA.jpg

    Unfortunately as all victims find out after installing the file, there is no free media at the end of the trail. Just an annoying adware install that serves up ads around every 30-60 secs :(
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, Ade, for your continuing good work!

    So, do people using P2P have to scan everything before daring to install anything? This sounds like a nightmare!

    ----
    rich
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hey Rich here's another OMG moment for some vendors :eek:

    I fired up Limsey and searched "Codec" in all programs search.

    codecs.jpg

    Top results are 3 zips containing Tracur trojan as forecasted in my first post.

    The next group of zips, all around ~3500kb, all contain the IFrame$ bundle downloader = Yellow key icon executable that imports TDSS rooter, FraudPack ABC downloader, Hiloti and a backdoor bot that has password stealing capabilities.

    That's not the OMG part for me though, it's the next lot of executable files listed (~10000kb+) that knocked my socks off when I first found them.

    Limewire by operation will not list the same MD5 twice even if the files have different names, so each line represents one unique binary.

    Here goes then, I went to one of the 10,000kb executables listing and selected browse host, standard practice when hunting malware on P2P land :thumb:

    Spam directory.jpg

    Not sure if it's visible in the picture or not but when I took the screenshot the number of executable files on that host had exceeded 30000 but was still rising.

    A quick look through the directory confirms that they are all related to the ones seen under the Codec search but now we have shedloads of different search terms seeded. 30,000 unique trojan binaries = why P2P is a high risk practice unless folks are clued up as to what they are doing :thumb:
     
    Last edited: Jul 15, 2010
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I didn't think many people used closed programs such as LimeWire anymore. Haven't most people moved on to acquiring "trusted" torrents from either private websites or public websites that have a large userbase that comment on nearly every torrent uploaded?

    Thanks.
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    To be honest Rich,

    No executable should be trusted from P2P land whether downloaded intentionally or imported by a media file. The risks outweigh the gains by a country mile.

    The PlayMp3 installer had 11/42 hits at VT just now and the 2 biggest AV companies on the web and their alleged 100's of researchers just failed.

    I then uploaded one of the large executables to VT and got 17/42 hits (Mostly heuristic detections and only a couple positive identifications).

    That is the lay of the land today but I have seen 1000's of new malware binaries from the P2P land over the years either have none or dismal detections when sent to VT...
     
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Some have migrated onto such practices whereas others stay with what they know/have known.

    Reputation based downloads is one way of reducing risks but that said even reputation ratings can be manipulated so all risks are not mitigated.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Fascinating! Thanks for the explanations.

    rich
     
  18. wat0114

    wat0114 Guest

    Maybe these people don't care because they can reformat and reinstall Windows again (this procedure because they probably know squat about imaging/restore software and anyway couldn't be bothered with the time it takes. Their out of date Nortons (sic) will save their butts ...LOL). Oh well, they will for sure get their movies, games, music and any codecs they need eventually, even if it takes getting slaughtered by a few malware files along the way. Heck, they can't be expected to tame all that adrenalin :p The way I perceive it, there are safe (within reason) p2p sites just as there are safe porn sites. It takes a bit of moxie is all to spot them :D
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    LimeWire is still used by lots of people I come across, and that's mainly, but not everywhere, they get blasted from.

    In nearly every case I've seen, it's usually teenagers looking for pirated music/films/apps/scr's etc. Serves them right :D Trouble is, a lot of them don't learn, or want to, thinking they were just unlucky those times, and next time will be different. Not :D

    *

    By the way, the www is still up and offering a nasty as a Flash update :(

    *

    @fcukdat

    Thanks for the extra info and screenies :thumb:
     
  20. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,671
    Location:
    Philippines
    WOW, this turned into an enlightening and educational thread.

    Amazingly I have several friends who download from "trusted" P2P and never scan. Then they spend days clearing up an infection; the kicker is nothing learned in the process. They go right back to their old habits.
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Here's an example of a perfectly legit www that has been compromised with a nasty, and according to MDL it's a Zeus v3 trojan :eek:

    un1.gif

    There is a file called ban00.jpg on there which is associated in some way with an .exe file.

    I didn't get to DL the actual .exe but did grab the code - MZ@!L!This program cannot be run in DOS mode etc etc

    virscan.org Scanner results : 39% Scanner(s) (14/36) found malware!

    I presume the ban00.jpg might be in one of the Gallery pages? as I didn't have time to go through them all.

    gal.gif

    Naturally the .exe would have to run to infect, but I imagine as people were viewing a legit www many would allow it, or it "might" auto run :(
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I couldn't get that page to load, but found references to that .jpg file elsewhere.

    Why do you suppose a site would have an .exe file spoofed as .jpg?

    You can't click to open because the default .jpg editor will throw an error:

    ban00.gif

    I use a text editor to double check:

    ban00-2.gif

    Usually spoofed executables are used in remote code execution exploits (such as the current .lnk exploit where DLLs are seen as .tmp files on the USB drive).

    I used the MS06-014 exploit to demonstrate. The code attempts to dl the .jpe file, then rename it to an .exe, and then execute it:

    ban00code.gif

    banjpe.gif

    Since ban00.jpe was blocked from downloading, the code cannot create the svchost.exe file, hence, the error.


    ----
    rich
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978

    Hi rich, this is my experience with that www, whether it's a spoofed .jpg or not? But something funny is happening on there o_O

    I had the www, including /ban00.jpg appended to it, scanned here

    unjs.gif

    The MZ file was detected, DL'd the Zip and uploaded it to virscan.org and got 14/36 hits as shown in my last post.

    Went back today and with the /ban00.jpg appended www I see this

    unwww.gif

    and even with scripting, nothing happens, and I don't see anything in the source?

    I again DL'd 4a14b881d9d7fb2a7c0531bc917381f75bcc9ac6.zip from jsunpack and converted it to ban00.txt and also a copy of it. Then opened ban00.txt with metapad and deleted everything between PK and MZ and renamed it ban00.exe. Then renamed copy of ban00.txt to ban00.jpg

    fold.gif

    Uploaded separately all 3 files to VT

    File ban00.jpg - Result: 17/42 (40.48%)

    File 4a14b881d9d7fb2a7c0531bc917381f75 - Result: 17/41 (41.47%)

    File ban00.exe - Result: 0/41 (0%)

    The detects are variously listed as ZeroDayThreat/Trojan/BackDoor/Sinowal

    Now either all those detects are FP's? or something nasty is on that www.

    Regards
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  25. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    "MZ@!L!This program cannot be run in DOS mode"
    This string found in an .exe, .sys or .dll would be normal?

    In a .jpg should send off alarm bells?
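    The check Rmus describes in post 22 (opening the ".jpg" in a text editor and finding the "MZ" / "This program cannot be run in DOS mode" bytes) and the question in post 25 can be automated. The script below is an added example and is not code from the thread or from any of the tools mentioned in it: it compares the leading bytes of a file with what its extension promises, flags a PE executable hiding behind an image extension, and lists PE members inside a zip such as the jsunpack capture discussed in post 23. The sample files it writes (ban00.jpg, photo.jpg, tool.exe, capture.zip) are constructed stand-ins with inert content, not the real files from the thread.

```python
"""
Added example, not code from the thread: a content-versus-extension check.

A Windows PE executable begins with the bytes "MZ" and normally carries the
DOS-stub text "This program cannot be run in DOS mode", which is why that
string is expected in an .exe/.dll/.sys and is a red flag inside a file
named .jpg.  The sample files built below are constructed stand-ins, not
real malware.
"""
import os
import tempfile
import zipfile

# Leading bytes ("magic numbers") of the formats discussed in the thread.
MAGIC = {
    "pe": b"MZ",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
}
DOS_STUB = b"This program cannot be run in DOS mode"

# The format each extension promises; anything else is a mismatch.
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".jpe": "jpeg",
    ".gif": "gif",
    ".zip": "zip",
    ".exe": "pe", ".dll": "pe", ".sys": "pe",
}


def sniff(data: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def classify(path: str) -> dict:
    """Compare what the bytes say with what the extension claims."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    ext = os.path.splitext(path)[1].lower()
    actual = sniff(head)
    expected = EXPECTED.get(ext)
    return {
        "extension": ext,
        "actual": actual,
        "mismatch": expected is not None and actual != expected,
        # an executable hiding behind a non-executable extension
        "pe_in_disguise": actual == "pe" and expected not in (None, "pe"),
        "dos_stub": DOS_STUB in head,
    }


def pe_members_in_zip(path: str) -> list:
    """List archive members whose content starts with the PE 'MZ' marker."""
    with zipfile.ZipFile(path) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir() and zf.open(info).read(2) == b"MZ"]


def build_samples(directory: str) -> list:
    """Write constructed test files (hypothetical names, inert content)."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\r\r\n$" + b"\x00" * 64
    files = {
        "ban00.jpg": fake_pe,                             # PE bytes under an image name
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # genuine JPEG header
        "tool.exe": fake_pe,                              # PE bytes, honest extension
    }
    paths = []
    for name, data in files.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    zpath = os.path.join(directory, "capture.zip")      # archive wrapping a PE
    with zipfile.ZipFile(zpath, "w") as zf:
        zf.writestr("ban00.bin", fake_pe)
        zf.writestr("readme.txt", b"constructed sample")
    paths.append(zpath)
    return paths


def run_demo() -> dict:
    """Build the samples in a temp dir, check each, return the reports by name."""
    with tempfile.TemporaryDirectory() as d:
        reports = {os.path.basename(p): classify(p) for p in build_samples(d)}
        reports["zip_pe_members"] = pe_members_in_zip(os.path.join(d, "capture.zip"))
    return reports


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

    Run it as-is and ban00.jpg is reported as a PE in disguise with the DOS stub present, photo.jpg and tool.exe come back clean, and capture.zip is reported as a zip whose member ban00.bin starts with MZ. The same check can be pointed at a download folder by replacing build_samples with a directory listing; the extension table is deliberately small and should be extended for whatever file types a given machine actually handles.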
     