Sites containing spyware

Discussion in 'other anti-malware software' started by Avail, Sep 22, 2005.

Thread Status:
Not open for further replies.
  1. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Next up was Winfo....

    "Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed"

    "One of the features is the -n switch, which activates null session mode. Without this switch, Winfo can be used to retrieve the information mentioned, but using an already established connection to the other computer. For example, if null sessions have been restricted but you have a valid user account, you can connect first and then use Winfo to retrieve the information you need. "
     

    Attached file: win.jpg
  2. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    and WinZapper....

    WinZapper lets you erase event records selectively from the Security Log in Windows NT 4.0 and Windows 2000.
     

    Attached file: wz.jpg
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Just tried all the links mentioned in this post to test AntiMalware.

    I set IE's internet zone to its default security setting (medium), then I put ShadowUser into total mode (nothing excluded), and shut down everything except for AntiMalware and Nod32. I then visited all the links in this thread, and got warnings from Nod32 (so I know the pages were working).

    I then switched off Nod32.

    After (re)visiting each of the webpages - which never seemed to open fully - I then ran a HJT log, Nod32 scan, TrojanHunter scan and MSAS scan. They all came up clean.

    I decided I'd run KAV's online scanner too (I had its ActiveX component downloaded on my computer prior to installing AM)...it appeared to start to download...and then was stopped dead.

    IE runs in AM's BufferZone.

    edit: Just found out...if you want to use something like KAV's online scanner, it's simply a matter of temporarily making IE trusted.
     
    Last edited: Sep 29, 2005
  4. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Do these links still work?

    hxxp://195.225.177.33/0036.html
    hxxp://195.225.177.33

    I am using ViGuard with Win XP Home SP2 and visited them with no firewall, no antivirus, no anti-trojan, and then went to housecall.trendmicro.com/housecall/start_corp.asp and did a scan and it found nothing. Maybe the sites are not working or maybe ViGuard is just that good :) Any other links would be appreciated, or if you have some that can't be posted here, feel free to PM me with them. I'm really trying to see what it takes to break ViGuard.

    Thanks,

    Chris
     
  5. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Chris

    The second one works (the first link in the thread); that was what gave me the alert from Nod32 just today. I switched Nod32 off after that link, so not sure about the others.
     
  6. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    That's cool. It looks like I'll definitely be keeping ViGuard installed then. This really is a great app.

    Thanks,

    Chris
     
  7. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    WOW, that's a cracker of a test site, StevieO!

    I decided to conduct some tests on a barebones test rig running just XP Pro and IE with no security to see what happens.

    I linked to your site and ka-pow, things started happening all over the place - a permanent sex popup with no way of getting rid of it - a "TNS" sex and gambling toolbar added to IE - new windows opening up all over the place linking to porn sites - a message asking me to install "Telexcharge".

    I decided to go to Lavasoft to clean up - typed in Google to get the link and Google was replaced with "porn google", which showed only porn links.

    Tried the AltaVista search engine and that too was shunted out and replaced by "porn google".

    Still more windows opening up to porn and gambling sites.

    Typed in the Lavasoft address and downloaded Ad-Aware - ran it and it finds....

    ZToolbar (1 object)
    Crack Spider (4)
    win32.trojan.zolker
    Coolwebsearch (24)

    Cleaned up and reran the scan - it still finds CrackSpider - still getting the odd popup window.
    IE is poorly - home page gone - manually starting a new IE window gets an error message, but it does open and can be used.

    **********************************************************

    OK, scrub the system - reload Windows - reboot.

    Now for part 2.... download All-Seeing Eye - I want to see how well it does as I'm thinking of installing it on my main system.

    OK, All-Seeing Eye installs briskly and goes into learning mode - doesn't take long to get ready for action.

    Go to the test site with IE....

    Here come the messages from ASE....

    1 - unauth process - web.exe
    2 - unauth process - windows\system32\cvxh8jkdq7.exe
    3 - unauth process - windows\sp2yvx1.exe
    4 - ...................................\system32\cvxh8jkdq2.exe
    5 - ...............................................................1.exe
    6 - .................................................\latest.exe
    7 - .................................................\vxgamet1.exe
    8 - .................................................\74111640.exe
    9 - BHO ...........................................\zolker011.dll
    10-BHO ...........................................\ztoolb011.dll
    11-unauth process.............................\sysvcs.exe
    12-system log alert - telephony
    13-system log alert - remote access connection manager service was successfully sent a start control.
    14-system log alert - remote access connection manager service entered the running state.
    15-autostart entry - sysvcs.exe
    16-unauth process - windows\system32\~update.exe
    17-autostart entry - cvxh8jkdq2.exe
    18-autostart entry - c\winstall.exe
    19-unauth process - windows\system32\gamet2.exe
    20-system log alert - windows installer service enters stopped state
    21-unauth process - windows\system32\sysvcs.exe
    22-unauth dll - StimEng.dll

    I replied terminate to all messages (except log alerts).

    Then tested IE - all A-OK - no toolbars - no popups etc. etc.

    All-Seeing Eye has successfully prevented the nasties from installing.

    The malware has all downloaded but has not been allowed to execute - so clean up with Ad-Aware. (If this was for real I would clean up with a variety of other scanners too.)
     
    Last edited: Oct 1, 2005
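The alert list in the post above mixes four things a HIPS reports during a drive-by: processes launched, DLLs loaded, BHOs registered, autostart entries written, plus a couple of service-state events. What a responder wants out of such a list is the correlation between them. The script below is an added example, not All-Seeing Eye's own format or code; the alert lines are constructed in the shape of the messages quoted above, and the full paths in them are assumptions, since the post elides most of them.

```python
"""Triage of HIPS alerts of the kind All-Seeing Eye raised in the post above.

Added example, not the tool's own output format or code. The alert lines are
constructed in the shape of the messages quoted above; the full paths are
assumptions, since the post elides most of them. The point is to correlate
the alert types: an image that both executed and registered an autostart
entry has established persistence, and a BHO loads inside every IE window
without ever appearing as its own process.
"""
import re
from collections import defaultdict

SAMPLE_ALERTS = """\
unauth process - C:\\WINDOWS\\system32\\cvxh8jkdq2.exe
BHO - C:\\WINDOWS\\system32\\zolker011.dll
BHO - C:\\WINDOWS\\system32\\ztoolb011.dll
unauth process - C:\\WINDOWS\\system32\\sysvcs.exe
system log alert - remote access connection manager service entered the running state.
autostart entry - sysvcs.exe
autostart entry - cvxh8jkdq2.exe
autostart entry - C:\\winstall.exe
unauth process - C:\\WINDOWS\\system32\\~update.exe
unauth dll - StimEng.dll
"""

ALERT_RE = re.compile(
    r"^(?P<kind>unauth process|unauth dll|BHO|autostart entry|system log alert)"
    r"\s*-\s*(?P<detail>.+)$",
    re.IGNORECASE,
)


def parse_alerts(text):
    """Yield (kind, detail) for each line that matches the alert shape."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.group("kind").lower(), m.group("detail").strip()


def image_name(path):
    """Normalise a Windows path or bare file name to its lower-case base name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Group alerts by kind and derive the correlations a responder acts on."""
    by_kind = defaultdict(set)
    for kind, detail in parse_alerts(text):
        by_kind[kind].add(detail if kind == "system log alert" else image_name(detail))
    processes = by_kind["unauth process"]
    autostarts = by_kind["autostart entry"]
    return {
        "processes": sorted(processes),
        "bhos": sorted(by_kind["bho"]),
        # ran AND registered to run again: persistence is established
        "persistent_processes": sorted(processes & autostarts),
        # registered but never seen running: will fire on next logon/boot
        "autostart_without_process": sorted(autostarts - processes),
        "service_events": sorted(by_kind["system log alert"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

Two of the buckets deserve a second look even after every prompt was answered "terminate": an autostart entry whose image never ran is still on disk waiting for the next boot, and a Remote Access Connection Manager or telephony service starting in the middle of a drive-by is the footprint premium-rate dialers leave, which is worth checking given the "Telexcharge" install prompt the same post reports.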
  8. StevieO

    StevieO Guest

    Hi Top,

    Yes, you can say that again, lol. It nearly scared the pants off me!

    I'm really impressed with your reports, such as the test you've just done above. I think it's important to include as much info as possible when posting things like this so we all get a clearer picture of what did/can occur.

    I know others do too, but it would benefit everybody if more of us did! This helps in assessing where our weaknesses may be, and how to tighten things up. And also makes us more aware of an app's potential.

    I had DL'd All-Seeing-Eye several weeks ago, but as it's for XP, no can do. From your initial experience with the app it seems to be definitely worth keeping.

    Did you do any AV/AT scans off/online afterwards, as just relying on Ad-Aware seems a little brave!

    Did you have a FW running, and if so what happened there?

    Nice work, thanks


    Stevieo
     
  9. controler

    controler Guest

    Just to let you know I went to the hxxp://195.225.177.33 site in my VMware XP Pro session using the latest Firefox and latest KIS Beta. KAV kicked in right away.
    What I love about VMware is that I install my security apps on the host system, in my case XP Home, and then they still monitor my VMware sessions with only a tiny bit of tweaking. On this test setup my host has BOClean, KIS Beta & PG installed. This saves installing everything over again on each VM. VMware was kinda weird to learn at first but is actually very simple. Just as you use System Restore with your regular OS (host), you can use it for the VM session, or just use a snapshot to revert back to.
    I have not used any of the teams yet but may when I get more time.
    They have a Linux version also.
    Anyway, just thought I would mention the Firefox thang.

    controler
     
  10. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Hi StevieO - partly I wanted to keep it very simple and partly it was a bit of a rush job due to time constraints - it's quite time consuming to log all the data - if I had had more time I would have tried an AV + FW too.

    Primarily I wanted to see first what happened to the system if there was no security at all - anyone visiting that site without security would be completely screwed - the user can only sit and watch helplessly as IE is relentlessly and completely taken over - one is submerged in a sea of porn and gambling popups - search engines are redirected.

    Secondly I wanted to test some freebies - Ad-Aware, to see how well it coped with a complex situation.

    And thirdly ASE, to see if it could cope with the flood or whether it would crash. It took me quite a time to log and reply to all the event alerts - then to check the state of IE.

    I learned just how easy it is to get infected - and how a good real-time HIPS or AV/AT is essential in coping with a deluge of events like this.

    If this was for real I would be cleaning up with a lot more than Ad-Aware to make sure everything was found - as it was a test rig all I needed to do was reload Windows/reboot to a clean machine.

    If anyone else wants to give it a go with their favourite FW/AV/browser, be my guest. (But don't try it on your main system unless you are 100% certain of your security setup.) :D
     
    Last edited: Oct 1, 2005
  11. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    OK, for all you masochists out there, here's a list of dodgy sites....

    193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gratis-porn-movie.com, hardloved.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, noblindlinks.com, nocensor.com, ok-search.com, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws.

    http://www.spywareinfoforum.com/articles/cws
     
    Last edited: Oct 2, 2005
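A list like the one above is only useful once it is applied somewhere, and it has two kinds of entry that a plain hosts file cannot express: bare IP addresses, and the two names written with a trailing dot ("coolwebsearch.", "coolwwwsearch."). The script below is an added example, not from the post or from the linked CWS article: the entries are copied from the post, while the matching logic, the "trailing dot means any TLD" interpretation and the hosts-file output are this example's own assumptions.

```python
"""Turn the CoolWebSearch domain list above into something a machine can apply.

Added example; the list is copied from the post, the matching logic and the
hosts-file output are this example's own. Two kinds of entry need special
handling: bare IP addresses, which a hosts file cannot block, and the
entries written with a trailing dot ("coolwebsearch.", "coolwwwsearch."),
which this example treats as "that name under any TLD" (an interpretation,
not something the post states).
"""
import ipaddress
from urllib.parse import urlsplit

CWS_ENTRIES = (
    "193.125.201.50", "1stpagehere.com", "66.250.130.194", "adulthyperlinks.com",
    "allhyperlinks.com", "approvedlinks.com", "bannedhost.net", "bestcrawler.com",
    "cantfind.com", "carsands.com", "cool-web-search.com", "coolfreepage.com",
    "coolwebsearch.", "coolwwwsearch.", "couldnotfind.com", "defaultsearch.net",
    "dev.ntcor.com", "drvvv.com", "ewebsearch.net", "findloss.com", "findwhat.com",
    "firstbookmark.net", "freebookmark.net", "freebookmarks.net", "global-finder.com",
    "globesearch.com", "gratis-porn-movie.com", "hardloved.com", "itseasy.us",
    "jethomepage.com", "jetseeker.com", "kazaa-lite.ws", "martfinder.com",
    "mature50.com", "mommykiss.com", "mywebsearch.net", "noblindlinks.com",
    "nocensor.com", "ok-search.com", "runsearch.com", "search-2003.com",
    "search.xrenoder.com", "searchdesire.com", "searchnow.ws", "searchv.com",
    "searchxp.com", "sharempeg.com", "sixroads.com", "slawsearch.com", "slotch.com",
    "stopxxxpics.com", "super-spider.com", "super-websearch.com", "the-exit.com",
    "the-huns-yellow-pages.com", "topsearcher.com", "unipages.cc", "web-search.tk",
    "white-pages.ws", "youfindall.com", "youfindall.net", "yourbookmarks.info",
    "yourbookmarks.ws",
)


def build_blocklist(entries):
    """Split entries into IP literals, exact/parent domains and any-TLD prefixes."""
    ips, domains, prefixes = set(), set(), set()
    for entry in entries:
        entry = entry.strip().lower()
        if entry.endswith("."):
            prefixes.add(entry[:-1])
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            domains.add(entry)
    return {"ips": ips, "domains": domains, "prefixes": prefixes}


def host_of(url):
    """Extract a lower-case host from a URL or a bare host name."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_blocked(url, blocklist):
    host = host_of(url)
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) in blocklist["ips"]
    except ValueError:
        pass  # not an IP literal; fall through to name matching
    labels = host.split(".")
    # exact match or any parent domain: www.cool-web-search.com -> cool-web-search.com
    if any(".".join(labels[i:]) in blocklist["domains"] for i in range(len(labels))):
        return True
    # any-TLD prefixes match the label directly under the TLD: coolwebsearch.biz
    return len(labels) >= 2 and labels[-2] in blocklist["prefixes"]


def hosts_file_lines(blocklist):
    """Sinkhole lines for the name-based entries only. IP literals and any-TLD
    prefixes cannot be expressed in a hosts file; they need a firewall or
    proxy rule instead."""
    return [f"0.0.0.0 {d}" for d in sorted(blocklist["domains"])]


if __name__ == "__main__":
    bl = build_blocklist(CWS_ENTRIES)
    for u in ("http://www.coolwebsearch.biz/", "http://193.125.201.50/", "http://195.225.177.33/0036.html"):
        print(u, is_blocked(u, bl))
```

Note that the exploit host discussed earlier in the thread, 195.225.177.33, is not on this list, so a hosts-file or domain blocklist built from it would not have stopped the test site; a list like this catches the redirect and search-hijack infrastructure, not every drop site.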
  12. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    NsLookup
    195.225.177.33

    33.177.225.195.in-addr.arpa name = ip177-33.netcathost.com.

    Authoritative answers can be found from:
    177.225.195.in-addr.arpa nameserver = ns1.netcathost.com.
    177.225.195.in-addr.arpa nameserver = ns2.netcathost.com.
    ns1.netcathost.com internet address = 66.250.107.2
    ns2.netcathost.com internet address = 66.250.171.66
     
  13. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    I reran the All-Seeing Eye test today - this time it did not stop the malware from loading, which is very odd because it did seem to the first time I tried it?

    Not only that, a number of additional DLLs and processes started?

    The topnetsearch (TNS) toolbar was installed on IE and a TNS window popped up offering a number of spyware removal links :D (including one of the top 4 antivirus companies' spyware products) as well as various porn links.

    ASE did terminate the running processes and startup entries, but opening any IE window started the whole porn window cycle again.

    The home page was replaced with c:\windows\blank.mht - and the ability to change it back was disabled. Numerous folders were added to Favourites.

    I also got an IE window stating that security update for Internet Explorer q382192 had been successfully installed - it included a whole list of fixes.

    Numerous icons were placed on the desktop....

    blowjob
    car insurance
    cigarrettes discount
    credit card
    forex trading
    free ringtones
    gift ideas
    group sex
    home loan
    mp3 download
    online casino
    online dating
    phentermine
    play poker
    popup blocker
    porn dvd
    real estate
    sport betting
    spyware remover
    texas holdem
    viagra
     
    Last edited: Oct 3, 2005
  14. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    I also tried Winsonar - now this does work! (I tried it 3 times.) If the "kill unknown processes" box is ticked then the malware gets no chance to download - the moment the link is clicked Winsonar kills the IE window and nothing downloads.

    Apart from the window closing, the only other indication that anything has happened is the little web alert box on the Winsonar control panel changing from green to red.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Exploit site revisited

    The question came up in another thread, Can a web site trigger a download with no user action?

    I decided to revisit this site and pay more attention to what happened.

    Here's the test

    Can someone else confirm this?

    EDIT: FF and Opera users - have you figured out why the site doesn't do anything to you??

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Dec 6, 2005
  16. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Hi Rmus,

    I tried your test with IE6 and Security Level set to medium. I ran with no security apps active.

    When I got to the site, 3 boxes with scroll bars appeared. I checked the TIFs and found the .ani file. There was no sign of win32.exe or the new service.exe anywhere on the HD.

    I then added win32.exe to the address and was asked to run/save etc. I paused, still no sign of win32.exe or service.exe. I saved it to my Desktop and ran win32.exe. Service.exe appeared in the system32 folder.

    I don't know why my results are different to yours.
     
    Last edited: Dec 6, 2005
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi SpikeyB,

    What patches for IE have you installed this year?


    -rich
     
  18. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    I've not installed any IE patches since I installed SP2 for XP.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for running the test.

    This web site exploits the animated cursor vulnerability. If allowed to run, the .ani file downloads the win32.exe file.

    According to Microsoft, WinXP SP2 is not vulnerable. Prior to that requires a patch for IE, OE, Outlook. There are worse things that a cursor or icon file can do. See Microsoft Security Bulletin MS05-002

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
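Rmus identifies the site as exploiting the animated-cursor flaw of MS05-002. The script below is an added example, not from the thread and not the file the site served: it parses the RIFF/ACON container that .ani files use and flags any "anih" chunk whose declared length differs from the fixed 36-byte ANIHEADER, which is the condition the vulnerable loader failed to check. The two sample files are constructed inline.

```python
"""Structural check for animated-cursor (.ani) files against the MS05-002 trigger.

Added example, not from the thread. An .ani file is a RIFF container with form
type "ACON"; its "anih" chunk carries a fixed 36-byte ANIHEADER. The flaw fixed
by MS05-002 (CVE-2004-1049) was that the loader trusted the chunk's declared
length when copying the header into a fixed-size stack buffer. The two sample
files below are constructed here; neither is the file served by the site in
the thread.
"""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs


def build_ani(chunks):
    """Assemble a RIFF/ACON file from (fourcc, payload) pairs; pads odd chunks."""
    body = b"ACON"
    for fourcc, data in chunks:
        body += fourcc.encode("ascii") + struct.pack("<I", len(data)) + data
        if len(data) % 2:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data):
    """Yield (fourcc, declared_length, payload) for each top-level chunk."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF ACON file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (length,) = struct.unpack_from("<I", data, pos + 4)
        yield fourcc, length, data[pos + 8:pos + 8 + length]
        pos += 8 + length + (length & 1)


def check_ani(data):
    """Return a list of findings; an empty list means every anih chunk is well formed.
    Every anih chunk is checked, not just the first one, because a second,
    oversized anih is the variant that MS07-017 later had to fix."""
    findings = []
    seen = 0
    for fourcc, length, payload in iter_chunks(data):
        if fourcc != b"anih":
            continue
        seen += 1
        if length != ANIH_SIZE:
            findings.append(f"anih #{seen} declares {length} bytes, expected {ANIH_SIZE}")
        if len(payload) < length:
            findings.append(f"anih #{seen} is truncated by the end of file")
    if seen == 0:
        findings.append("no anih chunk")
    return findings


def sample_benign():
    # cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    header = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 32, 1, 60, 1)
    return build_ani([("anih", header)])


def sample_oversized():
    # A well-formed first anih followed by a second one whose declared length
    # far exceeds the header the loader expects (filler bytes, not a payload).
    header = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 32, 1, 60, 1)
    return build_ani([("anih", header), ("anih", b"A" * 200)])


if __name__ == "__main__":
    print("benign:", check_ani(sample_benign()))
    print("oversized:", check_ani(sample_oversized()))
```

The check is useful at a proxy or in a temporary-internet-files sweep, since the trigger is in the container structure rather than in any particular payload; a file that passes it can still be malicious in other ways, and a file that fails it is not necessarily an exploit (broken cursor editors exist), so treat a finding as a reason to look, not a verdict.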
     