Dangerous trojans on the loose

Useful for the hosts file, but I'm the other way and prefer to block an address range at the firewall, good work though.

 

Thanks Schwab. That saved me heaps of work.

I'll add them to the hosts file I install for risk taking users

 

New 0 Day Exploit (MSA-935423)
Vulnerability in Windows Animated Cursor Handling

New domains:
ykitaofg02.com @ 195.238.242.95
cesyqpritwso.com @ 195.238.242.39
mjccu4mvye.com @ 195.238.242.29
oaolj32dkkm.com @ 195.238.242.10

 

Thanks GmG for the domains.

I've been blocking that range for awhile :
195.238.242.0
To:
195.238.242.255

(195.238.242.0/24)

 

Noticed that one of my firewall rules was activated for the first time today...with the IPs from this thread. The IP in question: 85.255.115.221.

I did a Google search for Sloan's Nursery:
http://www.google.com/search?hl=en&q=sloan's%20nursery

On the first link result if I right click the link *mangled* (hxxp://sloantreefarms.com/, copy and paste it into IE's address bar I go straight to the site. If I LEFT click on the link on the Google results page I get a 302 and redirect: (I changed the http:// below to hxxp://)

HTTP/1.1 302 Found
Date: Mon, 21 May 2007 23:47:03 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/4.4.6 FrontPage/5.0.2.2510
Location: hxxp://85.255.115.221/ind.htm?src=250&surl=www.sloantreefarms.com&sport=80&suri=%2Findex%2Ehtml

...this may require a refresh or two after the page first loads. In the first case (copy link and paste into IE6SP2 address bar) I go direct to site and refreshes stay on the site. In the second case, the eventual redirect is blocked by my firewall rule.

(Using XPSP2 with IE6SP2, javascript enabled.)

 

Hello noway,

You sure picked a whoozy!

See if this is related to your situation. Note in the google screen shot how the address below is different than what the URL title shows:

http://www.dslreports.com/forum/remark,18366099

I could not get any of the redirects to work, but I tried your link pasting directly in the browser.

First in Opera: The WinAntiVirus page loaded but the frameset code did not run.

When pasting to IE, the Sloan page loaded - no redirect (?) Remembering another similar incident, I logged off my ISP (dialup) and logged on again. The redirect worked. I confirmed this three times. Something on the hijacked page notes the IP and will not let the page redirect a second time.

Redirect Test

Please explain how your firewall alerted to the redirect.

regards,

-rich

 

I created a firewall rule when this thread was started to block (with log/alert) in/out, tcp/udp, all ports to/from the address ranges in this thread...this one matches my blocked range 85.255.112.0-85.255.127.255.

 

Here is a pic of the search results page. If I hover over the link I get (mangled url) hxxp://sloantreefarms.com/

 

...and a pic after I've clicked on the link and the firewall has blocked access to the redirect (note the redirected address in the address bar) :
Since I use Proxomitron, it's custom error page is used when the firewall blocks access to the site.
Later, as a test, I changed my DNS server to a completely different ISP and rebooted and got the same result. If the Sloan's site itself is hacked by Inhoster.com, I am confused why it only happens when clicked on from Google search results and not from when I copy the link for Sloan's and paste it into IE's address bar. If I paste the link into IE's address bar I can press the refresh button all day and never get redirected but if I click on the Google result I get redirected if not immediately, then on subsequent presses of the refresh button. BTW, I only use a local proxy, not my ISP's proxy.

 

OK, I had to re-read the thread to refresh my memory

This is different from the screen shot in the DSLR thread I referenced, where the URL below is clearly different than what the search result shows.

Nothing looked out of the ordinary in the page code.

Then, it must be Search Engine Spamming if it's all in the URL from Google. See TNT's post #57 in the thread. Did you look at the source code of the Google page carefully?

Someone else may have an idea. It certainly is a clever spoof.

What solutions are there, in addition to yours - which requires knowing the IP range?

Does hovering the mouse always reveal the mangled URL? We would have to be careful and check every URL before we click in Google.

The last stand would be something in place to block the caching/running of the first dropper. Let that through, and you've got a big mess on your hand!

regards,

-rich

 

Nothing unusual noted.

Hovering over the link to show the url doesn't show any redirect stuff, just shows the original (correct) site, not the bad one. So I don't know where it's going until it's already gone.

 

I just went there several times with default IE7 as shown above with no problems or redirects.

 

All of this activity has occurred with javascript enabled with IE6SP2. As an experiment, I switched off javascript and clicked on the Google search result with the firewall disabled and got 2 redirects. One (silently) to inethoster and then inethoster (silently) redirects it back to the original Sloan's Nursery website, without infecting my computer with the Backdoor.Win32.Small.na. I would assume that their web server is compromised (Sloan's is doing the redirect) and that using IE with Javascript enabled, etc. makes the exploit work.

Just for fun I tried it with the firewall disabled and javascript enabled and the file ~.exe was downloaded to Windows/system 32 and I got a prompt for action from Kaspersky, when the WinAntivirus Pro page was being displayed.

Although the firewall can protect me from these issues I think from now on I will disable Javascript too, like I did long ago for ActiveX. It's just too dangerous now to use. Even for trusted sites. At least with IE.

 

Hello noway,

If this were so, why don't I get redirected?

What is the exact search term you are typing into Google?

BTW - you are famous - when I type "sloan's nursery" your thread is the third result!

-rich

 

Hello noway,

This is definitely a URL spoof and not dependent on the web site.

Take the first part of the URL

hxxp://85.255.115.221/ind.htm?src=250&surl=

and add any URL to that. I added a reference site I use:

www.wordsmyth.net

and the exploit worked, attempting to download the same trojan:

http://www.urs2.net/rsj/computing/imgs/redirect.gif

Why your Google search page is affected is a mystery, but you might have something to go on now.

regards,

-rich

 

Not sure why but possibly I'm missing a patch, although I have the latest cumulative IE patch installed.

Also, I don't get redirected every time I click on the Google results link. Most of the time but not always.

Here's how I do it:

Close IE.
Control Panel-Internet Options-Empty Temporary Internet Files
-Clear History

Verify that javascript is enabled in Internet Zone (Scripting-Active Scripting-Enable)


Search Google Web for: sloan's nursery (no quotes)

Click on the first link.

If you don't get redirected with a 302 the first time, press the back button and try again. If necessary close IE, empty the cache, etc. and try again. I often don't get the redirect until the second time I try it. Or if you are lucky enough to get to the proper site, try pressing Ctrl and Refresh at the same time...that will do a full refresh and may get you redirected.

Also, I use Google quite a bit and have only seen this redirect in this one case and have been watching out for Gromozon/Inhoster for months now without finding anything.

 

I just went there several times with Firefox 2.0.0.3 (NoScript 1.1.4.8.070521, Firekeeper 0.2.10) as shown above (http://www.google.com/search?hl=en&q=sloan's%20nursery) with no problems or redirects.

Mike

 

I see what you mean. I have the 85.221 range blocked out in my firewall and it just prompted me.

 

OK, I see I've not been persistent enough.

Indeed, I can get it to redirect even using Opera, although the obfuscated javascript code will not work to download the trojan.

A look at the Sloan Page code doesn't show anything obvious. I even have flash disabled, so the two .swf objects don't load, and I still get the same redirect in Opera - this would seem to eliminate flash as the culprit.

I have confirmed this, also in Opera, so doesn't this mean that this exploit starts with Google?

Otherwise, it would seem that the exploit should work from the Sloan page no matter how you got to it.

Have you contacted Sloan? or Google?

The fact that the spoofed URL will work directly with any URL appended to the end shows that this attack could work on any web site. How they get it to work is the question.

regards,

-rich

 

No redirects with Opera and Proxomitron together, (15 times) although the website didn't load too well with Proxomitron enabled. I've learned to always take that setback as a compliment.

 

The exploit also uses this IP:

http://www.urs2.net/rsj/computing/imgs/sloan-3.gif
________________________________________________________________

http://www.urs2.net/rsj/computing/imgs/sloan-1.gif
________________________________________________________________

Which downloads the WinantiVirus page:

http://www.urs2.net/rsj/computing/imgs/sloan-2.gif
________________________________________________________________

This is the redirected URL which originates the page.

hxxp://6950172115.hbison.com/sp/fpa/

Info on hbison.com

----------------------------------
Initiating server query ...
Looking up IP address for domain: hbison.com
The IP address for the domain is: 69.50.184.59
Query complete.
----------------------------------

http://64.233.161.103/search?q=cach...cklogic.net.pdf hbison.com&hl=en&ct=clnk&cd=5

Working at home, using Lynx to safely handle the URLs and avoid infection, I did some analysis on
the exploit traffic. The IP web server’s IP address appears to be a virtual Apache 1.3.33 server
running on a host named 85255113174.hbison.com. Interestingly, this server seems to refuse
connection attempts from Linux browsers; I was able connect from Lynx but not from any other
browser under Linux.
______________________________________________________________________________________________
http://www.bluetack.co.uk/forums/index.php?showtopic=3884&pid=28442&mode=threaded&show=&st=&
your-searcher.com

[CWSTrojan]:69.50.184.50-69.50.184.50
esthost.com[CWSTrojans]:69.50.179.217-69.50.179.217
nns1.hbison.com:69.50.184.50-69.50.184.50
nns2.hbison.com:69.50.184.51-69.50.184.51
______________________________________________________________________________________________

http://www.computing.net/security/wwwboard/forum/8931.html
The domain is registered to someone is Finland. Email address is domains@hbison.com
Administrative
Henry Bison
Kauppakatu
Suomussalmi, -- 89600
Finland -- FI
email: domains@hbison.com
______________________________________________________________________________________________

http://www.siteadvisor.com/sites/hbison.com/

User Review Summary for hbison.com
Adware, spyware, or viruses

User Reviews
Rating: Adware, spyware, or viruses
______________________________________________________________________________________________

Does anyone know how to report this? Evidently hbison.com's exploits have been known since 2005

regards,

-rich

 

Ok I tried it with IE 6, XP SP2, JS enabled.

Very nice to see an attack prompt from GesWall. Lot of Antivir popups.

 

Here is GeSWall log.

 

Link Scanner flags the spoofed URL and IPs in the 85.221 range. Very nice.

 

Hi Rmus! Why AE prompted here. Was it execution of ur image viewer to open gif image? Why the reason written is "copy"?