Sites containing spyware

Would you know if there is a particualr site you can go too where there are spyware?? All types? Dangerous ones too! So I can test to see how good is OA and other recommeneded products.. someone should do this, hey?

See what leaks through and what doesn't..

Any recommnendation/warnings/tips,etc before commencing??

THank you!!
Avail

 

Recommendation: Keep your children away from the computer while testing.

Warning: Prepare to be flooded with porn.

Tip: Make a full system backup.

 

Hi Avail,

It's funny you should ask that, as only yesterday a friend wanted to know the same thing.

I wouldn't advise you or ANYBODY to attempt it unless you have your PC securely locked down, and with a good AV And/Or AT, and after having done a FULL backup first.

If you're ABSOLUTELY Sure of the above, here's one which will start some fireworks, as it did for me. Change the x's to t's.

hxxp://195.225.177.33

If anybody does visit that site, then it is THEIR resposibility, NOT mine or anyone elses !!!

It's one of the best tests against my defences yet, which i'm very happy to say i got through unscathed, but with lots of warnings and alerts from KAV.

Proceed with the UTMOST caution, if you CHOOSE to go there !!!


StevieO

 

Make sure Deepfreeze of Shadowuser is activated ??

 

Browsing porn sites as well as cracking sites will get you infected with plenty..

 

Yes, a good test -

First, an executable was blocked from downloading.

Then, I let it run and a fake .chm file (really an executable) executed from the cache and attempted to send out back to the same site.

What does it do? Did KAV identify it?

Edit:

Done.

-rich
________________
~~Be ALERT!!! ~~

 

Visit the websites mentioned in IE-SPYAD, MVPS Hosts, ... and put your browser on maximum vulnerability.

 

Hi Rmus,

Yes it is a good test, almost scared the pants off me lol !

This is what i found in KAV's Backup.

I got a few more alerts than just for those shown, but i can't remember what they were.


StevieO

 

Thank you so much!!! : ) Wonderful! Someone ask you too! Could you advise me what sort of setup I should have for window Create a new Partion with your defence program installed? So if spyware hops on, you can delete partion if something goes wrong?

What defence program will you need?? Will OA be sufficient.

What spyware is on it?? Is there a list?

What other sites do you know? I do not like dirty naked sites. Your asking for trouble! About yourself I mean. Addiction and so forth...keep your self clean from all these junk..

Avail

 

If you unpack win32.exe and view its contents, you will see what it downloads to your system:

"h**p://**/vx/allload.php h**p://**/vx/uniqload.php h**p://**/vx/soft/proxy.exe h**p://**/vx/soft/tool.exe h**p://**/vx/soft/tibs.exe h**p://**/vx/soft/tibsit.exe h**p://**/vx/soft/winlogon.exe h**p://**/vx/soft/search.exe"

As an example, BOClean's on-demand scanner identifies winlogon.exe as "SPYSCAM67".

Nick

 

Thanks for the dangerous link StevieO!
Finally I could test my config for this kind of attack.<img>
To be on the sure side, I blocked that (ukranian) IP-range in my firewal config

 

Opera didn't even open the page that Steve wrote down. A blank page with nothing. is that any good?

 

I've seen that more than a month ago, and it's still on.

It's the worst I had ever seen; there's more here hxxp://195.225.177.33/0036.html and there definitely might be more. It's a Coolwebsearch affiliate, by the way. The exploits/trojans are so many I almost lost the count.

Also, this same site spreaded through defacements, i.e. they hacked a few web servers and 'injected' a hidden iframe in the html page; the iframe contained that 0036.html page with those exploits. I wonder if there is some sarcasm in that 'Update completed - Microsoft' alert they show. More info here (though it's in Italian and my long post is not in the Google archives as I used the X-no-archive header).

I was protected enough, so didn't catch anything.

 

Avail

Glad you liked it. Yes i'm keeping nice and clean thanks !

You could run your browser etc in a Sandbox enviroment. Do a search on here for them, as there are threads about them, and some are Free. Here's something similar, also Free https://www.wilderssecurity.com/showthread.php?t=96996

OA is very good too.

nick s

I couldn't find win32.exe on my PC ?

sukarof

Glad you survived too. You can also put them in your HOSTS file.

Edwin024

I too get a blank page in IE, but the stuff still trys to DL.

TNT

A blank page is all i get at hxxp://195.225.177.33/0036.html and nothing happens ! Nice to hear that you didn't catch anything either.

I went back again and this time captured screen shots of all the alerts and warnings i recieved.


StevieO

 

Are you using IE with Javascript on? The site uses some (obfuscated) javascript to exploit some vulnerabilities, it first checks that you're using IE; it's possible that nothing happens at all because you're patched, though. "De-obfuscation" of the code should be done manually, doesn't take that long. The last time I checked (a month ago) it was:

mcXrRZv.jar/BlackBox.class - infected by Exploit.Java.ByteVerify
mcXrRZv.jar/VerifierBug.class - infected by Exploit.Java.ByteVerify
mcXrRZv.jarBeyond.class - infected by Trojan-Downloader.Java.OpenConnection.aa

uBsmpgr.php/[From <x>]/html - infected by Exploit.VBS.Phel.i

0036.exe - infected by Trojan-Downloader.Win32.Small.awa

It might have been modified since, though.

 

Ok, I just found out that I still had an encrypted archive of 535 files I was able to download from that site; and some are actually missing 'cause I submitted them to Ewido and deleted them when I saw they included them in their next update. If anyone wants them (and knows what he's doing!), contact me:

EDIT: I just checked:

hxxp://195.225.177.33/mcXrRZv.jar
hxxp://195.225.177.33/uBsmpgr.php
hxxp://195.225.177.33/0036.exe

are still there.

DO NOT OPEN/RUN THESE FILES!!!

 

Hi TNT,

No not me, Java, and Active everything is disabled on my PC, and i recommend that to everyone.

You can keep the archive, but thanks for asking lol.


StevieO

 

Well, I was just saying just in case some anti-spyware vendors might be interested.

 

FWIW, from Jotti's...

 

and another one...

 

Jesus... F-Prot finds nothing. We use that at work (not my decision), and it's becoming a pain in the a**; we keep submitting stuff that it does not find.

 

newgrounds.com has A LOT i got a dialer from it

 

TNT

Yes i knew what you meant lol.

cheater87

I went to hxxp://www.newgrounds.com and nothing bad happened. It has ActiveX embedded in some of it's pages, it also uses SWF and Active Scripting. All are potential doorways to nasties unless you have these disabled as i have.

I didn't spend too much time there, but couldn't resist seeing what might occur when i clicked on this.


ANNA KOURNIKOVA CALENDAR SHOOT - Does this really require any explanation?


You then get taken to here hxxp://www.ifilm.com/ifilmdetail/2665988?showw=no&refsite=6166

I tried to play the film but as i also have Active Scripting Disabled it didn't work. I enabled it and just got lots of pages trying to refresh with ads that didn't show. I presume it's because they are in my HOSTS block file. I had enough of this after about five refreshes and disabled Scripting again.

I clicked on this, Trouble Playing Video? Click Here for Help... and found this amusing, but which will be a Very scary experience i imagine to the unwary if they do follow their advice.

It takes you to here hxxp://www.ifilm.com/?sctn=help&pg=player

. . .

A NOTE ABOUT NORTON SECURITY SOFTWARE: Norton Internet Security (NIS) 2003 and Norton Anti-Virus/Firewall 2003 will prevent the IFILM media player from working. You must temporarily disable the "Security" option in these products in order to play IFILM video. To do this, select the NIS Security Center option within your Norton software and turn the first option under "Security" to "Off". Then refresh your browser (Ctrl-Refresh) before trying once again to play IFILM video.

If you have a different firewall installed (software that protects your computer from viruses, etc.) this may be responsible for the problem. Try temporarily disabling it.

. . .

I'd already seen enough, well not what i thought i might lol, but enough to not want to spend any more time there, and left.

So no dailer DL etc for me, but who knows what might happen to some people who lurk there unsecured !


StevieO

 

here's a little site with some cool little tools to test out your box.

i downloaded tini (backdoor) - avg detected it pretty quickly.

but one weird thing about this tini 4k file. i tried to upload it to virus total and VT refused to accept it saying it was over 10 megs??

i then tried to upload to jotti's and it too refused it saying the file had zero bytes??

now i have used both of these to test a variety of trojans and i've never had this before??

also my system wouldn't allow me to copy tini to a floppy either - again i've never had this problem before??

 

i then downloaded snitch (password ripper) AVG did not detect this - again uploaded it to jotti's - the upload just hung and did not complete.

i then tried VT - this time VT accepted the file and started the scan - this took an inordinately long time for such a small file.

i was able to copy this file to floppy so AVG was probably preventing tini from being copied and uploaded?