Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
Useful for the hosts file, but I'm the other way and prefer to block an address range at the firewall. Good work though.
     
  2. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    Thanks Schwab. That saved me heaps of work.

    I'll add them to the hosts file I install for risk taking users :eek:
     
  3. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    New 0 Day Exploit (MSA-935423)
    Vulnerability in Windows Animated Cursor Handling


    New domains:
    ykitaofg02.com @ 195.238.242.95
    cesyqpritwso.com @ 195.238.242.39
    mjccu4mvye.com @ 195.238.242.29
    oaolj32dkkm.com @ 195.238.242.10
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks GmG for the domains.

I've been blocking that range for a while:
    195.238.242.0
    To:
    195.238.242.255

    (195.238.242.0/24)
     
  5. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    433
    Noticed that one of my firewall rules was activated for the first time today...with the IPs from this thread. The IP in question: 85.255.115.221.

    I did a Google search for Sloan's Nursery:
    http://www.google.com/search?hl=en&q=sloan's%20nursery

On the first link result, if I right click the link *mangled* (hxxp://sloantreefarms.com/), copy and paste it into IE's address bar, I go straight to the site. If I LEFT click on the link on the Google results page I get a 302 and redirect: (I changed the http:// below to hxxp://)

    HTTP/1.1 302 Found
    Date: Mon, 21 May 2007 23:47:03 GMT
    Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/4.4.6 FrontPage/5.0.2.2510
    Location: hxxp://85.255.115.221/ind.htm?src=250&surl=www.sloantreefarms.com&sport=80&suri=%2Findex%2Ehtml

    ...this may require a refresh or two after the page first loads. In the first case (copy link and paste into IE6SP2 address bar) I go direct to site and refreshes stay on the site. In the second case, the eventual redirect is blocked by my firewall rule.

    (Using XPSP2 with IE6SP2, javascript enabled.)
     
    Last edited: May 22, 2007
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Hello noway,

    You sure picked a whoozy!

See if this is related to your situation. Note in the Google screen shot how the address below is different from what the URL title shows:

    http://www.dslreports.com/forum/remark,18366099

    I could not get any of the redirects to work, but I tried your link pasting directly in the browser.

    First in Opera: The WinAntiVirus page loaded but the frameset code did not run.

    When pasting to IE, the Sloan page loaded - no redirect (?) Remembering another similar incident, I logged off my ISP (dialup) and logged on again. The redirect worked. I confirmed this three times. Something on the hijacked page notes the IP and will not let the page redirect a second time.

    Redirect Test

    Please explain how your firewall alerted to the redirect.

    regards,

    -rich
     
    Last edited: May 22, 2007
  7. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    433
    I created a firewall rule when this thread was started to block (with log/alert) in/out, tcp/udp, all ports to/from the address ranges in this thread...this one matches my blocked range 85.255.112.0-85.255.127.255.
     

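The 302 response noway posted and the firewall rule that caught it can be checked mechanically. This is an added example, not code from the thread or from any of the posters: it parses the header block exactly as posted (with hxxp restored to http), collapses the first-to-last ranges named in this thread into CIDR blocks, and reports whether the Location host is a bare IP inside a blocked range and whether the query string carries the originally requested site (the `surl` parameter seen above). The header text and range list are copied from the posts; everything else is the example's own.

```python
"""Added example (not from the thread): check whether the 302 redirect posted
above would be caught by a firewall rule that blocks the IP ranges listed in
this thread.  Standard library only.
"""
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Response header block as posted by noway (copied here; hxxp restored to http).
RESPONSE_HEADERS = """HTTP/1.1 302 Found
Date: Mon, 21 May 2007 23:47:03 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/4.4.6 FrontPage/5.0.2.2510
Location: http://85.255.115.221/ind.htm?src=250&surl=www.sloantreefarms.com&sport=80&suri=%2Findex%2Ehtml
"""

# Ranges named in the thread: noway's first-last rule and Meriadoc's /24.
BLOCKED_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("195.238.242.0", "195.238.242.255"),
]


def ranges_to_networks(ranges):
    """Collapse first-last address pairs into the minimal list of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def parse_redirect(raw_headers):
    """Return (status code, split Location URL or None, query dict)."""
    lines = raw_headers.strip().splitlines()
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    if location is None:
        return status, None, {}
    parts = urlsplit(location)
    return status, parts, parse_qs(parts.query)


def host_is_literal_ip(host):
    """True if the URL host is a numeric address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_redirect(raw_headers, networks):
    """Describe why a redirect looks like the hijack seen in the thread.

    Findings: 3xx status, Location host is a bare IP, that IP lies in a
    blocked range, and the query carries the originally requested host.
    """
    status, parts, query = parse_redirect(raw_headers)
    findings = {"status": status, "blocked": False,
                "ip_literal_host": False, "carries_original_host": None}
    if parts is None or not 300 <= status < 400:
        return findings
    host = parts.hostname
    findings["ip_literal_host"] = host_is_literal_ip(host)
    if findings["ip_literal_host"]:
        addr = ipaddress.ip_address(host)
        findings["blocked"] = any(addr in net for net in networks)
    findings["carries_original_host"] = query.get("surl", [None])[0]
    return findings


if __name__ == "__main__":
    nets = ranges_to_networks(BLOCKED_RANGES)
    print([str(n) for n in nets])          # the two rules as CIDR
    print(classify_redirect(RESPONSE_HEADERS, nets))
```

Run as a script it prints the two block lists as CIDR (the first-last rule is a single /20) and a findings dict showing that 85.255.115.221 is an IP-literal host inside the blocked range and that `surl` names the site the visitor actually asked for. Blocking at the firewall works here only because the range is known in advance; a redirect to an address outside these ranges would pass the rule untouched, which is the limitation Rmus raises later in the thread.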
  8. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    433
    Here is a pic of the search results page. If I hover over the link I get (mangled url) hxxp://sloantreefarms.com/
     

  9. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    433
    ...and a pic after I've clicked on the link and the firewall has blocked access to the redirect (note the redirected address in the address bar) :
Since I use Proxomitron, its custom error page is used when the firewall blocks access to the site.

Later, as a test, I changed my DNS server to a completely different ISP and rebooted and got the same result. If the Sloan's site itself is hacked by Inhoster.com, I am confused why it only happens when clicked on from Google search results and not when I copy the link for Sloan's and paste it into IE's address bar. If I paste the link into IE's address bar I can press the refresh button all day and never get redirected, but if I click on the Google result I get redirected, if not immediately, then on subsequent presses of the refresh button. BTW, I only use a local proxy, not my ISP's proxy.
     

    Last edited: May 22, 2007
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    OK, I had to re-read the thread to refresh my memory :oops:

This is different from the screen shot in the DSLR thread I referenced, where the URL below is clearly different from what the search result shows.

    Nothing looked out of the ordinary in the page code.

    Then, it must be Search Engine Spamming if it's all in the URL from Google. See TNT's post #57 in the thread. Did you look at the source code of the Google page carefully?

    Someone else may have an idea. It certainly is a clever spoof.

    What solutions are there, in addition to yours - which requires knowing the IP range?

    Does hovering the mouse always reveal the mangled URL? We would have to be careful and check every URL before we click in Google.

The last stand would be something in place to block the caching/running of the first dropper. Let that through, and you've got a big mess on your hands!

    regards,

    -rich
     
  11. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    433
    Nothing unusual noted.

    Hovering over the link to show the url doesn't show any redirect stuff, just shows the original (correct) site, not the bad one. So I don't know where it's going until it's already gone.
     
  12. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    I just went there several times with default IE7 as shown above with no problems or redirects.
     
  13. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    433
    All of this activity has occurred with javascript enabled with IE6SP2. As an experiment, I switched off javascript and clicked on the Google search result with the firewall disabled and got 2 redirects. One (silently) to inethoster and then inethoster (silently) redirects it back to the original Sloan's Nursery website, without infecting my computer with the Backdoor.Win32.Small.na. I would assume that their web server is compromised (Sloan's is doing the redirect) and that using IE with Javascript enabled, etc. makes the exploit work.

Just for fun I tried it with the firewall disabled and javascript enabled and the file ~.exe was downloaded to Windows/system32 and I got a prompt for action from Kaspersky when the WinAntivirus Pro page was being displayed.

    Although the firewall can protect me from these issues I think from now on I will disable Javascript too, like I did long ago for ActiveX. It's just too dangerous now to use. Even for trusted sites. At least with IE.
     
    Last edited: May 22, 2007
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Hello noway,

    If this were so, why don't I get redirected?

    What is the exact search term you are typing into Google?

    BTW - you are famous - when I type "sloan's nursery" your thread is the third result!

    -rich
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Hello noway,

    This is definitely a URL spoof and not dependent on the web site.

    Take the first part of the URL

    hxxp://85.255.115.221/ind.htm?src=250&surl=

    and add any URL to that. I added a reference site I use:

    www.wordsmyth.net

    and the exploit worked, attempting to download the same trojan:

    http://www.urs2.net/rsj/computing/imgs/redirect.gif

    Why your Google search page is affected is a mystery, but you might have something to go on now.

    regards,

    -rich
     
  16. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    433
    Not sure why but possibly I'm missing a patch, although I have the latest cumulative IE patch installed.

    Also, I don't get redirected every time I click on the Google results link. Most of the time but not always.

    Here's how I do it:

    Close IE.
    Control Panel-Internet Options-Empty Temporary Internet Files
    -Clear History

    Verify that javascript is enabled in Internet Zone (Scripting-Active Scripting-Enable)


    Search Google Web for: sloan's nursery (no quotes)

    Click on the first link.

    If you don't get redirected with a 302 the first time, press the back button and try again. If necessary close IE, empty the cache, etc. and try again. I often don't get the redirect until the second time I try it. Or if you are lucky enough to get to the proper site, try pressing Ctrl and Refresh at the same time...that will do a full refresh and may get you redirected.

    Also, I use Google quite a bit and have only seen this redirect in this one case and have been watching out for Gromozon/Inhoster for months now without finding anything.
     
    Last edited: May 23, 2007
  17. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I just went there several times with Firefox 2.0.0.3 (NoScript 1.1.4.8.070521, Firekeeper 0.2.10) as shown above (http://www.google.com/search?hl=en&q=sloan's%20nursery) with no problems or redirects.

    Mike
     
  18. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    I see what you mean. I have the 85.221 range blocked out in my firewall and it just prompted me.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    OK, I see I've not been persistent enough.

    Indeed, I can get it to redirect even using Opera, although the obfuscated javascript code will not work to download the trojan.

    A look at the Sloan Page code doesn't show anything obvious. I even have flash disabled, so the two .swf objects don't load, and I still get the same redirect in Opera - this would seem to eliminate flash as the culprit.

    I have confirmed this, also in Opera, so doesn't this mean that this exploit starts with Google?

    Otherwise, it would seem that the exploit should work from the Sloan page no matter how you got to it.

    Have you contacted Sloan? or Google?

    The fact that the spoofed URL will work directly with any URL appended to the end shows that this attack could work on any web site. How they get it to work is the question.

    regards,

    -rich
     
  20. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    No redirects with Opera and Proxomitron together, (15 times) although the website didn't load too well with Proxomitron enabled. I've learned to always take that setback as a compliment.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    The exploit also uses this IP:

    http://www.urs2.net/rsj/computing/imgs/sloan-3.gif
    ________________________________________________________________

    http://www.urs2.net/rsj/computing/imgs/sloan-1.gif
    ________________________________________________________________

    Which downloads the WinantiVirus page:

    http://www.urs2.net/rsj/computing/imgs/sloan-2.gif
    ________________________________________________________________

    This is the redirected URL which originates the page.

    hxxp://6950172115.hbison.com/sp/fpa/

    Info on hbison.com

    ----------------------------------
    Initiating server query ...
    Looking up IP address for domain: hbison.com
    The IP address for the domain is: 69.50.184.59
    Query complete.
    ----------------------------------

    http://64.233.161.103/search?q=cach...cklogic.net.pdf hbison.com&hl=en&ct=clnk&cd=5

Working at home, using Lynx to safely handle the URLs and avoid infection, I did some analysis on
the exploit traffic. The IP web server’s IP address appears to be a virtual Apache 1.3.33 server
running on a host named 85255113174.hbison.com. Interestingly, this server seems to refuse
connection attempts from Linux browsers; I was able to connect from Lynx but not from any other
browser under Linux.
    ______________________________________________________________________________________________
    http://www.bluetack.co.uk/forums/index.php?showtopic=3884&pid=28442&mode=threaded&show=&st=&
    your-searcher.com

    [CWSTrojan]:69.50.184.50-69.50.184.50
    esthost.com[CWSTrojans]:69.50.179.217-69.50.179.217
    nns1.hbison.com:69.50.184.50-69.50.184.50
    nns2.hbison.com:69.50.184.51-69.50.184.51
    ______________________________________________________________________________________________

    http://www.computing.net/security/wwwboard/forum/8931.html
The domain is registered to someone in Finland. Email address is domains@hbison.com
    Administrative
    Henry Bison
    Kauppakatu
    Suomussalmi, -- 89600
    Finland -- FI
    email: domains@hbison.com
    ______________________________________________________________________________________________

    http://www.siteadvisor.com/sites/hbison.com/

    User Review Summary for hbison.com
    Adware, spyware, or viruses

    User Reviews
    Rating: Adware, spyware, or viruses
    ______________________________________________________________________________________________

    Does anyone know how to report this? Evidently hbison.com's exploits have been known since 2005

    regards,

    -rich
     
    Last edited: May 23, 2007
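Two of the hostnames quoted in the post above carry a purely numeric leading label: 6950172115.hbison.com and 85255113174.hbison.com. The thread does not say what those labels are; the hypothesis tested in this added example (mine, not a claim from the thread or from Rmus) is that each is a dotted-quad IPv4 address with the dots removed. Rather than guess at one split, the function enumerates every way of cutting the digit string into four valid octets, so an ambiguous label yields several candidates and a label that is not an address yields none. The hostnames and the address 69.50.184.59 are taken from the post; the code is the example's own.

```python
"""Added example, not from the thread: decode numeric hostname labels such as
"6950172115" into every IPv4 address whose dotted form, dots removed, matches.
Hypothesis under test (my assumption): the hbison.com labels encode addresses.
"""
import ipaddress


def candidate_ips(label):
    """All dotted-quad addresses that collapse to ``label`` when dots are removed."""
    if not label.isdigit() or not 4 <= len(label) <= 12:
        return []
    out = []

    def walk(pos, octets):
        if len(octets) == 4:
            if pos == len(label):          # consumed every digit exactly
                out.append(".".join(octets))
            return
        for width in (1, 2, 3):
            chunk = label[pos:pos + width]
            if len(chunk) != width:        # ran off the end of the string
                break
            # Reject leading zeros ("01") and values above 255.
            if (len(chunk) > 1 and chunk[0] == "0") or int(chunk) > 255:
                continue
            walk(pos + width, octets + [chunk])

    walk(0, [])
    return out


def decode_hostname(hostname):
    """Return (leading label, candidate IPs) for a host like NNN.example.com."""
    label = hostname.split(".", 1)[0]
    return label, candidate_ips(label)


def same_network(ip_a, ip_b, prefix=16):
    """True if two addresses fall in the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


if __name__ == "__main__":
    for host in ("6950172115.hbison.com", "85255113174.hbison.com"):
        print(host, "->", decode_hostname(host)[1])
    # hbison.com itself resolved to 69.50.184.59 in the post above.
    print(same_network("69.50.172.115", "69.50.184.59"))
```

Both labels decode unambiguously: 6950172115 to 69.50.172.115, which shares a /16 with the 69.50.184.59 that hbison.com resolved to and with the nns1/nns2 nameservers listed above, and 85255113174 to 85.255.113.174, which sits inside the 85.255.112.0 to 85.255.127.255 range noway already blocks. That the decoded addresses land in the same two networks the rest of the thread is tracking is consistent with the hypothesis, though it does not prove how the operator uses those labels.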
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Ok I tried it with IE 6, XP SP2, JS enabled.

Very nice to see an attack prompt from GesWall. Lots of Antivir popups.
     

  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Here is GeSWall log.
     

    Last edited: May 23, 2007
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Link Scanner flags the spoofed URL and IPs in the 85.221 range. Very nice.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
Hi Rmus! Why did AE prompt here? Was it the execution of your image viewer to open the gif image? Why is the reason written as "copy"?
     
