Does this look like a drive-by expoit to you?

Hi all,

One of our users just got hit with the TDSS rootkit. Screenshot below is taken from ISA Server 2004 and shows this user's internet activity, in chronological order.

As you can see, something on homestansted.co.uk has linked into URLs at iniinn.in and downloaded a variety of nasty stuff (symptom: corrupt disk, corrupt sectors, pay to fix etc).

We'll flatten the box, but as ESET didn't catch it I'm wondering what I should block in ISA ?

Many thanks,



Jim

 

It seems so. There was an attempt to download a pdf exploit for which detection was added on Oct 28. The other malware (Win32/Kryptik.IPY) was added in the db version 5671. So I assume a user opened a compromised website with an undetected java script that subsequently downloaded the other stuff.

 

Hi Marcos,

Thanks for the quick reply. However the user has definition 5677 (with 4.64.12) , so how come the mentioned updates "Oct 28" or "5671" didn't catch any of the exploits? I can understand an undetected JS as I know these can self-modify, but neither of the exploits was caught.

It's a remote computer, 300 miles away, so it needs to get shipped to me for me to flatten and reinstall it and ship it back, so it's a bit annoying really.

Many thanks,



Jim

 

Not sure what exactly happened but there's no chance the pdf would have gotten there undetected if ESET was up to date and web/real-time protections enabled.
If an on-demand scan didn't find anything, the malware is probably not on the disk (unless it's protected with a rootkit). Maybe a log from SysInspector would shed more light. I think it should be possible to clean it remotely.

 

Hmmm...web/real-time protections were enabled and ESET was up to date. But it still got infected.

I'll try to get a sysinspector log, although pretty much everything is unusable on it just now so I'm not sure how successfully I will be. I can use pslist and pskill to terminate tasks but they just restart.


Jim

 

At any rate, browsing on servers is quite dangerous today. Even on workstations I'd recommend using sandboxing and non-admin accounts.

 

Agreed re: non admin accounts. But this was Windows XP and we have some rubbish legacy software which requires admin rights - we've tried granting permissions to all necessary files and registry keys but still it won't run unless local admin.

XP, fully patched. ESET up to date.

I'm trying to arrange to get the PC rebooted so I can run SysInspector etc.


jim

 

Ok I've managed to get a copy of the offending file. ESET shows it as clean, as do most other VirusTotal-listed engines (9/3 detect it). PrevX detects it, as does our beloved Microsoft ESET doesn't, nor does Kasperksy.

Can someone remind me the best way to submit a file please? I know there more than one way, and the mods here have said that files submitted via one method are completely ignored, but I forget which

Many thanks,



Jim

 

Please submit it per the instructions here.

 

Perfect, thanks Marcos.

.exe submitted, with reference to this thread.


Jim

 

I obtained malicious pdf sample. VT detection: 11/ 43 (25.6%)
ESET NOD32 detects it as: PDF/Exploit.Pidief.PBK.Gen
Kaspersky (on my computer with on-demand scan) detects it as: HEUR.Exploit.Script.Generic

 

Thank you, it's already detected internally as Win32/Kryptik.IRD trojan and the signature will be released in the next update.

 

I've just received notification that it'll be detected in the next update. Nice, fast response ESET, thank you. I'm impressed.

Code:

Dear Jim Willsher,

Thank you for your submission.
The detection for this threat will be included in our next signature update.

5872578.exe - Win32/TrojanDownloader.Prodatect.AU trojan 

Shame it wasn't detected in the last update, but everything has to start somewhere....


Jim

 

Hard to say what it actually does, at the first sight it looks like a rogue tool that pretends to detect problems on your computer and thus lure the user into purchasing it. It didn't download anything but some short data files so hard to say what they serve for without an in-depth analysis.

 

Screenshots and removal guide at Bleeping Computer here

 

covered here