Does this look like a drive-by exploit to you?

Discussion in 'ESET NOD32 Antivirus' started by jimwillsher, Dec 6, 2010.

Thread Status:
Not open for further replies.
  1. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Hi all,

    One of our users just got hit with the TDSS rootkit. Screenshot below is taken from ISA Server 2004 and shows this user's internet activity, in chronological order.

    As you can see, something on homestansted.co.uk has linked into URLs at iniinn.in and downloaded a variety of nasty stuff (symptom: corrupt disk, corrupt sectors, pay to fix etc).

    We'll flatten the box, but as ESET didn't catch it I'm wondering what I should block in ISA?

    Many thanks,



    Jim
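The kind of check Jim's ISA log points at, written out as an added example that is not from the original thread, from ESET or from Microsoft: a small Python script that walks each client's proxy records in time order, notes which hosts were first pulled in via a referrer from another site, and flags any such host that then served PDF or executable content. The hosts it reports are the natural candidates for a proxy block rule; the site that pulled them in is reported separately as the likely compromised page. The tab-separated log layout (date, time, client, referrer, host, URI, MIME type, status), the domains and every log entry are constructed for this example and are not the real ISA Server 2004 log format.

```python
"""Flag drive-by download chains in a proxy log (constructed example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed simplified W3C-style layout, not the real ISA 2004 field list.
FIELDS = ["date", "time", "client", "referrer", "host", "uri", "mime", "status"]

# Content a browser should rarely receive from a host it was merely redirected to.
RISKY_MIME = {"application/pdf", "application/octet-stream",
              "application/x-msdownload", "application/java-archive",
              "application/x-shockwave-flash"}
RISKY_EXT = (".pdf", ".exe", ".jar", ".swf", ".scr", ".dll")

# Constructed sample: one user visits a legitimate-looking page that pulls in an
# off-site script, which then fetches a PDF and two executables. A second user
# browses normally so the check has something to leave alone.
SAMPLE_LOG = """\
2010-12-06\t09:14:02\t10.0.0.17\t-\tcompromised-site.example\t/index.html\ttext/html\t200
2010-12-06\t09:14:03\t10.0.0.17\thttp://compromised-site.example/index.html\tcompromised-site.example\t/css/main.css\ttext/css\t200
2010-12-06\t09:14:03\t10.0.0.17\thttp://compromised-site.example/index.html\tdrive-by.example\t/in.php?id=3\ttext/html\t200
2010-12-06\t09:14:04\t10.0.0.17\thttp://drive-by.example/in.php?id=3\tdrive-by.example\t/load.pdf\tapplication/pdf\t200
2010-12-06\t09:14:06\t10.0.0.17\thttp://drive-by.example/in.php?id=3\tdrive-by.example\t/dl.php?f=1\tapplication/octet-stream\t200
2010-12-06\t09:14:09\t10.0.0.17\t-\tdrive-by.example\t/update.exe\tapplication/x-msdownload\t200
2010-12-06\t09:15:30\t10.0.0.22\t-\tnews.example\t/today\ttext/html\t200
2010-12-06\t09:15:31\t10.0.0.22\thttp://news.example/today\tcdn.example\t/logo.png\timage/png\t200
"""


def parse_log(text):
    """Parse tab-separated lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ref_host"] = (urlparse(rec["referrer"]).hostname
                           if rec["referrer"] != "-" else None)
        records.append(rec)
    return records


def is_risky(rec):
    path = rec["uri"].split("?", 1)[0].lower()
    return rec["mime"].lower() in RISKY_MIME or path.endswith(RISKY_EXT)


def find_chains(records):
    """One finding per (client, host) that served risky content after being
    introduced by a referrer on a different domain."""
    introduced_by = defaultdict(dict)   # client -> {host: referring host}
    downloads = defaultdict(list)       # (client, host) -> [(time, uri, mime)]
    for rec in sorted(records, key=lambda r: (r["client"], r["date"], r["time"])):
        client, host, ref = rec["client"], rec["host"], rec["ref_host"]
        # Remember who first pulled this host into the user's session.
        if ref and ref != host and host not in introduced_by[client]:
            introduced_by[client][host] = ref
        if is_risky(rec) and rec["status"].startswith("2"):
            downloads[(client, host)].append((rec["time"], rec["uri"], rec["mime"]))

    findings = []
    for (client, host), items in downloads.items():
        # Walk the referrer chain back to the page the user actually visited.
        root, seen = host, set()
        while root in introduced_by[client] and root not in seen:
            seen.add(root)
            root = introduced_by[client][root]
        if root == host:
            continue  # a direct download from the visited site is not this pattern
        findings.append({"client": client, "lure_site": root,
                         "serving_host": host, "downloads": items})
    return findings


def block_candidates(findings):
    """Hosts worth a proxy block rule: they served risky content via a third-party
    chain. The lure site is left out so it can be cleaned rather than blocked."""
    return sorted({f["serving_host"] for f in findings})


if __name__ == "__main__":
    found = find_chains(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['client']}: {f['lure_site']} -> {f['serving_host']}")
        for when, uri, mime in f["downloads"]:
            print(f"    {when}  {uri}  ({mime})")
    print("block candidates:", block_candidates(found))
```

The check is deliberately narrow: it only fires when risky content comes from a host that entered the session through another domain's referrer, so a user who types in a vendor site and downloads an installer is not reported. Referrers can be stripped or forged, so a missing referrer on a later request (the `update.exe` line above) is tolerated once the host has already been tied to a chain.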
     

  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It seems so. There was an attempt to download a pdf exploit for which detection was added on Oct 28. The other malware (Win32/Kryptik.IPY) was added in the db version 5671. So I assume a user opened a compromised website with an undetected JavaScript that subsequently downloaded the other stuff.
     
  3. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Hi Marcos,

    Thanks for the quick reply. However the user has definition 5677 (with 4.64.12), so how come the mentioned updates "Oct 28" or "5671" didn't catch any of the exploits? I can understand an undetected JS as I know these can self-modify, but neither of the exploits was caught.

    It's a remote computer, 300 miles away, so it needs to get shipped to me for me to flatten and reinstall it and ship it back, so it's a bit annoying really.

    Many thanks,



    Jim
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Not sure what exactly happened but there's no chance the pdf would have gotten there undetected if ESET was up to date and web/real-time protections enabled.
    If an on-demand scan didn't find anything, the malware is probably not on the disk (unless it's protected with a rootkit). Maybe a log from SysInspector would shed more light. I think it should be possible to clean it remotely.
     
  5. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Hmmm...web/real-time protections were enabled and ESET was up to date. But it still got infected.

    I'll try to get a SysInspector log, although pretty much everything is unusable on it just now so I'm not sure how successful I will be. I can use pslist and pskill to terminate tasks but they just restart.


    Jim
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    At any rate, browsing on servers is quite dangerous today. Even on workstations I'd recommend using sandboxing and non-admin accounts.
     
  7. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Agreed re: non-admin accounts. But this was Windows XP and we have some rubbish legacy software which requires admin rights - we've tried granting permissions to all necessary files and registry keys but still it won't run unless local admin.

    XP, fully patched. ESET up to date.

    I'm trying to arrange to get the PC rebooted so I can run SysInspector etc.


    jim
     
  8. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Ok, I've managed to get a copy of the offending file. ESET shows it as clean, as do most other VirusTotal-listed engines (9/3 detect it). PrevX detects it, as does our beloved Microsoft :) ESET doesn't, nor does Kaspersky.

    Can someone remind me of the best way to submit a file please? I know there is more than one way, and the mods here have said that files submitted via one method are completely ignored, but I forget which :)

    Many thanks,



    Jim
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please submit it per the instructions here.
     
  10. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Perfect, thanks Marcos.

    .exe submitted, with reference to this thread.


    Jim
     
  11. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    I obtained a malicious pdf sample. VT detection: 11/43 (25.6%)
    ESET NOD32 detects it as: PDF/Exploit.Pidief.PBK.Gen
    Kaspersky (on my computer with on-demand scan) detects it as: HEUR.Exploit.Script.Generic
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Thank you, it's already detected internally as Win32/Kryptik.IRD trojan and the signature will be released in the next update.
     
  13. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I've just received notification that it'll be detected in the next update. Nice, fast response ESET, thank you. I'm impressed. :thumb:

    Code:
    Dear Jim Willsher,
    
    Thank you for your submission.
    The detection for this threat will be included in our next signature update.
    
    5872578.exe - Win32/TrojanDownloader.Prodatect.AU trojan
    
    Shame it wasn't detected in the last update, but everything has to start somewhere....


    Jim
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hard to say what it actually does; at first sight it looks like a rogue tool that pretends to detect problems on your computer and thus lures the user into purchasing it. It didn't download anything but some short data files, so it's hard to say what they serve for without an in-depth analysis.
     
  15. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Screenshots and removal guide at Bleeping Computer here
     
  16. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    covered here
     