Sites containing spyware

Discussion in 'other anti-malware software' started by Avail, Sep 22, 2005.

Thread Status:
Not open for further replies.
  1. Avail

    Avail Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    29
    Would you know if there is a particular site you can go to where there is spyware?? All types? Dangerous ones too! :) So I can test to see how good OA and other recommended products are.. someone should do this, hey?

    See what leaks through and what doesn't..

    Any recommendations/warnings/tips, etc. before commencing?? :)

    Thank you!!
    Avail
     
  2. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Recommendation: Keep your children away from the computer while testing.

    Warning: Prepare to be flooded with porn.

    Tip: Make a full system backup.

    ;)
     
  3. StevieO

    StevieO Guest

    Hi Avail,

    It's funny you should ask that, as only yesterday a friend wanted to know the same thing.

    I wouldn't advise you or ANYBODY to attempt it unless you have your PC securely locked down, and with a good AV And/Or AT, and after having done a FULL backup first.

    If you're ABSOLUTELY Sure of the above, here's one which will start some fireworks, as it did for me. Change the x's to t's.

    hxxp://195.225.177.33

    If anybody does visit that site, then it is THEIR responsibility, NOT mine or anyone else's !!!

    It's one of the best tests against my defences yet, which I'm very happy to say I got through unscathed, but with lots of warnings and alerts from KAV.

    Proceed with the UTMOST caution, if you CHOOSE to go there !!!


    StevieO
     
  4. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Make sure Deepfreeze or Shadowuser is activated ?? :D :D :D
     
  5. rawr

    rawr Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    128
    Location:
    Illinois, U.S.A
    Browsing porn sites as well as cracking sites will get you infected with plenty..
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, a good test -

    First, an executable was blocked from downloading.

    Then, I let it run and a fake .chm file (really an executable) executed from the cache and attempted to send out back to the same site.

    What does it do? Did KAV identify it?

    Edit:
    Done.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

    Attached Files:

    Last edited: Sep 22, 2005
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Visit the websites mentioned in IE-SPYAD, MVPS Hosts, ... and put your browser on maximum vulnerability.
     
  8. StevieO

    StevieO Guest

    Hi Rmus,

    Yes it is a good test, almost scared the pants off me lol !

    This is what I found in KAV's Backup.

    I got a few more alerts than just for those shown, but I can't remember what they were.


    StevieO
     

    Attached Files:

  9. Avail

    Avail Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    29
    Thank you so much!!! : ) Wonderful! Someone asked you too! :) Could you advise me what sort of setup I should have for Windows o_O Create a new partition with your defence program installed? So if spyware hops on, you can delete the partition if something goes wrong?

    What defence program will you need?? Will OA be sufficient?

    What spyware is on it?? Is there a list?

    What other sites do you know? I do not like dirty naked sites. You're asking for trouble! :) About yourself I mean. Addiction and so forth... keep yourself clean from all this junk..

    Avail
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    If you unpack win32.exe and view its contents, you will see what it downloads to your system:

    "h**p://**/vx/allload.php h**p://**/vx/uniqload.php h**p://**/vx/soft/proxy.exe h**p://**/vx/soft/tool.exe h**p://**/vx/soft/tibs.exe h**p://**/vx/soft/tibsit.exe h**p://**/vx/soft/winlogon.exe h**p://**/vx/soft/search.exe"

    As an example, BOClean's on-demand scanner identifies winlogon.exe as "SPYSCAM67".

    Nick
     

    Attached Files:

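nick s's approach above, unpacking the downloader and reading the URL strings inside it, is a standard first triage step. The script below is an added example, not code from the thread or from any product mentioned in it: it pulls http/https strings out of a binary (both plain ASCII and the UTF-16LE form Windows executables often use), dedupes them, and defangs them the way this thread does so the list can be pasted into a post without creating live links. The sample blob and its hostnames under .invalid are constructed; the real win32.exe and its hosts are not reproduced.

```python
import re
from typing import List, Tuple

# Constructed sample blob (not the thread's win32.exe): a fake PE header, junk bytes,
# and download URLs stored both as ASCII and as UTF-16LE. Hostnames are placeholders
# under the reserved .invalid TLD.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(range(64))
    + b"http://dl.example.invalid/vx/allload.php\x00"
    + b"\xff\xfe" + "http://dl.example.invalid/vx/soft/winlogon.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x13\x37" * 16
    + b"https://cdn.example.invalid/x.php?id=1\x00"
    + b"http://dl.example.invalid/vx/allload.php\x00"   # repeated string, reported once
)

# URL characters per RFC 3986 (unreserved, reserved, percent); a NUL or whitespace ends the match.
URL_ASCII = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
URL_TEXT = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# A run of at least 8 printable ASCII chars stored as UTF-16LE (char, NUL, char, NUL, ...).
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def extract_urls(blob: bytes) -> List[str]:
    """Return the unique URLs embedded in blob, ASCII or UTF-16LE, ordered by first offset."""
    hits: List[Tuple[int, str]] = []
    for m in URL_ASCII.finditer(blob):
        hits.append((m.start(), m.group().decode("ascii")))
    for run in WIDE_RUN.finditer(blob):
        text = run.group().decode("utf-16-le")
        for m in URL_TEXT.finditer(text):
            # each decoded character occupied two bytes in the blob
            hits.append((run.start() + 2 * m.start(), m.group()))
    urls: List[str] = []
    for _, url in sorted(hits):
        if url not in urls:
            urls.append(url)
    return urls


def defang(url: str) -> str:
    """Rewrite a URL so it is not clickable or auto-linked: http -> hxxp, dots in the host -> [.]."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def report(blob: bytes) -> List[str]:
    """Defanged list of embedded URLs, safe to paste into a forum post or a ticket."""
    return [defang(u) for u in extract_urls(blob)]


if __name__ == "__main__":
    for line in report(SAMPLE_BLOB):
        print(line)
```

This only finds strings stored in the clear; a packed or encrypted downloader (the kind TNT describes later in the thread) has to be unpacked first, which is what nick s means by "unpack win32.exe". Run it on a copy of the sample inside a sandbox or analysis VM rather than on the machine that got infected.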
  11. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks for the dangerous link StevieO!
    Finally I could test my config for this kind of attack.
    To be on the safe side, I blocked that (Ukrainian) IP range in my firewall config :)
     
  12. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Opera didn't even open the page that Steve wrote down. A blank page with nothing. Is that any good? ;)
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I've seen that more than a month ago, and it's still on. :doubt:

    It's the worst I had ever seen; there's more here hxxp://195.225.177.33/0036.html and there definitely might be more. It's a Coolwebsearch affiliate, by the way. The exploits/trojans are so many I almost lost count.

    Also, this same site spread through defacements, i.e. they hacked a few web servers and 'injected' a hidden iframe in the html page; the iframe contained that 0036.html page with those exploits. I wonder if there is some sarcasm in that 'Update completed - Microsoft' alert they show. More info here (though it's in Italian and my long post is not in the Google archives as I used the X-no-archive header).

    I was protected enough, so didn't catch anything. :D
     
    Last edited: Sep 23, 2005
  14. StevieO

    StevieO Guest

    Avail

    Glad you liked it. Yes I'm keeping nice and clean thanks !

    You could run your browser etc. in a Sandbox environment. Do a search on here for them, as there are threads about them, and some are Free. Here's something similar, also Free https://www.wilderssecurity.com/showthread.php?t=96996

    OA is very good too.

    nick s

    I couldn't find win32.exe on my PC ?

    sukarof

    Glad you survived too. You can also put them in your HOSTS file.

    Edwin024

    I too get a blank page in IE, but the stuff still tries to DL.

    TNT

    A blank page is all I get at hxxp://195.225.177.33/0036.html and nothing happens ! Nice to hear that you didn't catch anything either.

    I went back again and this time captured screen shots of all the alerts and warnings I received.


    StevieO
     

    Attached Files:

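Two defences come up in this part of the thread: sukarof blocked the site's IP range at the firewall, and StevieO suggests putting the hosts in the HOSTS file. The script below is an added example (not code from the thread or from any product named in it) showing how a defender keeps both kinds of block list and tells which layer a given URL would be stopped by. The only value taken from the thread is the address 195.225.177.33; the /24 around it and the hostnames under .invalid are constructed stand-ins.

```python
import ipaddress
from typing import Iterable, List
from urllib.parse import urlsplit

# Firewall-style block list (CIDR ranges). The /24 is an assumption chosen to contain
# the address quoted in the thread; a real rule would use the range the WHOIS record gives.
BLOCKED_NETWORKS = [ipaddress.ip_network("195.225.177.0/24")]

# HOSTS-file style block list (hostnames). Placeholders, not hosts seen in the thread.
BLOCKED_HOSTS = ["dl.example.invalid", "cdn.example.invalid"]


def ip_is_blocked(ip: str) -> bool:
    """True if the IP literal falls inside any blocked range (raises ValueError if not an IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def host_is_blocked(host: str) -> bool:
    """True if the hostname, or any parent domain of it, is on the HOSTS block list."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def block_layer(url: str) -> str:
    """Which layer stops this URL: 'firewall' (IP range), 'hosts' (HOSTS file) or 'none'.

    Accepts defanged hxxp:// links as well, since that is how the thread writes them.
    """
    host = urlsplit(url).hostname or ""
    try:
        # An IP-literal URL never goes through DNS, so a HOSTS entry can't touch it;
        # only an address-based rule (firewall / router ACL) can block it.
        return "firewall" if ip_is_blocked(host) else "none"
    except ValueError:
        pass  # not an IP literal: fall through to the hostname list
    return "hosts" if host_is_blocked(host) else "none"


def hosts_file_lines(hosts: Iterable[str]) -> List[str]:
    """Render HOSTS entries. 0.0.0.0 is used instead of 127.0.0.1 so the request fails
    outright rather than hitting any web server listening on localhost."""
    return [f"0.0.0.0 {h}" for h in sorted(set(hosts))]


if __name__ == "__main__":
    for u in ("hxxp://195.225.177.33/0036.html",
              "http://sub.dl.example.invalid/vx/allload.php",
              "http://www.example.com/"):
        print(f"{block_layer(u):8s} {u}")
    print("\n".join(hosts_file_lines(BLOCKED_HOSTS)))
```

The point the `block_layer` function makes explicit is the one the thread circles around: the site in question is reached by bare IP, so a HOSTS entry does nothing for it and only an address-based rule applies; the HOSTS file helps for the named hosts that the downloader inside the payload contacts.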
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Are you using IE with Javascript on? The site uses some (obfuscated) javascript to exploit some vulnerabilities, it first checks that you're using IE; it's possible that nothing happens at all because you're patched, though. "De-obfuscation" of the code should be done manually, doesn't take that long. The last time I checked (a month ago) it was:

    mcXrRZv.jar/BlackBox.class - infected by Exploit.Java.ByteVerify
    mcXrRZv.jar/VerifierBug.class - infected by Exploit.Java.ByteVerify
    mcXrRZv.jarBeyond.class - infected by Trojan-Downloader.Java.OpenConnection.aa

    uBsmpgr.php/[From <x>]/html - infected by Exploit.VBS.Phel.i

    0036.exe - infected by Trojan-Downloader.Win32.Small.awa

    It might have been modified since, though.
     
  16. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ok, I just found out that I still had an encrypted archive of 535 files I was able to download from that site; and some are actually missing 'cause I submitted them to Ewido and deleted them when I saw they included them in their next update. If anyone wants them (and knows what he's doing!), contact me:

    EDIT: I just checked:

    hxxp://195.225.177.33/mcXrRZv.jar
    hxxp://195.225.177.33/uBsmpgr.php
    hxxp://195.225.177.33/0036.exe

    are still there.

    DO NOT OPEN/RUN THESE FILES!!!
     
    Last edited: Sep 23, 2005
  17. StevieO

    StevieO Guest

    Hi TNT,

    No, not me. Java and Active-everything are disabled on my PC, and I recommend that to everyone.

    You can keep the archive, but thanks for asking lol.


    StevieO
     
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, I was just saying just in case some anti-spyware vendors might be interested. :)
     
  19. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    FWIW, from Jotti's...
     

    Attached Files:

  20. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    and another one...
     

    Attached Files:

  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Jesus... F-Prot finds nothing. We use that at work (not my decision), and it's becoming a pain in the a**; we keep submitting stuff that it does not find.
     
  22. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    newgrounds.com has A LOT, I got a dialer from it.
     
  23. StevieO

    StevieO Guest

    TNT

    Yes I knew what you meant lol.

    cheater87

    I went to hxxp://www.newgrounds.com and nothing bad happened. It has ActiveX embedded in some of its pages, it also uses SWF and Active Scripting. All are potential doorways to nasties unless you have these disabled as I have.

    I didn't spend too much time there, but couldn't resist seeing what might occur when I clicked on this.


    ANNA KOURNIKOVA CALENDAR SHOOT - Does this really require any explanation?


    You then get taken to here hxxp://www.ifilm.com/ifilmdetail/2665988?showw=no&refsite=6166

    I tried to play the film but as I also have Active Scripting disabled it didn't work. I enabled it and just got lots of pages trying to refresh with ads that didn't show. I presume it's because they are in my HOSTS block file. I had enough of this after about five refreshes and disabled Scripting again.

    I clicked on this, "Trouble Playing Video? Click Here for Help...", and found this amusing, but it will be a very scary experience I imagine to the unwary if they do follow their advice.

    It takes you to here hxxp://www.ifilm.com/?sctn=help&pg=player

    . . .

    A NOTE ABOUT NORTON SECURITY SOFTWARE: Norton Internet Security (NIS) 2003 and Norton Anti-Virus/Firewall 2003 will prevent the IFILM media player from working. You must temporarily disable the "Security" option in these products in order to play IFILM video. To do this, select the NIS Security Center option within your Norton software and turn the first option under "Security" to "Off". Then refresh your browser (Ctrl-Refresh) before trying once again to play IFILM video.

    If you have a different firewall installed (software that protects your computer from viruses, etc.) this may be responsible for the problem. Try temporarily disabling it.

    . . .

    I'd already seen enough, well not what I thought I might lol, but enough to not want to spend any more time there, and left.

    So no dialer DL etc. for me, but who knows what might happen to some people who lurk there unsecured !


    StevieO
     
  24. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Here's a little site with some cool little tools to test out your box.

    I downloaded tini (backdoor) - AVG detected it pretty quickly.

    But one weird thing about this tini 4k file. I tried to upload it to VirusTotal and VT refused to accept it saying it was over 10 megs??

    I then tried to upload to Jotti's and it too refused it saying the file had zero bytes??

    Now I have used both of these to test a variety of trojans and I've never had this before??

    Also my system wouldn't allow me to copy tini to a floppy either - again I've never had this problem before??
     
  25. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    I then downloaded snitch (password ripper). AVG did not detect this - again uploaded it to Jotti's - the upload just hung and did not complete.

    I then tried VT - this time VT accepted the file and started the scan - this took an inordinately long time for such a small file.

    I was able to copy this file to floppy so AVG was probably preventing tini from being copied and uploaded?
     

    Attached Files:

    • sn.jpg (95.5 KB, 381 views)
    Last edited: Sep 29, 2005