wonder if your security works???

Discussion in 'other security issues & news' started by budfox, Sep 24, 2005.

Thread Status:
Not open for further replies.
  1. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
    I found this site from another poster (sorry, don't know who) who put up the IP of a site that is pretty dangerous. If you are brave and want to see if your antivirus/security is working, give it a go. If you are unsure, stay away!


    195.225.177.33

    This site will attempt to access your memory through your browser, and will inject 2 trojans into your Java folder. Have fun!

    AVK by Gdata and Process Guard blocked this site's attack.
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Actually, I recommend that ANYBODY stays away from that (Coolwebsearch affiliate) site unless they are very well protected, with all the latest patches and definitely with more than simple antivirus protection (it might not be enough!). On that site there are many more than two trojans, by the way.

    And don't assume that if you get infested with that (without using something like Deep Freeze, that is) you'll be able to recover your system, because most probably you won't.
     
  3. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
    What else?
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Without counting the ones that WILL be downloaded if you get infected, there is at least:

    Exploit.VBS.Phel.aa
    Trojan-Downloader.Win32.Ani.c
    Exploit.Java.ByteVerify
    Trojan-Downloader.Java.OpenConnection.aa
    Exploit.VBS.Phel.i
    Trojan-Downloader.Win32.Small.awa

    And I'm forgetting something, for sure. In fact, one month ago I was doing research on malware sites when I stumbled upon this one. I was able to download more than 500 files, containing more than 1000 infected objects, without even getting infected (the trojan downloaders would definitely have downloaded something I missed if I had actually run them). Though many were variants of the same trojans, there is a SCARY amount of nasty stuff on there.
     
  5. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hi,

    In regards to "195.225.177.33": if you're not running an IE-type browser, your Java is set to ask you before running an application or applet, and you have an AV running, you're not going to get infected.

    Regards,
    fluxgfx.com
     
  6. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Yay, finally got the source code.

    Figured out NOD32 was blocking it xD

    Will take a look for anything that my security pack misses. So far, my security pack for Proxomitron basically neutered it ;)
     
  7. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hi,

    Having Java disabled and JavaScript off will limit the possibility of being infected. Using a browser other than IE will also help. Having an AV on hand would minimize the possible impact.

    Nothing special about this website; as with many other trusted sites, it can happen anywhere.

    Regards,
    fluxgfx.com
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    What should I experience when there?
    I just see an empty page... :ninja:
     
  9. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hi,

    You shouldn't see anything, just some Java exploit and VBS runtime stuff that will use IE holes to access and run on your system, etc. The usual spyware/worm type of activity.

    Regards,
    fluxgfx.com
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    uuuhm, ok now I see....same problem as someone else.....NOD
    :-*
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, it attacks IE, but "an AV running" doesn't mean anything. F-Prot or AVG don't detect those trojans as they should, for instance; relying on generic antivirus protection is most certainly not enough.
     
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I only use IE, but I went to that site and absolutely nothing happened!

    In fact I've been to several so called bad sites with IE and have never been infected from them - it depends how your browser is configured.
     
  13. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hi,

    Just to make a note, AVG, F-Prot etc. have all detected the malicious attempts. Get some of the facts straight. I run several of them.

    Regards,
    fluxgfx.com
     
  14. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    In my opinion going to a known bad site to see if you can become infected is like running into a power pole to see if your airbag works in your car. Doesn't make much sense does it? :doubt:
     
  15. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Is this not against the TOS to post this address?
     
  16. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    It could be against it at some level. Will see what the mods think about it.

    Regards,
    fluxgfx.com
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No, you get your facts straight:

    hxxp://195.225.177.33/vx/win32.exe
    http://img324.imageshack.us/img324/2290/immagine5fq.gif


    hxxp://195.225.177.33/mcXrRZv.jar
    http://img286.imageshack.us/img286/3553/immagine4wp.gif

    hxxp://195.225.177.33/vx/sploit.anr
    http://img119.imageshack.us/img119/7807/immagine5qh.gif

    hxxp://195.225.177.33/uBsmpgr.php
    http://img119.imageshack.us/img119/2655/immagine4qo.gif
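TNT's list above names the components hosted on the site (a .jar archive, an .anr cursor file, a .php loader, a win32.exe). An added example, not code from the thread or from any of the tools named in it: a standard-library Python script that inventories what a saved copy of such a landing page would pull in (applet archives, object data, frames, script sources, stylesheet hrefs, CSS cursor files, meta-refresh targets) by parsing the markup, never rendering it. The sample page below is constructed for illustration; the class name `Counter.class` and the page layout are assumptions, not the site's actual source.

```python
"""Static inventory of what a captured drive-by page would load.

Standard library only; the page is parsed, not rendered, no script runs and
no network request is made. Feed it HTML saved with a non-browser client.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Tag -> attributes through which a page pulls in something a browser or a
# plugin would execute or parse (applets, objects, frames, scripts, styles).
LOADER_ATTRS = {
    "applet": ("code", "archive", "codebase"),
    "object": ("data", "codebase"),
    "embed": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "script": ("src",),
    "link": ("href",),
}
# Cursor files pulled in from CSS (cursor: url(...)) and meta-refresh targets.
CURSOR_RE = re.compile(r"cursor\s*:\s*url\(\s*['\"]?([^'\")]+)", re.I)
REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)


class LoaderExtractor(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.found = set()         # (kind, absolute URL or CLSID)
        self.script_langs = set()  # e.g. {"vbscript", "javascript"}
        self._in_style = False

    def _add(self, kind, ref):
        if ref:
            self.found.add((kind, urljoin(self.base, ref.strip())))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        for attr in LOADER_ATTRS.get(tag, ()):
            self._add(tag, a.get(attr))
        if tag == "param" and a.get("name", "").lower() in ("archive", "code", "src", "url", "movie"):
            self._add("param", a.get("value"))
        if tag == "object" and a.get("classid"):
            self.found.add(("classid", a["classid"]))  # ActiveX control ID, not a URL
        if tag == "script":
            lang = (a.get("language") or a.get("type") or "javascript").lower()
            self.script_langs.add(lang.split("/")[-1])
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.search(a.get("content", ""))
            if m:
                self._add("meta-refresh", m.group(1))
        if tag == "style":
            self._in_style = True
        for m in CURSOR_RE.finditer(a.get("style", "")):  # inline style attribute
            self._add("cursor", m.group(1))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            for m in CURSOR_RE.finditer(data):
                self._add("cursor", m.group(1))


def extract_loaders(html_text, base_url):
    """Return (sorted list of (kind, target), sorted list of script languages)."""
    parser = LoaderExtractor(base_url)
    parser.feed(html_text)
    parser.close()
    return sorted(parser.found), sorted(parser.script_langs)


# Constructed sample for illustration, not the real site's HTML: the file
# names follow TNT's list; Counter.class and the layout are invented.
BASE_URL = "http://195.225.177.33/"
SAMPLE_PAGE = """<html><head>
<style>body { cursor: url(/vx/sploit.anr); }</style>
</head><body>
<applet code="Counter.class" archive="mcXrRZv.jar" width="1" height="1"></applet>
<iframe src="uBsmpgr.php" width="0" height="0"></iframe>
<script language="VBScript">' dropper stub would go here</script>
</body></html>"""

if __name__ == "__main__":
    refs, langs = extract_loaders(SAMPLE_PAGE, BASE_URL)
    for kind, target in refs:
        print(f"{kind:12s} {target}")
    print("script languages:", ", ".join(langs))
```

Save the page with a non-browser client into a throwaway directory and run this over the file. It only sees what is literally in the markup: references assembled at runtime by obfuscated script (document.write, unescape) will not appear, so an empty result is not a clean bill of health, only a first inventory of what to pull next for hashing and scanning.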
     
  18. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    As Bigc's post states above, we're not real supportive on the idea of people "testing" their security by going to an infected site to see what happens. However, at a certain level such posts might open up an intelligent discussion that could be worth having, so on a case by case basis, we'll look at the context and decide whether such a post should remain.

    This one was a fine line, of course. In the end, I thought to leave the IP address for these reasons... First, it's not an active link. (In cases where someone reports an infected site using a clickable link here, you'll often see Mods editing the link to make it unclickable but leaving the link in place.) Second, the link is to a site that is spyware infected, but it is not a "hacker site". (What I mean is that it's not a site with links to lists of trojans, "How To" guides for hacking your friends and neighbors, download links to "kits" for building malware, or assembling your own malware library, etc. Nor is it a porn library or a warez / cracks site.) Third, there are plenty of warnings in the posts here saying that it is dangerous to browse to that site, and also not the smartest thing in the world to do.

    So, in this context I decided to leave this one in place (although moved from the firewalls forum since it really didn't belong there).

    The spirit of the TOS is really to prevent the advertising or glorifying of such things as cracks, warez, porn, hacking tools and guides, criminal activities, and so on. But, it's not to prevent the mere mention of such things including the address of an infected site, or to deny that they exist. That said, there is a limit to how much of this would be considered reasonable. An occasional thread like this, in a similar context, would probably be allowed. If we suddenly get lots of such threads, then we'd probably remove them.
     
  19. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Protowall blocked this site on my machine*puppy*

    Info by Protowall:

    195.225.176.000 - 195.225.179.255 Deny Netcat Hijackers Hosting Ukraine, ip176-3.netcathost.com[Trojan.Moo.B], w.w.w.omega-search.com[CWS-Spy] Spyware List 0000001024 255.255.252.000 /22 00014
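An added example (not from the thread, and not Protowall's own code) showing what that list entry amounts to: parse the "first - last label" line into addresses, recompute the /22 and the 1024-address count that appear at its tail, and test whether 195.225.177.33 falls inside. The field layout is assumed from the single line pasted above; the list format is not otherwise documented on this page. Note the zero-padded octets, which current Python versions refuse unless normalized first.

```python
"""Check an address against a Protowall/PeerGuardian-style range entry.

Entries are plain text: 'first - last  free-form label ...'. The fields after
the label (count, mask, prefix) are not parsed; they are recomputed here.
"""
import ipaddress
import re

RANGE_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*(.*?)\s*$"
)


def normalize_ipv4(text):
    """Strip zero-padded octets (195.225.176.000 -> 195.225.176.0).

    ipaddress rejects leading zeros since Python 3.9.5 / 3.8.10 (the fix for
    CVE-2021-29921), so a list exported in this padded style has to be
    normalized before the strings are handed over.
    """
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    values = [int(o) for o in octets]
    if any(v > 255 for v in values):
        raise ValueError(f"octet out of range: {text!r}")
    return ipaddress.IPv4Address(".".join(map(str, values)))


def parse_range_line(line):
    """Return (first, last, label) for one list entry."""
    m = RANGE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized entry: {line!r}")
    first, last = normalize_ipv4(m.group(1)), normalize_ipv4(m.group(2))
    if last < first:
        raise ValueError(f"inverted range: {line!r}")
    return first, last, m.group(3)


def range_to_cidrs(first, last):
    """Minimal set of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(first, last))


def address_count(first, last):
    return int(last) - int(first) + 1


def ip_in_range(ip_text, first, last):
    return first <= normalize_ipv4(ip_text) <= last


# Entry pasted by Smokey above, copied as-is including the zero-padded octets.
PROTOWALL_LINE = (
    "195.225.176.000 - 195.225.179.255 Deny Netcat Hijackers Hosting Ukraine, "
    "ip176-3.netcathost.com[Trojan.Moo.B], w.w.w.omega-search.com[CWS-Spy] "
    "Spyware List 0000001024 255.255.252.000 /22 00014"
)

if __name__ == "__main__":
    first, last, label = parse_range_line(PROTOWALL_LINE)
    print(f"{first} - {last}  ({address_count(first, last)} addresses)")
    print("as CIDR:", ", ".join(str(n) for n in range_to_cidrs(first, last)))
    for ip in ("195.225.177.33", "195.225.180.1"):
        print(ip, "blocked" if ip_in_range(ip, first, last) else "not blocked")
```

Ranges that are not aligned to a power of two summarize into several CIDR blocks, so a list converted for a router or host firewall will usually have more lines than the original file.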
     
  20. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Thank you LowWaterMark.
     
  21. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hi,

    Yes, I can see your printscreen image. What you are demonstrating was detected on my end by both F-Prot and AVG.

    Regards,
    fluxgfx.com
     
  22. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Huh? Translation, please.
     
  23. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Please note that Jotti's Virus Scanners run on Linux.
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, it might be that the Windows version has a more comprehensive database, but that's hardly an excuse: the Linux version is supposed to protect Windows machines anyway. Moreover, a few months ago at work we had a Coolwebsearch infestation run amok on a Windows 2000 machine with F-Prot up to date, and F-Prot was completely unable to stop it. Given that antivirus applications always miss something (and some are not, well... as good as the best), I think advice like "the antivirus will take care of it" is unwise.
     
  25. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
    Does anyone have any clue, when the site tries to access memory through Firefox... if there is any exploit there through the memory access? o_O
     