Friday, March 13, 2009

Malware attack avoided

And now something appropriate for Friday the 13th!

Last weekend I was checking the news on a few sites using fully patched IE6 on XP when I went to my local major news site. Before the page finished loading, I saw this message in a standard popup dialog box with OK and Cancel:

"For the further viewing of page it's needed to set an update.
To update it immediately press OK."

Immediate strongly suspicious (the POOR English was also a clue), I looked on the lower left bar of IE and saw "84654321(dot)cn/vparivatel.php" (I replaced the period with dot so you won't accidentally click on it -- DO NOT go to that URL -- it's still alive). The CN extension was enough for me to know that something no good was happening. I quickly wrote it down and used Task Manager to kill iexplore.exe. Then I restarted and cleaned out IE's cache.

Killing IE is the best way to deal with things like this because as you will discover below, hitting Cancel was just as bad as hitting OK on that dialog box.

Next, I fired up NetScanTools Pro and went to URL Capture. This tool brings in the text from a website and does not run scripts or download images. It simply downloads the raw text and displays it. So I entered the URL and retrieved it. Inside the script tags was this:

function last(){
if (confirm('\nFor the further viewing of page it\'s needed to set an update.\nTo update it immediately press OK.'))

You can see that whether you press OK or Cancel or red X, it appends ?a to the URL and activates it. So next I used URL Capture to do just that, manually of course. And guess what, MALWARE. Here is the start of what comes back:

Server: Apache/2
X-Powered-By: PHP/5.2.8
Accept-Ranges: bytes
Content-Length: 43241
Content-Disposition: inline; filename=1.exe
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/octet-stream
MZ followed by lots of barely printable characters, then part of a regular webpage.

MZ are the first two characters of an executable Windows file, and IE was being told that it was an application. So if I had not killed IE, it would have infected my computer with this executable. Needless to say I contacted the news site webmaster, but they didn't reply. I suspect it came through an ad that was rotated through.

Don't go to that URL because if you do, you will get this MALWARE executable -- it is still alive today.

Searches on 1.exe and vparivatel reveal that it does something similar to that other MALWARE I reported on where there is a forced redirect (hijack) to a bogus AV or security product.

The moral of all this is that you can get these things even from what you think are trusted sites. If those sites are running ads from other 3rd parties, you cannot totally trust the site. And the second thing is to kill your browser with Task Manager rather than trying to shut it down normally -- oh and don't forget to clean the browser's cache -- immediately.

Tuesday, March 10, 2009

NetScanTools (TM) Pro 10.82 Published

NetScanTools Pro 10.82 was completed and published on February 28. The USB patch was ready on March 2. This was an urgent release fixing an obvious problem that we missed in 10.81: nslookup was not showing results. A couple other minor changes were also done in this release.

10.81 (released just 5 days before) had several fixes, the biggest was fixing the Windows 7 crash problem. It was happening because we were not correctly identifying the new operating system and reverting to older code usable only on Windows 2000. Windows 7 didn't tolerate those old function calls at all, so the program crashed. The second most important addition was a warning message that now appears when you click on a results link in URL Capture. Other minor changes were made and all databases were updated.