“How did I get an infection?”

May 16th, 2010 Posted in Helpful tips

This is a question we hear quite often. It used to be that we could make the general recommendation “avoid adult, pirate software and file sharing sites”. That is no longer the case. Many argued the answer was Firefox because the viruses were being installed with ActiveX controls. When Internet Explorer cracked down on the installation of ActiveX controls, virus creators gave up on that.

Tonight I was researching a project. I clicked on a result in Google that took me to the page I wanted to go to. I did land on the correct page. However, at the same time Microsoft Security Essentials sprang into action and popped up a warning that a threat was detected in a web page it had saved in cache. The threat was a JavaScript infection embedded in a web page (htm) file. Deleting the threat resulted in this message:

What’s interesting about this is that the website had no advertising, nor did it have any Adobe files on it. Yet here, on my computer, something is trying to use my Adobe Reader and Java (a .jar file is a Java file) to infect my computer. I performed a search to find out where 188.72.211.253 (the internet IP address) came from. As you can see in the following screenshot, the address is administered by RIPE in Amsterdam:

Amsterdam?? My web page was based in Idaho. RIPE Network controls half the internet. There’s more digging to be done here. Let’s search the RIPE database to find out where our little criminal mastermind is hiding their files:

Let’s all say hi to our friends in Turkey. Here’s the funny part. Go to http://www.imajhost.com/. The title of their page suggests “The Most Secure Network”. Really? Hmmm.

I do a little more digging and find this:

http://www.windowsecurity.com/articles/Prepare-MPACK.html

As it turns out, it’s a team of Russian hackers calling themselves the “Dream Coders Team” that developed a kit called Mpack retailing for $300 to $1000. A similar product first showed up in 2007 called Icepack, developed by the IDT group. It seems that Mpack and IcePack faded from the public eye in 2008 or so.

I did a little more digging and found these:

http://www.securelist.com/en/analysis/204792044/Bootkit_the_challenge_of_2008

http://research.zscaler.com/2010/03/recent-spike-in-neosploit-activity.html

In 2007 another web attack kit named Neosploit surfaced. It functions in a similar way to Mpack and Icepack and originally sold for $1000 to $3000. I’ve found references to Neosploit Toolkit as late as April 2010 being found on web servers.

Recently (May 4, 2010) the US Treasury website was hacked using the Eleonore Exploit Pack. You can read about that here. The Eleonore Exploit Pack was created by ExManoize in June 2009 and retails for about $1000 USD. It is updated once a month or so as new exploits are added. Currently he’s up to over a dozen of them in his “pack”.

The goal of these kits is to find vulnerabilities in websites and exploit them. PHP-Nuke, WordPress, contact forms, Adobe Flash, ActiveX, third party widgets, etc. with security flaws are all targets of these tools.

The attackers hack the server the website is hosted on to install the tool’s manager and alter the webpage. What it does is add an “iframe” to any normal webpage. An iframe can load a webpage that’s not related to the site you are viewing, and it can be hidden. What these guys are doing is altering normal web pages. As your proper webpage loads, the page loaded in the iframe is redirecting you to a PHP server running the tool kit. This server determines what operating system you have, what browser you are using and what vulnerabilities you have on your computer. Once it figures that out, it launches the infection. It may keep trying until it finally finds an infection that works. A report is then sent back to the operator of which exploits were successful and which country you are from.
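One way a site owner can check their own pages for the injected, hidden iframe described above is a small scanner like this. It is an added example, not code from the original post or from any of the kits it names; the sample page, the host names and the size/style heuristics are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe plus one
# injected, zero-sized, off-site iframe of the kind described above.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src="http://evil.example/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

def _tiny(value):
    """True for a width/height of 0 or 1 (with or without a px suffix)."""
    return value.strip().lower().rstrip("px").strip() in ("0", "1")

def is_hidden(attrs):
    """Hidden if sized to (almost) nothing or hidden via inline style."""
    if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style

class HiddenIframeFinder(HTMLParser):
    """Collects src URLs of hidden iframes that point off the site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        host = urlparse(a.get("src", "")).hostname
        # Relative URLs (no host) and same-host frames are not flagged.
        if host and host.lower() != self.site_host and is_hidden(a):
            self.findings.append(a["src"])

def find_hidden_offsite_iframes(html, site_host):
    """Return the src of every hidden, off-site iframe found in html."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.findings
```

Run `find_hidden_offsite_iframes(page_html, "your-site-host")` over each page pulled from the server; a non-empty result is worth inspecting by hand, since legitimate hidden frames (analytics, login helpers) can also match.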

In my case the infections were hosted in Turkey and launched three different exploits. The first was a trojan downloader that would try to connect to different websites. The second, the JAR Java file in the screenshot above, tries to start shell code and then starts the downloader. The third is a PDF exploit. It checks the version of Adobe Reader on my computer (unfortunately for them, Acrobat is my default PDF handler), downloads a PDF file, executes it with the PDF reader, and a script in the file executes automatically.

Fortunately Microsoft Security Essentials caught it. These toolkits are constantly updated. The point of installing the manager on the infected web server is so that even when the website is fixed, it is reinfected by the attackers at regular intervals. If you are a website owner, the way to protect yourself from these attacks is to change your FTP password at regular intervals and ensure all your applications are updated.

To read more about how these types of infection work, see this article and this article.

It’s very easy to get your hands on these toolkits. It didn’t take me long before I found and downloaded Neosploit 2 to confirm the download link was still active. Script kiddies all over the world are wreaking havoc on the internet by having easy access to these tools.

Another problem we’ve seen a lot of is infected banner ads. Attackers are exploiting third party advertising sites such as Interclick to spread their vicious payloads.

So why do this? The answer is money. One scenario is that the attackers can affiliate themselves with sites like Clickbank. Clickbank will give them a little commission for each product they are responsible for selling. One product that pops up on Clickbank on a regular basis is fake antivirus software. Using Mpack, the hackers (well, script kiddies is more like it) can infect your computer with the fake antivirus. When you purchase it they get a commission. Alternatively the makers of the software themselves can use Mpack to spread their scumware. In the end, the result is the same. They make money with their crime…and the chances of getting caught are very, very low.

So what is the solution? We’re still working on that, but your best defence is to keep your Windows and browser software up to date. You can also view this list of known domains participating in these scams to add to your HOSTS file (if you’re unsure how to do this, bring your computer in to us for servicing and we can do it for you). It’s also critical to keep Adobe Reader, Adobe Flash and Java up to date. When you see a popup to update them, it’s important to do so. It re-emphasizes the importance of having legitimate Microsoft software to make certain you get the proper updates. It also helps to have the best antivirus installed. We currently recommend Kaspersky Internet Security or Microsoft Security Essentials.

We passed the test!

May 5th, 2010 Posted in Announcements

Last year, unbeknownst to us, Microsoft sent a secret shopper to our location to find out if we sold genuine software or pirated it. As most of our clients know, we only offer genuine Microsoft products to our clients, including all relevant packaging. The reasoning is simple. It is to your advantage for security and functionality.

Pirated software means you don’t get valuable updates which include security fixes. It means your system is vulnerable to attack. It also can result in reduced functionality. One example we’ve seen numerous times is Microsoft Office, where you can only open documents, but not save them or send emails.

We’ve seen several vendors in classifieds such as Kijiji selling computers or computer repair with pirated software. We strongly recommend that with every new computer you purchase (this does exclude off-lease or used computers) the vendor provides you a VALID license key sticker, manual and disk. If they don’t, we encourage you to report them to Microsoft’s Piracy hotline at 1-800-RU-LEGIT or http://www.microsoft.com/piracy.

Our secret shopper reported back that we were offering legitimate Microsoft software. When you purchase a new system or computer repair from Northern Protocol, you purchase security and peace of mind.

Read the letter we received from Microsoft.

The unfortunate reality of amateur computer sales / repair (Kijiji, etc)

May 2nd, 2010 Posted in Client experiences

It’s a fairly regular occurrence. Someone gets sucked in by the “cheap” prices they see in classified publications like Kijiji and ends up getting taken for a ride. We’ve seen numerous examples of it over the years, but this one really stood out.

Our client was referred to one of these scam artists by their neighbour. Everything seemed fine on the surface. The fellow came across as legit, knowing the right words to say. Our client paid their money and then sat back and waited... and waited. Six weeks of persistent phone calls later, this excuse of a computer showed up at the door.

It came to us because it kept crashing until finally it wouldn’t load into Windows at all.

There are some things to note about this computer.

  • The wiring is everywhere. It was thrown together in five minutes.
  • The power supply is a $10 MIOS piece of junk.
  • The rear fan isn’t connected. Bad air flow results in premature hardware failure.
  • The main drive, a Western Digital, is failing badly and needs to be replaced.
  • None of the drives are fastened on both sides. The fellow didn’t even bother taking the time.
  • Half of the motherboard stand-off supports and/or screws are missing.
  • There is no Windows license on the computer.
  • The backing plate was improperly installed and the clips were bent outwards.

Unfortunately there’s no regulation of the industry, especially on sites like Kijiji. I’m sure there’s the occasional person on there that’s legit and can actually do a decent job, but we’ve yet to see it. If this isn’t the “expert”, “elite” or “quality” computer repair that you’re looking for, our only recommendation at this point is that any of these people that are advertising cheap computers or services in free classified websites and publications should be avoided.


© 1999- 2010 Northern Protocol Inc. Computer Sales and Service