A site to collect many malware samples.

Using a PC with a Windows install you don’t care about, aim your browser at navitotal.com. The advertisements on it are doing a bang-up job at drive-by infestation.

It started with amateurish attempts with automatic redirects to spam sites. Then it escalated to fake virus warnings. Next up came the sneak attacks, but with easily cleaned malware. A few weeks ago I got nailed with a rootkit that sailed right past Avast and MSE. That took quite a bit of work to hunt down and remove.

I went back Sunday, May 1, 2011 and got nailed again. This time with malware that’s blocking Microsoft Security Essentials from running and it’s redirecting Yahoo and Google results through annogigheort.com which bounces through two or more additional sites that vary. Avast and MSE were alerting like crazy (for the first time on navitotal, they’d been completely silent on it previously) but at least one still got past.

Nothing I’ve scanned with (TDSSKiller, Avast, Malwarebytes, ComboFix) finds a bleeping thing. Spybot S & D twigs to a registry entry with a notice about MSE being disabled, but it can’t fix it. HitMan Pro found rsopn.dll in Windows\System32 as a trojan, but its 30-day free trial on the current download is pre-expired.

I used Unlocker to force-delete it, then I used attrib to remove its system, hidden and read-only attributes, then put it in Avast’s chest to submit. From what little I could dig up on it, it appears to be from Russia.

Anyway, I think it’d be a good thing for the Avast people (and all other AV companies) to visit that site and allow it to massively infect a PC just to collect what’s new in nastiness. Going by reports by users of the navitotal forum, the drive-by attacks may be set to be for specific IP ranges. I’m in the USA.

Edit: Forgot to mention this malware also deleted all my System Restore points so I couldn’t just kick it back to last Friday or Saturday.

http://www.google.com/safebrowsing/diagnostic?site=www.navitotal.com/

What happened when Google visited this site?
Of the 301 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-05-01, and the last time suspicious content was found on this site was on 2011-05-01.

Malicious software includes 4 exploit(s), 1 scripting exploit(s).

Malicious software is hosted on 8 domain(s), including asofr. net/, aospr. net/, 173. 193.250.0/.

3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including clicksor.com/, aeiuxortzy.net/, clicksor.net/.

This site was hosted on 3 network(s) including AS48211 (MTLM), AS49335 (NCONNECT), AS6623 (CNET).

Just the Chinese version of the site is up; the English and German versions are down.

Couldn’t get anything on my VM

Hi essexboy,

The status of the domain name is currently LOCKED, hosted by Mir Telematiki Ltd…
see: http://www.downforeveryoneorjustme.com/http://www.navitotal.com
Recently, well on 1/16/2011, for instance it had this malware, re: http://xml.ssdsandbox.net/view/304ad95c91e7059ce03182e24efaf528 = W32/Dropper.LOT!tr

polonus

Hi folks,

Site is up again, watch your clicks,

pol