Site cleansed or with HTML:Script-inf?

See: http://zulu.zscaler.com/submission/show/7ca724e5e931116954d8c594837174f8-1331541214
Malware has been up since: 2012-03-12 01:30:05
See: htxps://www.virustotal.com/url/d3be23bfd014be86b260407df40d61a5d8ec06decbe3286f8fdfe5a5b5f55741/analysis/
and
htxps://www.virustotal.com/file/4bb81720f8c340a8a909c5b12275664c2a5f25464134817aa8c304ec7af7f8f1/analysis/ (8 hrs ago)
but also: htxp://vscan.urlvoid.com/analysis/9a537f81711d0f36435748461c2310ff/aW5kZXg=/

polonus

Right now it’s reported clean on Sucuri…
http://sitecheck.sucuri.net/results/http://peterplysonline.dk/

This was the status for 2012-03-10 18:05:00 htxp://www.peterplysonline.dk/ 4266451E7F405ABA73F85DFD4D3CBB41 195.128.175.0 DK HTMLRce.Gen
Suspicious here: htxp://urlquery.net/report.php?id=30502

polonus

I ran a bootscan this evening which turned up the HTML:Script-inf infection you mentioned together with this one: JS:ShellCode-AF. Here’s the scan result for both files (I only changed my Username):

  • File C:\Documents and Settings\{Username}\Local Settings\Application Data\Mozilla\Firefox\Profiles\qx84cimq.default\Cache\1\4A\46996d01|>{gzip} is infected by HTML:Script-inf, Deleted
  • File C:\Documents and Settings\{Username}\Local Settings\Application Data\Mozilla\Firefox\Profiles\qx84cimq.default\Cache\7\FB\A57A1d01|>{gzip} is infected by JS:ShellCode-AF [Expl], Deleted

This is interesting because I’ve scheduled a full system scan to take place every Thursday and the last one reported a clean machine. So sometime between then and now, I picked these two up.

Microsoft reports that the latter file frequently triggers in the user’s Internet cache, which is what appears to have happened in my particular case: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=JS/ShellCode

I would hasten to add that AVAST is in no way to blame for this because I have knowingly disabled all shields because I find them to be a bit of a pain, but in the light of what has just taken place, I will have to reconsider that decision, I think.

It’s odd though because apart from making a few contributions on Bleeping Computer and Adobe, I’ve only visited my usual security sites like h-online.com, isc.sans.org, securitytracker.com and a few news media sites like bbcnews.com, so I don’t know where the infection came from unfortunately.

Hi Xircal,

This could be a FP. But for a second op, you could do a scan with DrWeb’s CureIt from : http://majorgeeks.com/Dr._Web_CureIT_d4783.html

polonus

That’s a nifty little tool too.

Not surprisingly, it didn’t find anything though. I’d already run a full Malwarebytes scan and a Sophos Anti-Rootkit freebie, both of which drew a blank.

As an added precaution, I installed a Firefox add-on called VtZilla which can be used to scan the site you’re already on, or scan before you go there and also to scan a file before you download it: https://www.virustotal.com/documentation/browser-extensions/

I also tried a couple of these: http://www.malwarehelp.org/anti-malware-bootable-rescue-cd-dvd-download.html namely the F-Secure rescue USB and the DrWeb LiveUSB. But in both cases, all I got was a ‘boot error’ when attempting to run them. That could possibly be due to my USB stick, but I haven’t got another one, so no way to check. I looked at the AVAST Bart CD, but it dates from 2008 which sounded a bit out of date. I deleted the Firefox cache as an added precaution anyway.

It’s interesting though because in all my years of working with operating systems which started way back when with MS-DOS, this is the first time I’ve unknowingly picked up a virus. I think it came about from clicking a link on a forum somewhere while trying to help somebody with a problem. I shall be more careful next time.

Anyway, thanks for the tip about Dr.Web CureIt.

Hi Xircal,

You are welcome. As I see you are quite an experienced user and know quite a bit about safehex yourself. You should realize that there is a lot of drive-by malcode that is just session related, staying in memory just for the session, and may invite some residential friends. Always a good thing when something alerts you to do a full scan of the local browser folder.
The mem malcode could not survive the next boot, but as long as it sits there it can assist other malcode to load. Your best policy is to keep your OS software and third-party software up to date and fully patched. Do you use Secunia? Go to this online service here: http://secunia.com/vulnerability_scanning/online/ Good to give that a swirl from time to time. Thanks for the feedback,

polonus

Hi polonus,

Having picked up this parasite, I’m intrigued as to where it came from. I’ve been going through my history to check links I’ve clicked during the past three days, but haven’t come across anything suspicious so far.

Something else I discovered as well which is a bit alarming is that during a full system scan, not all packers are scanned by default. Since in my particular case the shellcode was zipped with Gzip, which is primarily used to zip Linux files, it wasn’t being scanned during my weekly scheduled scans. So now I’m thinking that the malware may have been there for a lot longer than the three days I mentioned earlier. I’ve checked my firewall logs, but only see one blocked UDP scan which took place yesterday.

But my own research has turned up some other interesting stuff. It seems that “drive-by cache” as opposed to “drive-by downloads” are much more hazardous since the malware doesn’t download any files, but rather inserts the shellcode into the browser cache where it sits waiting to be executed. According to http://spy.wareremoval.com/tag/shell-code/ it’s much more difficult for AV to detect it in this way since the browser will load an infected page in the background and without any user intervention. The report on the Amorize blog (link on the same page) is fairly old and Adobe patched the zero day vulnerability some time ago, but since my own system is up to date and fully patched, I’m wondering if this is a new one doing the rounds. According to a post on Adobe’s forum at http://forums.adobe.com/message/4287764#4287764, there’s a new Flash Player patch due out shortly, so expect some more fireworks soon.

As regards Secunia’s PSI; yes I’ve used it in the past, but since Java is a major target these days and PSI requires it to be installed, I’ve stopped using it. But I keep track of updates to apps I use, don’t worry.

Java is no longer required for PSI which is why I have just re-installed it ;D

Hi essexboy,

That’s wonderful news. While lots of users won’t have any need for Java, they can still enjoy what PSI does to keep their OS and third-party software fully updated and patched. I hope a lot of users that come here will go and use it (again),

polonus

Still no good to me because it requires Microsoft Automatic Updates to be enabled. I prefer to have complete control over my own system and not allow MS to decide what’s good for me.

EDIT: to polonus,

For some strange reason, I appear to be banned from sending personal messages, so regrettably I cannot respond to yours, I’m afraid.

This is becoming a bit of a game. The JS/Shellcode rogue I mentioned above paid me a visit again today.

After the first experience and because I was somewhat intrigued by the whole episode having never had a virus on my system before, I created a custom scan to scan all packers in my Firefox cache folder where the JS/Shellcode rogue had landed so that after a browsing session, I could simply click the appropriate button and have AVAST scan the cache. I did that several times today and just drew a blank. But my last session which took place between 14:45:32 and 18:31:05 revealed the same culprit once again. It also went to the same location and used the same name, namely A57A1d01 as in my post above.

I subsequently downloaded “MozillaHistoryView” from Nirsoft which can read the sites and times the user visited them. Link in case anyone’s interested: http://www.nirsoft.net/utils/mozilla_history_view.html
Since you can right click and load a URL directly from within the utility, I reloaded every site I’d visited between those two times checking the location the rogue has landed on in between each visit. Unfortunately, on this occasion, it didn’t want to play ball and didn’t reappear. I ran an AVAST cache scan as a precaution, but drew a blank on that too.

Oddly enough, I’d read about this particular exploit quite some time ago, but had forgotten all about it until now. Here’s the report: http://www.h-online.com/security/news/item/Exploit-on-Amnesty-pages-tricks-AV-software-1230724.html

But I shall persevere since I’m determined to catch the bugger.
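The posts above describe two things worth automating on the defender's side: the scheduled scan skipped gzip-packed cache entries, and a custom scan of the Firefox cache folder was the way the recurring entry was caught. The script below is an added example, not code from this thread or from Avast; it walks a cache directory, detects gzip members by their magic bytes, decompresses them, reports SHA-256 hashes of both the raw and unpacked bytes (the unpacked hash is the one to look up on a file-hash service such as VirusTotal, which the thread links), and flags entries containing a script tag. The directory layout, file names and contents in `build_sample_cache` are constructed for the demo; the script treats every cache file as opaque bytes and does not parse Firefox's own cache metadata headers.

```python
import gzip
import hashlib
import os
import tempfile
import zlib
from typing import List, Optional

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member


def decompress_entry(data: bytes) -> Optional[bytes]:
    """Return the unpacked payload if `data` is a gzip member, else None.
    A truncated or corrupt member is reported as None so the caller can
    still hash the raw bytes and set it aside for manual inspection."""
    if not data.startswith(GZIP_MAGIC):
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is an OSError
        return None


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_cache(root: str) -> List[dict]:
    """Walk a cache tree and describe each file: whether it is gzip-packed,
    the hash of the bytes on disk, the hash of the unpacked content (when
    packed), and whether the content that a browser would render contains
    a <script> tag. The scheduled scanner in the thread saw only the raw
    bytes, which is why the packed entry slipped through."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            inner = decompress_entry(raw)
            content = inner if inner is not None else raw
            report.append({
                "path": os.path.relpath(path, root),
                "packed": inner is not None,
                "raw_sha256": sha256(raw),
                "inner_sha256": sha256(inner) if inner is not None else None,
                "has_script": b"<script" in content.lower(),
            })
    return sorted(report, key=lambda e: e["path"])


def build_sample_cache() -> str:
    """Constructed sample: a tiny tree laid out like Firefox's Cache/<x>/<yy>/
    directories, with one gzip-packed HTML entry (named after the entry in the
    thread, but with benign constructed content) and one plain text entry."""
    root = tempfile.mkdtemp(prefix="ffcache-sample-")
    packed_dir = os.path.join(root, "7", "FB")
    os.makedirs(packed_dir)
    html = b"<html><body><script>/* constructed benign sample */</script></body></html>"
    with open(os.path.join(packed_dir, "A57A1d01"), "wb") as fh:
        fh.write(gzip.compress(html))
    plain_dir = os.path.join(root, "1", "00")
    os.makedirs(plain_dir)
    with open(os.path.join(plain_dir, "plain01"), "wb") as fh:
        fh.write(b"just text, nothing packed")
    return root


if __name__ == "__main__":
    # Point scan_cache at a real profile's Cache directory to use it for real.
    for entry in scan_cache(build_sample_cache()):
        print(entry)
```

Run it against a copy of the profile's Cache directory rather than the live one, since Firefox rewrites entries while it is open; the `inner_sha256` values are what to compare against a hash lookup service, and `packed` entries with `has_script` set are the ones to pull out for a closer look.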

Hi Xircal,

I explained this to you. The general rule is that a user cannot post PMs until after posting a total of 20 messages, so 3 more and you are entitled to use Personal Messages. That is a general precautionary measure for all new users. That is all, nothing related to a ban or whatever. Considering the malware, sometimes these campaigns only take place during a short period and/or may be randomly played out. Maybe the site that triggered it has been cleansed or no longer gives this malware response (closed malware). PM me after you have posted 20 messages,

polonus

Sorry, I thought this was a discussion forum, but obviously not. I won’t post here again.

This is the Avast Support forum. :) Have no idea why you have such a short fuse ???