Browsing a website I saw something I haven't seen for years, runaway popups and quirky behaviour.
It was a “specialist” website, one dealing with the dirty side of Rover SD1s, and the payload came through clicksor which seems to feature in their banner ads.
The infected PC was an odd mix of Vista/Firefox/AVG free, odd because I hate Vista but haven't wiped it already.
AVG tried to catch it but it's in there and hiding well from AVG, nothing on a full scan but it did spot Trojan Hider.MPT before saying the file was not found.
Stinger cannot find it either
I should just wipe it and start again but it interests me.
Opening Natwest banking brings up a different but convincing screen asking for all the login details in one, the whole pin number and the like.
Yeahh righto
All the while it's port scanning for web servers on 172 addresses.
Any anti-virus sites resolve to 127.0.0.1 so don't work very well, I'm not sure how though, it hasn't modified drivers/etc/hosts and the DNS server is correct.
nslookup from the command prompt works if you specify a nameserver but standard name resolution has been compromised in some way.
Makes me very glad I have a reasonable firewall between this and the important PCs.
I think I’ll be building a linux firewall of some sort and capturing all its traffic for a bit.
Malwarebytes found the last nasty I encountered on a friends machine.
As to the other problem, going old-school, is there a file somewhere in the registry that's resolving the DNS settings? The virus might have created it. Scan the registry for 127.0.0.1.
The hosts file is empty.
I tried adding mcafee to the hosts file so I could download Stinger but it still didn't resolve.
Same with the AVG forums, which was a Google hit for something I was searching for in relation to the symptoms.
That's why I want to tinker with it, if somehow DNS is redirected through interception in the TCP stack I will be impressed.
All the config looks correct :chin:
I suppose Natwest might be interested in it if this is a targeted banking attack.
Here's one for you to try.
Cold boot your PC
Have a coffee
open a DOS/cmd window (simple tools time)
run netstat -a
Sounds like time to play with HijackThis. Still my favourite little virus finder, using hijackthis.de for a bit of interpreting was my normal way to make a few pounds chasing nasties.
Well, I found bits of it scattered about.
Safely booted from trinity rescue kit
There is a javascript uploader of some sort loadorrndname.php
The file itself is a mix of binary and some sort of encoded text where the text for some sort of menu seems to live.
Using strings then od to look in a bit more detail shows this sort of thing
0227100 C 3 A 3 L 3 C 3 _ 3 P 3 O 3 P 3
0227120 U 3 P 3 \0 3 020 3 S 3 h 3 o 3 w 3
0227140 3 R 3 e 3 s 3 u 3 l 3 t 3 s 3
0227160 3 A 3 s 3 \0 3 \0 3 317 272 H 3 e 3
0227200 x 3 \0 3 \0 3 320 272 D 3 e 3 c 3 i 3
0227220 m 3 a 3 l 3 \0 3 200 3 321 272 M 3 a 3
0227240 t 3 c 3 h 3 3 T 3 o 3 o 3 l 3
With a squint you can read alternate bytes as CALC_POPUP and Show Results As Hex etc
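The "alternate bytes" pattern in the od dump is what plain strings misses: one text byte followed by one filler byte. The scanner below, an added example and not code from the thread, pulls such runs out of a binary and goes a little beyond the post by accepting any constant filler, so it catches ordinary UTF-16LE (filler 0x00) as well as the '3' (0x33) interleaving seen above. The sample bytes are constructed for the demonstration, not taken from the real file.

```python
"""Extract 'wide' strings (text byte, filler byte, text byte, ...) from a blob."""
import string

# printable ASCII minus the whitespace controls that would make runs look like text
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def wide_strings(data: bytes, min_len: int = 4):
    """Return (offset, text, filler) for each run of >= min_len interleaved chars.

    filler is the constant byte sitting between the text bytes: 0 for UTF-16LE,
    0x33 for the '3'-interleaved labels in the od dump.
    """
    results = []
    i, n = 0, len(data)
    while i + 1 < n:
        filler = data[i + 1]
        j = i
        # extend the run while <printable><filler> keeps repeating
        while j + 1 < n and data[j] in PRINTABLE and data[j + 1] == filler:
            j += 2
        text = data[i:j:2].decode("ascii")
        if len(text) >= min_len and text.strip():
            results.append((i, text, filler))
            i = j          # continue after the run
        else:
            i += 1
    return results


def _interleave(text: str, filler: int) -> bytes:
    """Build a '3'-style interleaved string for the constructed sample."""
    return b"".join(bytes([c, filler]) for c in text.encode("ascii"))


# Constructed sample (hypothetical): junk bytes, a 0x33-interleaved label like
# CALC_POPUP in the dump, then an ordinary UTF-16LE menu string.
SAMPLE = (b"\x7fELF\x01\x02"
          + _interleave("CALC_POPUP", 0x33)
          + b"\x00\x10"
          + "Show Results As Hex".encode("utf-16-le")
          + b"\xcf\xba")

if __name__ == "__main__":
    for offset, text, filler in wide_strings(SAMPLE):
        print(f"{offset:#08x} filler={filler:#04x} {text}")
```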
In case you’re still looking at the system, here are a couple of ideas…
In addition to the hosts file there may also be a “hosts.ics” or a “lmhosts” file in the “drivers\etc” directory (that the virus would have created). These files have different purposes, but the same ability to redirect.
…Also (from lurking in the malware bytes forum), redirects can be coming from your router (if it wasn’t password protected). A simple router reset is the accepted solution for this.