HTTP Mailicious Toolkit Variant Activity on my Web site

I run a Web site: www.TeamRCIA.com. Two people in the last week have told me they are getting "malicious toolkit" warnings when they log onto the site. Everything was fine when I signed on, and I asked several other people to log on from their computers. Also fine.

I use Firefox, so I installed IE8 to see if that mattered. When I logged on in IE8, Norton gave me a warning: "An intrusion attempt by NICK-PC was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\AVG\AVG8\AVGNSX.EXE"

I posted a screenshot of the full alert here: http://bit.ly/iQLtU

NICK-PC is my desktop. I am running Vista. The site is hosted by 1and1.com and it uses a WordPress template.

Thanks for your help.

Nick Wagner
e-mail address removed to protect from spambots. ~ OB

Edited by Orange Blossom, 31 May 2009 - 04:30 PM.

Hello NickWagner,

We can't see the image because that link goes to a Yahoo log-in page and not to the image.

Orange Blossom

Sorry. Try this:

Hello NickWagner,

We can't see the image because that link goes to a Yahoo log-in page and not to the image.

Orange Blossom

Edited by Orange Blossom, 31 May 2009 - 05:23 PM.

This time, I was able to see the image. I've changed the link so that it is the image only so we don't get to a page of ads in addition to the image. I also used BB code so the image appears in the post.

The image is pretty fuzzy. Can you type out the text after "Attacker URL" and "Destination Address"?

Also, do you have AVG Internet Security installed on the computer the "attack" is coming from? If so, is the "link scanner" installed?

Orange Blossom

p.s. By the way, what are you using to come up with those short URL's?

Okay, here it is.

Attacker URL: ibalefo.net/?click=3F7ED2

Destination Address: ibalefo.net (201.245.239.24, 80)

I do have AVG Internet Security installed and the LinkScanner is active.

You can find the short URL tool at http://bit.ly (no .com). They have an applet you can drag to your toolbar. Whenever you click on it, it gives you a short URL of the page you're looking at. If you Twitter, you can also post directly from there.

Nick

This time, I was able to see the image. I've changed the link so that it is the image only so we don't get to a page of ads in addition to the image. I also used BB code so the image appears in the post.

The image is pretty fuzzy. Can you type out the text after "Attacker URL" and "Destination Address"?

Also, do you have AVG Internet Security installed on the computer the "attack" is coming from? If so, is the "link scanner" installed?

Orange Blossom

p.s. By the way, what are you using to come up with those short URL's?

Okay, I'm stretching the bounds of what I know and how to go about finding answers at this post.

Here is what I've found:

ibalefo.net appears to be a bad site. According to the following link, that site has injected malicious code into legitimate sites.

http://google.com/safebrowsing/diagnostic?site=ibalefo.net/

Norton says that that site has a bloodhound exploit.

http://safeweb.norton.com/report/show?name=ibalefo.net

Now, what I find odd here is that the "source" of the attack according to the screen shot is this: PROGRAM FILES\AVG\AVG8\AVGNSX.EXE" which is not a webpage.

AVGNSX.EXE is connected with AVG Security Suite and that file in particular with the link scanner. It is also in the appropriate folder, so it is unlikely that it is malware.

http://www.processlibrary.com/directory/files/avgnsx/

http://www.file.net/process/avgnsx.exe.html

I hope that you don't have both Norton AV and AVG AV running as having more than one AV creates serious problems. If you do have more than one AV installed, please uninstall one of them.

It is not a good idea to have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.


In any case, I'm going to suggest that you disable the link scanner or uninstall it and see if that resolves the issue. If it doesn't, I'll have some other folks look this over to troubleshoot this further.

Orange Blossom

Edited by Orange Blossom, 31 May 2009 - 11:30 PM.
Add a sentence and two links for information about AVG file. ~ OB

I DID have both Norton and AVG installed. I uninstalled AVG, and that seems to have fixed the problem. One of the people who reported a problem to me says she is no longer getting a warning. I'm still waiting to hear from the other person.

Do you have a recommendation between Norton and AVG? Which is better to use?

Thanks for your help with this.

Nick

Hello NickWagner,

I'm glad your issue appears to be resolved.

I really cannot say which AV is better. Indeed, what works quite well on one person's computer may not work at all well on another's.

A case in point: Windows Defender. This is a good anti-spyware program for a lot of people. For me, however, it caused nothing but trouble. It uses a lot of resources, and I've but 256 MB RAM, and it always crashed when I tried to update the program. So that program went bye-bye for me.

Another thing to consider is that I have a stand-alone computer. If you are on a network and you scan the various computers from a master computer or server, you may need something different than I do. Each computer, in that case, will have to have the same AV product installed on it. I know that Symantec has a corporate version that can be used on a network as does Sophos. I don't know if AVG does.

Really the best thing to do is to trial different products and see what works best with your configuration and software mix.

Keep in mind: 1 3rd party software Firewall, 1 Anti-Virus, 2 or more on-demand Anti-spyware programs. Perhaps 1 real-time Anti-spyware or anti-malware program. Just be sure not to over-burden your system. If you have a router which contains a type of hardware firewall, you still should have a 3rd party software firewall.

Spywareblaster - prevents spyware from being installed on your PC. - Tutorial: Using SpywareBlaster

This program doesn't use resources. What it does is insert things into your browser's restricted sites, blocked cookies, and other areas too keep bad sites from putting stuff on your computer. Of course, you need to update it occasionally. I'd suggest checking for updates on at least a bi-weekly basis.

SuperAntiSpyware - link to a direct download of the Free version

This is a very good on-demand scanner. It finds things best in Safe Mode, but also works well in Normal mode.

You might also consider the MVPS Host File which you can read about here: http://www.mvps.org/winhelp2002/hosts.htm and find the links to the downloads and various information pages here: http://www.bleepingcomputer.com/forums/t/123980/mvps-hosts-file-update/

Here is a link to a list of many free-ware programs. http://www.bleepingcomputer.com/forums/topic3616.html It does need updating and there are a lot of posts to wade through right now, but there is still lots of good stuff to be found.

Occasionally, perhaps once a month, get a "second opinion" with an on-line AV scan. There is a list of those in the free-ware program link I posted.

You can also see what I have installed in my signature.

Orange Blossom

Argh, my second friend checked in and is still getting an error message:

The initial message comes through McAfee and says McAfee has automatically blocked and removed a Trojan. By the time I got that much written down the message was gone, so I went into McAfee and got this info:

Real-time virus protection enabled and protecting your computer.

In the activity log is this:
Detection name: Exploit-PDF.f (Trojan)
File C:\Users\Leisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IES\T3296W32\618[1].pdf

Thanks for all the info about antivirus programs. That's helpful.

Nick

My first friend just checked in again. She logged on fine last night, but today she received another warning when she logged onto teamrcia.com:

Threat Severity: High

Activity: An intrusion attempt by D5LC1Q31 was blocked Application path \ DEVICE \ HARDDISK VOLUME 2 \ PROGRAM FILES \ INTERNET EXPLORER \ IEXPLORE.EXE

HTTP Malicious Toolkit Variant Activity

Attacking Computer
D5LC1Q31 (68.175.48.253, 1976)

Attacker URL
ibalefo.net/?click=3F7ED2

Source address
68.175.48.253 (68.175.48.253)

Traffic description
TCP, Port 1976

Thanks for your help with this. I hope you can help me figure it out.

Nick

I just signed onto TeamRCIA.com in IE8 and got another warning from Norton. Everything is still fine in Firefox. I'm not sure how to paste the screen shot into the post, but this is the link:

http://bit.ly/GC0CP

Nick

hello plaese run a FULL scan on your PC..
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform FULL Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

I just signed onto TeamRCIA.com in IE8 and got another warning from Norton. Everything is still fine in Firefox. I'm not sure how to paste the screen shot into the post, but this is the link:
http://bit.ly/GC0CP

TeamRCIA.com <- is ok according to McAfee Site Advisor and Norton Safe Web on my computer.

LinkScanner said the attacker URL (ibalefo.net/?click=3F7ED2) was clean (did not find any exploits), Dr.Webb Check URL Scan said it was clean and Unmask Parasites said the address was suspicious.

Norton Safe Web said it was bad (Bloodhound.Exploit.196).

Bloodhound.Exploit.196 is a heuristic detection for files attempting to exploit one of the following vulnerabilities:
* Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
* Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)

Files that are detected as Bloodhound.Exploit.196 may be malicious. We suggest that you submit to Symantec Security Response any files that are detected as Bloodhound.Exploit.196. For instructions on how to do this using Scan and Deliver, read Submit Virus Samples.

http://securityresponse.symantec.com/secur...-99&tabid=2

Note that Norton says it may be malicious but then again it may not be so they ask for samples to be submitted for further investigation.

Some types of infections spread by by visiting legitimate web sites that have been compromised through various hacking techniques used to host and deliver malware via malicious code, automated SQL Injection and exploitation of the browser/operating system vulnerabilities.

• Malicious website evolution
• 70 Of Top 100 Web Sites Spread Malware
• Researchers uncover tool used to infect websites, spread malware
• Malicious HTML Tags Embedded in Client Web Requests
• Malicious Applets in Java cache directory

...More than 90 percent of these webpages belong to legitimate sites that have been compromised through hacking techniques such as SQL Injection...Hackers are apparently planting viruses into websites instead of attaching them to email. Users without proper security in place get infected by simply clicking on these webpages.

One webpage gets infected by virus every 5 seconds

• SQL Injection Overview
• Threat and Vulnerability Mitigation: SQL Injection

So someone could have been hacking your site (unlikely from the info provided thus far) or visitors with unpatched systems are receiving alerts because they did not apply the patch for the Adobe Reader exploit and/or are using Norton AV which picks up that detection.

The log is posted below. Before I ran the MBAM scan, I downloaded all the files from my Web site so those would be scanned too. (Took most of the day to run the scan, or I'd have been here sooner.) As I was downloading the files from the Web site, Norton indicated it was blocking lots of bad files. MBAM came up clean, though. However, AVG picked up two HTML/Framer viruses. The warnings look identical to me:

"C:\Documents and Settings\Nick\My Documents\Team RCIA\Back up TeamRCIA 0511\Backup2\wp-includes\default-filters.php";"Virus found HTML/Framer";"Infected"

"C:\Documents and Settings\Nick\My Documents\Team RCIA\Back up TeamRCIA 0511\Backup2\wp-includes\default-filters.php";"Virus found HTML/Framer";"Infected"

I also found some information on this Web site http://bit.ly/8uCA9 that iframes are injected into index.php files. I did a desktop search on "index.php" and physically looked inside each of them. They all have an iframe code that includes ibalefo.net.

I did a desktop search on "ibalefo" and found four index.html (not php) files that had the bad code.

I can reload clean files to my Web site, but I'm not exactly sure how to make sure all my blog posts get reloaded without also reloading the malware. Thanks for you help.

And thanks to you, too, quietman7 for your info.

Malwarebytes' Anti-Malware 1.37
Database version: 2222
Windows 6.0.6002 Service Pack 2

6/3/2009 4:21:06 PM
mbam-log-2009-06-03 (16-21-06).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 515773
Time elapsed: 8 hour(s), 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have found a lot of these NAV Bloodhound heuristics detections to be false positives so I was leaning in that direction since there only appeard to be a couple of users complaining as well. Looks like your investigation shows otherwise. Good job.

Also check out PHP security exploit with GIF images - Avoiding the problem.