Malwarebytes

best-antivirus03.com
hector
post Sep 12 2009, 06:18 PM
Post #1
New Member, Group: Members, Posts: 2, Joined: 12-September 09, Member No.: 19,849

Today, I was browsing nytimes.com and was suddenly redirected to best-antivirus03.com for the usual fake online scan, but a quick MBAM 1.41 scan revealed nothing, and a Google search only indicated it was a rogue site, with no details about the possible nature of the infection, removal, etc. So far, no signs of trouble, but I remain on guard. Wingnut attack on the Times? LOL
Fatdcuk
post Sep 12 2009, 07:34 PM
Post #2
Forum Deity, Group: Moderators, Posts: 8,123, Joined: 15-November 07, From: Yeovil, England, Member No.: 1,856

Yeah, they are sprouting up all over the place.

If you didn't consent to installing the trojan file, then the fake scanner page would not have infected you. Here is an explanation I gave a while back to someone with a very similar query:
http://www.malwarebytes.org/forums/index.p...st&p=109708

--------------------
Ade Gill
Malwarebytes Researcher

TomCC
post Sep 12 2009, 08:31 PM
Post #3
New Member, Group: Members, Posts: 1, Joined: 12-September 09, Member No.: 19,858

Norton Antivirus detected it with the title "An intrusion attempt by best-antivirus03.com was blocked." and the message "Network traffic from best-antivirus03.com matches the signature of a known attack." It attempts to download and run a 166,820-byte file "Scanner-xxxxxx_2006-63.exe", where the x's are random alphanumerics. The file did download on another computer, where ClamAV did not detect it; notably, Norton did not detect a virus in the file either.

Browsing back to the same page later on does not pick up the virus, so it hides itself.
musafir
post Sep 12 2009, 08:36 PM
Post #4
New Member, Group: Members, Posts: 1, Joined: 12-September 09, Member No.: 19,859

QUOTE (Fatdcuk @ Sep 12 2009, 08:34 PM)
Yeah, they are sprouting up all over the place.

If you didn't consent to installing the trojan file, then the fake scanner page would not have infected you. Here is an explanation I gave a while back to someone with a very similar query:
http://www.malwarebytes.org/forums/index.p...st&p=109708

Re: Trojan best-antivirus03.com, on August 13th you wrote:
"One issue occurring is that these fake scanner pages make it difficult to navigate away from the consented file download prompt by normal means of closing the webpage or using the back button. One sure-fire way is to invoke Task Manager and terminate all iexplore.exe's that are running. This will kill the fake scanner page stone cold dead."

I encountered this pop up when visiting NYTimes website.

I'm running Win XP (Service Pack 3). When I went to the Task Manager I could see no "iexplore.exe" in the list of open processes.

Please advise. Thank you.
hector
post Sep 12 2009, 10:47 PM
Post #5
New Member, Group: Members, Posts: 2, Joined: 12-September 09, Member No.: 19,849

To Fatdcuk: Having helped a few friends with similar attacks, I knew that if I didn't allow the download I wouldn't be infected. At least for now these trojans are trojans: you have to invite them in.

To Tom CC: Thanks for the details from NAV. Odd that it detected an attack signature in the network traffic but no virus in the payload.

To musafir: I can't say why iexplore.exe was not visible in Task Manager, but another way to kill a process is to enter Alt-F4. That sometimes works for sites or programs that refuse to close.
Jaxryley
post Sep 13 2009, 12:02 AM
Post #6
Forum Deity, Group: Rogue Reporters, Posts: 5,830, Joined: 7-July 08, From: West Aussie, Member No.: 2,796

Seems to give a differently named/numbered installer at every download and installs Personal Antivirus.
Installer not hit from rc.
CODE
http://best-antivirus03.com/1/?sess=pmT05jzxMi0xJmlwPTIxMS4yNi45Mi4yMDImdGltZT0xMjUzNkAMPQZN
http://best-antivirus03.com/download.php?id=2013-1

Scanner-8d5d_2013-1.exe
No hits at jottis.
File size: 167936 bytes
CODE
http://rapidshare.de/files/48331573/Scanner-8d5d_2013-1.rar.html
--------------------
Lean, Mean and Clean - Sandboxie - Returnil - MS Vitual PC 2007 - Ghost Images
taupehat
post Sep 13 2009, 02:50 AM
Post #7
New Member, Group: Members, Posts: 3, Joined: 13-September 09, From: Cali5nia, Member No.: 19,887

Ran into this on my Mac running both Firefox and Safari. Tested on a Linux box. Seems to me that the NYT got itself compromised there. I called (not easy to find someone at this hour) and let them know that they had a problem. The redirect seems to be gone now.

Hope they decide it's worth their while to go after these scumbags. NYT should be big enough to do the job if they have the stones. Heck, if nothing else it'd be a great story: "how we followed the money and brought down a virus crew."

Sigh, if only. I doubt they'll do it though.
JenD
post Sep 13 2009, 03:34 AM
Post #8
New Member, Group: Members, Posts: 1, Joined: 13-September 09, Member No.: 19,891

It seems nytimes.com is still compromised, if indeed that was the problem. I have been redirected to these "best antivirus" websites several times today, the most recent time being just five minutes ago. It seems entirely random which links trigger it, and it is difficult to reproduce the results by following the same link again. This last time, however, the redirect failed because the best-antivirus03 address was invalid. I'm using XP + the most recent version of Firefox.

Jen D.
taupehat
post Sep 13 2009, 03:54 AM
Post #9
New Member, Group: Members, Posts: 3, Joined: 13-September 09, From: Cali5nia, Member No.: 19,887

QUOTE (JenD @ Sep 12 2009, 08:34 PM)
It seems nytimes.com is still compromised, if indeed that was the problem. I have been redirected to these "best antivirus" websites several times today, the most recent time being just five minutes ago. It seems entirely random which links trigger it, and it is difficult to reproduce the results by following the same link again. This last time, however, the redirect failed because the best-antivirus03 address was invalid. I'm using XP + the most recent version of Firefox.

Jen D.

Weird. I do hope the NYT gets this figured out really soon (if you google best-antivirus03.com you'll see other people on other forums complaining about the same thing, all pointing back at nytimes.com). They're a pretty high-profile website, after all, and I'm sure somebody's granny is falling for this every minute.
Fatdcuk
post Sep 13 2009, 12:47 PM
Post #10
Forum Deity, Group: Moderators, Posts: 8,123, Joined: 15-November 07, From: Yeovil, England, Member No.: 1,856

Thanks Jax,

Have now added the URL for harvesting.

--------------------
Ade Gill
Malwarebytes Researcher

taupehat
post Sep 13 2009, 08:32 PM
Post #11
New Member, Group: Members, Posts: 3, Joined: 13-September 09, From: Cali5nia, Member No.: 19,887

http://www.nytimes.com/2009/09/13/business.../13note.html?hp

Looks like they owned up to it.