SimonBones

So how did it happen?


That DZ.com virus that got me and a bunch of others...

I know people said that it was because of a Coors ad, but my knowledge of how computers work and all that nonsense is pretty limited. How does a visual Coors ad upload viruses to my computer? I'm hoping someone could explain to me how the virus got downloaded onto my computer.

I guess I was always under the impression that in order to get a virus one had to physically download something from a site or from an email. All I did was leave the DZ.com page open and left for a party. I never clicked download on anything, I wasn't even around!

So I guess viruses can get onto your computer by simply viewing a page? How does that work? How did it work in this case? How did it get itself into my registry? Any computer experts out there that can explain this stuff?
108 way head down world record!!!
http://www.simonbones.com
Hit me up on Facebook

Quote


I guess I was always under the impression that in order to get a virus one had to physically download something from a site or from an email. All I did was leave the DZ.com page open and left for a party. I never clicked download on anything, I wasn't even around!


That was last true in about 1998. As long as there is an issue on your system that will allow for remote code execution there is a hole for these issues to occur. In this case there is an issue in the Adobe Acrobat Reader plug-in for the web browser.

I'll try to explain this the best I can. I'm not going to get into an argument with anyone that is looking for someone to vent against for this occurring or asking for a detailed breakdown of the issue.

In this case the impacted web server was the one that was serving up the Coors Light ad that our users were being displayed. From what I have been able to figure out the attack exploited either an issue in Acrobat (my money is on this one) or another program such as the root browser. The sample file that was downloaded to my PC was a file called ~.exe that was in the Windows\System32 folder. That was a file that was linked to Acrobat.exe as a running process, so this is why I am suspecting it was the PDF issue that was the root of the issue, but it could have been one of a few other issues also, including an IE issue (I run Firefox and was impacted so it's 99% not an IE exploit).

What ended up happening is that when the user browsed (accessed the ad in this case) to the infected webpage it was set to display not only the ad but it also sent a data stream that caused exploitation of the vulnerability in the user's browser. This exploit allowed the execution of remote code without user interaction; basically just browsing to the ad caused the program to be run - no clicking was needed. This remote code was a back door virus that typically sets the system up for the hacker to be able to remotely access the system by having the backdoor automatically download and install other viruses on the system. The viruses frequently target anti-virus software to disable it to keep the infection going.

The best thing to do is to get all the patches for all the software on the system and update the AV signatures. Even if the root virus is removed manually it could easily have triggered the download and install of a few other pieces of malware, so scan your system for the next few days to make sure it is all detected and removed.

Root cause is the host for the ads that are served on here had some sort of issue that allowed for a real time hack of their server. This then allowed the hacker to place the backdoor Trojan on the ad server so that when users accessed that ad it would trigger them to run some additional code also. This code caused an issue in the Acrobat plugin to let them install the virus on your system without you needing to do anything. From there the virus did what it was told to do.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com
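One way a defender could spot the sequence described above (a PDF reader launched by the browser dropping an oddly named executable into System32, then the anti-virus being switched off) in a process-creation log. This is an example added here, not code from the thread or from any product; the log format, paths, timestamps and the service name are all constructed for the demonstration.

```python
"""Triage a constructed process-creation/service log for the drive-by pattern
described in the thread: a browser or PDF-reader process spawning an odd
executable from Windows\\System32, followed by the AV service being stopped.
Log format is a simplified key=value layout invented for this example."""
import re

# Constructed sample events (not a real product's log format).
SAMPLE_LOG = """\
2008-12-12 23:02:11 PROCESS_CREATE parent=C:\\Program Files\\Mozilla Firefox\\firefox.exe image=C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe
2008-12-12 23:02:14 PROCESS_CREATE parent=C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe image=C:\\WINDOWS\\system32\\~.exe
2008-12-12 23:02:15 SERVICE_STOP name=Norton AntiVirus
2008-12-12 23:05:40 PROCESS_CREATE parent=C:\\WINDOWS\\explorer.exe image=C:\\WINDOWS\\system32\\notepad.exe
"""

# Processes that render untrusted web content; a System32 child spawned by
# one of these is unusual and worth a look.
CONTENT_RENDERERS = {"firefox.exe", "iexplore.exe", "acrord32.exe", "acrobat.exe"}
# Names no legitimate System32 binary has: punctuation-only or 1-2 characters
# (the thread's sample was literally "~.exe").
ODD_NAME = re.compile(r"^[^a-z0-9]*\.exe$|^.{1,2}\.exe$", re.IGNORECASE)
AV_SERVICE = re.compile(r"norton|antivirus|avg|comodo", re.IGNORECASE)
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # key=value, values may hold spaces


def parse(line):
    """Return (timestamp, event_type, fields) or None for a malformed line."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    return f"{parts[0]} {parts[1]}", parts[2], dict(KV.findall(parts[3]))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of (timestamp, finding, detail) tuples worth investigating."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, kind, f = rec
        if kind == "PROCESS_CREATE":
            parent, image = basename(f.get("parent", "")), f.get("image", "")
            in_sys32 = "\\system32\\" in image.lower()
            if parent in CONTENT_RENDERERS and in_sys32 and ODD_NAME.match(basename(image)):
                findings.append((ts, "odd_child_from_renderer", f"{parent} -> {image}"))
        elif kind == "SERVICE_STOP" and AV_SERVICE.search(f.get("name", "")):
            findings.append((ts, "av_service_stopped", f["name"]))
    return findings


if __name__ == "__main__":
    for ts, finding, detail in triage(SAMPLE_LOG):
        print(ts, finding, detail)
```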

So how were people able to tell where it came from? I had absolutely no idea that it came from dropzone.com, much less a specific rolling ad. I would never have known if I hadn't read about other people getting the same problems I did and where it came from.

If Adobe and similar programs allow for remote execution without user interaction, then any knowledgeable person anywhere can do whatever they want with my computer any time, right? What is the benefit of allowing any program to allow remote execution without user interaction? It seems like the risks would always outweigh the benefits. In fact, I'd say it was a very stupid idea!

Quote

The viruses frequently target anti-virus software to disable it to keep the infection going.



Does this mean that having anti-virus software can be pretty pointless? If a virus can just shut it off, then what's the point?
108 way head down world record!!!
http://www.simonbones.com
Hit me up on Facebook


We never had them there kinda problems back when we used stone tablets~! :|

~ If you choke a Smurf, what color does it turn? ~


I knew about it since I only spent about 3 hours starting at 11pm on Friday night deconstructing and analyzing the file after finding its links in the code on the pages here. That is exactly how I like to spend my Friday nights BTW :S:D

The remote code execution is due to flaws in the code that can be addressed with patches for the software. Think of it as holes in the programs that, left unpatched, let people run code from their website on your computer. Properly patched, your system would not have the holes in it for the code to run and nothing would happen. Flaws are uncovered in programs all the time that allow for stuff like this to occur; look up Buffer Overflows and you'll have enough reading for months. So far this year Microsoft has released 77 patches, over 45 of them dealing with Buffer Overflows of some type. Apple is not immune either, see http://www.us-cert.gov/cas/alerts/SA08-350A.html for Apple issues released today.

Here is a rundown showing the variety of programs that have been impacted over the last 2 years where just accessing a page/video could allow a remote user to run code on your system.

http://www.us-cert.gov/cas/techalerts/TA07-005A.html - Quicktime
http://www.us-cert.gov/cas/techalerts/TA07-089A.html - Windows/IE/Outlook/etc
http://www.us-cert.gov/cas/alerts/SA07-297A.html - RealPlayer


And the list goes on and on...

http://www.us-cert.gov/cas/alerts/

Keep up to date on your patches for any and all installed software. I am mad at myself for not having the patch installed since I just recovered my system from a backup on Wednesday and forgot to apply the patches that had been released since the last time the PC was backed up.

Quote


Does this mean that having anti-virus software can be pretty pointless? If a virus can just shut it off, then what's the point?



Better AV software has hardening techniques that prevent viruses from stopping or modifying the AV software; some of the low end/free versions do not have that ability.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

Quote

You have truly proven yourself a computer Jedi Knight.



That's funny since I'm developing quite the hate group on here. :D

AVG is the only free one I would touch. I don't use it since I use other stuff, but it's decent at what it does, and you can't beat the free price.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

Just another pro tip to everyone: Update your Adobe Flash software. As this software becomes even more popular for delivering banner advertisements on the web, the more people are finding exploits in it. In the last year there have been at least three separate exploits that allowed malware to be delivered to computers via legitimate websites (even some as big as CNN, Yahoo). Also, switch to Firefox and learn how to use the plugin "NoScript" to your advantage.

Trusted sites are no longer trusted sites and haven't been for a while.

Also to back up Eric, AVG-Free is one of the best pieces of software you can install on your computer to protect yourself, especially at that cost.
_________________________________________
you can burn the land and boil the sea, but you can't take the sky from me....
I WILL fly again.....

Quote

Also to back up Eric, AVG-Free is one of the best pieces of software you can install on your computer to protect yourself, especially at that cost.



From the stuff I've been reading online, Comodo seems to be a very strong AV and firewall.
Mike
I love you, Shannon and Jim.
POPS 9708 , SCR 14706

Quote

We never had them there kinda problems back when we used stone tablets~! :|


But you did have the Plague and Dinosaurs trying to eat you...
Some people refrain from beating a dead horse. Personally, I find a myriad of entertainment value when beating it until it becomes a horse-smoothie.

Comodo has a 0 day detection percentage just lower than AVG. Another year or so and the tables might swap for them. I actually am very impressed with one vendor's research wing; they find the highest rate of 0 day malware, but their implementation sucks and it's a shame.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com



From PhreeZone's great explanation of what happened:

The viruses frequently target anti-virus software to disable it to keep the infection going.



After I logged on to DZ.com and the forums wouldn't open for me, I noticed that my Norton Anti Virus was turned off. And when I opened Norton to turn it on, it wouldn't respond. I then reloaded and updated Norton and ran a scan. It seemed to work fine and then detected and removed a program called bloodhound.

Everything seems fine now. Do you think this was enough to eliminate this thing from my computer?

Thanks for any advice!

If Norton is updated and still running then it should be fine. Make sure a complete scan is run and you'll be OK. Viruses from Friday are ancient history right now, so they are in all the AV software at this point for the most part.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

Quote

If Norton is updated and still running then it should be fine. Make sure a complete scan is run and you'll be OK. Viruses from Friday are ancient history right now, so they are in all the AV software at this point for the most part.



Thanks for the reply!

So if I understand this situation in my limited way, my Norton AV has removed any virus loaded on my computer but the malware could re-infect me if I happen to get on a web site whose server has been infected.
