Website throwing up Trojans (Threats or not?)

CorCentral

Banned
Feb 11, 2001
Now this is a well-known website (vgcharts.com Console gaming/Sales), but recently when visiting it, I get warnings of Trojans when pulling up the page.

I use Kaspersky Internet Security 7.0 and while nothing comes through, I'm wondering if these are false alarms or real threats if I didn't have KIS?

Here's the link in question......
It's vgchartz.com


Eeeek, make sure to de-clickify potentially-malicious links! :Q

AnandTech Moderator
mechBgon



EDIT: Just did it ;)





 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
I'll scope that out and see what's going on. Back in a while :)
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Ok, they have apparently been hacked. The first line in the page's code launches an IFRAME at mediacount.net (very bad news), which uses several exploits to try to get the system to download and execute a .exe file from the Peacomm/StormWorm/Nuwar guys, a.k.a. Zhelatin to your Kaspersky antivirus. These are definitely threats, yeah. From what I've read, they're repacked at the server every 30 minutes or so, to make them a fast-moving target.

So if you were running a non-Admin user account, then congratulations :)
BTW if you haven't done so already, go into the individual protection modules in KAV7, hit the Customize button and then switch on the Heuristics in the Advanced tab for each module.

Output from VirusTotal on the .exe file: http://pics.bbzzdd.com/users/mechBgon/Stormworm.GIF
Detection by 12 of 32 apps.

Partial output from Microsoft Network Monitor, if anyone's curious to see. It took them only two tries to pwn my test system (Win2000 running an Administrator account and packing a lot of intentional vulnerabilities):

www.vgchartz.com HTTP: Request, GET /
www.vgchartz.com HTTP: Request, GET /
68.87.69.146 DNS: QueryId = 0xDBEE, QUERY (Standard query), Query for www.vgchartz.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xDBEE, QUERY (Standard query), Query for www.vgchartz.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0xDBEE, QUERY (Standard query), Response - Success
68.87.69.146 DNS: QueryId = 0xDFEE, QUERY (Standard query), Query for www.symboliclynx.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xDFEE, QUERY (Standard query), Query for www.symboliclynx.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xEBED, QUERY (Standard query), Query for mediacount.net of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xEBED, QUERY (Standard query), Query for mediacount.net of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0xDFEE, QUERY (Standard query), Response - Success
10.0.0.7 DNS: QueryId = 0xEBED, QUERY (Standard query), Response - Success
www.vgchartz.com HTTP: Request, GET /includes/navigation.css
www.vgchartz.com HTTP: Request, GET /includes/navigation.css
www.vgchartz.com HTTP: Request, GET /includes/vg.css
www.vgchartz.com HTTP: Request, GET /includes/vg.css
symboliclynx.com HTTP: Request, GET /bin/index.php
symboliclynx.com HTTP: Request, GET /bin/index.php

www.vgchartz.com HTTP: Request, GET /photos/multifile.js
www.vgchartz.com HTTP: Request, GET /photos/multifile.js
mediacount.net HTTP: Request, GET /strong/092/
mediacount.net HTTP: Request, GET /strong/092/

www.vgchartz.com HTTP: Request, GET /includes/functions2.js
www.vgchartz.com HTTP: Request, GET /includes/functions2.js
68.87.69.146 DNS: QueryId = 0xC5ED, QUERY (Standard query), Query for a.tribalfusion.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xC5ED, QUERY (Standard query), Query for a.tribalfusion.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0xC5ED, QUERY (Standard query), Response - Success
204.11.109.64 HTTP: Request, GET /tags/VGCharts/ROS/tags.js
204.11.109.64 HTTP: Request, GET /tags/VGCharts/ROS/tags.js
204.11.109.64 HTTP: Request, GET /j.ad
204.11.109.64 HTTP: Request, GET /j.ad
68.87.69.146 DNS: QueryId = 0x4DED, QUERY (Standard query), Query for view.atdmt.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x4DED, QUERY (Standard query), Query for view.atdmt.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xA8E3, QUERY (Standard query), Query for tags.expo9.exponential.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xA8E3, QUERY (Standard query), Query for tags.expo9.exponential.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x4DED, QUERY (Standard query), Response - Success
10.0.0.7 DNS: QueryId = 0xA8E3, QUERY (Standard query), Response - Success
204.11.109.61 HTTP: Request, GET /tags/VGCharts/ROS/tags.js
204.11.109.61 HTTP: Request, GET /tags/VGCharts/ROS/tags.js
view.atdmt.com HTTP: Request, GET /NMK/iview/trblfqm20260000193nmk/direct;wi.160;hi.600/01/587027476
view.atdmt.com HTTP: Request, GET /NMK/iview/trblfqm20260000193nmk/direct;wi.160;hi.600/01/587027476
mediacount.net HTTP: Request, GET /strong/092/
mediacount.net HTTP: Request, GET /strong/092/
mediacount.net HTTP: Request, GET /strong/092/exp1.htm
mediacount.net HTTP: Request, GET /strong/092/exp1.htm

68.87.69.146 DNS: QueryId = 0x6AE3, QUERY (Standard query), Query for rmd.atdmt.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x6AE3, QUERY (Standard query), Query for rmd.atdmt.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x6AE3, QUERY (Standard query), Response - Success
204.11.109.64 HTTP: Request, GET /j.ad
204.11.109.64 HTTP: Request, GET /j.ad
64.62.193.81 HTTP: Request, GET /tl/DocumentDotWrite.js
64.62.193.81 HTTP: Request, GET /tl/DocumentDotWrite.js
mediacount.net HTTP: Request, GET /strong/092/324123.htm
mediacount.net HTTP: Request, GET /strong/092/324123.htm

68.87.69.146 DNS: QueryId = 0x9BE2, QUERY (Standard query), Query for cdn5.tribalfusion.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x9BE2, QUERY (Standard query), Query for cdn5.tribalfusion.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x9BE2, QUERY (Standard query), Response - Success
216.246.122.80 HTTP: Request, GET /media/958076/fpa17.js
216.246.122.80 HTTP: Request, GET /media/958076/fpa17.js
view.atdmt.com HTTP: Request, GET /NMK/iview/trblfqm20350000013nmk/direct/01/587189676
view.atdmt.com HTTP: Request, GET /NMK/iview/trblfqm20350000013nmk/direct/01/587189676
68.87.69.146 DNS: QueryId = 0x4AE1, QUERY (Standard query), Query for spe.atdmt.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x4AE1, QUERY (Standard query), Query for spe.atdmt.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x4AE1, QUERY (Standard query), Response - Success
64.62.193.72 HTTP: Request, GET /ds/M5NMKQWESQM2/q307_HSI_rtk5_update_8_16/qw9578_mmc_dsldial_rtk5_2699_160x600_30k_v2.swf
64.62.193.72 HTTP: Request, GET /ds/M5NMKQWESQM2/q307_HSI_rtk5_update_8_16/qw9578_mmc_dsldial_rtk5_2699_160x600_30k_v2.swf
64.62.193.72 HTTP: Request, GET /ds/M5NMKQWESQM2/washinton_1499_8_24/upstream_728x90.swf
64.62.193.72 HTTP: Request, GET /ds/M5NMKQWESQM2/washinton_1499_8_24/upstream_728x90.swf
68.87.69.146 DNS: QueryId = 0x95E7, QUERY (Standard query), Query for pagead2.googlesyndication.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x95E7, QUERY (Standard query), Query for pagead2.googlesyndication.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x95E7, QUERY (Standard query), Response - Success
72.14.253.165 HTTP: Request, GET /pagead/show_ads.js
72.14.253.165 HTTP: Request, GET /pagead/show_ads.js
68.87.69.146 DNS: QueryId = 0x13E7, QUERY (Standard query), Query for activex.microsoft.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x13E7, QUERY (Standard query), Query for activex.microsoft.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x13E7, QUERY (Standard query), Response - Success
activex.windowsmedia.com.akadns.net HTTP: Request, POST /objects/ocget.dll
activex.windowsmedia.com.akadns.net HTTP: Request, POST /objects/ocget.dll
68.87.69.146 DNS: QueryId = 0x4AE5, QUERY (Standard query), Query for codecs.microsoft.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x4AE5, QUERY (Standard query), Query for codecs.microsoft.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x4AE5, QUERY (Standard query), Response - Success
216.246.122.9 HTTP: Request, POST /isapi/ocget.dll
216.246.122.9 HTTP: Request, POST /isapi/ocget.dll
mediacount.net HTTP: Request, GET /dl/092/win32.exe
mediacount.net HTTP: Request, GET /dl/092/win32.exe

72.14.253.165 HTTP: Request, GET /pagead/ads
72.14.253.165 HTTP: Request, GET /pagead/ads
68.87.69.146 DNS: QueryId = 0x9FE4, QUERY (Standard query), Query for www.hypemakers.net of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x9FE4, QUERY (Standard query), Query for www.hypemakers.net of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xA6FB, QUERY (Standard query), Query for media.fastclick.net of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xA6FB, QUERY (Standard query), Query for media.fastclick.net of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x9FE4, QUERY (Standard query), Response - Success
10.0.0.7 DNS: QueryId = 0xA6FB, QUERY (Standard query), Response - Success
72.14.253.165 HTTP: Request, GET /pagead/inject_object_div.js
72.14.253.165 HTTP: Request, GET /pagead/inject_object_div.js
vcm-media.valueclick.akadns.net HTTP: Request, GET /w/get.media
vcm-media.valueclick.akadns.net HTTP: Request, GET /w/get.media
72.14.253.165 HTTP: Request, GET /pagead/imgad
72.14.253.165 HTTP: Request, GET /pagead/imgad
www.hypemakers.net HTTP: Request, GET /hellgate/view/v/j/c/1806/s/5564/u/5195
www.hypemakers.net HTTP: Request, GET /hellgate/view/v/j/c/1806/s/5564/u/5195
www.hypemakers.net HTTP: Request, GET /hellgate/view/v/f/c/1806/s/5564/u/5195
www.hypemakers.net HTTP: Request, GET /hellgate/view/v/f/c/1806/s/5564/u/5195
72.14.253.165 HTTP: Request, GET /pagead/imgad
72.14.253.165 HTTP: Request, GET /pagead/imgad
72.14.253.165 HTTP: Request, GET /pagead/imgad
72.14.253.165 HTTP: Request, GET /pagead/imgad
68.87.69.146 DNS: QueryId = 0x3AFA, QUERY (Standard query), Query for fpdownload.macromedia.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x3AFA, QUERY (Standard query), Query for fpdownload.macromedia.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xB9F8, QUERY (Standard query), Query for cdn.fastclick.net of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0xB9F8, QUERY (Standard query), Query for cdn.fastclick.net of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x3AFA, QUERY (Standard query), Response - Success
10.0.0.7 DNS: QueryId = 0xB9F8, QUERY (Standard query), Response - Success
www.hypemakers.net HTTP: Request, GET /ama_components/pro/include/flashobject.js
www.hypemakers.net HTTP: Request, GET /ama_components/pro/include/flashobject.js
e526.d.akamaiedge.net HTTP: Request, GET /get/flashplayer/update/current/xml/version_en_win_ax.xml
e526.d.akamaiedge.net HTTP: Request, GET /get/flashplayer/update/current/xml/version_en_win_ax.xml
e880.p.akamaiedge.net HTTP: Request, GET /fastclick.net/v4flash.js
e880.p.akamaiedge.net HTTP: Request, GET /fastclick.net/v4flash.js
e880.p.akamaiedge.net HTTP: Request, GET /fastclick.net/cid89934/code_contra_miva_cheatTB_8-29-07_728x90x.swf
e880.p.akamaiedge.net HTTP: Request, GET /fastclick.net/cid89934/code_contra_miva_cheatTB_8-29-07_728x90x.swf
68.87.69.146 DNS: QueryId = 0x8DF8, QUERY (Standard query), Query for www.google-analytics.com of type Host Addr on class Internet
68.87.69.146 DNS: QueryId = 0x8DF8, QUERY (Standard query), Query for www.google-analytics.com of type Host Addr on class Internet
10.0.0.7 DNS: QueryId = 0x8DF8, QUERY (Standard query), Response - Success
209.85.199.99 HTTP: Request, GET /urchin.js
209.85.199.99 HTTP: Request, GET /urchin.js
www.hypemakers.net HTTP: Request, GET /hellgate/files/creative/1806/1806.swf
www.hypemakers.net HTTP: Request, GET /hellgate/files/creative/1806/1806.swf
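Two checks a site owner or responder would want after reading the post above, as an added example (this is not code from the thread, from mechBgon, or from vgchartz): a scanner that finds an injected off-site or zero-size IFRAME in a page's HTML, including one stuffed in before the `<html>` tag as described, and a triage routine for a request log in the Network Monitor "host HTTP: Request, METHOD /path" format quoted above that drops repeated lines, skips first-party requests and flags .exe downloads. The hostnames `www.example.com`, `bad-ads.example` and `codecs.example`, the sample HTML and the sample log lines are all constructed for the example; DNS lines and anything else not matching the request format are ignored.

```python
"""Added example: spot an injected IFRAME in page HTML and triage a
request log in the Network Monitor format quoted in the thread.
All sample data below is constructed; the hostnames are hypothetical."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe>/<frame> in the document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            self.frames.append(dict(attrs))


def _hidden(attrs):
    """Heuristic: 0/1 pixel frames or display:none / visibility:hidden styles."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    w, h = attrs.get("width"), attrs.get("height")
    tiny = w is not None and h is not None and all(
        str(v).strip("\"' ").rstrip("px") in ("0", "1") for v in (w, h))
    return tiny or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, site_host):
    """Return (src, reason) for frames that are off-site and/or hidden."""
    finder = IframeFinder()
    finder.feed(html)  # HTMLParser tolerates markup placed before <html>
    hits = []
    for attrs in finder.frames:
        src = attrs.get("src") or ""
        host = urlsplit(src).hostname or site_host  # relative src = same site
        reasons = []
        if not (host == site_host or host.endswith("." + site_host)):
            reasons.append("off-site host %s" % host)
        if _hidden(attrs):
            reasons.append("hidden/zero-size")
        if reasons:
            hits.append((src, ", ".join(reasons)))
    return hits


# One request per line, as in the Network Monitor excerpt: "host HTTP: Request, GET /path"
LOG_RE = re.compile(
    r"^(?P<host>\S+)\s+HTTP:\s+Request,\s+(?P<method>GET|POST)\s+(?P<path>\S+)")


def request_chain(log_text, site_host):
    """Parse request lines, drop exact repeats and first-party requests, and
    return the third-party requests in order, flagging .exe downloads."""
    seen, chain = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # DNS lines and blanks do not match the request format
        key = (m["host"], m["method"], m["path"])
        if key in seen:
            continue
        seen.add(key)
        if m["host"] == site_host or m["host"].endswith("." + site_host):
            continue
        flag = "EXECUTABLE DOWNLOAD" if m["path"].lower().endswith(".exe") else ""
        chain.append((m["host"], m["method"], m["path"], flag))
    return chain


# Constructed sample: a zero-size frame injected ahead of <html>, plus a benign one.
SAMPLE_HTML = """<iframe src="http://bad-ads.example/strong/092/" width=0 height=0 frameborder=0></iframe>
<html><head><link rel="stylesheet" href="/includes/vg.css"></head>
<body><iframe src="/photos/gallery.html" width="600" height="400"></iframe></body></html>"""

# Constructed sample log in the quoted format, with the doubled lines seen above.
SAMPLE_LOG = """www.example.com HTTP: Request, GET /
www.example.com HTTP: Request, GET /
www.example.com HTTP: Request, GET /includes/vg.css
bad-ads.example HTTP: Request, GET /strong/092/
bad-ads.example HTTP: Request, GET /strong/092/
bad-ads.example HTTP: Request, GET /strong/092/exp1.htm
codecs.example HTTP: Request, POST /isapi/ocget.dll
bad-ads.example HTTP: Request, GET /dl/092/win32.exe
bad-ads.example HTTP: Request, GET /dl/092/win32.exe
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("suspicious frame:", src, "->", why)
    for host, method, path, flag in request_chain(SAMPLE_LOG, "www.example.com"):
        print("%-18s %-4s %s %s" % (host, method, path, flag))
```

Run the scanner against a saved copy of the page rather than fetching it from a workstation, and treat any off-site frame the site's own templates do not account for as a compromise indicator; the log triage is only as complete as the capture, so pair it with the DNS queries to catch redirectors that never answered.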


 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
In the Heuristics, do I set them on detail or Med?

Considering you have a C2D @ 2.4, you might as well go with Detail. This may help it detect the actual exploits that were hauling in the .exe file. In fact, I'll test that.

Thanks once again for the help Mech!

Sure thing, that was interesting :)