
Free stuff, from the net! Think twice!

A friend of mine called me during the night, asking for help.

He was downloading “free stuff” (a magazine) from the net and enjoying the FREE reading. The next day, when he wanted to log back in to his PC, guess what happened: his FREE antivirus had not protected him from getting infected.


After my investigation I found out that this “free magazine” web site had everything in it; the blog theme was exactly the same as mine. Anyway…

When I wanted to test the web site, I found the activities below:

First I typed the URL (don’t) and selected a category to download.

[screenshot]

While I was browsing the list, “Microsoft Security Essentials” warned me!

[screenshot]

At the same time I checked my Sysinternals TCPView application, and yes, the PC started to get many TCP connections on unusual ports.

[screenshot]

Many different IP addresses were diverting the traffic from the “harmless (!)” magazine download web site to the TROJAN hosting web sites… Trojan hosting? What do I mean by that? The redirection from the “harmless (!)” magazine download web site to the “web site which hosts the attack”. In this example, the magazine web site redirects the browser to a malicious web site that contains an instance of the “Blackhole” exploit kit. The “Blackhole” exploit kit may exploit vulnerabilities in certain software that may be installed on the computer. If exploitation is successful, it could lead to the download and execution of arbitrary files.

Below are a few screenshots from TCPView which prove the diversion of the traffic:

[screenshot]

So many connections were happening that I was not quick enough to take screenshots.

[screenshot]
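What the TCPView screenshots show can also be checked without screenshots: save the TCPView listing and look for browser-process connections to ports a browser never normally uses, grouped by remote host. The script below is an added example for this post, not code from the original; the snapshot it parses is constructed (a TCPView-like comma-separated listing of process, PID, protocol, local address, remote address, state) and the remote addresses are RFC 5737 documentation placeholders, not the hosts seen in the post.

```python
"""Triage of a TCPView-style connection snapshot.

Added example for this post, not code from the original. The snapshot
below is constructed: the format imitates a saved TCPView listing
(process, PID, protocol, local address, remote address, state) and the
remote addresses are documentation-range placeholders (RFC 5737), not
the hosts seen in the post.
"""
import csv
import io
from collections import defaultdict

# Ports a web browser is expected to reach out to; anything else from a
# browser process is worth a second look.
EXPECTED_BROWSER_PORTS = {80, 443}
BROWSER_PROCESSES = {"iexplore.exe", "firefox.exe", "chrome.exe"}

# Constructed sample: one browser session that starts on a normal site and
# then fans out to a second and third host on odd ports.
SAMPLE_SNAPSHOT = """\
iexplore.exe,1234,TCP,192.168.1.10:49152,198.51.100.7:80,ESTABLISHED
iexplore.exe,1234,TCP,192.168.1.10:49153,198.51.100.7:443,ESTABLISHED
iexplore.exe,1234,TCP,192.168.1.10:49160,203.0.113.45:8080,SYN_SENT
iexplore.exe,1234,TCP,192.168.1.10:49161,203.0.113.45:8443,ESTABLISHED
iexplore.exe,1234,TCP,192.168.1.10:49162,203.0.113.99:4480,SYN_SENT
svchost.exe,900,TCP,192.168.1.10:49170,192.168.1.1:53,ESTABLISHED
"""


def parse_snapshot(text):
    """Turn the saved listing into a list of connection dicts."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 6:          # skip blank or malformed lines
            continue
        proc, pid, proto, local, remote, state = rec
        rhost, _, rport = remote.rpartition(":")
        rows.append({
            "process": proc.lower(), "pid": int(pid), "proto": proto,
            "local": local, "remote_host": rhost, "remote_port": int(rport),
            "state": state,
        })
    return rows


def suspicious_connections(rows, expected_ports=EXPECTED_BROWSER_PORTS):
    """Browser-process connections to ports a browser normally never uses."""
    return [r for r in rows
            if r["process"] in BROWSER_PROCESSES
            and r["remote_port"] not in expected_ports]


def hosts_with_odd_ports(rows):
    """Group suspicious connections as remote host -> sorted ports; this is
    the view in which a redirect to a second host stands out."""
    by_host = defaultdict(set)
    for r in suspicious_connections(rows):
        by_host[r["remote_host"]].add(r["remote_port"])
    return {host: sorted(ports) for host, ports in by_host.items()}


if __name__ == "__main__":
    rows = parse_snapshot(SAMPLE_SNAPSHOT)
    for host, ports in hosts_with_odd_ports(rows).items():
        print(f"{host}: browser traffic on ports {ports}")
```

Run against the sample, the two document-range hosts on ports 8080, 8443 and 4480 are reported while the normal port 80/443 traffic and the svchost.exe DNS connection are not; on a real listing the reported hosts are the ones to look up and block.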

What is this Trojan:JS/BlacoleRef.G ?

Trojan:JS/BlacoleRef.G is identified as a dangerous Trojan infection. It makes use of a computer vulnerability or network hole to get into the system. For example, it attaches to an unknown email message, and when you click on the attachment your computer gets infected. It exploits rootkit techniques to evade security programs. Once it gets executed, Trojan:JS/BlacoleRef.G will make the computer weaker against additional malware. It may drop a rogue virus onto your computer, which is a big threat to the system.

Let’s analyse the source of the traffic:

[screenshot]

As you can see from the screenshots, the exploit will try to attack your computer from unusual ports and weird web URLs, as above.

If you search the attacking IP address in your favourite search engine, you will most probably also see that the IP is already known as BAD:

Result from Bing:

[screenshot]

Result from Google:

[screenshot]

IP & URL analysis:

[screenshot]

This screenshot indicates that there is an attack launched from IP 173.241.242.4 via the HTTP protocol, and it is randomly scanning my computer’s ports during the attack to sneak into my PC…

[screenshot]
[screenshot]

While the attack happens, the Trojan is trying to modify MEMORY via the IEXPLORER.EXE process name, to get some allocated space.

[screenshot]

During the infection phase, the trojan is also creating some files on the system:

%AllUsersProfile%\~ 
%UserProfile%\Desktop\Trojan:JS/BlacoleRef.G.lnk 
%UserProfile%\Start Menu\Programs\Trojan:JS/BlacoleRef.G\

Like many other Trojans and viruses, it sits in the registry, too:

[screenshot]
[screenshot]

and it does create OUTBOUND traffic…

[screenshot]
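The dropped files above sit under %AllUsersProfile% and %UserProfile%, and the registry entry is what makes the Trojan start with Windows. One way to check a machine for that pattern, as an added example for this post and not code from the original, is to export the Run/RunOnce keys with regedit or "reg export" and flag every auto-start value whose executable lives in a user-writable location. The .reg export below is constructed and its names and paths are placeholders; the rule that %AllUsersProfile% resolves to C:\ProgramData assumes Windows Vista or later.

```python
"""Startup-persistence triage: flag auto-start (Run/RunOnce) registry
values whose executable lives in a user-writable location.

Added example for this post, not code from the original. The .reg export
below is constructed and its names and paths are placeholders. Only the
idea comes from the post: the dropped files sat under %AllUsersProfile%
and %UserProfile%, and the Trojan registered itself in the registry.
"""
import re

# Locations a standard user (or a drive-by download) can write to.
# Assumption: Windows Vista or later, where %AllUsersProfile% resolves to
# C:\ProgramData, so the plain path is listed next to the variable form.
USER_WRITABLE_PREFIXES = (
    "%allusersprofile%", "%userprofile%", "%appdata%", "%localappdata%", "%temp%",
    "c:\\programdata\\", "c:\\users\\",
)

# Constructed export in the format regedit / "reg export" produce:
# backslashes and quotes inside values are escaped with a backslash.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OfficeSuite"="\"C:\\Program Files\\OfficeSuite\\suite.exe\" /background"
"Updater"="\"C:\\ProgramData\\~\\upd.exe\" -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
AUTOSTART_KEY_SUFFIXES = ("\\run", "\\runonce")


def parse_autostart_values(reg_text):
    """Yield (key, value_name, command) for string values under Run / RunOnce keys."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(AUTOSTART_KEY_SUFFIXES):
            command = re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg escaping
            yield key, m.group(1), command


def command_path(command):
    """Extract the executable path from a Run value (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_autostart_entries(reg_text):
    """Auto-start entries whose executable sits in a user-writable location."""
    findings = []
    for key, name, command in parse_autostart_values(reg_text):
        path = command_path(command)
        if path.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append((key, name, path))
    return findings


if __name__ == "__main__":
    for key, name, path in suspicious_autostart_entries(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name} -> {path}")
```

On the sample only the "Updater" value is reported, because its executable sits under C:\ProgramData\~ (the %AllUsersProfile%\~ location from the list above) while the other two start from Program Files. The same path rule applies to shortcuts in the Desktop and Start Menu folders, which is where the other two dropped files were found.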

Please be aware that the Trojan is hosted in many different locations, and even though it is not a new Trojan, interestingly the Trojan hosting web sites are still not on a BLACKLIST. A ping, traceroute and whois query are still responding, as below:

[screenshot]

and

[screenshot]
[screenshot]

How to remove the Trojan?

If you are using up-to-date antivirus and Windows, you should be fine. If not, try one of the steps below and you should be fine:

1) http://www.malwareprotectioncenter.org/threats/TrojanJSBlacoleRef.G.html

2) http://answers.microsoft.com/en-us/protect/forum/protect_scanning/how-do-i-delete-an-item-that-is-saying-allowed/a198b2e5-9245-45c0-b8ae-d59ad44943ea

After cleaning the Trojan from my friend’s PC, I recommended that he subscribe to his favourite magazines, as there is really nothing for FREE on the internet. Sooner or later you will pay for the FREE STUFF, either with a PC virus or Trojan which will steal your information from your PC, or by losing your valuables, or by dealing with a virus…

Next time think twice before you download.

Erdal
