Hijack: .3utilities.com?
in [Windows XP]
|
From: Spamlet on 5 Aug 2010 15:18 XPPro SP3 all up to date. Avast free all up to date. Whilst browsing innocent looking kitchen furnishing sites, my browser suddenly came up with a window that looked like Windows Security Centre, with an inset window looking like my AV. This inset window showed a list of supposed trojans and other malware, and was accompanied by a popup insisting that my system was desperately vulnerable and I should click a link to scan it now. I, instead, opted for pulling the plug and running ccleaner, clearing history and running spybot and malware bytes. No malware found yet. The hijack went to http://x05y08.3utilities.com (Sorry: I can't see how to write this so it doesn't make a hyperlink: perhaps someone can tell me how to do that too.) The '0's may be 'o's or a combination. Searches on this link and its various '0' combinations came up with no other mentions of this hijack. The 3utilities domain does get a few unreliable notes. Anyone know any more about this? Were WSC and Avast actually responding to this site as they should, or was the site imitating them to fool me into believing the popup and clicking their 'scan your pc now' button? Cheers, S
From: MowGreen on 5 Aug 2010 16:07 Spamlet wrote: > XPPro SP3 all up to date. Avast free all up to date. > > Whilst browsing innocent looking kitchen furnishing sites, my browser > suddenly came up with a window that looked like Windows Security Centre, > with an inset window looking like my AV. This inset window showed a list of > supposed trojans and other malware, and was accompanied by a popup insisting > that my system was desperately vulnerable and I should click a link to scan > it now. > > I, instead, opted for pulling the plug and running ccleaner, clearing > history and running spybot and malware bytes. No malware found yet. > > The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see how to > write this so it doesn't make a hyperlink: perhaps someone can tell me how > to do that too.) The '0's may be 'o's or a combination. > > Searches on this link and its various '0' combinations came up with no other > mentions of this hijack. The 3utilities domain does get a few unreliable > notes. > > Anyone know any more about this? Were WSC and Avast actually responding to > this site as they should, or was the site imitating them to fool me into > believing the popup and clicking their 'scan your pc now' button? > > Cheers, > > S > > 3utilities.com resolves to this IP: 204.16.252.112 x05y08.3utilities.com yields an 403 Forbidden message and resolves to this IP: 85.234.191.94 85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites: http://hosts-file.net/?s=85.234.191.94 http://malc0de.com/database/index.php?search=85.234.191&IP=on You were wise to pull the power plug. In situations such as this, one can open Task Manager and End the Internet Explorer process (iexplore.exe) instead of pulling the power plug. What most likely happened was that either an Iframe or a malware embedded ad (malvertizement) triggered the phony AV scan. Avast's popup window when encountering embedded malware on a site is quite unique and should be difficult to mimic. Key word being *should*. The phony Windows Security Center warning is not quite as easily to discern from the one you see that actually stems from Windows XP. The malware it claimed was resident on your computer was not present and yes, the rogue AV was trying to fool you to click the scan button so it could download malware to your system. Then, to "clean up" the malware that was not present and the ensuing malware that would be downloaded, they would tell you that you had to buy their "product". The worst part about this rogue AV "software" is that folks get conned by it, actually purchase it, and then do not dispute the charges - Rogue Antivirus Victims Seldom Fight Back http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/ As to munging a possibly malware laden link, just change the http to hxxp, like this - hxxp://x05y08.3utilities.com MowGreen ================ *-343-* FDNY Never Forgotten ================ banthecheck.com "Security updates should *never* have *non-security content* prechecked
From: Spamlet on 5 Aug 2010 17:32 "MowGreen" <mowgreen(a)nowandzen.com> wrote in message news:i3f5lg$kst$1(a)speranza.aioe.org... > Spamlet wrote: >> XPPro SP3 all up to date. Avast free all up to date. >> >> Whilst browsing innocent looking kitchen furnishing sites, my browser >> suddenly came up with a window that looked like Windows Security Centre, >> with an inset window looking like my AV. This inset window showed a list >> of >> supposed trojans and other malware, and was accompanied by a popup >> insisting >> that my system was desperately vulnerable and I should click a link to >> scan >> it now. >> >> I, instead, opted for pulling the plug and running ccleaner, clearing >> history and running spybot and malware bytes. No malware found yet. >> >> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see how >> to >> write this so it doesn't make a hyperlink: perhaps someone can tell me >> how >> to do that too.) The '0's may be 'o's or a combination. >> >> Searches on this link and its various '0' combinations came up with no >> other >> mentions of this hijack. The 3utilities domain does get a few unreliable >> notes. >> >> Anyone know any more about this? Were WSC and Avast actually responding >> to >> this site as they should, or was the site imitating them to fool me into >> believing the popup and clicking their 'scan your pc now' button? >> >> Cheers, >> >> S >> >> > > 3utilities.com resolves to this IP: 204.16.252.112 > x05y08.3utilities.com yields an 403 Forbidden message and resolves to this > IP: 85.234.191.94 > 85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites: > http://hosts-file.net/?s=85.234.191.94 > http://malc0de.com/database/index.php?search=85.234.191&IP=on > > You were wise to pull the power plug. In situations such as this, one can > open Task Manager and End the Internet Explorer process (iexplore.exe) > instead of pulling the power plug. > > What most likely happened was that either an Iframe or a malware embedded > ad (malvertizement) triggered the phony AV scan. > Avast's popup window when encountering embedded malware on a site is quite > unique and should be difficult to mimic. Key word being *should*. The > phony Windows Security Center warning is not quite as easily to discern > from the one you see that actually stems from Windows XP. > > The malware it claimed was resident on your computer was not present and > yes, the rogue AV was trying to fool you to click the scan button so it > could download malware to your system. Then, to "clean up" the malware > that was not present and the ensuing malware that would be downloaded, > they would tell you that you had to buy their "product". > > The worst part about this rogue AV "software" is that folks get conned by > it, actually purchase it, and then do not dispute the charges - > Rogue Antivirus Victims Seldom Fight Back > http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/ > > As to munging a possibly malware laden link, just change the http to > hxxp, like this - hxxp://x05y08.3utilities.com > > > MowGreen Thanks Mow, a very good response. I thought I already had a hosts file with all these black listed sites on. Perhaps I lost it when I uninstalled Spybot during a recent hard drive change. Would the SpyBot Resident protection - now reinstalled - have picked this up? If not, how do I incorporate all the blacklisted sites, or get a regularly updated hosts list (I used to have something called Hosts Secure, but it seems to have disappeared now I come to think of it?). I've added *3utilities.com* to my Add Block Plus filters in Firefox: is there a similar add on for IE8? A lot of new questions: sorry! And, finally: should I be posting this as a warning somewhere else? Thanks very much for the prompt reply. S
From: MowGreen on 9 Aug 2010 13:11 Spamlet wrote: > Very helpful. Thanks very much for all your help. > I don't see anything about IFrames in Firefox either, but it does have quite > a long list of sites where popups and images are blocked. > > S The NoScript add on can be installed to forbid IFRAMES for Untrusted Sites in Mozilla based browsers. Forbid IFRAMES is Enabled by Default when NoScipt is installed, The setting is on the Embeddings page of Options. MowGreen ================ *-343-* FDNY Never Forgotten ================ banthecheck.com "Security updates should *never* have *non-security content* prechecked
From: Spamlet on 9 Aug 2010 16:39
"MowGreen" <mowgreen(a)nowandzen.com> wrote in message news:i3pcs2$bdi$1(a)speranza.aioe.org... > Spamlet wrote: >> Very helpful. Thanks very much for all your help. >> I don't see anything about IFrames in Firefox either, but it does have >> quite >> a long list of sites where popups and images are blocked. >> >> S > > > The NoScript add on can be installed to forbid IFRAMES for Untrusted Sites > in Mozilla based browsers. Forbid IFRAMES is Enabled by Default when > NoScipt is installed, > The setting is on the Embeddings page of Options. > > > MowGreen Well thank you once again: this is going beyond the call of duty! That looks like quite a sophisticated add on: I'll give it a try - though I notice its own website appears to be encouraging a click and scan... Cheers, S |