4608 Views 8 Replies Latest reply: Mar 29, 2012 8:54 AM by Hayton
steveinva Newcomer 3 posts since
Mar 27, 2012
Mar 27, 2012 4:02 PM

Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)

Been reading all morning about this issue. Sadly I see it has been ongoing for what seems years. I have seen little to no resolution, and this troubles me.

I have the same issue with regard to others who have tried exhaustive attempts at fixes (MTV, Adaware, Spybot, etc. etc.) all to no avail.

McAfee did discover a trojan and removed it. However, when using IE 9.0, any search conducted now re-directs to bogus search results.

Also, the firewall shuts off, and cannot be restarted. I ONLY use McAfee, but did try to use Windows firewall, and of course it didn't work either.

Have tried scans in both normal and safe mode (without networking) to no avail as well.

Obviously I don't want to run the computer without a firewall.

I do know that the National Holocaust Museum is what infected both systems in the house. (I have contacted their IT department to inform them.)

Is it possible for McAfee to investigate their site? (Was moving through the hyperlinks at the time for where they are located, when all hell broke loose.)

Also, is there an ongoing effort with regard to this problem, which seems to me is occurring quite frequently now?

Thanks

 

Message was edited by: Hayton on 27/03/12 22:02:47 IST
  • spc3rd Champion 339 posts since
    Oct 3, 2010

    Hi steveinva and welcome to the McAfee Community Forums,

    Sorry to hear of the issues you are experiencing. Until some of our more knowledgeable forum members, Moderators, and Admins can arrive to review your post, may I suggest reviewing this forum article:

    https://community.mcafee.com/docs/DOC-1294

    It will help provide a starting point for addressing the problems you are experiencing. After trying the instructions given, please post back and let us know the results. Also, what was the name of the trojan that McAfee found on your system?

    You indicated having run scans in both Normal and Safe Mode (without Networking). Were the scans done only with McAfee or did you use other security software? If so, please indicate all security programs you did scans with and what the results were.

    Regards,


    Message was edited by: spc3rd on 3/27/12 12:51:38 PM EDT

    Message was edited by: spc3rd on 3/27/12 1:30:32 PM EDT

    Message was edited by: Hayton - copying amended subject header to following posts - on 27/03/12 22:18:58 IST


    Volunteer SiteAdvisor Reviewer
    Mid-Atlantic region (United States)

    (Please note:  I am just a volunteer, not employed by McAfee/Intel)

  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010

    You're quite right about the site. It's infected by a Javascript exploit which downloads a Trojan, which McAfee seems to have caught. The question is whether there is still some malware running on your system which causes your searches to be redirected : I think it is highly likely.

    From Sucuri, first, the evidence for the site infection.

    [Screenshot: Sucuri SiteCheck result for ushmm.org]

    The details of the malware : it's a Phoenix Exploit. It steals, among other things, your email addresses and passwords. You could be sending spam to people in your address book : you'd better check with a few people to see if they've received anything unusual from you lately.

    [Screenshot: Sucuri Security malware entry MW-JS-6525]

    This Trojan's capability is basically similar to Zeus and SpyEye. It collects information from the user's machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.

    [Screenshot: the configuration panel of the Cridex Trojan]

    The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time. They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.

    The website isn't blacklisted anywhere (yet) and McAfee hasn't detected it yet. But detection by any of the AV vendors is poor. This is a dangerous infection, and you should probably run McAfee's Stinger tool (download from here) and then a couple of scans with non-McAfee programs to see if they can detect anything that McAfee misses. Since this Exploit is not new, Microsoft's Malicious Software Removal Tool may pick it up; alternatively, the Microsoft Safety Scanner, which is a more catch-all product. And then a scan with Malwarebytes, which is a useful backup in cases like this.

    Infection by this Exploit usually means some of your software needs updating. Have a look on the list below for anything you have, and check that it's up to date.

    Below is a running list of vulnerabilities that have been used with Phoenix:

    Adobe Reader CollectEmailInfo Vulnerability CVE-2007-5659
    Adobe Reader Collab GetIcon Vulnerability CVE-2009-0927
    Adobe Reader LibTiff Vulnerability CVE-2010-0188
    Adobe Reader newPlayer Vulnerability CVE-2009-4324
    Adobe Reader util.printf Vulnerability CVE-2008-2992
    Adobe Flash Integer Overflow in AVM2 CVE-2009-1869
    IE MDAC CVE-2006-0003
    IE iepeers Vulnerability CVE-2010-0806
    IE SnapShot Viewer ActiveX Vulnerability CVE-2008-2463
    Java HsbParser.getSoundBank (GSB) CVE-2009-3867
    Java Runtime Environment (JRE) CVE-2008-5353

    UPDATE:

    Adobe Flash Player Remote Code Execution Vulnerability (NPSWF32.dll plugin) CVE-2011-0611
    Oracle Java Applet Rhino Script Engine Remote Code Execution  CVE-2011-3544

    Edit : As a precaution, you should probably change all your passwords and (just in case) check with your bank, if you have online banking, for anything unusual. I'll send a notification to the site webmaster that they have a problem (if they don't already know, they soon will).

    2nd Edit - Google Safe Browsing is now flagging the site :

    Safe Browsing

    Diagnostic page for www.ushmm.org

    What is the current listing status for www.ushmm.org?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.

    What happened when Google visited this site?

    Of the 1529 pages we tested on the site over the past 90 days, 29 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-27, and the last time suspicious content was found on this site was on 2012-03-27.

    Malicious software includes 6 trojan(s), 1 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

    Malicious software is hosted on 4 domain(s), including implets.in/, doctring.in/, cervation.in/

    Links for more information :

    http://www.google.com/safebrowsing/diagnostic?site=http://www.ushmm.org

    http://sitecheck.sucuri.net/scanner/?scan=www.ushmm.org/

    http://sucuri.net/malware/malware-entry-mwjs6525

    http://community.websense.com/blogs/securitylabs/pages/phoenix-exploit-s-kit.aspx

    http://labs.m86security.com/tag/phoenix-exploit-kit/

    Message was edited by: Hayton : fix typos, highlight text for emphasis - on 27/03/12 22:16:42 IST

    Message was edited by: Hayton - amend subject header in posts - on 27/03/12 22:21:08 IST

    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010

    I took the liberty of amending the Subject Header so that if anyone else has the same problem on that site they can find this thread. It also means that the website will be linked with the Phoenix Exploit in Google (and other) searches, which may help people who know the site has caused a problem but don't know what the source of the problem is.

  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010

    Well, that was fast work. Either Sucuri and Google Safe Browsing were mistaken and were relaying false information, or someone at the National Holocaust Museum reacted very quickly indeed.  The Technical Contact at ushmm.org was notified of the presumed site infection a couple of hours ago and the site is now showing in Sucuri as Clean. All the other usual site checkers also return a Clean status for this website.
    All that remains is to ask the OP (steveinva) : do you have the results of any other scans apart from the McAfee scans you've already done, and are there any remaining problems?

  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010

    This is just a holding reply .... I'll cover the details later.

    The site itself now appears to be clean but AVG and Avast are still flagging it as Possibly Risky.

    Whether or not the site admin received my emails I cannot say because I received neither reply nor auto-acknowledgement. The site itself merely went silently from Reported Infected to Reported Clean within a couple of hours.

    I'm looking into whether the Phoenix Exploit is responsible for downloading ZeroAccess and Smart Fortress. For Smart Fortress of course the workaround has been given here (see this post for the Activation Code and this document for assistance on removal).

    As the discussion topic has shifted from a website infection to PC cleanup of specific malware I've moved the discussion into Top Threats.

  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010

    Thanks for the compliments. I'm glad you've got the malware removed, but sorry to see you go.

    Yes, unfortunately one of the first things that most malware does once it gets a foothold on a PC is to switch off any antivirus programs and kill the firewall. Then some - the more professionally-written malware - hides itself to make detection difficult. You seem to have had one of those (ZeroAccess, you said). Malwarebytes, although good at what it does, is probably not enough for an infection like that. They leave that stuff to the major AV players like McAfee, Symantec, and Kaspersky. McAfee actually has a rootkit removal tool that would have removed this ... oh well. You're clean now, and that's what matters most.

    If it was your ISP that notified you your PC was part of a botnet it may be that you were part of the Kelihos botnet, which was taken down by Microsoft (in collaboration with some other key security players) within the past couple of days.

    If you're interested there's a story about this by Brian Krebs (always worth reading) at

    http://krebsonsecurity.com/2012/03/researchers-clobber-khelios-spam-botnet/

    Message was edited by: Hayton on 29/03/12 14:55:04 IST