8 Replies Latest reply on Mar 29, 2012 8:55 AM by Hayton

    Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)

      Been reading all morning about this issue.  Sadly I see it has been ongoing for what seems years.  I have seen little to no resolution, and this troubles me.

       

      I have the same issue with regard to others who have tried exhaustive attempts at fixes (MTV, Adaware, Spybot, etc etc) all to no avail.

       

      Mcafee did discover a trojan and removed it.  However, when using IE 9.0, any search conducted now re-directs to bogus search results. 

       

      Also, the firwall shuts off, and cannot be restarted.  I ONLY use Mcafee, but did try to use windows firewall, and of course it didn't work either.

       

      Have tried scans in both normal and safe mode (Without networking) to no avail as well.

       

      Obviously I don't want to run the computer without a firewall.

       

      I do know that the National Holocaust Museum is what infected both systems in the house. (I have contacted their IT department to inform them)

       

      Is it possible for Mcafee to investigate their site (Was moving through the hyper links at the time for where they are located, when all hell broke loose)

       

      Also, is there an ongoing effort with regard to this problem, which seems to me is occuring quite frequently now?

       

      Thanks

       

      Message was edited by: Hayton on 27/03/12 22:02:47 IST
        • 1. Re: Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)
          spc3rd

          Hi steveinva and welcome to the McAfee Community Forums,

           

               Sorry to hear of the issues you are experiencing.  Until some of our more knowledgeable forum members, Moderators, and Admins can arrive to review your post, may I suggest reviewing this forum article:

           

          https://community.mcafee.com/docs/DOC-1294

           

          It will help provide a starting point for addressing the problems you are experiencing.  After trying the instructions given, please post back and let us know the results.  Also, what was the name of the trojan that McAfee found on your system?

           

          You indicated having run scans in both Normal and Safe Mode (without Networking).  Were the scans done only with McAfee or did you use other security software?  if so, please indicate all security programs you did scans with & what the results were.

           

          Regards,

           

          Message was edited by: spc3rd on 3/27/12 12:51:38 PM EDT

           

          Message was edited by: spc3rd on 3/27/12 1:30:32 PM EDT

           

          Message was edited by: Hayton - copying amended subject header to following posts - on 27/03/12 22:18:58 IST
          • 2. Re: Firewall does not stay on/Re-direct searches  (Phoenix Exploit on ushmm.org installs Trojan)
            Hayton

            You're quite right about the site. It's infected by a Javascript exploit which downloads a Trojan, which McAfee seems to have caught. The question is whether there is still some malware running on your system which causes your searches to be redirected : I think it is highly likely.

             

            From Sucuri, first, the evidence for the site infection.

             

            Sucuri SiteCheck - ushmm_org.png

             

            The details of the malware : it's a Phoenix Exploit. It steals, among other things, your email addresses and passwords. You could be sending spam to people in your address book : you'd better check with a few people to see if they've received anything unusual from you lately.

             

            Malware entry- MW-JS-6525 - Sucuri Security.png

             

            This Trojan’s capability is basically similar to Zeus and SpyEye. It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.

            The configuration panel of the Cridex Trojan

            The configuration panel of the Cridex Trojan

             

            The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time. They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.

             

             

            The website isn't blacklisted anywhere (yet) and McAfee hasn't detected it yet. But detection by any of the AV vendors is poor. This is a dangerous infection, and you should probably run McAfee's Stinger tool (download from here) and then a couple of scans with non-McAfee programs to see if they can detect anything that McAfee misses. Since this Exploit is not new, Microsoft's Malicious Software Removal Tool may pick it up; alternatively, the Microsoft Safety Scanner, which is a more catch-all product. And then a scan with Malwarebytes, which is a useful backup in cases like this.

             

            Infection by this Exploit usually means some of your software needs updating. Have a look on the list below for anything you have, and check that it's up to date.

            Below is a running list of vulnerabilities that have been used with Phoenix:

            Adobe Reader CollectEmailInfo Vulnerability CVE-2007-5659
            Adobe Reader Collab GetIcon Vulnerability CVE-2009-0927
            Adobe Reader LibTiff Vulnerability CVE-2010-0188
            Adobe Reader newPlayer Vulnerability CVE-2009-4324
            Adobe Reader util.printf Vulnerability CVE-2008-2992
            Adobe Flash Integer Overflow in AVM2 CVE-2009-1869
            IE MDAC CVE-2006-0003
            IE iepeers Vulnerability CVE-2010-0806
            IE SnapShot Viewer ActiveX Vulnerability CVE-2008-2463
            Java HsbParser.getSoundBank (GSB) CVE-2009-3867
            Java Runtime Environment (JRE) CVE-2008-5353

            UPDATE:

            Adobe Flash Player Remote Code Execution Vulnerability (NPSWF32.dll plugin) CVE-2011-0611
            Oracle Java Applet Rhino Script Engine Remote Code Execution  CVE-2011-3544

             

             

             

            Edit : As a precaution, you should probably change all your passwords and (just in case) check with your bank, if you have online banking, for anything unusual. I'll send a notification to the site webmaster that they have a problem (if they don't already know, they soon will).

             

            2nd Edit - Google Safe Browsing is now flagging the site :

             

            Safe Browsing

            Diagnostic page for www.ushmm.org

            What is the current listing status for www.ushmm.org?

            This site is not currently listed as suspicious.

            Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.

            What happened when Google visited this site?

            Of the 1529 pages we tested on the site over the past 90 days, 29 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-27, and the last time suspicious content was found on this site was on 2012-03-27.

             

            Malicious software includes 6 trojan(s), 1 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

             

            Malicious software is hosted on 4 domain(s), including implets.in/, doctring.in/, cervation.in/

             

            Links for more information :

            http://www.google.com/safebrowsing/diagnostic?site=http://www.ushmm.org

            http://sitecheck.sucuri.net/scanner/?scan=www.ushmm.org/

            http://sucuri.net/malware/malware-entry-mwjs6525

            http://community.websense.com/blogs/securitylabs/pages/phoenix-exploit-s-kit.asp x

            http://labs.m86security.com/tag/phoenix-exploit-kit/

             

             

            Message was edited by: Hayton : fix typos, highlight text for emphasis -  on 27/03/12 22:16:42 IST

             

            Message was edited by: Hayton - amend subject header in posts -  on 27/03/12 22:21:08 IST
            • 3. Re: Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)
              Hayton

              I took the liberty of amending the Subject Header so that if anyone else has the same problem on that site they can find this thread. It also means that the website will be linked with the Phoenix Exploit in Google (and other) searches, which may help people who know the site has caused a problem but don't know what the source of the problem is.

              • 4. Re: Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)
                Hayton

                Well, that was fast work. Either Sucuri and Google Safe Browsing were mistaken and were relaying false information, or someone at the National Holocaust Museum reacted very quickly indeed.  The Technical Contact at ushmm.org was notified of the presumed site infection a couple of hours ago and the site is now showing in Sucuri as Clean. All the other usual site checkers also return a Clean status for this website.

                 

                All that remains is to ask the OP (steveinva) : do you have the results of any other scans apart from the McAfee scans you've already done, and are there any remaining problems?

                • 5. Re: Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)

                  Hi Guys:

                   

                  Thanks for the welcome, and the assistance.

                   

                  Here is where I am at now and what I know to date:

                   

                  I contacted The National Holocaust Museum and informed them.  Outside of their rudeness and all, at least the gal I spoke to informed their IT department.

                   

                  As for the Infection(Bear in mind I am talking about 2 computers here.  I will refer to Small (Kids and wife) and Big (Mine) as we are the primary users of each.

                   

                  The wife infected the small one, and when she originally got infected an Anti-Antivirus program launched (Smart Fortress 2012)  McAfee did not catch or stop this program.  I ran Adawre and malwarebytes in addition to McAfee on this computer.  It caught 16 exploits with Malwarebytes last night, and I removed them.  Although the results were not quite what I was looking for, because they were "Typical"  I.e. Mysearch, and other bullcrap search bars, etc. 

                   

                  I infected the big one when I was veryifying that what the wiife said was correct, that she got it from the National Holocaust Museum.  I figured one of this kids with their constant music downloads, their friends or something else happened.  Anyway, the strange thing on mine was that Smart-Fortress-2012 was not the culprit, but the ZeroAccess trojan was.  McAfee caught it, however, it appears to not truly be caught, as I got a notice from my ISP today that it appears a bot is running on my system.  Now, after running an 11 hour malwarebytes scan on my system (Logged on as me) it found nothing.  When I was logged on as me on the smaller system it found the 16 i spoke of previously.

                   

                  So, here is where I am at with my thinking.  The "virus" is user specific.  Reason I say this is because if I am logged on as me, McAfee shuts itself off, but if I log on as anyone else, it doesn't.

                   

                  I ran clean up on McAfee this morning and it found quite a few lil nasties, but several temp files and 1 registry key could not be deleted.  The registry key appears to only be random characters (I didn't count the number of them, but it looks like more than 20 that look something like {BA27Jug6 etc etc }  I will try to see if I can get in when I get off work and provide screenshots or copy paste stuff.  I am sure there is a rootkit bug, but so far nothing specific other than the ZeroAccess trojan has popped up, but at this point, while it did notify me, I am not sure it has stoopped it.  Within the quarantine for McAfee, there are currently 16K entries.  None are deletable.

                   

                  The wife is currently logged into the small system and the firewall is still up.  She has used IE and has not been redirected.

                   

                  I am re-running MALWAREBYTES on the big system currently as another user so I will see when I go home tonight if it finds anything.

                   

                  *Update*  Was speaking to a couple of the "Geeks" here at work (I work on a Gov't enterprise system)  and basically the steps taken are what they recommend, as well as using spyware blaster and spybot....  I will also try to run regedit from a c: prompt prior to full boot up and see if I can't manually delete that key I was talking about....  Any other suggestions, gents?

                   

                  Message was edited by: steveinva on 3/28/12 8:35:39 AM CDT
                  • 6. Re: Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)
                    Hayton

                    This is just a holding reply .... I'll cover the details later

                     

                    The site itself now appears to be clean but AVG and Avast are still flagging it as Possibly Risky.

                     

                    Whether or not the site admin received my emails I cannot say because I received neither reply nor auto-acknowledgement. The site itself merely went silently from Reported Infected to Reported Clean within a couple of hours.

                     

                    I'm looking into whether the Phoenix Exploit is responsible for downloading ZeroAccess and Smart Fortress. For Smart Fortress of course the workaround has been given here (see this post for the Activation Code and this document for assistance on removal).

                     

                    As the discussion topic has shifted from a website infection to PC cleanup of specific malware I've moved the discussion into Top Threats.

                    • 7. Re: Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)

                      OK Guys:   It is done.

                       

                      I actually got an email from my ISP's security department informing me that it appeared I had a bot that was doing all kinds of wonderful things.  (I was like No &^%$)  Anyways....  they were very helpful, plust my ISP actually provides Norton Security Suite free, so after exhausting myself the past 3 days, I had to uninstall McAfee.

                       

                      You guys here are doing great things, and I commend you for looking out for your fellow man!  Unfortuantely, a Trojan/Virus/Bot, whatever, that shuts down your firewall, which is provided by an AV company, and an AV company itself is of little or no help, then it is time to move along.  And to think I renewed for 3 years recently.

                       

                      The trojan itself was actually located in 2 places:  in a USB20.DLL files, as well as within the root.  It ultimately took 2 swipes of the removal tool from symantec, along with a shot of power eraser. 

                       

                      To the rest of you who have had a similar issue like mine:  All of the advice I have seen given here is correct.  These things manifest themselves in so many variable ways, it is next to impossible to be 100% effective, or 100% right in diagnosing and ridding ourselves of problems. 

                       

                      Not slamming McAfee in anyway, they just let me down in this one instance, but the guys on here are awesomesauce!

                      • 8. Re: Firewall does not stay on/Re-direct searches (Phoenix Exploit on ushmm.org installs Trojan)
                        Hayton

                        Thanks for the compliments. I'm glad you've got the malware removed, but sorry to see you go.

                         

                        Yes, unfortunately one of the first things that most malware does once it gets a foothold on a PC is to switch off any antivirus programs and kill the firewall. Then some - the more professionally-written malware - hides itself to make detection difficult. You seem to have had one of those (ZeroAccess, you said). Malwarebytes, although good at what it does, is probably not enough for an infection like that. They leave that stuff to the major AV players like McAfee, Symantec, and Kaspersky. McAfee actually has a rootkit removal tool that would have removed this ... oh well. You're clean now, and that's what matters most.

                         

                        If it was your ISP that notified you your PC was part of a botnet it may be that you were part of the Kelihos botnet, which was taken down by Microsoft (in collaboration with some other key security players) within the past couple of days.

                         

                        If you're interested there's a story about this by Brian Krebs (always worth reading) at

                        http://krebsonsecurity.com/2012/03/researchers-clobber-khelios-spam-botnet/

                         

                        Message was edited by: Hayton on 29/03/12 14:55:04 IST