From: Spamlet on
XPPro SP3 all up to date. Avast free all up to date.

Whilst browsing innocent looking kitchen furnishing sites, my browser
suddenly came up with a window that looked like Windows Security Centre,
with an inset window looking like my AV. This inset window showed a list of
supposed trojans and other malware, and was accompanied by a popup insisting
that my system was desperately vulnerable and I should click a link to scan
it now.

I, instead, opted for pulling the plug and running ccleaner, clearing
history and running spybot and malware bytes. No malware found yet.

The hijack went to http://x05y08.3utilities.com (Sorry: I can't see how to
write this so it doesn't make a hyperlink: perhaps someone can tell me how
to do that too.) The '0's may be 'o's or a combination.

Searches on this link and its various '0' combinations came up with no other
mentions of this hijack. The 3utilities domain does get a few unreliable
notes.

Anyone know any more about this? Were WSC and Avast actually responding to
this site as they should, or was the site imitating them to fool me into
believing the popup and clicking their 'scan your pc now' button?

Cheers,

S


From: MowGreen on
Spamlet wrote:
> XPPro SP3 all up to date. Avast free all up to date.
>
> Whilst browsing innocent looking kitchen furnishing sites, my browser
> suddenly came up with a window that looked like Windows Security Centre,
> with an inset window looking like my AV. This inset window showed a list of
> supposed trojans and other malware, and was accompanied by a popup insisting
> that my system was desperately vulnerable and I should click a link to scan
> it now.
>
> I, instead, opted for pulling the plug and running ccleaner, clearing
> history and running spybot and malware bytes. No malware found yet.
>
> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see how to
> write this so it doesn't make a hyperlink: perhaps someone can tell me how
> to do that too.) The '0's may be 'o's or a combination.
>
> Searches on this link and its various '0' combinations came up with no other
> mentions of this hijack. The 3utilities domain does get a few unreliable
> notes.
>
> Anyone know any more about this? Were WSC and Avast actually responding to
> this site as they should, or was the site imitating them to fool me into
> believing the popup and clicking their 'scan your pc now' button?
>
> Cheers,
>
> S
>
>

3utilities.com resolves to this IP: 204.16.252.112
x05y08.3utilities.com yields a 403 Forbidden message and resolves to
this IP: 85.234.191.94
85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites:
http://hosts-file.net/?s=85.234.191.94
http://malc0de.com/database/index.php?search=85.234.191&IP=on

You were wise to pull the power plug. In situations such as this, one
can open Task Manager and End the Internet Explorer process
(iexplore.exe) instead of pulling the power plug.

What most likely happened was that either an Iframe or a malware
embedded ad (malvertizement) triggered the phony AV scan.
Avast's popup window when encountering embedded malware on a site is
quite unique and should be difficult to mimic. Key word being *should*.
The phony Windows Security Center warning is not quite as easy to
discern from the one you see that actually stems from Windows XP.

The malware it claimed was resident on your computer was not present and
yes, the rogue AV was trying to fool you to click the scan button so it
could download malware to your system. Then, to "clean up" the malware
that was not present and the ensuing malware that would be downloaded,
they would tell you that you had to buy their "product".

The worst part about this rogue AV "software" is that folks get conned
by it, actually purchase it, and then do not dispute the charges -
Rogue Antivirus Victims Seldom Fight Back
http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/

As to munging a possibly malware laden link, just change the http to
hxxp, like this - hxxp://x05y08.3utilities.com


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
From: Spamlet on

"MowGreen" <mowgreen(a)nowandzen.com> wrote in message
news:i3f5lg$kst$1(a)speranza.aioe.org...
> Spamlet wrote:
>> XPPro SP3 all up to date. Avast free all up to date.
>>
>> Whilst browsing innocent looking kitchen furnishing sites, my browser
>> suddenly came up with a window that looked like Windows Security Centre,
>> with an inset window looking like my AV. This inset window showed a list
>> of
>> supposed trojans and other malware, and was accompanied by a popup
>> insisting
>> that my system was desperately vulnerable and I should click a link to
>> scan
>> it now.
>>
>> I, instead, opted for pulling the plug and running ccleaner, clearing
>> history and running spybot and malware bytes. No malware found yet.
>>
>> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see how
>> to
>> write this so it doesn't make a hyperlink: perhaps someone can tell me
>> how
>> to do that too.) The '0's may be 'o's or a combination.
>>
>> Searches on this link and its various '0' combinations came up with no
>> other
>> mentions of this hijack. The 3utilities domain does get a few unreliable
>> notes.
>>
>> Anyone know any more about this? Were WSC and Avast actually responding
>> to
>> this site as they should, or was the site imitating them to fool me into
>> believing the popup and clicking their 'scan your pc now' button?
>>
>> Cheers,
>>
>> S
>>
>>
>
> 3utilities.com resolves to this IP: 204.16.252.112
> x05y08.3utilities.com yields a 403 Forbidden message and resolves to this
> IP: 85.234.191.94
> 85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites:
> http://hosts-file.net/?s=85.234.191.94
> http://malc0de.com/database/index.php?search=85.234.191&IP=on
>
> You were wise to pull the power plug. In situations such as this, one can
> open Task Manager and End the Internet Explorer process (iexplore.exe)
> instead of pulling the power plug.
>
> What most likely happened was that either an Iframe or a malware embedded
> ad (malvertizement) triggered the phony AV scan.
> Avast's popup window when encountering embedded malware on a site is quite
> unique and should be difficult to mimic. Key word being *should*. The
> phony Windows Security Center warning is not quite as easy to discern
> from the one you see that actually stems from Windows XP.
>
> The malware it claimed was resident on your computer was not present and
> yes, the rogue AV was trying to fool you to click the scan button so it
> could download malware to your system. Then, to "clean up" the malware
> that was not present and the ensuing malware that would be downloaded,
> they would tell you that you had to buy their "product".
>
> The worst part about this rogue AV "software" is that folks get conned by
> it, actually purchase it, and then do not dispute the charges -
> Rogue Antivirus Victims Seldom Fight Back
> http://krebsonsecurity.com/2010/07/rogue-antivirus-victims-seldom-fight-back/
>
> As to munging a possibly malware laden link, just change the http to
> hxxp, like this - hxxp://x05y08.3utilities.com
>
>
> MowGreen

Thanks Mow, a very good response.

I thought I already had a hosts file with all these black listed sites on.
Perhaps I lost it when I uninstalled Spybot during a recent hard drive
change. Would the SpyBot Resident protection - now reinstalled - have
picked this up? If not, how do I incorporate all the blacklisted sites, or
get a regularly updated hosts list (I used to have something called Hosts
Secure, but it seems to have disappeared now I come to think of it?). I've
added *3utilities.com* to my Adblock Plus filters in Firefox: is there a
similar add on for IE8?

A lot of new questions: sorry! And, finally: should I be posting this as a
warning somewhere else?

Thanks very much for the prompt reply.

S
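
As an added illustration for the two practical points raised in this exchange
(MowGreen's http -> hxxp munging, and the question of whether a hosts file or
an Adblock Plus filter actually covers a host like this one), here is a small
Python triage helper. It is not code from anyone in the thread; the sample
hosts file and filter list are constructed, the function names are my own, and
the hxxp/[.] notation and the ||domain^ filter form are common conventions
rather than anything the thread spells out.

```python
from itertools import product
from ipaddress import ip_address
from urllib.parse import urlsplit, urlunsplit

# --- 1. Munging a link for posting (the http -> hxxp convention) ---
_DEFANG_SCHEME = {"http": "hxxp", "https": "hxxps"}
_REFANG_SCHEME = {v: k for k, v in _DEFANG_SCHEME.items()}


def defang(url):
    """Rewrite the scheme to hxxp(s) and bracket the dots of the host as [.].

    The path and query are left untouched so readers still see what was
    requested. A bare host name (no scheme) just gets its dots bracketed.
    """
    if "://" not in url:
        return url.replace(".", "[.]")
    parts = urlsplit(url)
    scheme = _DEFANG_SCHEME.get(parts.scheme.lower(), parts.scheme)
    netloc = parts.netloc.replace(".", "[.]")
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def refang(munged):
    """Undo defang(). Plain string work on purpose: urlsplit() rejects a
    bracketed host that is not an IPv6 literal, so the munged form must not
    be parsed as a URL."""
    url = munged.replace("[.]", ".")
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    return _REFANG_SCHEME.get(scheme.lower(), scheme) + sep + rest


# --- 2. Does a block list actually stop the host? ---
# Constructed sample hosts file in the usual blocklist style (sinkhole to 0.0.0.0).
SAMPLE_HOSTS = """\
# comments and blank lines are ignored
127.0.0.1   localhost
0.0.0.0     3utilities.com
0.0.0.0     x05y08.3utilities.com   # the exact host from the thread
"""
# Constructed Adblock Plus style filter; ||domain^ also covers every subdomain.
SAMPLE_FILTERS = ["||3utilities.com^"]
SINKHOLE = "0.0.0.0"


def parse_hosts(text):
    """Return {hostname: address} for each mapping line of a hosts file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip_address(addr)
        except ValueError:
            continue  # not a mapping line; skip rather than guess
        for name in names:
            mapping[name.lower().rstrip(".")] = addr
    return mapping


def hosts_blocks(hostname, mapping):
    """A hosts file has no wildcards: only an exact name match counts."""
    return mapping.get(hostname.lower().rstrip(".")) == SINKHOLE


def abp_blocks(hostname, filters):
    """||domain^ matches the domain itself and any subdomain of it."""
    host = hostname.lower().rstrip(".")
    for rule in filters:
        if rule.startswith("||") and rule.endswith("^"):
            dom = rule[2:-1].lower()
            if host == dom or host.endswith("." + dom):
                return True
    return False


def zero_o_variants(label):
    """Every spelling of a label with each '0'/'o' swapped, as the post suggests."""
    slots = [("0", "o") if c in "0o" else (c,) for c in label]
    return sorted("".join(p) for p in product(*slots))


def coverage(hostnames, hosts_text=SAMPLE_HOSTS, filters=SAMPLE_FILTERS):
    """Per host: (stopped by the hosts file?, stopped by the Adblock Plus rule?)."""
    mapping = parse_hosts(hosts_text)
    return {h: (hosts_blocks(h, mapping), abp_blocks(h, filters)) for h in hostnames}


if __name__ == "__main__":
    reported = "http://x05y08.3utilities.com"   # the host from the original post
    print("post this:", defang(reported))       # hxxp://x05y08[.]3utilities[.]com
    hosts = [v + ".3utilities.com" for v in zero_o_variants("x05y08")]
    for h, (by_hosts, by_abp) in coverage(hosts).items():
        print(f"{h:24} hosts file: {by_hosts!s:5}  Adblock Plus: {by_abp}")
```

The point the report makes: a hosts file maps exact names only, so a line for
3utilities.com says nothing about x05y08.3utilities.com or its 0/o lookalike
spellings, and each one would need its own line. An Adblock Plus rule of the
form ||3utilities.com^ covers every subdomain at once, which also means it
blocks every other host under that domain, not just the one seen here.
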


From: MowGreen on
Spamlet wrote:
> Very helpful. Thanks very much for all your help.
> I don't see anything about IFrames in Firefox either, but it does have quite
> a long list of sites where popups and images are blocked.
>
> S


The NoScript add-on can be installed to forbid IFRAMES for Untrusted
Sites in Mozilla based browsers. Forbid IFRAMES is Enabled by Default
when NoScript is installed.
The setting is on the Embeddings page of Options.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked

From: Spamlet on

"MowGreen" <mowgreen(a)nowandzen.com> wrote in message
news:i3pcs2$bdi$1(a)speranza.aioe.org...
> Spamlet wrote:
>> Very helpful. Thanks very much for all your help.
>> I don't see anything about IFrames in Firefox either, but it does have
>> quite
>> a long list of sites where popups and images are blocked.
>>
>> S
>
>
> The NoScript add-on can be installed to forbid IFRAMES for Untrusted Sites
> in Mozilla based browsers. Forbid IFRAMES is Enabled by Default when
> NoScript is installed.
> The setting is on the Embeddings page of Options.
>
>
> MowGreen

Well thank you once again: this is going beyond the call of duty!
That looks like quite a sophisticated add-on: I'll give it a try - though I
notice its own website appears to be encouraging a click and scan...

Cheers,
S