Google Redirect
SloanTreeFarm.com, May 2007
Discovered by a member at wilderssecurity.com
Noticed that one of my firewall rules was activated for the first time today... The IP in question: 85.255.115.221.

[screenshot not recovered]

The Google redirect works in both IE and Opera. The exploit targets several IE vulnerabilities, using JavaScript to launch the files; this part of the exploit does not work in Opera. The site in question is Sloan Tree Farms. Clicking on the link redirects to a malicious web site:

[screenshot not recovered]

The wilderssecurity.com member made this Proxomitron capture, showing the Referer header from Google and the redirect (302 page) from the Sloan site (Server: Apache/1.3.37):
[screenshot not recovered]

With automatic redirects disabled, I can force the 302 page to display. Hovering the mouse over the hyperlink reveals the redirect URL. The spoof uses an appended URL:

[screenshot not recovered]
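A defender-side check for the referer-conditional redirect described above, added here and not part of the original write-up: it scans Apache combined-format access log lines (the sample lines are constructed, not logs from the incident) and flags any path that answers search-engine-referred visitors with a 302 while direct visitors receive a 200, which is the pattern a compromised site like this one would leave in its own logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" log format: host ident user [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Referer hosts treated as "search engine" traffic (assumed list, extend as needed).
SEARCH_ENGINES = ("google.", "yahoo.", "msn.", "live.")


def is_search_referer(referer: str) -> bool:
    """True when the Referer URL's host belongs to one of the search engines above."""
    host = urlparse(referer).hostname or ""
    return any(tag in host for tag in SEARCH_ENGINES)


def find_referer_cloaking(log_lines):
    """Return {path: (search_statuses, direct_statuses)} for every path that
    sends search-referred visitors a 302 but serves direct visitors a 200."""
    seen = defaultdict(lambda: (set(), set()))  # path -> (search statuses, direct statuses)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        search, direct = seen[m["path"]]
        (search if is_search_referer(m["referer"]) else direct).add(m["status"])
    return {
        path: (sorted(s), sorted(d))
        for path, (s, d) in seen.items()
        if "302" in s and "200" in d and "302" not in d
    }


# Constructed sample log lines (not from the incident): /index.html is cloaked, /trees.html is clean.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2007:10:01:02 -0400] "GET /index.html HTTP/1.1" 302 256 "http://www.google.com/search?q=tree+farm" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.6 - - [12/May/2007:10:02:10 -0400] "GET /index.html HTTP/1.1" 200 8123 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.7 - - [12/May/2007:10:03:33 -0400] "GET /trees.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=spruce" "Opera/9.20"',
    '10.0.0.8 - - [12/May/2007:10:04:00 -0400] "GET /trees.html HTTP/1.1" 200 5120 "-" "Opera/9.20"',
    "not a log line at all",
]

if __name__ == "__main__":
    for path, (search, direct) in find_referer_cloaking(SAMPLE_LOG).items():
        print(f"{path}: search-referred -> {search}, direct -> {direct}")
```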
NOTE: I have contacted Sloan Tree Farm; they have identified the vulnerability and fixed their site so that the referer/redirect no longer works. However, the direct link above is still in operation.

Analysis

Several HTML pages cache:
[screenshot not recovered]

The Index.html page calls out to a different web server to download the nasty WinAntiVirus web site:

[screenshot not recovered]
This is the source of the WinAntiVirus page: http://6950172115.hbison.com/sp/fpa/

WhoIs query on hbison.com:

Initiating server query ...
Looking up IP address for domain: hbison.com
The IP address for the domain is: 69.50.184.59

Other information: hbison is a notorious originator of spyware; the domain is registered to someone in Finland.

Administrative contact: Henry Bison, Kauppakatu, Suomussalmi 89600, Finland (FI), email: domains@hbison.com

your-searcher.com [CWSTrojan]: 69.50.184.50-69.50.184.50
esthost.com [CWSTrojans]: 69.50.179.217-69.50.179.217
nns1.hbison.com: 69.50.184.50-69.50.184.50
nns2.hbison.com: 69.50.184.51-69.50.184.51

User review summary for hbison.com: Adware, spyware, or viruses
[screenshots not recovered]
As soon as the WinAntiVirus page loads, the first downloader immediately attempts to cache and is blocked:

[screenshot not recovered]
Scan of cnte-oiduuyes.gif
[screenshot not recovered]
If cnte-oiduuyes[1].gif is blocked from downloading, nothing happens. If it is allowed to download, cnte-oiduuyes[1].gif is copied as MS_update_0704_KB74073.exe into the C:\Documents and Settings\.......\Startup directory. A scan of MS_update_ shows they are the same file:

[screenshot not recovered]
It then runs, creating tmp11.tmp in the C:\Documents and Settings.....\Temp directory:

[screenshot not recovered]
Now IExplore immediately crashes, and a new IExplore process starts (hidden window) and attempts to connect out to inhoster.com. Normally the downloader itself connects out, but in this case, as the firewall alert shows, IExplore has been hijacked to do the actual connecting, which would not normally be flagged by the firewall. I set the firewall to alert in order to catch it:

[screenshot not recovered]
Three files are installed in C:\WINNT\System32:

[screenshot not recovered]
Proof that MS_update_0704_KB74073.exe creates the *.tmp files came later, from an alert when it created another one:

[screenshot not recovered]
It seems that MS_update_0704_KB74073.exe is the workhorse. Being in the Startup directory, it will run on every bootup and connect to inhoster.com hidden from view. To test, I executed the file manually, and immediately a new IExplore process started along with two MS_Update_0704 processes:

[screenshot not recovered]
ipv6mons.dll has been used with several trojans as a BHO. Restarting IExplore shows it is definitely hijacked:

[screenshot not recovered]
This exploit uses an evasive technique whereby the malicious site somehow tracks the IP address and declines a return visit from the same address. I had to disconnect and reconnect in order to run the exploit a second time. I noticed that a series of random characters appended to the cached URLs was generated each time. The last file in the list is the URL which downloads the spoofed *.gif executable file:
[screenshot not recovered]

In this case, trying to run this URL again returns an error page saying that the file cannot be located:
[screenshot not recovered]

Finjan's 2nd Quarterly Report discusses some of these evasive measures: Finjan Report