Google Redirect
SloanTreeFarm.com
May, 2007


Discovered by a member at wilderssecurity.com
Noticed that one of my firewall rules was activated for the first time today...
The IP in question: 85.255.115.221.
________________________________________________________________
The Google redirect works in both IE and Opera.

The exploit targets several IE vulnerabilities, using JavaScript to launch the files.

This part of the exploit does not work in Opera.

The site in question is Sloan Tree Farm. Clicking on the Google result link redirects to a malicious web site:

image
___________________________________________________________

The wilderssecurity.com member made this Proxomitron capture,
showing the Referer header from Google
and the 302 redirect from the Sloan site (Server: Apache/1.3.37):

image
___________________________________________________________

With automatic redirection disabled, I can force the browser to show the 302 page instead of following it.
Hovering the mouse over the hyperlink reveals the redirect URL.
The spoof uses a URL appended to the Sloan site's own address:

image
___________________________________________________________

NOTE: I have contacted Sloan Tree Farm; they have identified the vulnerability
and fixed their site so that the Referer-triggered redirect no longer works.

However, the direct link above is still in operation.





Analysis

Several HTML pages are cached:

image
__________________________________________________________

The index.html page calls out to a different web server
to load the rogue WinAntiVirus page:

image __________________________________________________________

This is the source of the WinAntiVirus page:
http://6950172115.hbison.com/sp/fpa/
WhoIs query on hbison.com:
Initiating server query ...
Looking up IP address for domain: hbison.com
The IP address for the domain is: 69.50.184.59
Other information: hbison.com is a notorious originator of spyware;
the domain is registered to someone in Finland.
Administrative
Henry Bison
Kauppakatu
Suomussalmi, -- 89600
Finland -- FI
email: domains@hbison.com
your-searcher.com

[CWSTrojan]:69.50.184.50-69.50.184.50
esthost.com[CWSTrojans]:69.50.179.217-69.50.179.217
nns1.hbison.com:69.50.184.50-69.50.184.50
nns2.hbison.com:69.50.184.51-69.50.184.51

User Review Summary for hbison.com 
Adware, spyware, or viruses

User Reviews
Rating: Adware, spyware, or viruses



image __________________________________________________________

image __________________________________________________________

As soon as the WinAntiVirus page loads, the first downloader immediately attempts to cache
and is blocked from downloading:

image

image __________________________________________________________

Scan of cnte-oiduuyes.gif

image ___________________________________________________________

If cnte-oiduuyes[1].gif is blocked from downloading, nothing happens.

Letting it download: cnte-oiduuyes[1].gif is copied as
MS_update_0704_KB74073.exe
in the C:\Documents and Settings\.......\Startup directory (see the code above).

Scan of MS_update_0704_KB74073.exe, showing that the two are the same file:

image ___________________________________________________________
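The downloader is an executable served under a .gif name, and the two scans only agree because the bytes are identical. The following is an added example, not code from the original write-up: it identifies a file by its leading bytes instead of its extension or Content-Type, walks the DOS stub to the PE signature to tell a real executable from a file that merely begins with "MZ", and confirms that two differently named copies are the same file by hash. The byte strings built here are constructed stand-ins; they are not the actual cnte-oiduuyes.gif sample.

```python
# Added example (not part of the original write-up): file-type sniffing and
# same-file confirmation. constructed_pe() and CONSTRUCTED_GIF are made-up
# inputs, not the real sample.
import hashlib

MAGIC = [   # (leading bytes, type); checked in order
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe-executable"),   # DOS stub that begins every Windows PE file
]
EXT_TYPES = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
             "exe": "pe-executable", "dll": "pe-executable"}


def sniff(data):
    """Type according to the file's own header bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def is_pe(data):
    """Follow e_lfanew (offset 0x3c) and look for the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"


def inspect(name, data, content_type=None):
    """Compare what the name / Content-Type claim with what the bytes say."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    claimed = EXT_TYPES.get(ext, "unknown")
    if content_type and content_type.lower().startswith("image/"):
        claimed = content_type.split("/", 1)[1].lower()   # image/gif -> gif
    actual = sniff(data)
    if actual == "pe-executable" and not is_pe(data):
        actual = "mz-stub-without-pe-header"
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": claimed != actual,
            "sha256": hashlib.sha256(data).hexdigest()}


def same_file(a, b):
    """True when two blobs are byte-identical regardless of their names."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def constructed_pe():
    """Minimal MZ stub whose e_lfanew points at a PE signature (not a real program)."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40 bytes of DOS header
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew = 0x40
    return bytes(stub) + b"PE\0\0" + b"\0" * 20


CONSTRUCTED_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"

if __name__ == "__main__":
    pe = constructed_pe()
    print(inspect("cnte-oiduuyes[1].gif", pe, "image/gif"))   # claims gif, is PE
    print(inspect("MS_update_0704_KB74073.exe", pe))           # same bytes, renamed
    print(same_file(pe, pe))
```

The name, the extension and the server's Content-Type are all under the attacker's control; only the bytes are not, which is why a proxy or scanner that decides by extension lets this through.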

The executable then runs and creates tmp11.tmp in the C:\Documents and Settings.....\Temp directory:

image ___________________________________________________________

Now IExplore immediately crashes, and a new IExplore process starts (with a hidden window) and attempts to connect out to inhoster.com.

Note that normally the downloader itself connects out, but in this case, as the firewall alert shows, IExplore has been hijacked to do the actual connecting. Because the browser is already trusted by the firewall's per-application rules, this would not normally be flagged; I set the firewall to alert on it in order to catch it:

image ___________________________________________________________

Three files are installed in C:\WINNT\System32

image ___________________________________________________________

Proof that MS_update_0704_KB74073.exe creates the *.tmp files came from a later alert when it created another one:

image ___________________________________________________________

It seems that MS_update_0704_KB74073.exe is the workhorse. Being in the Startup folder, it will run at every logon and connect to inhoster.com, hidden from view.

To test, I executed the file manually; immediately a new IExplore process started, along with two MS_Update_0704 processes:

image ___________________________________________________________

ipv6mons.dll has been used by several trojans as a BHO (Browser Helper Object).

Restarting IExplore - Definitely hijacked:

image
___________________________________________________________
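The chain above (an executable in the Startup folder that spawns a hidden browser, which then does the outbound connection) leaves a recognisable shape in the process tree even when the firewall stays quiet. The following is an added example, not code from the original write-up: detection logic run over a constructed process snapshot. The PIDs, the profile name in the paths and the window flags are made up; only the file names iexplore.exe and MS_update_0704_KB74073.exe and the Startup-folder location come from the observations above.

```python
# Added example (not part of the original write-up): process-tree checks for a
# hijacked browser. SNAPSHOT is constructed; PIDs, paths and flags are made up.
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"
BROWSERS = {"iexplore.exe", "opera.exe"}
EXPECTED_BROWSER_PARENTS = {"explorer.exe", "iexplore.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def findings(snapshot):
    """Return (pid, reason) pairs for processes worth a closer look."""
    by_pid = {p["pid"]: p for p in snapshot}
    out = []
    for p in snapshot:
        name = basename(p["image"])
        parent = by_pid.get(p["ppid"])
        parent_name = basename(parent["image"]) if parent else "<none>"
        # 1. anything executing out of the per-user Startup folder
        if STARTUP_FOLDER in p["image"].lower():
            out.append((p["pid"], "executable running from the Startup folder"))
        # 2. a browser whose parent is not the shell or another browser instance
        if name in BROWSERS and parent_name not in EXPECTED_BROWSER_PARENTS:
            out.append((p["pid"], f"browser started by {parent_name} (pid {p['ppid']})"))
        # 3. a browser with no visible window (nobody is browsing with it)
        if name in BROWSERS and not p["visible_window"]:
            out.append((p["pid"], "browser with no visible window"))
    return out


USER = "C:\\Documents and Settings\\analyst"   # constructed profile path
STARTUP_EXE = USER + "\\Start Menu\\Programs\\Startup\\MS_update_0704_KB74073.exe"
IE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"

SNAPSHOT = [   # constructed; mirrors the write-up's description
    {"pid": 800,  "ppid": 4,    "image": "C:\\WINNT\\system32\\winlogon.exe", "visible_window": False},
    {"pid": 1200, "ppid": 800,  "image": "C:\\WINNT\\explorer.exe",          "visible_window": True},
    {"pid": 1504, "ppid": 1200, "image": IE,                                  "visible_window": True},
    {"pid": 1620, "ppid": 1200, "image": STARTUP_EXE,                         "visible_window": False},
    {"pid": 1688, "ppid": 1620, "image": STARTUP_EXE,                         "visible_window": False},
    {"pid": 1700, "ppid": 1620, "image": IE,                                  "visible_window": False},
]

if __name__ == "__main__":
    for pid, reason in findings(SNAPSHOT):
        print(pid, reason)
```

The user's own IE instance (pid 1504, started by explorer.exe with a window) produces nothing; the hidden IE started by the Startup-folder executable trips two of the three rules. A per-application firewall only sees the image name, so this parent/child and window context is what has to be added to catch it.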

This exploit uses an evasive technique whereby the malicious site tracks the visitor's IP address and declines a return visit from the same address. I had to disconnect and reconnect in order to run the exploit a second time.

I noticed that a new series of random characters following trk= was appended to the cached URLs each time. The last file in the list is the URL that downloads the executable disguised as a *.gif:

image
_____________________________________________________________________

image
_____________________________________

In this case, trying to fetch this URL again returns an error page saying the file cannot be located:

image
_____________________________________________________________________

Finjan's 2nd Quarterly Report discusses some of these evasive measures:

Finjan Report

"Evasive attack techniques where malicious code is controlled per IP address, country of origin or number of visits provide hackers with the ability to minimize the malicious code’s exposure, thereby reducing the likelihood of detection. Moreover, evasive attacks can identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, replying to these engines with legitimate content and increasing the chances of mistakenly being classified by them as a legitimate category," said Yuval Ben-Itzhak, CTO, Finjan. "The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected."