Injection into sites with determination of whether it's in a frameset (user on google images) or outside of one (google image bot browsing for images).

Very common. Google images is somewhat perilous these days as a resutl.

>he allows javascript to resize his windows

If you've already visited the page and have downloaded the file, can you give me a copy of the infected exe?

>isn't running NoScript
welp

>.cz.cc
Seems legit, Microsoft does a lot of outsoucing these days

>he has java installed
>2011

feels good to be part of the linux master race

>>17267502
How do you know for a fact that he has Java installed? I see no indication of it from the OP image.

>>17267515
Can you upload a copy of BestAntivirus2011.Exe to mediafire for me to fuck around with?

>>17267515
That page is awesome. The source is actually pretty funny if you like that sort of thing.

a metric fuckload of image results lead to some fake security scan site

the one that tries to keep you from leaving with a dialog box. i hate that shit so much. i want to block alert scripts entirely.

>>17267519
Did you somehow miss the large white rectangle that is trying to scare OP into clicking OK?

>>17267530
Never mind, downloaded in a VM. Virustotlan now.

>>17267530
just download it from the website but dont execute it.

I got one of those today in a Google image search as well

>>17267549
In some cases, these sites use Java/Flash/Adobe Reader/Windows vulnerabilities to elevate + autoexecute automatically.

Fully up to date, but could have a zero day.

>/fa/
How the fuck did you fags miss this? Obvious fucking hipster Firefox user, Go back to >>>/fa/.

Detection is pretty bad, I'm submitting to microsoft and avira.

>>17267565
They have a pretty nice guide on what clothes to wear if you don't want to look like a child.

>>17267545
Post link/hash when done.

>>17267603
http://www.virustotal.com/file-scan/report.html?id=2652630b329aa4231baa72368645cea1dfc07e162a6752a4d
dad62efb68410af-1304298547

8/42. Microsoft is testing the file now.

>intro to algebra
>spark notes
>/fa/
confirmed for 8th grade faggot

>>17267613
algorithms dumbshit

>>17267611
How about the box? What does the program do? Any data going in/out? Thread has me interested. I fucking hate this shit but can't resist knowing how others get away with this.

Avira took the file in, but they're pretty slow.

File if anybody wants it:
http://www.mediafire.com/?n4itugart8yp4c7

ZIP Password is "infected". This is a torjan. DOn't download unless you know what the fuck you're doing.

>>17267638
Ah, well, I used the VM as a potential sacrifice in case there was an exploit. I could burn the box, I suppose... let me shutdown and make a copy of the VM before proceeding.

>>17267671
I'm pretty sure that true /g/entoomen know what they're doing.

And people who don't... they deserve it.

copying my vm, here's the CWSandbox report in the meantime (may take a couple minutes to process):
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12077122&cs=48CBBC0AEBF39180762A1FB43CB6D
81E

Anubis report incoming:
http://anubis.iseclab.org/?action=result&task_id=11f8a84d15a1d0dc411969ac15c958bf1&call=firs
t

>>17267515

At least they put some effort into it, right?

>>17267742
Sigh. CWSandbox reports make it look likely that there's VM detection in place.

>>17267671
I don't have a box on hand to destroy and no Windows install discs around atm, Otherwise I would do it myself.

>>17267742
Neat.

>>17267797
I hear ya. Say, any suggestions on how to filter down wireshark to only show activity from a particular EXE (virtual box)?

>>17267759
True.

>>17267836
Never mind. I think I can watch the virtual net adapter instead.

Anubis barked on the VM detection as well. I wonder if this'll react to virtualbox.

>>17267540
are you aware that java and javascript are two different and unrelated languages?

>>17267540
You're a fucking idiot.

Backed up the VDI, awaiting VirutalBox to finish updating.

Precaution - sometimes VMs have holes.

My fresh XP install has so many viruses, i must buy xp total security 2011!

>>17268025
I learned this the hard way from Microsoft's virtual machine. The older 2005 version anyway, Long ago. I switched to VirtualBox and never had any problems but the simplicity and accessibility is kinda gone.

>>17268053
lol'd.

>>17268056
Yeah. VM's booted, I'm updating the additions to the guest.

This is its efforts to stop me opening add/remove programs :/

>>17268085
Rebooting, then...adventure awaits!

Even opens in safe mode, crafty.

>>17268120
No antivirus in the VM. Go naked or install something? We know MSE and Avira won't catch it, but will the virus stop them from running?

Thoughts?

this virus doesn't run on windows 7?

>>17268170
Avast / Super Antispyware. See what that in a combination picks up with their on-demand scans.

Otherwise, I'd say go naked.

>>17268198
I'm going to try in a minute. I wanted thoughts on whether or not I should install an antivirus first and, if so, what does /g/ want.

Lets see if MBAM will pick it up.

>>17268212
Avast misses the EXE (before install, at least), SAS catches it.

Guess I'll go naked.

after only one minute it caught an exe, lets see if its gone...

>>17268234
Fuck, looks like Wireshark won't pick up the VM traffic properly. Guess I'll have to skip the network analysis.

>>17268234
Oh, Oops. I forgot about that earlier VirusTotal scan.

>>17268251
Time to get infected.

>>17268264
wat

>>17268285
It registers with windows as an antivirus. interesting.

Still haven't seen the virus.

>>17268247
Nope, 9 more, even though the "antivirus" wont open.

>>17268296
Didn't have to wait long though.

>>17268312
/g/ was visible briefly, but then, this shit came up. Hitting the view anyway button has it come back up a moment later.

>>17268312
What do I have to do to get infected? Is just visiting the site enough?

>>17268327
Interesting, Too bad you didn't upgrade to IE9 to see if it affects that as well.

>>17268335
There's a MediaFire link a few posts above.

Netstat found nothing out of norm. My guess is a rootkit.

>>17268327
Not for this particular site, but yes, on many sites exploits are used to automatically install this shit.

>>17268345
I know I am not planning on installing it. I was just curious.

>>17267424
does this click on random image also happen
on Bing?

And there we go, a couple of MBAM runs and its all cleaned out.

>>17268354
Most definitely around warez sites and the likes. Not hard to come by if you do google searches a typical person that didn't know anything would click on.

Cropping the VM window from now on.

>>17268354
It enforces IE being disabled with a fucking addon???

I remember this shit. Got payed 60$ to pull it off of a laptop the other day. The fact that it got into Safe Mode was a piss off to be honest.

>>17268395
This must not be a very aggressive variant.

Anyway, thats it gone for XP.

U jelly?

>>17268423
Starting the scan.

Also, LOL at the warning in the bottom.

>>17268454
Under a minute to find it.

>>17268423
Forgot about Super Antispyware having a portable program, Wanted to test it out as I honestly have yet to try it in ages but got this:

>SUPERAntiSpyware.com - Site Momentarily Unavailable
>We are currently experiencing a high server load with our site. Our system administrators are working to resolve this issue and the site should be back up in a few moments. We apologize for the inconvenience.

>>17268476
The options tick on other tabs, but immediately change back to what they were if you leave the tab.

>>17268503
So /g/, I'm at a crossing here.

A) Boot from an ISO and see if any rescue CDs find this.

B) Allow SUPERAntispyware to try to remove it.

>>17268503
In a nutshell, Options are just there for looks and nothing else.

>>17268528
I would format and persist any friend that got caught with it to format. Otherwise, Use a rescue disc as safety to backup and do basics in safe mode with portable scanners / hijackthis / mbam / the likes.

interesting thread thanks
goodnight

>>17268528
The obvious answer, A.

But go with B.

>>17268576
I'll try B, then reinstall the virus and try A.

What rescue CDs do you guys like (And want me to try?)

Poster of >>17268558, Misread a few things and then read >>17268576. I would use the rescue CD's to attempt and _find_ this first. Otherwise, Boot safe mode and do everything else for checks.

I'm bein opressed!

Apparently you are not getting smarter though.

Using Firefox and not using noscript is just full retard.

adblock plus prevented me from getting any malicious exe when I visited the site.

>>17268635
Can you show what happens if you try to register? Are you sent to some shady russian site or something?

>>17268729
This site didn't do a drive-by. You had to manually download it.

Therefore, any statements made about the efficacy of adblock plus on that site would be automatically invalid.

oh boy!
a malware inspection thread!
hey, where do you guys get windows installs to make vm's with?

>>17268768
IE opens in a window with no address bar. View source gets you http://zuzusutity.com/buy.html.

>>17268791
Any basic Windows install will do.

>>17268791
I used a loader on a MSDN download.

>>17268768
I've had a few customers that have actually registered for this and payed the $50 or whatever for it to go away.

They give you a serial key that doesn't even fit in the boxes where you register within the program.

>>17268803
so you don't authenticate it?
or you use a loader...

Fuck, does anyone know some good virus scanners for os x?

>>17268827
I would pay for this if I wanted to deal with the time/risk of a chargeback, because they'd get hit with a chargeback free from the merchant bank. Don't have time to deal with that shit, really.

>>17268830
Why would I need to make it genuine (If that's what you're trying to say)? There's no reason to if you're going to scrap it later. Otherwise, Just use a loader I guess.

>>17268635
nmap -Pn 24.165.231.237

Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-01 22:17 EDT
Nmap scan report for mta-24-165-231-237.satx.rr.com (24.165.231.237)
Host is up (0.0047s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
714/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 165.06 seconds

begin the attack on mta-24-165-231-237.satx.rr.com:714

>>17268830
On 7, you have a 30 day grace period that you can reset 3 times with slmgr.vbs -rearm.

But if you're smart, you make a snapshot after updating/setting up but before you rearm and keep reusing it forever.

OP Here. Killed it from Task manager. I think Superantispyware will succeed. Quite tame variant.

>>17268865
That's not nice, considering the warning was almost surely fake.

>>17268798
Thanks! Are you going to try to clean the install or you will just nuke it?

>>17268917
I'll nuke it for future usage, but I'm trying Superantispyware. Then reinstalling and trying a boot CD.

/g/ still hasn't picked a rescue CD to try.

>mfw this is actually a genuine antivirus trying to help people out

that would be a great trojan/virus

>>17268871
ah ha...
thats what i though...
so what do you guys do?
do you actually do any reverse engineering, or are you just watching what it does?

i really like the idea of reverse engineering

>>17268798

This looks legit

>>"I found Win 7 Anti-Virus 2011 4 years ago."
>>2011
>>4 years ago

She's clean.

If anyone wants me to reinstall and try a boot CD, I'm open to suggestions.

>>17268924
Can't say I'm experienced on what Rescue CD's are worth using nowadays, as I only use the ones that boot Linux so I'm able to backup files.

really?

got this on my iphone this morning.

>>17268953
It broke EXE file associations in Windows. LONG TROLL.

>>17268954
hirens boot cd is really nice

>>17268995
Does he actually still bundle a scanning antivirus in the part of the CD that runs live?

>>17268995
>>17269026
Checked it out, And actually does. Not OP, But I can't find download link anywhere on this page. Where the hell is it?

>http://www.hiren.info/pages/bootcd

OP here. Stub downloaded files out of IPs registered in Chicago and New Jersey.

>>17269026
>>17269084
http://www.hirensbootcd.org/

>>17268965
>MFW someone posted a screenshot I posted before

>>17269085
Err, not OP. Fuck. Forgot I didn't make a separate thread for this shit.

Downloading Kaspersky for first attempt.

IPs it connected to (* means previous octets the same as last one)
76.73.85.187
*.*.*.188
*.*.*.190
67.196.15.116
*.*.*.109
*.*.*.108
*.113
*.112
*.115
*.114
*.117
*104
*106
76.73.85.186
67.196.15.141
*.105
*.140
*.107

>>17269114
D'oh... Fuck me. I found it as soon as you posted it. Thanks for that.

Anybody want to speculate on potential detection?

>>17268808
all the windows 7 downloads are unavailable

>>17269195
I'd say it will get detected but won't be removed completely or successfully. Calling it.

ThreatExpert report:
http://www.threatexpert.com/report.aspx?md5=09c50e2821be0806bc09cbf928bc9aee

It downloaded from one of the IPs I mentioned earlier.

Flew right over Kaspersky's head. What now.

>>17269286
Shit, Move on to the next AV then.

>>17269294
I'm getting a copy of BitDefender's ISO.

>>17269323
Also, Give that boot CD a try here >>17269114.

>>17269323
Shit internet here. Next ISO in a couple minutes.

>>17269350
I'll grab Hiren's, but I think he removed both the pirated Mcafee and F-prot (no longer updated) boot CD images.

>>17269212
this
should i just torrent sp1?

>>17269371
Eh, What're you gonna do when receive lawsuit threats. Just gotta make it yourself instead of trying to help others. Regardless, The features it still has makes it much useful to this day.

This thread is awesome thanks /g/.

Has anyone looked at this shit with wireshark/Olly/IDA yet?

Is this packed with anything?

>>17269384
Just grab this, modify the ei.cfg if you want an edition other than Pro:
32 bit:
http://msft-dnl.digitalrivercontent.net/msvista/pub/X15-65804/X15-65804.iso

64-bit:
http://msft-dnl.digitalrivercontent.net/msvista/pub/X15-65805/X15-65805.iso

(ignore the msvista directory names; google the part numbers)

Anyone wish to speculate?

>>17269452
No dice.

>>17269458
Something I also find amusing, A person would take this long to completely scan their entire system instead of taking the time to backup their most important essentials and doing an easy format. Starting fresh is always a great thing no matter what. I can only assume the greatest arguments would be old settings they once had.

>>17269496
it does take a while to back up
im usually lazy when it comes to backup and reinstall, been putting it off for almost 3 weeks while slowly as fuck backing stuff up

>>17269496
Tons of people don't backup.

Still going...

Well, well. What have we here.

>>17269520
Lazyness isn't an excuse though if you know your system is compromised.

>>17269522
I don't backup at all on a daily basis. In fact, rarely once every 3 months or so. Even then, I don't do it regardless. But I'm referring to saving what's left on your system before severe damage is done and moving on to reinstall the OS.

>>17269533
(still scanning)

>>17269555
Oh shit, I had doubts. BitDefender is actually coming through with the business.

>>17268798
http://newlydomains.com/domain-2011-04-28-com-334.html
Registered 3 days ago, and looking there, seems like a bunch of other malware-hosting domains too.

<--- and here's the whois info. The idiot didn't even protect the info.

>>17269582
Tom Schwartz in Sulzberg? Probably fake.

This thread is making me want to reinstall Virtualbox, install XP Home (WITHOUT ANY SERVICE PACKS :o) and see how infected I can get.

>>17269596
Windows 7 can be harder, but in regular use, fairly quick, probably within a day on googl eimages.

He's dead, jim.

>The Microsoft Malware Protection Center (MMPC) strives to keep you informed about the status of your submission.

>This email communicates what we currently know about the file(s) you submitted.

>If you were to scan the files you submitted using one of Microsoft's Antimalware products such as Microsoft Forefront Client Security or Microsoft Security Essentials, you would see relevant detection information similar to what is displayed below.
=======================================>======
>BestAntivirus2011.exe [Changes to detection currently undergoing testing]

Overall, an EXTREMELY tame variant. Requires a manual install, easily removed. Can even kill it with task manager.

Anybody got another sample?

>>17269676
Odd that it wasn't very persistent. Unfortunately 4chan is going dead slow over the Bin Laden news. There's a website dedicated to archiving various malware sparked on a daily basis. I don't have it bookmarked but perhaps someone else may know of it? Could keep this thread open for hours longer, For enjoyment purposes anyway.

>>17269684
youd think that with so many people using google images, the thing would be more malicious

>>17269692
(VM Guy here)
My twin brother (not a techie) had outdated java + didn't do windows update this month (he did after disinfection), he got a highly aggressive variant that automatically installed through Google images.

look for flash.go.plugin.exe

I could play the RS.4chan.org game and download...

DDoS application.exe

Sound good?

>>17269702
So, I've stuck through this thread since the beginning and through your VM experiments. I have to ask as I may be sitting under a rock this entire time or just ballsy enough to go through the images, What the hell is wrong with Google Images? How does this happen exactly? I know how people get malware sites on top searches but images I'm unaware of. I've seen fake sites but nothing happens and usually get a white page (Because I block by host), How does this affect Google Images?