Önceki Başlık :: Sonraki Başlık |
Yazar |
Mesaj |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Pembe-Patikli
Tecrübeli Üye
Kayıt: Apr 23, 2008
Mesajlar: 453
Nereden: Giresun
|
Tarih: 29 Nisan 2008, Salı 21:52:16 Mesaj Konusu: Re: Googkle.com tehdidine dikkat |
|
Mehmet_URAL demiş ki: |
Deneyip baktın mı Bence dene Öyle birşeyin olması mantıksız geliyor bana. Neden diye sorarsan birçok sirket domain alirken benzer domainleri de aliyor. Ki bu şirketin google olduğunu düşünürsek bu ve benzer domainleri baştan satın almamaları içten bile değil. Ayrıca sen denemediğin belli. Googkle.com domainini internet adres satırına yazınca bir sonuç vermiyor yani bir siteye bağlanmıyor. Bu haberi birçok yerde daha okudum. Yorumları takip ettim. Bir kişi kalkıpta bana virüs bulaştı demedi. |
Slm ilk önce elestiri iicn tsk edrim ama sunu söleyeyim denemeye kalkarsam pc me bulasacak vurusler nolacak soru 2 denemeden bahsetmissin neden sen denemiyorsun soru 3 benm yaptgim arastirmada sitenin vuruslu oldugu ap acik belirtiliyor denemeye gerek yok snrm ama illada emin olmak istiyom diosan sen dene formatini ben atarim snnn ..... Kimse bulasti demes kimse deneme ye kalkmaz
Alıntı: |
F-Secure ekibi, popüler arama motoru google ın hatalı yazılması sonucu gidilen bir sitede zararlı kodlar tespit etti. Eğer mu zararlı site açılırsa Bilgisayarınıza çeşitli zararlı koldar bulaşabilir. sitenin adı, googkle.com, bulaşabilecek zararlılardan bazıları: trojan droppers, trojan downloaders, backdoors, proxy trojan ve spying trojan. Az mktarda adware-related files.
googkle.com a girildiğinde iki adet popup pencere açılıyor, www ntsearch.com ve toolbarpartner.com.
Aşağıda bu siteden bulaşan zararlı kodları görebilirsiniz.
Kod: |
wildersecurity'den alıntı.
The 'ntsearch.com' website downloads and runs the 'pop.chm' file and the 'toolbarpartner.com' website downloads and runs the 'ddfs.chm' file. Both files are downloaded using exploits and they contain exploits themselves to run embedded executable files. One of the webpages of the 'toolbarpartner.com' website downloads a file named 'pic10.jpg' using an exploit. This JPG file is actually an executable that replaces Windows Media Player application.
In addition these websites launch a stream of webpages with different exploits than end up in downloading and running 2 files from the 'daosearch.com' website:
web.exe
classload.jar
See the description of these files below.
As far as the JAR archive is concerned. the actual malware functionality is in Installer.class, which downloads file from the same location as the JAR file is being loaded.
First the applet looks for filename to download from Applet parameter ModulePath (is specified in the HTML tag). If the parameter is not specified the applet defaults to msxmidi.dat.
After the file is downloaded the applet gets the location of Windows directory with GetWindowsDirectory() and saves the downloaded executable as 'web.exe' and executes it.
As said above, two CHM files get downloaded and activated on a computer. The 'pop.chm' file drops the 'sp.exe' file and runs it. The dropped 'sp.exe' file is detected as 'Trojan.Win32.Spooner.f'.
The 'ddfs.chm' file drops the 'frame.exe' file and runs it. The 'frame.exe' file is a trojan downloader that is detected as 'Trojan-Downloader.Win32.Small.apf'. It has the functionality to automatically reply to security questions asked by Windows to ensure that its process has connection to Internet. This downloader downloads and runs the following files from the 'toolbarpartner.com' website:
xz.exe
ggl.exe
The 'xz.exe' file is a trojan dropper that is detected as 'Trojan-Dropper.Win32.Small.vv'. It drops a DLL named 'winloadhh.dll', detected as 'Trojan-Downloader.Win32.Small.anu' to the root folder of C: drive. This DLL is another downloader that connects to 2 different websites to get the list of files to download:
toolbarpartner.com
sturfajtn.com
Last time we checked these sites, they contained the following list of files to download:
The 'sturfajtn.com' website:
next3.exe
next1.exe
next2.exe
The 'toolbarpartner.com' website:
ggl.exe
svchosts.exe
proxyrnd.exe
ldr.exe
toolbar.exe
inst.exe
winran.exe
These files are currently detected as follows:
next1.exe: Trojan-Spy.Win32.Banker.jk
next2.exe: Trojan-Proxy.Win32.Small.bh
next3.exe: Backdoor.Win32.Zins.c
ggl.exe: Trojan-Dropper.Win32.Small.vn
inst.exe: Trojan-Dropper.Win32.Small.wp
ldr.exe: Trojan-Downloader.Win32.Agent.lv
proxyrnd.exe: Backdoor.Win32.Jeemp.c
So as you see, a nice malware package get installed on an affected computer: 2 backdoors, 2 trojan droppers, a proxy trojan, a spying trojan (that steals bank-related information) and a trojan downloader.
The 'winran.exe' file that is downloaded from 'pillz.info' website is a trojan dropper. It copies itself to Windows System folder with a random name and drops a DLL also with a random name to the same folder. The DLL modifies HOSTS file to block connection to the following websites:
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
download.mcafee.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
The 'svchosts.exe' file is a trojan dropper. It drops a DLL named 'svchosts.dll' into Windows System folder. This DLL places a fake virus alert on a desktop. The alert looks like that (original spelling preserved):
VIRUS ALERT!
YOUR PC IS INFECTED!
IT HAS BEEN DETECTED THAT YOUR PC HAS AT LEAST 3 DANGEROUS VIRUSES!
TO KNOW FOR SURE YOU URGENTLY NEED TO RUN AN ANTIVIRUS TEST ON YOUR PC!
The consequences of spyware and virus presence on your pc might belike:
loosing all the data, data might be stolen, your secrets might beexposed.
PROTECT YOUR PC!
REMOVE ALL VIRUSES NOW!
This fake alert is created by placing the HTML file on a desktop, so a user could click on the alert and go to a pre-defined website. The link from this fake alert points to the following website:
topantivirus.biz
This website offers links to different websites that offer anti-virus and spyware cleaners for download. The motto of this site is 'Top Antivirus - We help people.'. Unfortunately the way people are directed to that website is somewhat deceptional.
The 'toolbar.exe' is an adware installer, that installs an adware toolbar known as 'Perez'.
The 'pic10.jpg' file is a trojan dropper similar to 'frame.exe'. It also drops a DLL named 'winloadhh.dll' to the root of C: drive. This DLL has the same functionality as the DLL, detected as 'Trojan-Downloader.Win32.Small.anu' mentioned above.
The 'web.exe' file is also a trojan downloader that is identical to the 'pic10.jpg' file described above. |
|
Ben şu anda Kaspersky 2006 Beta'yı deniyor olduğumdan siteye girmedim site aiclmior buyur sana kanitlar... okey tatmin olmustursun umarim |
Dirime selâm vermeyen, Ölüme de fazla yaklaşmasın! ... |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Tüm kadın aksesuar fırsatları için tıklayın !
|
|
|
Bu forumda yeni konular açamazsınız Bu forumdaki mesajlara cevap veremezsiniz Bu forumdaki mesajlarınızı değiştiremezsiniz Bu forumdaki mesajlarınızı silemezsiniz Bu forumdaki anketlerde oy kullanamazsınız
|
We request you retain the full copyright notice below including the link to www.phpbb.com.
This not only gives respect to the large amount of time given freely by the developers
but also helps build interest, traffic and use of phpBB 2.0. If you cannot (for good
reason) retain the full copyright we request you at least leave in place the
Powered by phpBB line, with phpBB linked to www.phpbb.com. If you refuse
to include even this then support on our forums may be affected.
The phpBB Group : 2002
// -->
Powered by phpBB © 2001, 2005 phpBB Group
|