Possible threat?


Possible threat?

rikona
Some folks on a mailing list have been infected with a virus that
seems to be spreading rapidly. I thought I'd get a little info about
who might be behind this by looking up the domain, which has been
changing more than once a day. Earlier domains were very recently
created, with a bogus admin contact, in the Ukraine.

The current one is newsonmsnbc.com. I thought I'd copy this and do a
whois. This time, though, I was in Claws mail, and not in my usual
client, TheBat. Unfortunately, Claws mail immediately opens the link
if you press the mouse button anywhere inside the link, and so it was
opening in Opera even before I could move the mouse to copy. As soon
as I realized this I went to Opera, stopped the access, and closed the
tab. BUT - there was a very large surge of continuous disk activity
which continued for a couple of minutes, with nothing else going on in
the box [running 10.04]. Maybe a coincidence, but worrisome.

So, what is the best way to check for a possible new malware problem
if one sees suspicious activity?

Anyone know what the newsonmsnbc.com link is trying to do?

Thanks,

   rikona


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: Possible threat?

Tony Arnold-3
Rikona,

On 20/12/12 16:40, rikona wrote:

> Some folks on a mailing list have been infected with a virus that
> seems to be spreading rapidly. I thought I'd get a little info about
> who might be behind this by looking up the domain, which has been
> changing more than once a day. Earlier domains were very recently
> created, with a bogus admin contact, in the Ukraine.
>
> The current one is newsonmsnbc.com. I thought I'd copy this and do a
> whois. This time, though, I was in Claws mail, and not in my usual
> client, TheBat. Unfortunately, Claws mail immediately opens the link
> if you press the mouse button anywhere inside the link, and so it was
> opening in Opera even before I could move the mouse to copy. As soon
> as I realized this I went to Opera, stopped the access, and closed the
> tab. BUT - there was a very large surge of continuous disk activity
> which continued for a couple of minutes, with nothing else going on in
> the box [running 10.04]. Maybe a coincidence, but worrisome.
>
> So, what is the best way to check for a possible new malware problem
> if one sees suspicious activity?
>
> Anyone know what the newsonmsnbc.com link is trying to do?

Not sure but here is the whois output:

Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123

Domain Name: NEWSONMSNBC.COM

Creation Date: 20-Dec-2012
Modification Date: 20-Dec-2012
Expiration Date: 20-Dec-2013

Domain servers in listed order:
ns1.hipflwow.ru
ns2.hipflwow.ru

Registrant:
Arthor Brown [hidden email]
TNew line ave 172 95
NY, 18274
UNITED STATES
+1.7343541732


So, something to do with the Ukraine, with authoritative domain servers
in Russia!

If you lookup the IP addresses of www.newsonmsnbc.com you get 4
addresses. Two of them have a country code of PT and one of them is in
Russia.

I wouldn't go near it personally.

Regards,
Tony.
--
Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 705 344 3082
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: [hidden email]

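The whois record above already carries the three things Tony reads off it: a creation date equal to the day it was seen, name servers parked under a different TLD, and a registrar in one country with a registrant claiming another. The following is an added example, not code from this thread or from any of the posters, that parses a captured whois text of this "Key: value" shape offline and reports those indicators, so the domain never has to be touched again to triage it. The sample record is the one quoted above (registrant e-mail left out, as the archive hides it); the dialling-code table and the 30-day "newly registered" threshold are assumptions.

```python
"""Triage a captured whois record for the fresh-throwaway-domain pattern.

Added example for this thread; not code from the list or any poster.
Works only on whois text already saved to disk (no network access).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed sample: the whois output quoted in the thread, with the
# registrant e-mail (hidden in the archive) left out.
SAMPLE_WHOIS = """\
Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123

Domain Name: NEWSONMSNBC.COM

Creation Date: 20-Dec-2012
Modification Date: 20-Dec-2012
Expiration Date: 20-Dec-2013

Domain servers in listed order:
ns1.hipflwow.ru
ns2.hipflwow.ru

Registrant:
Arthor Brown
TNew line ave 172 95
NY, 18274
UNITED STATES
+1.7343541732
"""

# Assumed dialling-code table; longest prefix wins. Extend as needed.
DIAL_CODES = {"+380": "UA", "+7": "RU", "+351": "PT", "+44": "GB", "+1": "US/CA"}


@dataclass
class WhoisRecord:
    fields: dict[str, str] = field(default_factory=dict)
    nameservers: list[str] = field(default_factory=list)
    registrant: list[str] = field(default_factory=list)


def parse_whois(text: str) -> WhoisRecord:
    """Parse a 'Key: value' record; a blank line ends the NS/registrant block."""
    rec = WhoisRecord()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if line.lower().startswith("domain servers"):
            section = "ns"
            continue
        if line.lower() == "registrant:":
            section = "reg"
            continue
        if section == "ns":
            rec.nameservers.append(line.lower())
        elif section == "reg":
            rec.registrant.append(line)
        elif ":" in line:
            key, value = line.split(":", 1)
            rec.fields[key.strip().lower()] = value.strip()
    return rec


def country_of(phone: str) -> str:
    """Map a '+CC.number' string to a country label by longest matching prefix."""
    digits = phone.split(".", 1)[0]
    for prefix in sorted(DIAL_CODES, key=len, reverse=True):
        if digits.startswith(prefix):
            return DIAL_CODES[prefix]
    return "??"


def tld(host: str) -> str:
    return host.rsplit(".", 1)[-1].lower()


def triage(rec: WhoisRecord, seen_on: date, max_age_days: int = 30) -> list[str]:
    """Return human-readable indicators; an empty list means nothing stood out."""
    findings: list[str] = []
    domain = rec.fields.get("domain name", "").lower()

    # 1. Domain registered shortly before it showed up in mail.
    created_raw = rec.fields.get("creation date")
    if created_raw:
        created = datetime.strptime(created_raw, "%d-%b-%Y").date()
        age = (seen_on - created).days
        if age <= max_age_days:
            findings.append(f"newly registered: {domain} was created {age} day(s) before it was seen")

    # 2. Authoritative name servers live under a different TLD than the domain.
    ns_tlds = sorted({tld(ns) for ns in rec.nameservers})
    if domain and ns_tlds and tld(domain) not in ns_tlds:
        findings.append(f"name servers under .{'/.'.join(ns_tlds)} while the domain is .{tld(domain)}")

    # 3. Registrar contact country differs from the registrant's phone country.
    registrar_cc = country_of(rec.fields.get("contact", ""))
    phones = [line for line in rec.registrant if line.startswith("+")]
    registrant_cc = country_of(phones[0]) if phones else "??"
    if registrar_cc != "??" and registrar_cc != registrant_cc:
        findings.append(f"registrar contact is {registrar_cc}, registrant phone is {registrant_cc}")
    return findings


def triage_text(text: str, seen_on_iso: str) -> list[str]:
    """Convenience wrapper: whois text plus an ISO date of first sighting."""
    return triage(parse_whois(text), date.fromisoformat(seen_on_iso))


if __name__ == "__main__":
    for finding in triage_text(SAMPLE_WHOIS, "2012-12-20"):
        print("-", finding)
```

Run against the record above it reports all three indicators. None of them is proof of malice on its own (legitimate registrants use foreign name servers all the time), but a domain that is zero days old, rotates daily as rikona observed, and trips all three is exactly what a filter built on this kind of record would block.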

RE: Possible threat?

Compdoc@hotrodpc.com
In reply to this post by rikona
> BUT - there was a very large surge of continuous disk activity which
> continued for a couple of minutes

There are many ways of infecting a computer through Java.




Re: Possible threat?

David Fletcher-5
In reply to this post by rikona
On Thu, 2012-12-20 at 08:40 -0800, rikona wrote:
> client, TheBat. Unfortunately, Claws mail immediately opens the link
> if you press the mouse button anywhere inside the link, and so it was

Never, NEVER EVER click the damn link on unexpected/suspect messages! I
thought we all knew this.

The link often isn't what it appears to be i.e. the actual link is
different to the text in the message which can be anything e.g.
www.hsbc.co.uk but the link will send you off to some suspect domain
that might be anything.

I see this all the time. Using Evolution, if I hover over the link with
the mouse it displays the actual destination in the bar at the bottom.

Delete.

Or, if they're targeting customers of e.g. a bank, you can sometimes
find something like [hidden email] or [hidden email] to forward
it to and they'll use their muscle to try to put a stop to the
perpetrator. Maybe.



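David's check (hover and compare the shown text with the real destination) can be done on the saved message source instead, which also sidesteps the Claws behaviour rikona ran into, since nothing is ever clicked. The following is an added example, not code from this thread or from any mail client: it pulls every anchor out of an HTML body and flags the ones whose visible text names a host other than the one in the href. The message body is constructed for the example; the hosts in it are the ones used as illustrations in this thread. Stripping a leading "www." is the only normalisation done, and there is no public-suffix handling, both assumptions kept deliberately simple.

```python
"""Flag links whose anchor text names a different host than the real href.

Added example for this thread; not code from the list or from any mail
client. Run it on a message saved as HTML; it never follows a link.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; the hosts are the ones mentioned in the thread.
SAMPLE_HTML = """
<p>Dear customer, please verify your account at
<a href="http://newsonmsnbc.com/login">www.hsbc.co.uk</a>.</p>
<p>Or read the story on <a href="http://newsonmsnbc.com/story">our news page</a>.</p>
<p>List info: <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-users">lists.ubuntu.com</a></p>
"""

# Something that looks like a hostname inside visible text (optional scheme).
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def norm_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so www.x.com and x.com compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html: str) -> list[dict[str, str]]:
    """Return links whose text shows one host while the href goes to another.

    Links with plain wording ("our news page") have nothing to compare and
    are not reported; a practitioner would still read their hrefs.
    """
    flagged = []
    for href, text in extract_links(html):
        real = norm_host(urlparse(href).hostname or "")
        match = HOST_RE.search(text)
        if not match:
            continue
        shown = norm_host(match.group(1))
        if shown != real:
            flagged.append({"text": text, "shown_host": shown, "real_host": real, "href": href})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_HTML):
        print(f"{hit['shown_host']!r} actually goes to {hit['real_host']!r} ({hit['href']})")
```

On the sample it flags the "www.hsbc.co.uk" link pointing at newsonmsnbc.com and leaves the list-info link alone. Save the message with its HTML part intact before running this; a plain-text rendering of the mail loses the href and with it the mismatch.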

Re: Possible threat?

Kevin O'Gorman
You may also want to check out links provided by NoScript

http://noscript.net/about/newsonmsnbc.com;newsonmsnbc.com



--
Kevin O'Gorman

programmer, n. an organism that transmutes caffeine into software.


Re: Possible threat?

Kevin O'Gorman
In reply to this post by rikona
On Thu, Dec 20, 2012 at 8:40 AM, rikona <[hidden email]> wrote:

> Some folks on a mailing list have been infected with a virus that
> seems to be spreading rapidly. I thought I'd get a little info about
> who might be behind this by looking up the domain, which has been
> changing more than once a day. Earlier domains were very recently
> created, with a bogus admin contact, in the Ukraine.
>
> The current one is newsonmsnbc.com. I thought I'd copy this and do a
> whois. This time, though, I was in Claws mail, and not in my usual
> client, TheBat. Unfortunately, Claws mail immediately opens the link
> if you press the mouse button anywhere inside the link, and so it was
> opening in Opera even before I could move the mouse to copy. As soon
> as I realized this I went to Opera, stopped the access, and closed the
> tab. BUT - there was a very large surge of continuous disk activity
> which continued for a couple of minutes, with nothing else going on in
> the box [running 10.04]. Maybe a coincidence, but worrisome.
>
> So, what is the best way to check for a possible new malware problem
> if one sees suspicious activity?
>
> Anyone know what the newsonmsnbc.com link is trying to do?
>
> Thanks,
>
>    rikona


My first stop in checking out any site tends to be "web of trust"
(WOT): https://www.mywot.com/en/scorecard/newsonmsnbc.com
Reports on this site are not good.

--
Kevin O'Gorman

programmer, n. an organism that transmutes caffeine into software.


Re: [going OT a bit] Possible threat?

David Fletcher-5
In reply to this post by rikona
Further, you really can't trust anything these days.

Can't remember what they're called, they're those square block label
thingies that you're supposed to point your phone at. Apparently the
bastards have now started making up their own code blocks on sticky
labels and plonking them over legitimate ones on advertising hoardings.
So, don't be tempted to point your smartphone at adverts you're passing
by on an escalator. You might find yourself infected with malware or
being offered fake ED drugs instead of viewing that prestige car site.




Re: Possible threat?

rikona
In reply to this post by Tony Arnold-3
Hello Tony,

Thursday, December 20, 2012, 8:48:09 AM, Tony wrote:

>> Anyone know what the newsonmsnbc.com link is trying to do?

> Not sure but here is the whois output:

<snip>

Thanks for the info - I did get the info also. Apparently they are the
same folks that register a couple of domains a day, probably to avoid
filters.

> So, something to do with the Ukraine, with authoritative domain servers
> in Russia!

> If you lookup the IP addresses of www.newsonmsnbc.com you get 4
> addresses. Two of them have a country code of PT and one of them is in
> Russia.


> I wouldn't go near it personally.

Agreed - and that was NOT my intent! It was a mistake, and I'm trying
to find out how I can tell if they were even partially successful.

--

 rikona        



Re: Possible threat?

rikona
In reply to this post by Compdoc@hotrodpc.com
Hello compdoc,

Thursday, December 20, 2012, 8:51:02 AM, compdoc wrote:

>> BUT - there was a very large surge of continuous disk activity which
> continued for a couple of minutes

> There are many ways of infecting a computer through Java.

Agreed - I usually keep java and js disabled unless I need them for a
specific site. I'm assuming that worked this time for j & js, but I
don't know if those clever folks found another way to get me. Any
other possible attack ideas much appreciated - or, even better, a way
to check if they were successful.

Thanks,

--

 rikona        



Re: Possible threat?

rikona
In reply to this post by David Fletcher-5
Hello David,

Thursday, December 20, 2012, 10:37:06 AM, David wrote:

> On Thu, 2012-12-20 at 08:40 -0800, rikona wrote:
>> client, TheBat. Unfortunately, Claws mail immediately opens the
>> link if you press the mouse button anywhere inside the link, and so
>> it was

> Never, NEVER EVER click the damn link on unexpected/suspect
> messages! I thought we all knew this.

I do know that very well. In my usual client, I can press the mouse
button OUTSIDE the link, drag it in the link and highlight what I
want, then move the mouse back outside the link. The highlighting
remains and I can copy it **WITHOUT going to the link***. That is not
what happened in Claws mail, though - it went immediately to the link
as soon as I was on the link.

> The link often isn't what it appears to be i.e. the actual link is
> different to the text in the message which can be anything e.g.
> www.hsbc.co.uk but the link will send you off to some suspect domain
> that might be anything.

Agreed - I always check to see where it is going to go. If it's still
suspect, the email is copied, opened as text and examined/copied from
there.

> I see this all the time.

Me too. :-)

> Or, if they're targeting customers of e.g. a bank, you can sometimes
> find something like [hidden email] or [hidden email] to
> forward it to and they'll use their muscle to try to put a stop to
> the perpetrator.

I do that if it seems like it might help.

> Maybe.

In my experience, maybe not is more accurate. :-))

--

 rikona        



Re: Possible threat?

rikona
In reply to this post by Kevin O'Gorman
Hello Kevin,

Thursday, December 20, 2012, 10:55:03 AM, Kevin wrote:

> You may also want to check out links provided by NoScript

> http://noscript.net/about/newsonmsnbc.com;newsonmsnbc.com

Thanks for the info. An interesting idea, but no useful info, perhaps
because they are changing names every day. :-)

--

 rikona        



Re: Possible threat?

rikona
In reply to this post by Kevin O'Gorman
Hello Kevin,

Thursday, December 20, 2012, 10:55:33 AM, Kevin wrote:

> My first stop in checking out any site tends to be "web of trust"
> (WOT): https://www.mywot.com/en/scorecard/newsonmsnbc.com
> Reports on this site are not good.

True - but you could infer their view just doing a whois. :-)

What I'd really like is a site that tells me what exploits they are
using.  

--

 rikona        



Re: [going OT a bit] Possible threat?

rikona
In reply to this post by David Fletcher-5
Hello David,

Thursday, December 20, 2012, 11:24:00 AM, David wrote:

> Further, you really can't trust anything these days.

I am coming to that conclusion too...

> Can't remember what they're called, they're those square block label
> thingies that you're supposed to point your phone at. Apparently the
> bastards have now started making up their own code blocks on sticky
> labels and plonking them over legitimate ones on advertising
> hoardings. So, don't be tempted to point your smartphone at adverts
> you're passing by on an escalator. You might find yourself infected
> with malware or being offered fake ED drugs instead of viewing that
> prestige car site.

Interesting heads-up. Thanks.    

--

 rikona        



Re: Possible threat?

iceblink
In reply to this post by rikona
On 2012-12-21 05:19, rikona wrote:

> Hello Kevin,
>
> Thursday, December 20, 2012, 10:55:33 AM, Kevin wrote:
>
>> My first stop in checking out any site tends to be "web of trust"
>> (WOT): https://www.mywot.com/en/scorecard/newsonmsnbc.com
>> Reports on this site are not good.
>
> True - but you could infer their view just doing a whois. :-)
>
> What I'd really like is a site that tells me what exploits they are
> using.
>
> --
>
>  rikona

It's probably too new to find out. Maybe if you Google for some of
their previously used domain names you'll have better luck finding out.

Some other options:

1. Run a system auditing tool. I don't know of any good one, I only
found Lynis in the repository and it does not seem to be aimed at
detecting malware but more to detecting general security holes in your
system. Maybe other people know of better tools.

2. Install a fresh Ubuntu in a virtual machine, install some file-change
tracker like auditd, then go and visit that site and see what it
changes on your system.

3. Reinstall your system. This is no doubt the safest option, but also
the most drastic.

Best regards,
Patrick Asselman


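Both rikona's original question ("how can I tell if they were even partially successful?") and option 2 above come down to the same technique: record what the files looked like before, record them again afterwards, and diff. The following is an added example, not code from this thread, and not a replacement for auditd, AIDE or debsums; it is the minimal form of that snapshot-and-compare step. It hashes every regular file under a directory together with its permission bits and owner, then reports what was added, removed or modified between two snapshots. The scenario in `demo()` is constructed in a temporary directory standing in for a home directory (an appended .bashrc, a dropped autostart entry, a deleted file); the path names are assumptions, not anything observed on rikona's machine.

```python
"""Snapshot-and-diff integrity check for a directory tree.

Added example for this thread; not code from the list or any poster, and
not a substitute for auditd/AIDE/debsums. It only sees changes that occur
between the two snapshots, so the baseline must predate the exposure.
"""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, tuple[str, int, int]]:
    """Relative path -> (sha256, permission bits, uid) for every regular file."""
    manifest: dict[str, tuple[str, int, int]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (file_digest(p), stat.S_IMODE(st.st_mode), st.st_uid)
    return manifest


def diff_manifests(before, after) -> dict[str, list[str]]:
    """Report files that appeared, disappeared, or changed content, mode or owner."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp dir standing in for $HOME: .bashrc gets a
    line appended, an autostart entry is dropped in, and a file disappears."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".config" / "autostart").mkdir(parents=True)
        (home / ".bashrc").write_text("export PATH=$HOME/bin:$PATH\n")
        (home / "notes.txt").write_text("harmless\n")
        before = snapshot(home)

        # Changes a drive-by dropper might make (constructed; nothing is executed).
        with (home / ".bashrc").open("a") as f:
            f.write("/tmp/.x &\n")
        (home / ".config" / "autostart" / "update.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=/tmp/.x\n"
        )
        (home / "notes.txt").unlink()
        after = snapshot(home)
    return diff_manifests(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:<9}{path}")
```

Two caveats a practitioner would add. First, a snapshot taken after the suspicious event, as in rikona's case, has nothing trustworthy to compare against; for system files the closest substitute on Ubuntu is `debsums`, which checks installed package files against the checksums shipped in the .deb, and it says nothing about files outside packages such as `~/.bashrc` or `~/.config/autostart`. Second, the diff is only as honest as the kernel and tools producing it, which is why option 2's throwaway VM, where the snapshot is taken from outside or before the visit, is the sound place to run it.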

Re: Possible threat?

Eddie G. O'Connor Jr.
In reply to this post by rikona
On 12/21/2012 07:00 AM, [hidden email] wrote:
Today's Topics:

   1. Re: Possible threat? (Patrick Asselman)


Wouldn't something like "ClamAV" pick up on this?...or would I have to configure it to LOOK for this threat? And if not, what can I do/install that would prevent me from becoming a victim? (bear in mind my "scripting / Terminal" skills are at the zero mark!...I'm still trying to get a handle on it all.....but it ain't easy!) so whatever I can do that protects me with the least amount of stress would be greatly appreciated!


EGO II
