07-30-2008 09:21 PM - edited 07-31-2008 10:11 AM
It looks like a lot of people have gotten this before, and now I have it. I did get it once before, but this time it looks like it's sending a request to adw95.com, which is related to sites like banner82.com and google.info, which in turn were related to that large SQL injection attack that happened a few months ago.

Quote from another forum I asked (what someone replied) "From the looks of the security log there, your computer is already a carrier. The deal though is that this thing is a remote trojan downloader. Those things won't show up on a virus scan until after you're already infected."
I couldn't see how I'm infected. This is the second install (of windows) I've had this happen on. I haven't downloaded anything shady, I've had the latest virus definitions, I've been using firefox, I've been using common sense... I don't see how I could be infected/part of a botnet/etc. etc. Don't mean to sound ignorant or anything.
I know this alert originated from simtropolis.com, which was badly damaged by that attack (it has since been repaired).
EDIT: Can someone move this to a different forum? I'm not running a beta version. Sorry.
07-31-2008 09:42 AM
Actually, I believe this message is just showing that we blocked an exploit attempt (I believe there is a defect in the way that we display text on IPS messages so that it seems as if the attacking computer is your own computer - I thought this was fixed already, but will dbl check because if so you should have received an update w/ the fix). This message doesn't indicate that you're infected, just that we've blocked an exploit attempt (I agree that the message should be improved for clarity).
This is my favorite feature in NIS - our Intrusion Prevention + Browser Protection - we did a ton of R&D to come out with an updated IPS + new Browser Protection in NIS 2008. We block browser exploit attempts, so that as infected sites are trying to get malware onto your system using a drive-by download (the #1 method these days used by hackers to get bad stuff on people's machines), we block the exploit from successfully exploiting whatever vulnerability it's targeting (Browser, ActiveX, SQL Injection, etc.). Blocking the avenue of entry to the machine is the safest way to keep off the bad stuff - because threats have been multiplying so rapidly, it's much easier to keep them off in the first place rather than trying to hunt one down and pull it off once it's already infected the machine. (Most often, the first thing that happens once an exploit has successfully exploited a vulnerability & gotten some shell code to run on the machine, it pulls down a downloader and starts downloading other bad stuff onto the infected machine. That's what we want to avoid at all costs).
Hope this helps!
07-31-2008 02:17 PM - edited 07-31-2008 02:41 PM
CLLL,
Thanks for the post, as Jody mentioned, this is definitely a drive-by download being blocked by NIS. You have been protected by NIS when you visited a certain website. The domain you included (please do NOT visit or go to that domain) is one that is directly involved with SQL injection/drive-by download attacks. Also, I would recommend NOT visiting the site where you received the alert from either until they get it cleaned up.
It looks like we still have the issue with the attack direction being switched and will be providing an update via LiveUpdate. You are being protected from the attack, NOT the other way around. Sorry this is causing confusion.
Edit - I want to add that this explanation is for the "HTTP Malicious Toolkit Download Request" attack. We do have protection in the product where we are looking for malware, spyware, or misleading applications making outbound calls, which is our post-infection protection. We prevent this from occurring, and in this case your computer WOULD be the 'attacker'.
Thanks,
Doctor Drive-By
07-31-2008 05:38 PM
07-31-2008 06:23 PM
Mainstream websites are compromised every day. Larger ones than that have been, as have many forum boards. It only takes one SQL injection or malicious advertisement to attempt to infect users. Users running systems with a good Internet Security program that are fully patched (or have Firefox and NoScript) would be less susceptible to any compromises (good security hygiene).
Two facts I know:
1) The domain you included in your post is included in Asprox/SQL injection attacks. You can google that or check out Malwaredomains.
2) We have an issue where the attack direction is incorrect - in this case the domain attacked your computer and NIS blocked it.
If you want to PM me a URL (do not post here), we can check it out to see if it is active. With malicious advertisements it is much harder to trace and reproduce if an ad only runs once every 1000 times.
Thanks,
Doctor Drive-By
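The two Symantec replies above make one point that is easy to lose in the alert text: a blocked "HTTP Malicious Toolkit Download Request" means the remote site attacked the browser and was stopped, not that the PC is infected, while only a post-infection outbound-call signature would point at the local machine as the real attacker. The script below is an added example, not Norton/NIS code: it parses a made-up IPS-style log format (the real NIS log looks different), decides which side is the user's machine from RFC 1918 address ranges, derives the true direction from the signature class rather than trusting the attacker/target labels, flags remote domains that appear on a constructed blocklist (the domains named in this thread, standing in for a feed such as Malwaredomains), and only marks an alert as "likely infected" when a post-infection signature fired. The post-infection signature name is a hypothetical placeholder.

```python
"""Triage constructed IPS-style alerts: recover the true attack direction and
flag known drive-by domains. Added example, not Norton/NIS code; the log
format and the post-infection signature name are made-up stand-ins."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Domains the thread ties to the Asprox/SQL-injection drive-by campaign.
# Constructed stand-in for a real feed such as Malwaredomains.
KNOWN_DRIVEBY_DOMAINS = {"adw95.com", "banner82.com", "google.info"}

# Address ranges that identify the user's own machine/LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Who really initiates, per signature class. The first name is the one the
# thread discusses (remote site exploits the browser); the second is a
# hypothetical placeholder for a post-infection "calling home" signature.
SIGNATURE_CLASS = {
    "HTTP Malicious Toolkit Download Request": "browser_exploit",
    "Outbound Malware Callback (hypothetical)": "post_infection",
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) IPS (?P<action>\w+) sig="(?P<sig>[^"]+)" '
    r'attacker=(?P<attacker>\S+) target=(?P<target>\S+)$'
)

@dataclass
class Alert:
    timestamp: str
    action: str
    signature: str
    attacker: str   # side the product *labelled* attacker (may be swapped)
    target: str

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one constructed log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["action"], m["sig"], m["attacker"], m["target"])

def is_local(host: str) -> bool:
    """True if host is an IP address inside the user's own address ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False   # a hostname such as adw95.com is remote
    return any(addr in net for net in LOCAL_NETS)

def interpret(alert: Alert) -> dict:
    """Derive direction from the signature class and which side is local,
    instead of trusting the attacker/target labels."""
    attacker_local, target_local = is_local(alert.attacker), is_local(alert.target)
    sig_class = SIGNATURE_CLASS.get(alert.signature, "unknown")
    result = {
        "signature": alert.signature,
        "blocked": alert.action.upper() == "BLOCKED",
        "direction": "unknown",
        "real_attacker": alert.attacker,
        "label_swapped": False,
        "known_driveby_domain": False,
        # Only a post-infection signature firing suggests malware is already present.
        "likely_infected": sig_class == "post_infection",
    }
    if attacker_local == target_local or sig_class == "unknown":
        return result   # cannot tell which side is the user's machine
    local, remote = ((alert.attacker, alert.target) if attacker_local
                     else (alert.target, alert.attacker))
    if sig_class == "browser_exploit":
        result["direction"] = "inbound"    # remote site attacked the browser
        result["real_attacker"] = remote
    else:
        result["direction"] = "outbound"   # local malware calling out
        result["real_attacker"] = local
    result["label_swapped"] = result["real_attacker"] != alert.attacker
    result["known_driveby_domain"] = remote.lower() in KNOWN_DRIVEBY_DOMAINS
    return result

def triage(log_text: str) -> list:
    """Interpret every parseable line of a log dump."""
    return [interpret(a) for a in map(parse_alert, log_text.splitlines()) if a]

def summarize(results: list) -> dict:
    """Counts a support engineer would want before answering the user."""
    return {
        "alerts": len(results),
        "blocked_driveby": sum(r["direction"] == "inbound" and r["blocked"] for r in results),
        "label_swapped": sum(r["label_swapped"] for r in results),
        "likely_infected": sum(r["likely_infected"] for r in results),
    }

# Constructed sample log in the made-up format above (203.0.113.9 is a
# documentation-range address standing in for a remote exploit host).
SAMPLE_LOG = """\
2008-07-30 21:15:03 IPS BLOCKED sig="HTTP Malicious Toolkit Download Request" attacker=192.168.1.5 target=adw95.com
2008-07-30 21:16:10 IPS BLOCKED sig="Outbound Malware Callback (hypothetical)" attacker=192.168.1.5 target=banner82.com
2008-07-30 21:17:42 IPS BLOCKED sig="HTTP Malicious Toolkit Download Request" attacker=203.0.113.9 target=192.168.1.5
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
    print(summarize(triage(SAMPLE_LOG)))
```

The first sample line reproduces the confusion in this thread: the product labelled the PC as attacker, but because the signature is a browser-exploit class the script reports direction "inbound", names adw95.com as the real attacker, marks the label as swapped, and leaves "likely_infected" false. Only the second line, a hypothetical post-infection callback, is counted as evidence of an existing infection.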
