12-04-2010 05:42 PM - edited 12-04-2010 05:45 PM
I'm getting really vexed at this. I don't know whether to praise NIS or be rightfully annoyed.
I just had a failed attack on my computer and NIS says No Action Required. I click on their link to the problem and it gives a list of time-consuming things to do.
In the past, of the few attacks I have had, the interface ALWAYS says high risk, so I click on the link and it has ALWAYS said 0-49 low risk.
Please can we have some synchronicity in the threat levels between the NIS on my computer and the links NIS gives to the specific attack. They have never ever agreed, and at extreme ends of the scale too.
If my interface right now is saying 'no action required'...please, please, someone tell me if I can rely on that. Only, if I go to the link that NIS gives there is a list of things to do and warnings as to the potential severity of the (apparently BLOCKED) attack.
So, and not just specific to this intrusion attempt, NIS on my computer says attack blocked no further action required, so why does the link it provides give a long-winded list of things to do????
I would have pasted the relevant messages but annoyingly, as with lots of Windows notifications, NIS doesn't allow one to copy and paste the contents in view.
Sincere thanks in advance for replies.
12-04-2010 06:11 PM - edited 12-04-2010 07:03 PM
Without knowing the specific threat that you are referring to it is impossible to provide anything other than some general observations. If you are unable to copy and paste, you could provide a screenshot (instructions, here).
First, you are dealing with two separate types of threat level criteria which are used for two different purposes. The risk level that is reported by the program on your computer only considers the types of risks that the threat poses to your system, including performance impact, privacy concerns, difficulty of removal, and tactics the infection uses to conceal itself. The threat assessment shown in the Security Response write-up concerns the risks posed not to your computer, but to the larger population of computers in the world, and so also considers such things as how widespread the threat is, and how quickly it can propagate. The latter is a measure of the statistical risk to a population, while the former is a measure of the damage that can be done to an individual computer. Therefore, a nasty virus that is extremely rare will not be rated as a high risk in Security Response, since most people are unlikely to encounter it in the wild. If you are attacked, however, your program may show this as a High Risk, based solely on the virus's intrinsic nastiness. See this article for a discussion of Threat Assessment:
Secondly, if your program reports that an attack has been blocked and that no action is required on your part, that means that the threat was prevented from compromising your computer. Since you weren't infected, you do not need to do anything further. The instructions posted in the Security Response write-up are manual remediation steps that you would need to take if a) you had actually been infected, and b) your antivirus program was not able to remove the infection by itself.
Hope that answers your questions.
12-05-2010 11:27 AM - edited 12-05-2010 11:40 AM
Thank you very much indeed, a superb explanation.
I'll give details below of what, to be honest, is the most serious attack I've ever had happen. Mention of a toolkit I presume is a rootkit? I'll expand further as well on what could have been an amazingly costly blunder whilst checking up on the details of the reported attack.
I always like to read up on every aspect of information provided by NIS, be it the port number involved, IP address and the virus itself. So I opened up Internet Explorer, clicked in the adjacent Google search box and typed in the IP address involved. To my horror Internet Explorer did what it sometimes does, namely, as you are looking down typing it has hijacked your input and unbeknown to you, you are typing into the IE address bar!!! So it went to the heart of the spider's lair and opened up the URL, where it said 'the site has declined to show the webpage'. Total disaster.
The only possible saving grace, I hope, is that NIS did not throw up any warnings when I went to the page. Although I did, and still do to an extent, fear the absolute worst, that I would have been highly infected. Balancing out such a disaster is that I have since carried out a full scan with NIS and Malwarebytes (with System Restore turned off). I also ran System Internals Root Kit Detector. All three gave a total clean bill of health (at that moment in time anyway).
I've since been keeping TCPView in sight looking for any dubious traffic on the ports. I really don't know if it is lying in wait. Having said that, NIS was mighty impressive in the speed of it popping up to signify the attack. I even used the command line window to 'ipconfig /release' and then disconnected my hub and turned the computer off. I did that in the hope that releasing and reconnecting hours later would give me a new dynamic IP address. Certainly my IP address has a different end digit now. The 'default gateway' is the same though, but hopefully that is OK as possibly that doesn't change in the way that the 'subnet mask' never does???
OK.....the specific attack. I was playing on a famous poker site and got the original message that NIS had foiled an attack on my computer. So I logged out of the site immediately. I then typed in the address of the site's homepage so I could contact support and was shocked to see that NIS again detected an attack! I've since uninstalled the site's software and will obtain their support email address from Googling and not by visiting the actual site. I have played on the site for several years and only ever had a warning once, about a month ago, and it was a minor virus which was blocked. However this one is, certainly to my mind, very disturbing.
In 'intrusion prevention' it says 'An intrusion attempt by (my IP address) was blocked'. Recommended Action- 'No Action Required'
Risk Name: HTTP Bleeding Life Toolkit Request
Attacking computer: Gives my IP address and port 4347.
Attacker URL: I won't give it here obviously in case anyone accidentally clicks on it. But its main part ends in 'cc' (is that China?). It has attached to the end load.php? and then quotes Java.
Which reminds me, at some stage of the whole affair my Java Console opened up but I was able to close it. I don't know if that happened when I went to the poker site's home page or the offending URL's web page which declined to show. On reflection I'm 99% sure it wasn't the latter case; it could well have been coincidence anyway. I can't remember what else I had opened.
Destination address: Again i won't print it fully here but it begins with 69.
Source Address: Gives my IP address by itself with no port number.
Traffic Description: TCP port 4347.
Network traffic from (my IP) matches the signature of a known attack. The attack resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE. To stop being notified of this type of traffic, in the actions panel, click stop notifying me. Network traffic from (the offending URL) matches the signature of a known attack.
Am I a dead man walking or OK?
12-05-2010 12:45 PM
I think you are probably OK. A toolkit is not a rootkit. A toolkit is a prepackaged set of exploits that works like this: Bad guys compromise a website such as your poker site, and insert the toolkit which contains multiple exploits for vulnerabilities in programs such as Java, Adobe Reader and others. When you visit the site the toolkit launches a search of your browser in an attempt to find a program that is vulnerable to one of the exploits contained in the pack, and if it is successful it will use the vulnerability to install malware without your knowledge or any action on your part. This is why it is so important to keep your software, especially Adobe Reader, Adobe Flash Player, and Java, up to date on patches. If your software is not vulnerable to the exploits the attack cannot succeed.
The alert you got was for such an exploit pack that Norton detected and blocked on the poker website. Since the attack was blocked you were protected. Since a toolkit is a tool and not a virus, your clean scans would tend to confirm that nothing was installed. The only thing I am a bit concerned about is your Java program opening. The current version of the program is Java 6, Update 22. If that is your installed version you should be fine, but if you are running an older version you could have been at risk. To be safe, you should probably clear your Java cache anyway. But I'm sure if there were a problem one of your scans would have detected it.
12-05-2010 03:06 PM
I did as you suggested regarding the Java cache. However, I think I am OK due to my memory jog about the Java detailed below. My version is 'Version 6 Update 21'. I probably forgot to update recently; I always wait a few days to see if problems are reported with updates rather than allow them to download automatically.
A fresh Google search for 'HTTP Bleeding Life Toolkit Request' has unearthed a thread started yesterday on a website elsewhere. It refers to a poker site that I think is the umbrella for several major sites, as in they use the same software. My poker site was amalgamated with them, I think it was last year, in that players on both sites now play as one.
It has also jogged my memory as to the Java events. The poster mentions:
"Security Issue...am I paranoid or is this not right?? So I launched the UB software last night, and as it's loading I get two different security warnings. The first one is Java telling me that the signature on an applet was generated by an untrusted certificate, and the second one is Norton telling me it blocked an attack on my computer."
I myself did instantly refuse to accept the applet, so it didn't get to run. They go on to say they've never had warnings before from Norton whilst on the poker site. They contacted support and received this reply:
"Please notice that both messages are fairly common and there is nothing to be afraid of.
The first one is just mentioning the digital signature which you must Run and actually choose the option to Always trust the content from the publisher. This can happen if the digital signature was not found or if you need to Allow it for the first time.
Regarding the second message, Browser.exe is the file that controls our Cashier window. This file requires internet access in order to send and receive deposit and payment requests from you or for you. If this file is blocked, your cashier window will not function at all and it needs to be unblocked. All our transactions are secure and protected, but some security programs might believe they are "attacking" the PC due to the nature of the files (that require connection back and forth from your PC to our servers).
Let us emphasize the fact that having this file blocked will most likely cause your Cashier window and all its functions to be blocked and inaccessible."
A poster reckons that the registration info for the URL is 'shady'. They actually give the URL link; I don't want to do that as it makes it clickable. How does one refer to a URL on this forum, is there a way?
I do share their concern regarding the path of the URL. Incidentally the 'browser.exe' referred to is fine in that it is the main programme that runs when you play. I also specifically scanned it the first time I ever saw it.
To quote them again; "What concerns me isn't the browser.exe file itself, but the URL that the browser is trying to reach (the offending url ending in cc) Especially with the shady WHOIS info for that domain (nancy taylor from Frederick, MD???). I dunno, with the wildly sketchy history of this site I'm not gonna just close my eyes and click accept to any warnings I get about their software."
I'll download the Java Update 22 now. I tried to do it with the 'update now' button on the Java control panel but it doesn't respond and is surrounded by dotted lines.
12-05-2010 03:57 PM
12-06-2010 10:37 AM
More reports of this are arriving all the time on the web. Google even on and off had it marked as 'a site that may harm your computer'. I've seen another AV red flag the site as well recently. Google found it downloading malware on the 4th and 5th.
I researched the port it attacked me through, 4347, and it is listed as lansurveyor Lan Surveyor. I googled that and apparently it is a programme that: "Discover how simple network mapping can be. Using a unique multi-level discovery technique, LANsurveyor automatically discovers your network and produces comprehensive, easy-to-view network maps that integrate OSI Layer 2 and Layer 3 topology data."
Now I've yet to educate myself in the whole TCP/UDP protocols and how ports work etc, but does this possibly mean that a third party has hacked the website or intercepted the connections and is using the LANsurveyor to map individuals' computer networks?
Got to admit, mind, that means little to me, in the same way that people are told to keep their social security number safe; like most people I wouldn't have a clue what to do with one if I found one lol.
Anyway for now I'd just like to offer thanks again for the excellent information given. I'll hold back a few days or a week and return to close/solve the topic once the whole saga plays its course and I can report back that it wasn't a false positive etc. People elsewhere at first said it would be Norton; however, that was swiftly defended and the majority are stating strongly it is malware. As I say I'll report back at the end of the week.
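Two of the checks a responder would make on the details posted in this thread can be scripted. The first concerns the port question above: the alert lists the poster's own IP as "Attacking computer" with port 4347, and says the traffic "resulted from" IEXPLORE.EXE, so 4347 is the local browser's client-side (ephemeral) port, and a service-name lookup for it (LANsurveyor) is irrelevant. The second is the Java patch-level comparison from the earlier replies ("Version 6 Update 21" against the then-current 6 Update 22). The code below is an added example, not from the original posts or from Norton; the alert text is constructed from the field names in the thread with RFC 5737 documentation addresses in place of the real IPs, and the Windows ephemeral port ranges are the documented defaults (XP/2003: 1025-5000; Vista and later: 49152-65535).

```python
"""Direction/ephemeral-port check for an intrusion-prevention alert, plus a
Java patch-level comparison.  Added example; the alert below is CONSTRUCTED
from the field labels quoted in the thread, not a real captured alert."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed alert: same field labels as the thread, documentation IPs only.
SAMPLE_ALERT = """\
Risk Name: HTTP Bleeding Life Toolkit Request
Attacking computer: 192.0.2.10, 4347
Attacker URL: [redacted].cc/load.php?java
Destination address: 203.0.113.5
Source Address: 192.0.2.10
Traffic Description: TCP port 4347
"""

# Default dynamic (client-side) port ranges on the Windows releases of 2010.
EPHEMERAL_RANGES = {
    "Windows XP/2003": (1025, 5000),
    "Windows Vista+": (49152, 65535),
}


@dataclass
class AlertSummary:
    risk_name: str
    outbound: bool            # True if the flagged traffic left this machine
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    port_is_ephemeral_on: List[str] = field(default_factory=list)


def _split_endpoint(value: str) -> Tuple[str, Optional[int]]:
    """'192.0.2.10, 4347' -> ('192.0.2.10', 4347); no port -> None."""
    parts = [p.strip() for p in value.split(",")]
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return parts[0], port


def parse_alert(text: str, local_ip: str) -> AlertSummary:
    """Work out which side of the connection the flagged port belongs to.

    local_ip is the address the user knows to be their own (the thread's
    poster says the 'Attacking computer' field showed their IP)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    attacker_ip, attacker_port = _split_endpoint(fields["attacking computer"])
    dest_ip, dest_port = _split_endpoint(fields["destination address"])
    outbound = attacker_ip == local_ip
    if outbound:
        loc_ip, loc_port, rem_ip, rem_port = attacker_ip, attacker_port, dest_ip, dest_port
    else:
        loc_ip, loc_port, rem_ip, rem_port = dest_ip, dest_port, attacker_ip, attacker_port
    ephemeral_on = [name for name, (lo, hi) in EPHEMERAL_RANGES.items()
                    if loc_port is not None and lo <= loc_port <= hi]
    return AlertSummary(fields["risk name"], outbound, loc_ip, loc_port,
                        rem_ip, rem_port, ephemeral_on)


def describe(summary: AlertSummary) -> str:
    """One-line reading of the alert for a non-specialist."""
    direction = "outbound request from this machine" if summary.outbound else "inbound traffic to this machine"
    port_note = ("a client-side port, not a service on this PC"
                 if summary.port_is_ephemeral_on else "not in a default ephemeral range")
    return (f"{summary.risk_name}: {direction}; local port {summary.local_port} is "
            f"{port_note} (ephemeral on: {', '.join(summary.port_is_ephemeral_on) or 'none'})")


# Accepts both the control-panel form ("Version 6 Update 21") and the
# java -version form ("1.6.0_21").
_JAVA_RE = re.compile(r"Version\s+(\d+)\s+Update\s+(\d+)|1\.(\d+)\.0_(\d+)")


def parse_java_version(text: str) -> Tuple[int, int]:
    """Return (major, update) for a Java 6-era version string."""
    m = _JAVA_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    nums = [g for g in m.groups() if g is not None]
    return int(nums[0]), int(nums[1])


def java_is_current(installed: str, current: str = "Version 6 Update 22") -> bool:
    """True if the installed build is at or above the reference patch level."""
    return parse_java_version(installed) >= parse_java_version(current)


if __name__ == "__main__":
    s = parse_alert(SAMPLE_ALERT, local_ip="192.0.2.10")
    print(describe(s))
    print("Java current:", java_is_current("Version 6 Update 21"))
```

Run on the constructed alert the summary comes out as outbound, with 4347 falling inside the XP/2003 dynamic range only, which matches a browser on XP making an HTTP request that an IPS signature then flagged; the Java check reports 6u21 as behind the 6u22 level mentioned in the thread.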
12-06-2010 10:43 AM
It certainly sounds like a hacked poker site. This sort of thing is very common. Norton blocks the exploit pack, so you should be fine. Until the site owners clean up their site visitors will continue to be redirected to the malicious toolkit.
12-07-2010 09:46 AM - edited 12-07-2010 09:59 AM
Had to come back to update and wish I could edit the title to mention the possible culprit. In an update elsewhere on the web they refer to none of the main AV products being able to trace it. In the snippet I've pasted below I think they may have made a typo and instead of backdoor.tass.565 they meant Backdoor.TDSS.565. I say that as Googling only reveals the latter of the two names.
Either way I am concerned in that a Norton search shows no mention of either, eeeeek!
EDIT: for some reason using the search box at the top of this page reveals a thread about Norton not being able to detect this exact trojan; I shall read on.
FURTHER EDIT: the thread mentioned above leaves me confused as it's dated a while ago and doesn't make clear to me whether NIS does detect it. Bear in mind it detected the attack but mentioned 'HTTP Bleeding Life Toolkit Request' and did not then or since mention the (detectable/undetectable by Norton?) trojan 'Backdoor.TDSS.565'.
The snippet from elsewhere:
"I'm going to update this thread, because the virus we actually ended up finding was not caught by any of the main scans on the market, and this virus hides very well.
Panda came up clean- the files infected were "cookies". Avast came up clean. McAfee came up clean. Norton came up clean. Malwarebytes came up clean.
It found, where no others did, this: backdoor.tass.565 (my comment here: I think that's a typo and they meant Backdoor.TDSS.565..maybe, maybe not???)
It eradicated it, but when I rebooted it and ran it again, it was back. Techie friend said it was just a piece of the process it was finding, and not all of it. This is one nasty virus, and it hides very very well.
Everything is updated and 100% secure, but it was a doozy to find the actual virus. Just letting you all know because none of the main software is catching it. This virus can take control of your computer.
Also, some of the redirects got blocked by dr.web after we got it installed and they were from .co.cc which is relevant as it is the same address in the warning for google about Absolute."
I personally haven't suffered any attempted redirects since staying away from the poker site; not sure if that means I'm safe or not.
12-07-2010 10:18 AM
It might be best if you visited and signed up for one of the malware removal sites to have your computer checked out. If you have what you corrected the typo to be, then that is a rootkit and none of the programs you have mentioned can pick up all the latest rootkits that are out there. These malware removal sites have the proper tools and know how to have you run scans and post logs, and they can tell you if your computer is clean or not and, if it isn't clean, they have the means to get it cleaned up safely on a 1 to 1 basis. In today's malware world, rootkits can be very well hidden and need an expert to be able to find them and help to remove them safely. Here is a list of malware removal sites. Bleepingcomputer will be busy, but the others are good also. If your computer is clean, then you will have the peace of mind that it is clean and if it isn't, then you will have the peace of mind after it is cleaned up.
Please go to one of these free Forums for help in removing your bad malware or rootkits.
(Thanks to Delph for providing the list of sites)
Please let us know which one you decide to sign up with and keep us informed. Thanks.
Success always occurs in private and failure in full view.