All-clear: Virus attack from totalcmd.net !

tbeu
Power Member
Posts: 1354
Joined: 2003-07-04, 07:52 UTC
Location: Germany

All-clear: Virus attack from totalcmd.net !

Post by *tbeu »

When I start totalcmd.net in Firefox 3.6.20 I get a Java popup window and a firewall alarm of this trojan (scan at virustotal.com) on WinXP. Please be aware until admin of totalcmd.net gives the all-clear.
Last edited by tbeu on 2011-11-07, 09:42 UTC, edited 2 times in total.
Peter
Power Member
Posts: 2068
Joined: 2003-11-13, 13:40 UTC
Location: Schweiz

Post by *Peter »

My Firefox 7.0.1 with "AVG Free Edition" tells me

Code:

Gefahr: Surf-Shield hat auf dieser Seite aktive Bedrohungen erkannt und zu Ihrem Schutz den Zugriff blockiert.
Die Seite, auf die Sie zugreifen möchten, wurde als bekannte Exploit-, Phishing- oder Social Engineering-Website identifiziert und daher zu Ihrer Sicherheit blockiert. Ohne Schutz, wie beispielsweise durch AVG Security Toolbar und AVG, besteht die Gefahr, dass Ihr Computer beschädigt oder Ihre persönlichen Daten gestohlen werden. Wählen Sie eine der unten angeführten Optionen aus, um fortzufahren.

URL: cick.chickenkiller.com/sys/main.php?page=fb14c1b3b6e4c496
Name: Blackhole Exploit Kit (type 1889)
Short translation:
"active harassment; blocked; known Exploit-, Phishing- or Social Engineering-Website"

Peter
TC 10.xx / #266191
Win 10 x64
Jon Canale
Member
Posts: 142
Joined: 2003-02-07, 12:54 UTC

Post by *Jon Canale »

Just now MS Security Essentials blocked a couple of items from Totalcmd.net, so it's still infected.
Flint
Power Member
Posts: 3511
Joined: 2003-10-27, 09:25 UTC
Location: Belgrade, Serbia

Post by *Flint »

Thanks for the warning, I removed the malicious code now.
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 11.03 / Win10 x64
Stance
Power Member
Posts: 1079
Joined: 2005-03-29, 06:26 UTC

For your information:

Post by *Stance »

http://www.webopedia.com/TERM/B/blackhole_exploit_kit.html
BlackHole Exploit Kit

A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer.

Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.

The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole exploit kit have since appeared on warez download sites. The most well-known Blackhole exploit kit attack targeted the U.S. Postal Service's Rapid Information Bulletin Board System (RIBBS) website in April 2011.
tbeu
Power Member
Posts: 1354
Joined: 2003-07-04, 07:52 UTC
Location: Germany

Post by *tbeu »

Flint wrote:Thanks for the warning, I removed the malicious code now.
Thanks. There are still two open questions. How did it get infected? And how likely is a re-infection?
TC plugins: Autodesk 3ds Max / Inventor / Revit Preview, FileInDir, ImageMetaData (JPG Comment/EXIF/IPTC/XMP), MATLAB MAT-file Viewer, Mover, SetFolderDate, Solid Edge Preview, Zip2Zero and more
Flint
Power Member
Posts: 3511
Joined: 2003-10-27, 09:25 UTC
Location: Belgrade, Serbia

Post by *Flint »

tbeu wrote:How did it get infected? And how likely is a re-infection?
Unfortunately, I'm not a security expert, so I'm unable to answer these questions. :( I tried to find any traces of the infection in log files but failed.

Since it's not the first time, I suspect there is some open hole in the server, but how to find it is beyond my abilities. I'll ask Ergo (the owner of the site) to contact the hoster company, maybe they'll be able to help.
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 11.03 / Win10 x64
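As an added example that is not part of this thread (and not Flint's, tbeu's or totalcmd.net's own code), the following Python script does the kind of search Flint describes attempting above: it walks a web root and flags the injection patterns that Stance's quoted description refers to, i.e. planted scripts and hidden iframes that redirect visitors to a foreign host, plus the decode-then-eval obfuscation typical of injected PHP. The trusted host list, the file extensions, the host names and the sample pages are assumptions constructed for the example.

```python
"""Added example (not code from the thread or from totalcmd.net): walk a web
root and flag the injection patterns exploit-kit campaigns leave behind, so an
admin can locate planted code instead of reading every file by hand."""
import os
import re
import sys
from urllib.parse import urlparse

# Assumption: the site only legitimately embeds content from its own host.
TRUSTED_HOSTS = {"totalcmd.net", "www.totalcmd.net"}

# Indicators checked in each file; the names appear in the report.
PATTERNS = {
    # iframe sized to 0x0 or hidden via CSS: the classic drive-by redirect carrier
    "hidden_iframe": re.compile(
        r'<iframe[^>]*(?:(?:width|height)\s*=\s*["\']?0\b'
        r'|visibility\s*:\s*hidden|display\s*:\s*none)', re.I),
    # client-side decode-then-execute obfuscation
    "js_eval_obfuscation": re.compile(
        r'eval\s*\(\s*(?:unescape|String\.fromCharCode|atob)\s*\(', re.I),
    # server-side decode-then-execute, typical of injected PHP backdoors
    "php_eval_obfuscation": re.compile(
        r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I),
    # long runs of escaped bytes hiding a payload in plain text
    "escaped_blob": re.compile(
        r'(?:\\x[0-9a-f]{2}){40,}|(?:%[0-9a-f]{2}){40,}', re.I),
}
# src attribute of script/iframe tags, used for the foreign-host check
SRC_RE = re.compile(r'<(?:script|iframe)[^>]+?src\s*=\s*["\']?([^"\'\s>]+)', re.I)


def foreign_sources(text, trusted=TRUSTED_HOSTS):
    """Hosts referenced by script/iframe src attributes that are not trusted."""
    hosts = []
    for src in SRC_RE.findall(text):
        if src.startswith("//"):           # protocol-relative URL
            src = "http:" + src
        host = urlparse(src).hostname       # None for relative paths
        if host and host.lower() not in trusted:
            hosts.append(host.lower())
    return hosts


def scan_text(text, trusted=TRUSTED_HOSTS):
    """Return the list of indicator names found in one file's content."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    hits += ["foreign_src:" + h for h in foreign_sources(text, trusted)]
    return hits


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Map relative path -> indicators for every flagged file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed sample pages (not real content from totalcmd.net).
CLEAN_PAGE = ('<html><body><script src="/js/menu.js"></script>'
              '<p>Total Commander downloads</p></body></html>')
INJECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://evil-host.example/sys/main.php?page=0" '
    'width="0" height="0"></iframe>')
BACKDOOR_PHP = '<?php eval(base64_decode("ZWNobyAnb2snOw==")); ?>'

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # real use: python scan.py /var/www
        for path, hits in sorted(scan_tree(sys.argv[1]).items()):
            print(f"{path}: {', '.join(hits)}")
    else:                                   # demo on the constructed samples
        for label, text in [("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE),
                            ("backdoor", BACKDOOR_PHP)]:
            print(f"{label}: {scan_text(text) or 'no indicators'}")
```

Run it against a copy of the document root (or the whole tree, since injected code often lands in every index file at once) and review each flagged file by hand; a hit on `foreign_src` for a host you do not recognise is the redirect stage Peter's AVG warning pointed at, while `php_eval_obfuscation` hits are the place to look for how the attacker keeps getting back in. The indicators are deliberately broad, so expect a few legitimate matches (minified libraries, analytics tags) that you add to the trusted list.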