DevNetwork Forums

I'll bet there is just some cracker (negative hacker) out there reading this, and just laughing his head off.

Wow ! More & more complaints on this issues - and most from India. Odd, that this worm doesnt affect gateways in other countries.
First of all, most ISPs here provide internet through a local cable operator as a gateway and most of these gateways are on Windows - not Linux. And I wont be surprised if its running on WinXP or Win2000. Linux at the local customer-level is still a long way.

From Nerul here and same setup - using Sify though.

I can never seem to talk to my cable operator in such depths. I can understand that he has no clue as to whats going on - because he keeps saying "हां । काम हो रहा है । पांच मिनट में आजाएगा"

Not all the time - even at night I face same issues - guess some PC is still on at the time. But often I have noticed smooth connectivity during the night. But also a request timed out.

This is news to me. Unfortunately I dont know any IPs in my network (its going to be tedious to try all out)
I have Apache httpd 2.2.6 on my WinXP PC and I keep checking the access & error log files.
Quite often I get a request from a local IP

Tried these IPs with your method of pinging them if ping <gateway> times out. Doesnt seem to work.
This might have worked 2-3 weeks back, right now the ISP or cable guys are upto something. I keep getting timed out at random intervals - all the time. Never steady enough to download a 5MB file @256kbps.

Redirect ? Are you sure ? I never got redirected. All my pages got injected with that JS line on top and tried to pull that JS file first. I hope thats what you meant by redirect.

This may be true, but because of the randomness, its quite difficult to know. But what I dont understand is, how can a PC in the network send the html page to the gateway and then send it to the users. Shouldnt it be the other way round - gateway sends data to PCs and on the way one the infected PCs injects that JS line to other destined PCs - I suck at networking, but I thought this was how point-to-point works.

Its the firewall thats required more than the anti-virus. But most cost which ppl wont buy.

Im still facing terrible slowness. Unfortunately Im residing in an are awhere Sify dominates - recently Tata Indicom lines were established. YouTeleCom is not available in all sectors. Other major players like AirTel etc arent available in Navi Mumbai.

Luckily your ISP 'listens' to you. When I called tech support, and when the exec inquired at the higher level, the reply was always 'contact your hardware engineer' (to check for virus etc) !

Anjanesh what i meant by redirecting is whenever i open any page on my IE or firefox the first link which my borwser redirects to is http://g.asdafdgfgf.com/ads.js but as i got Adblock Plus in firefox the site never gets a chance to open and then the original site which i desire to get open finally connects.

And yhea the problem is with both internal and external.....the PCs which do not have a good antivirus like norton and Nod32 let these JS to reside in them and from these PCs requests are send repeatedly to the gateway (and not other users) this makes the gateway to clog and hence net to get disconnected for all of us till the gateway is unclogged. The simple solution to this is ping the gateway and at the same time ping to any random ip within your range to evoke the gateway ...... its working perfectly fine.... till the next attack happens.........if u can meet me i can demonstrate this to you......... there is a direct train from Panvel to Andheri (i think u knw it)...... so u can hop on it and get to my place...... ill give u my detailed address through email..........by the way i got many friends from your locality coming to my college in chembur........and all are complaining about this same issue........lets meet up, what say?

chillpill_rohit !

exactly same issues, similar ip addresses .. similar gateways ..

I have also been trying to help out my local cable guy, who has no clue whatsoever !

Anyways to help anyone who requires it, everytime the connection disconnects (this is happening too frequently at my end due to the virus broadcasting and flooding the routers) if you clear the arp cache on your windows pc (by either repair or the arp -d * command) the network starts working.

I got frustrated repairing the connection each and everytime ! .. so finally I have written a program to keep checking up the connection status every 30 seconds and repair it automatically if required ! .. now I don't need to do anything .. i have a log with disconnections every 10 minutes ..

now its my cable guy who is surprised how i am managing to make my connection work, when the entire area is down for almost a week now. !

Maybe it will help if you set a static ARP entry for your gateway IP.

Care to share that code ?

Btw, this is the JS code (ads.js) thats trying to execute


Anyone has any clue as to what this code might be doing ?
It obviously seems to be creating quite a number of ActiveXObjects but this totally harmless in FF right ?

People i got something new to share..........this ads.exe file which seems to be getting downloaded on unprotected computers in our local area network through the above JS can have following effects :-

ADS.EXE has been seen to perform the following behavior(s):

* Executes a Process
* Creates a TCP port which listens and is available for communication initiated by other computers
* The Process is packed and/or encrypted using a software packing process

ADS.EXE has been the subject of the following behavior(s):

* Created as a new Background Service on the machine
* Created as a process on disk
* Executed as a Process
* Added as a Registry auto start to load Program on Boot up


for further information chck this site http://www.prevx.com/filenames/21101812 ... S.EXE.html

and also chck this out http://www.spywaredata.com/spyware/malware/ads.exe.php

One very important thing i need to add is........ i have been in contact with my cable operator and even the ISP interface tech support people on this issue.......i have talked to anjanesh all about it..........

Firstly the interface ISP people failed to acknowledge our problem......after few persistent request from us they were ready to lissen to what we had to say.........actually we had asked them to block this ip 222.216.28.25 (which is the root cause of this whole issue refer my earlier posts where i have mentioned it) from their main DNS servers through which our line was getting connected.......than i tried

tracert 222.216.28.25

which gave me only 1st hop till my gateway and then it was dead which means that the ip was sucessfully blocked from their servers.....

Then they asked us to clear our cache and all other temporary data and reboot and then try and connect to net........what came to our surprise was that the JS was still getting injected......... this was very shocking......the interface people tried to solve this problem but today atleast we didnt hit any success.....

Now to check if our PC was infected or not we tried this.........we logged into vibes online (another ISP having other ip config) from the same machine and then started surfing net........and that JS was no more to be seen.......so it was quiet evident that nothing is wrong with our PC.......coz its already blocking the JS and now allowing it to run.........

So what does all this point to?

Simple........ something is wrong in our local area network itself...... in some of the computers which are unprotected that above mentioned JS is getting run and tht ads.exe is getting downloaded and hence executed ........ as i have mentioned that this ads.exe " Creates a TCP port which listens and is available for communication initiated by other computers " so this is probably the port which is clogging the gateway and hence making our connectivity to net disrupted........ but still my this point is yet to be proved.......so tmmrw ill again work on it and find out the infected PCs on my network and try and see if any such ads.exe file is running any kind of service on their PC or not...........WISH ME LUCK buddies.........this problem has got a shorter life now........its soon gonna get resolved and i assure u all a HAPPY ENDING to this thread

Regards,
Rohit Jain
(not the only affected user :p )

From secunia.com
Related : xforce.iss.net, securityvulns.com


From secunia


From secunia


The biggest threat is the BaiduBar.Tool ActiveXObject object because it tries to download an exe file.

According to wikipedia,
Thats probably why Baidu is used by many - download mp3s !

Latest from me. It seems that, contrary to what I reported earlier, when I go through a secure proxy server the code is no longer added to my html. I thought I could safely ifnore this little piece of offending code as I had set the site in my host file to point to 127.0.0.1 and my virus software was dealing with it BUT adding that piece of code still affects 'some' pages I view but causing things like the font to be larger or some other formatting of the page error. Worse it must be getting added to even programs code that uses the net as one of my key programs that accesses an API does not work - it does work when I go through proxy with it.

So it seems the code it getting added from the server rather than my computer!!!! (this really is weird as I am the only computer on my network getting it and I am on a dynamicaly allocated IP from my wireless router). If this is so WHY am I the only one seems to be reporting this in the UK and on Virgin. Surely this would be more widespread.

I eagerly await some solution for this. Till then I will run through a proxy server - hardly a solution!!

Is there some way I can access the prerender engine of my browser and add some java script that removes the offending code before it renders??

Richard

I thought it was CSS that wasnt getting parsed properly because of the missing JavaScript.

Any clue if this is getting added to incoming bytes to ports other than 80 ? I am facing issues FTP, SFTP quite often, but no clue if the JS line is getting injected in those requests too.

Thats the weirdest part - how come this is not common enough.

AdBlock Plus extension for FireFox.

Rohit has some interesting update on this. He got to his local cable operator and checked the log files.
Apparently, there are whole lot of bytes sent out when compared to incoming bytes and the MAC address is being changed to 00-80-48-40-90-CC for ALL PCs when the exploit is active.
The MAC address and the IP address map is stored at the local cable operator's area net is refused if either one are changed. And yet, all these customers are getting their MAC address changed to a same value !

Everah | Please use [code] tags when posting code in the forums. To post a particular type of code, use a syntax similar to [code={lang}] where lang is the language you are using. Thanks.

this is a very small and trivial code, actually but worked for me for a while at least ... vb.net (.net 2.0) !



unfortunately i don't have much idea about setting up static arp

and yes i already know about references to RBN, indonesia, 6.gif and ads.jpg, and i am quite sure it has to be coming from some gateway in between .. and not from our machines/ servers or browsers ..

Everah | Please use [code] tags when posting code in the forums. To post a particular type of code, use a syntax similar to [code={lang}] where lang is the language you are using. Thanks.

EUREKA !!

The Solution is found and working well. First let me tell you the real culprits creating this problem in our networks...


And the culprit is not the gateway or the ISP servers....but some of the computers within our own local area networks..........and not necessarily of the same ip pool but of the ip pools which share the same servers.........and this was possible to prove only because of the co operation from my local cable operator and our ISP (IOL Broadband) and our tech team ofcourse..........

Now the whole problem is created by a bunch of computers where this particular JS found a way in(due to lack of any protection by antivirus) and installed a couple of deadly trojan files infecting the Network services of those computers in a way that the these computers send heavy broadcast to the shared servers in a way of multiple ARP requests at a very high frequency thus clogging our requests to the gateway..........hence to solve this we isolated these PCs from our network for sometime and then found out to our surprise that the JS had vanished and the internet was working at full speed...........then again we inserted those PCs into our network to find that the JS was again appearing and the network had slowed down and ultimately got clogged...........

Now how we proved it?..........we were working hard to find out from which PCs these broadcast were taking place ............being sunday many offices and other PCs were inactive barring a few...........so we were fortunate enuff to find out one PC sending these broadcasts to the server........we got his address from the cable operator and visited his place.........to find out what didnt surprise us much.........his pc was having absolutely no protection in form of any antivirus or anti-spyware or adware..........moreover he was using Internet Explorer to browse through the net which can activate an ActiveX object created by the JS which anjanesh has proved in his decoded scripts.........even the user got many alerts (to block/unblock particular contents on the pages) which due to his ignorance he always used to unblock...........

Now we scanned his PC with Nod32 to find more than 1500 different infected files in his windows folder........the log of the scan ill be sharing with u all in the next post........once his PC was disconnected from net we found no JS appearing and the net was working perfectly fine.........is PC was cleaned and then again connected to network which didnt clogg till 8 or 9pm in evening..........then some other infected PCs started clogging the network and now we are one by one isolating such PCs and cleaning them with Nod32 updated version..........

Another important thing...........the ISP servers had no role in this entire clogging thing........we proved this also by connecting our machine directly to the line coming from the servers and isolating our network from it.........we found absolutely no JS and net was working fine ..........but then when we included the network the JS started appearing the net speeds slowed down and ultimately the network got clogged.........we had also asked the ISP tech team to check if their servers were infected or not.......they found no such viruses on their systems.....
so our point is proved.........the culprits are within the local area network itself

This is how our problem has been solved and so can be urs......now to find out which PCs on your network are cloggin the servers..........just download this software Ethersnoop from http://www.arechisoft.com/ and install it.......now configure it as i say.......in the next post.

Just install the above software.............run it...........go to TOOLS>SETUP
and set ur buffer size to more than 5MB.........now come back to the main
window.........and click on PACKET FILTER option.............tick all the other
protocols like ICMP,TCP,UDP,OTHERS and just leave ARP unticked..........now
select ur LAN CARD from the drop down combo box just left to the PACKET
FILTER option........and now click on the leftmost first button to start sniffing ur network..........wait for some time and ull see a list of ARP requests
coming from some physical address........click on the physical address
which is getting repeated regularly and chck its details like its IP on the
left hand side of ur window..........if any problem do contact me.

The logs of the virus scan performed using Nod32 on one of the infected PCs.......