Author Topic: What to do with found information


Pedro Hin

  • Guest
What to do with found information
« on: July 26, 2009, 06:14:14 PM »
The purpose of this note is to get keywords out there, since I am finding nothing about this new malicious host, but it also makes for an interesting read.

A customer was losing internet connection intermittently and claiming that when he tried to log into his bank website -- bankofamerica.com, he was being redirected to a page asking for card#, CVV, PIN# etc.

I went to his office, also tried logging into usbank.com (not with my ID of course, but a jumble of 8 characters). Sure enough, we were also getting the same thing at US Bank. One thing about both banking sites, Internet Explorer would pop up a message about displaying unencrypted items -- something I wasn't used to seeing for a long time, especially when logging into a banking site. The only visible item that changed if I clicked 'do not show' was that a gif would not display over a still active [submit] button. The ability to view page source was greyed out.

I did all of the usual stuff, ran malwarebytes, superantispyware, loaded hijackthis to look at start-up entries, ran systemexplorer to see what drivers and services were loading at start-up. Malwarebytes and superantispyware found a few things (vundo, mywebsearch) so I cleaned and rebooted. None of this helped. The customer allowed me to take the system with me so that I could do a full backup and check it thoroughly.

After the backup, I uninstalled Norton, installed Avast. I still found nothing.

I decided to install Wireshark to determine just where this browser was being redirected to, and found an https session being created with hxxps://190.120.226.43/.

The interesting things here are that the browser still shows association with the usbank SSL certificate, and Internet Explorer was not complaining at all about negotiating with a self-signed SSL certificate, but as hostname km35535.keymachine.de, which does not resolve to the same IP as above -- 190.120.226.43.

If I tried connecting directly to the numbered host from the URL, only THEN would Internet Explorer tell me that the SSL cert was suspicious.

After talking with the customer, we mutually agreed that we only felt comfortable with a wipe/reload.

I had his HDD backed up already, so I went ahead with the reload / restore.

Now I have some time to kill, so I removed his HDD, installed a spare, and restored his 'infected' image. I DO NOT LIKE to be beaten by malware, so I thought I would research this thing a bit more.

I used Macrium Reflect, which gives you the option of replacing the MBR with a Windows XP 'standard' MBR -- then it CLICKED in my mind... This could have been an MBR infection, so I told Macrium to replace the MBR upon restoration.

That fixed it! I was so pleased. NO more intermittent problems with the NIC, and logins to USBank and BankofAmerica both behaved normally again.

According to the customer, this odd behaviour started happening about 11 days ago.

I have not yet seen anything on any security forums yet, so I still do not know how it got there, what it is being called, or how long it's been around.

I have been dealing with malware almost daily for the past 4 years, and have not seen one exactly like this, although I know boot record infections have been around for ages.

Between this infection and Vitro, it seems that with wider use of flash drives, external hard drives, and iPods, we will see more of the types of infections we used to see when the floppy disk was the most common portable storage medium. Whether this infection was downloaded or transferred by removable storage, I do not know. When I go to drop off the system, I will be checking his flash drives / iPods etc. on a honeypot laptop.

Oh yeah, the subject of this post. Who do I report this website to? I have read bad things in general about keymachine.de, but not this specific host. As part of my troubleshooting I tried 'blacklisting' the offending IP in Internet Explorer, but it didn't matter for some reason.

===============================

EDIT: since posting this I have determined that km35535.keymachine.de is likely not the same host as 190.120.226.43 (I'm a malware guy, not a DNS/networking guy :P) - the post above has been edited to remove association between hostname and IP.
« Last Edit: July 26, 2009, 06:39:25 PM by Pedro Hin »
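The fix that finally worked in the post above was having Macrium write a standard MBR over the restored image. As an added example, not code from the original post, here is a Python check a technician could run against the first sector of a backup image to compare its boot code against a known-good hash and sanity-check the partition table; the sample sectors and the baseline hash here are constructed placeholders, not a real Windows MBR.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": entries,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}

def check_mbr(sector: bytes, known_good_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != known_good_bootcode_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    return findings

# Constructed sample sectors: placeholder boot code (NOT real Windows code), one bootable NTFS partition.
def build_sample_mbr(bootcode: bytes) -> bytes:
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_000_000)  # bootable, type 0x07 (NTFS)
    table = entry + b"\x00" * 48                                     # three empty entries
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + table + MBR_SIGNATURE

CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90BASELINE")    # stand-in for the clean image
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootcode_sha256"]  # hash taken from the clean sector
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3C\x90PATCHED")  # same layout, altered boot code

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

On a real image you would read the first 512 bytes of the disk file (or of `\\.\PhysicalDrive0` with administrative rights) and take the baseline hash from a system known to be clean.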

Jtaylor83

  • Guest
Re: What to do with found information
« Reply #1 on: July 26, 2009, 10:53:00 PM »
This may be either a Win32:Expiro infection or a Win32:Banker infection.

Win32:Banker is a trojan that steals banking information. Win32:Expiro is a file infector that changes the size of an executable file and may steal credit card information through fake errors.