Goingonearth.com! Stay Away!

Post Reply
FireFoxOmicron
Posts: 88
Joined: Thu Nov 11, 2010 3:51 pm

Goingonearth.com! Stay Away!

Post by FireFoxOmicron » Wed Nov 17, 2010 9:44 pm

Please rate this site Red. www.goingonearth.com [ Do NOT go onto this site! ]

I have noticed over the last two years or so of an increase of infections from goingonearth.com. [ Don't go on it. ]

From what i can tell, It contains a very dangerous rootkit that is extremely hard to find. It redirects to goingonearth.com and if you try typing goingonearth into Google, Bing etc then the Rootkit will turn the word into an Anagram [ Example. anrethoiggnon ].

You can successfully search for a diagnosis by typing in g-o-i-n-g-o-n-e-a-r-t-h OR
goingoneart h [ Note the space between the t and h. ]

Basically it hijacks your browser with one of the most advanced malware techniques i have ever seen. This Rootkit is UNDETECTABLE by all means. I am a virus remover and even i have had trouble finding the source.

Things i have checked and have been either fixed or unaffected in the first place -

Host File
Network Proxy For All Browsers
Any New Add-On Installed
Any Recently Created Or Suspicious Looking Files [ .dll etc. ]

And none of the above were edited in any way. Yet the redirects still continue to this day.

The sequence of the infection seems to be the same on each computer.

Site drops a few trojans.
Anti-Malware software picks up trojans.
Trojans all removed but redirects stay due to hidden rootkit.

Not many people know about this, Which is most likely why there is no " cure " for the Rootkit. Even TDSS Killer can't find it OR Malwarebytes Anti-Malware.

So please rate this site red. It is one of those horrible sites that plague the net.

It appears to target FireFox more then any other browser [ But with NoScipt you should be safe. ]

Thanks to Anonymouse for reminding me about something ...

If you check out their " Privacy Policy " or " Contact Us " links, They lead to the same page with either little to no information.

Safe Browsing.


UPDATE
-----------------------

I found this! -

" flastrui on Thu 21 Jul 2011
01:46:52 PM UTC

RE: Goingonearth.com! Stay Away!

This worked for me : http://www.microsoft.com/security/scanner/en-us/de...


I downloaded the scanner (around 69 MB), ran the program, chose the default scan type and it came up with 2 trojan infections, restarted to complete the removal......have been constantly doing searches on google to test and so far not even once it went to either http://www.goingonearth.com

or http://www.thewebtimes.net

.
The other reason i think it has really fixed my problem is this : Before cleaning using this scanner, I tried searching for "thewebtimes.net virus" on google for a number of times but google just sat their doing nothing....after the scan, the same search worked perfectly.
Hope it helps.

Update : Now running a full scan, time elapsed : 1 hr 52 mins, infected files found : 33, completion : about 25%
22-July-11 Update : Confirm that system is now completely clean of any infection. Thanks Microsoft !! "


Also, My friend told me she had downloaded this today [ 28 / 7 / 2011 ] and that the redirects have stopped!

c۞g
Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

re: goingonearth.com

Post by c۞g » Wed Nov 17, 2010 11:17 pm

goingonearth.com [url=https://www.mywot.comgoingonearth.com t=_self]whois[/url] | [url=http://www.robtex.com/dns/goingonearth.com.html t=_self]DNS[/url]

I checked:
clean - http://www.google.com/safebrowsing/diagnostic?site=goingonearth.com
clean - http://support.clean-mx.de/clean-mx/viruses.php?domain=goingonearth.com&response=
clean (excluding WOT) - http://www.urlvoid.com/scan/goingonearth.com
IP: 69.42.84.140 is clean - http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=69.42.84.140
Wepawet [url=http://wepawet.iseclab.org/view.php?hash=ba094a432368d32828f138d18c0893bf&t=1290032693&type=js t=_self]analysis[/url]: benign [clean]

Warxas
Posts: 1152
Joined: Sun Nov 16, 2008 11:07 pm

Ummm

Post by Warxas » Wed Nov 17, 2010 11:21 pm

I haven't visited the site, just in case it is as horrible as you say. But I don't see anything telling me it contains a rootkit?

http://www.urlvoid.com/scan/goingonearth.com
http://www.UnmaskParasites.com/security-report/?page=www.goingonearth.com
http://wepawet.cs.ucsb.edu/view.php?hash=a0951e180cdc76364e6a63df0b76d996&t=1290035730&type=js

I did see this: http://answers.yahoo.com/question/index?qid=20101003105455AArvpkx
and this: http://www.bleepingcomputer.com/forums/topic315694.html

Where is your proof, that it contains a rootkit? Thanks! :D


Edit: a few minutes too late I see. :(

i☆
Posts: 2200
Joined: Tue Sep 28, 2010 9:57 pm

Re:

Post by i☆ » Thu Nov 18, 2010 1:48 am

Are you serious that I should not visit it? Or will I have to be stupid enough to click a .exe file?

FireFoxOmicron
Posts: 88
Joined: Thu Nov 11, 2010 3:51 pm

Hi

Post by FireFoxOmicron » Thu Nov 18, 2010 7:50 am

It doesn't require you to click anything.

Some people have gotten the rootkit as a drive by download.

FireFoxOmicron
Posts: 88
Joined: Thu Nov 11, 2010 3:51 pm

Hello.

Post by FireFoxOmicron » Thu Nov 18, 2010 7:58 am

Nice results.

But check out Bleepingcomputer.com for many posts about the rootkit that always lead back to the site.

My friend even has the Rootkit. I will try to take a picture of it [ Or a small video of the rootkit turning goingonearth into a anagram on Google. ]

Remember. This rootkit is not very well known. Even experienced technicians have resorted to reformatting since the unique nature of this malware.

FireFoxOmicron
Posts: 88
Joined: Thu Nov 11, 2010 3:51 pm

Hello. Sorry for the late reply.

Post by FireFoxOmicron » Thu Nov 18, 2010 8:03 am

Here you go.

http://www.google.co.uk/#hl=en&biw=1440&bih=714&q=+site:bleepingcomputer.com+goingonearth+redirect&sa=X&ei=UdrkTJaPJsyLhQeI7fHIDA&ved=0CB8QrQIwAA&fp=defa3a9cb56700ff

My friend even has the rootkit after visiting the site from a link from Dailymail.com.

Also remember. This Site isn't that well known. And since this rootkit seems to be a unique nature, It could be classed as a Zero Day Virus despite people being infected for many years.

Not one single Anti Virus or Anti Malware detects it. Not even Combofix.

"Edit: a few minutes too late I see. :("

?

Also..

http://www.siteadvisor.com/sites/goingonearth.com/msgpage

Site Advisor claims it is green [ Most likely haven't tested it as the site isn't very well known. ] but check out the comment left by another user. It is categorized as Browser Exploit.

giedrius
Posts: 1310
Joined: Tue Jul 20, 2010 3:34 pm

Omega-FireFox The nature of

Post by giedrius » Thu Nov 18, 2010 9:14 am

Omega-FireFox
The nature of rootkits is that they are hard to detect ONCE they are in the system. They spread by using same exploits like other malware and they can be detected at the same ratio.
Also, Rootkit is kinda of curse word. Sometimes they are mistakenly attributed to malware, that can not be detected yet.

Typically, malware is created for fun or for profit. In many cases malware authors do not bring person back to the same website that infected you, as these sites did their job already. Thus it is more than likely that actual malware is hosted somewhere else (even if it redirect to this one).

FireFoxOmicron
Posts: 88
Joined: Thu Nov 11, 2010 3:51 pm

Hello.

Post by FireFoxOmicron » Thu Nov 18, 2010 9:58 am

Hi there.

Thanks for the information. But in some cases, If the website is a Search Engine or advertises false products in hope of stealing credit cards numbers then goingonearth is one of those sites. It aims to redirect traffic from Google to itself. For example. Some Rogue Programs [ Like Zango ] would display adverts and some of those would lead back to the software's site and either ask for information [ For premium service or to activate a rogue program ] or redirect them to other dangerous sites such as typo-squatters.

Not everyone is experienced in Security like us and the rest of the Anti-Virus community. I found 226 viruses on my friend's 12 year old sister's laptop and she thought they were " Cool " [ Smileys, Pictures of Celebrities etc. ]

The redirects take people to goingonearth.com then it quickly takes them to another link filled with adware downloads and even rogue anti-viruses. Why else would it morph the word goingonearth?

And i understand what you mean by " It is more likely that actual malware is hosted somewhere else " but what i don't understand is how it is able to do that even when there are no P2P Software or Proxy Settings on the infected computer. No add-on or edited host file too.

I know it must sound confusing.

I remember one of the Trojans found being a Trojan.Dropper. Could that do anything with a Rootkit being installed on the system? Or would it still have the same detection ratio? Trojan.Droppers are pesky little things.

By the way er... How is Rootkit a curse word? If you don't mind me asking.

FireFoxOmicron
Posts: 88
Joined: Thu Nov 11, 2010 3:51 pm

Interesting.

Post by FireFoxOmicron » Thu Nov 18, 2010 10:01 am

Many people have claimed to have been infected after visiting this site [ Even my friend has. ]

Try using FireFox? [ You are using a Virtual PC, Right? It would be unwise to go on a Real Computer just in case infection does take place. ]

Edit:

That article has been there ever since my friend got infected... That " Smallest Parrot " One.

Either they haven't updated in months or it's just like another Adware / Malicious site trying to look safe.

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests