...and it's presently on the front page of the Diary page, with a very fine write-up - and a great plug for NS!SANS wrote: I just put the diary live on isc.sans.org ... I'm basically asking if anyone else has seen this. Let's see what we get. And yes, this
should help to "get the word out", too.
Thanks for letting us know!
By all means, visit the link in the above quote, but I'll reproduce it here (O/T portions ommited), since it's licensed under Creative Commons Attribution-Noncommercial 3.0 United States License:
This should help get the word out, as well as bring in reports of other occurrences or variants. Much thanks to SANS for a prompt and thorough investigation, and for helping to bring this to the attention of the security community!isc.sans.org wrote: Today´s Diary
If you have more information or corrections regarding our diary, click here to contact us.
overlay.xul is back
Published: 2009-12-17,
Last Updated: 2009-12-17 00:58:50 UTC
by Daniel Wesemann (Version: 1)
It's been a while. If I remember correctly, a variant of Vundo was using the "overlay.xul" mechanism to hi-jack searches in the Firefox browser almost a year ago. Now, ISC reader Tom contacted us with a mystery that took him and his colleagues several days to unravel. The symptoms: You try to search with Google/Yahoo/Ask/Bing, but NoScript (a great add-on!!) warns you that the browser is actually trying to run a JavaScript from innoshots-dot-org. Having checked all the usual culprits, and run all the Anti-Virus tools you have, you find: Nothing. And the browser still redirects.
overlay.xul is a Firefox mechanism to allow applications to add elements to the browser GUI, and is used for good effect by several tools. We don't know which infection vector was used in Tom's case to deposit the malicious overlay file on the machine. All we have is the file, and the knowledge that it apparently either resides in
Documents and Settings/user/Local Settings/Application Data/randomstring/chrome/content -- or --
Program Files/Mozilla Firefox/extensions/randomstring/chrome/content
and is accompanied by a suspicious Javascript file called _cfg.js.
overlay.xul contains heavily obfuscated JavaScript, and has nice copyright headers to make it look like a valid Firefox add-on, but the "smoking gun" is still visible in the lower portion of the file:
Yup. Some sort of matching for "google", "ask", "yahoo", "aol" and "bing" is going on here. This particular sample of "overlay.xul" is almost a month old, and yet there are still some very prominent Anti-Virus products that do not see anything wrong with it: VirusTotal
Did anyone else notice a recent resurgence of "overlay.xul" and its search engine redirection malware? If you have a sample, or know anything about the mechanism this latest version uses to get onto the system, please let us know.
Note: overlay.xul also has good uses, so don't go for a frantic deletion rampage now. But take a careful and suspicious look at the files you find!
*However*... IMHO:
I'm into NS, but not deeply into the inner workings of Fx itself. Is there no safer way to add these elements to the browser GUI? Isn't css enough (and has a few vulns itself?) Not rhetorical questions; I'm seriously asking: What functions does overlay.xul provide that can't be provided elsewise, in a safer manner, since clearly it is vulnerable to being used by malware? Especially since SANS has confirmed the same smoking gun that we found?overlay.xul is a Firefox mechanism to allow applications to add elements to the browser GUI...
Note: overlay.xul also has good uses, so don't go for a frantic deletion rampage now. But take a careful and suspicious look at the files you find!
Thanks again to SANS!
EDIT: The story will slip off the front page some time, so the perma-link is http://isc.sans.org/diary.html?storyid=7765