Tom T. wrote:http://ha.ckers.org/blog/20091228/popup ... hijacking/
Popup & Focus URL Hijacking
December 28th, 2009
<snip> a small snippet of JavaScript that could cause a page to be replaced by another page in such a way that if you looked at the URL bar, it didn’t matter because after you looked at it - a few seconds later - it would be replaced by the evil site. <snip>
Let’s pretend I wanted an unsuspecting user to download my malicious Firefox add-on. I might create something like this demo which claims to be requesting that you download NoScript from Mozilla’s site.
Emphasis was mine, but it's interesting that RSnake (Robert Hansen) chose NoScript as the "cover" for the malicious download. Coincidence to this thread?
NOTE: You don't need to run the demo, nor even allow scripting at Hansen's blog, to see the results. There's a "click-to-enlarge" screenshot that should be perfectly safe to view, and demonstrates exactly how the OP might have acquired the malware.
The pertinent parts of the article are just the first two (of three) paragraphs (the third is about IE) and take only a couple of minutes to read and understand.
To the OP: I strongly suggest that something like this happened in your case.
btw, RSnake often plugs NS -- this would have gone in "NoScript Sightings" if it weren't related to this thread -- and apparently considered it an attractive "bait" for the malicious exploit. Nice.
Both interesting and scary.
stavstav, you might want to uninstall "NoScript" and re-install it from here or addons.mozilla.org, just to be certain you have a legit NoScript copy and not some malicious imitation, or even a hacked NoScript build (that's entirely possible, btw, since all addons are open-source. It would be impossible for you to obtain a hacked NoScript if you got it from here or addons.mozilla.org, but it sounds like you may have been tricked into downloading it from somewhere else)...
Although the damage may have already been done, a comment on that blog post pointed out that a keylogger could probably be used as the payload, and the keylogger's data sent back to the malicious hacker.
Also, for your security & peace of mind, you may wish to run some antivirus tools. Here's a short list for you...
MalwareBytes Anti-Malware
Ad-Aware Free
Spybot Search and Destroy
Avast!
EDIT: by a peculiar coincidence, I ran into
Gizmo's Freeware Product of the Year 2009: Users' Choice shortly after posting;
Avira AntiVir Free made the #2 product of 2009. Avast is also high on the list, ranking at #6.
You can find more malware-removal tools
here.
If you don't have a resident (e.g. permanently-installed) virus scanner, you may wish to get one.
Here's a list of some of the best free antivirus apps.
You may also wish to look into getting more security software;
here's a list of some of the best security software, sorted by category.
DISCLAIMER: I am not affiliated with any of the products or services listed in this post. Use at your own risk.
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6