RESOLVED Strange script tries to run when connection is down

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

(Discussion of general merits of various virtualization and sandboxing solutions split from this point and moved to Forum: Security, here: http://forums.informaction.com/viewtopi ... =19&t=3255)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Jim Too
Senior Member
Posts: 58
Joined: Mon Mar 23, 2009 4:30 pm

Re: Strange script tries to run when connection is down

Post by Jim Too »

I would be interested in the VirusTotal results for the "infected" files.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Jim Too wrote:I would be interested in the VirusTotal results for the "infected" files.
Not sure what you mean by "VirusTotal". It's *one* Trojan, a variant of JS/Gord.A, apparently, with several files to support it, as in the analysis from Avira on the previous page. http://forums.informaction.com/viewtopi ... 534#p13534
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Jim Too wrote:I would be interested in the VirusTotal results for the "infected" files.
Tom T. wrote:Not sure what you mean by "VirusTotal". It's *one* Trojan, a variant of JS/Gord.A, apparently, with several files to support it, as in the analysis from Avira on the previous page. http://forums.informaction.com/viewtopi ... 534#p13534
VirusTotal is an online scanner; you can upload files and it will scan them with several popular AV scanners, then return the results. http://en.wikipedia.org/wiki/VirusTotal.com
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:VirusTotal is an online scanner; you can upload files and it will scan them with several popular AV scanners, then return the results. http://en.wikipedia.org/wiki/VirusTotal.com
Actually, "several" = 41, in this case. Thanks for the link.

@ Jim Too: Sorry I wasn't familiar with this, but when dealing with any but the most popular and widely-known services or websites, a link would be appreciated. ;) Here you go:

Result: 7/41 (17.08%)

Antivirus Version Last Update Result

a-squared 4.5.0.43 2009.11.28 -
AhnLab-V3 5.0.0.2 2009.11.28 -
AntiVir 7.9.1.79 2009.11.27 JS/Gord.A.1
Antiy-AVL 2.0.3.7 2009.11.27 -
Authentium 5.2.0.5 2009.11.28 -
Avast 4.8.1351.0 2009.11.28 -
AVG 8.5.0.426 2009.11.28 JS/Redir
BitDefender 7.2 2009.11.28 Trojan.Script.235944
CAT-QuickHeal 10.00 2009.11.28 -
ClamAV 0.94.1 2009.11.28 -
Comodo 3070 2009.11.28 -
DrWeb 5.0.0.12182 2009.11.28 -
eSafe 7.0.17.0 2009.11.26 -
eTrust-Vet 35.1.7146 2009.11.27 -
F-Prot 4.5.1.85 2009.11.28 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.28 -
GData 19 2009.11.28 Trojan.Script.235944
Ikarus T3.1.1.74.0 2009.11.28 Trojan.JS.Gord
Jiangmin 11.0.800 2009.11.28 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.11.28 -
McAfee 5816 2009.11.28 -
McAfee+Artemis 5816 2009.11.28 -
McAfee-GW-Edition 6.8.5 2009.11.28 Script.Gord.A.1
Microsoft 1.5302 2009.11.28 Trojan:JS/Gord.A
NOD32 4645 2009.11.28 -
Norman 6.03.02 2009.11.27 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.11.28 -
PCTools 7.0.3.5 2009.11.28 -
Prevx 3.0 2009.11.28 -
Rising 22.23.05.04 2009.11.28 -
Sophos 4.48.0 2009.11.28 -
Sunbelt 3.2.1858.2 2009.11.28 -
Symantec 1.4.4.12 2009.11.28 -
TheHacker 6.5.0.2.081 2009.11.28 -
TrendMicro 9.100.0.1001 2009.11.28 -
VBA32 3.12.12.0 2009.11.28 -
ViRobot 2009.11.28.2060 2009.11.28 -
VirusBuster 5.0.21.0 2009.11.28 -

Of the 7 out of 41 that found it, please note that some may have known of this only through this thread. I know this to be the case with Avira, referred to here by its other trade name, AntiVir. They added it to the database about a week after I sent them the sample. Unknown about the others.

Even though MS Security Essentials was the first one we know of to detect it, the thread was already two or three weeks old before that was tried.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
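The VirusTotal report above is plain text, one engine per line, and the numbers that matter (the 7/41 ratio, which engines agree on the family name, which engines were scanning with stale signatures on the day) are easy to pull out with a small parser. The following is an added example written for this thread, not code from the forum, from NoScript or from VirusTotal; it embeds the 41 lines posted above as constructed sample input and assumes the space-separated "engine version last-update result" line format they show.

```python
"""Parse a VirusTotal-style text report and summarise the detections.

Added example, not from the thread or from VirusTotal. The report text is
the 41-engine result posted in the thread, reused here as sample input; the
line format (engine, version, last update, result, separated by spaces) is
an assumption drawn from those lines.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.28 -
AhnLab-V3 5.0.0.2 2009.11.28 -
AntiVir 7.9.1.79 2009.11.27 JS/Gord.A.1
Antiy-AVL 2.0.3.7 2009.11.27 -
Authentium 5.2.0.5 2009.11.28 -
Avast 4.8.1351.0 2009.11.28 -
AVG 8.5.0.426 2009.11.28 JS/Redir
BitDefender 7.2 2009.11.28 Trojan.Script.235944
CAT-QuickHeal 10.00 2009.11.28 -
ClamAV 0.94.1 2009.11.28 -
Comodo 3070 2009.11.28 -
DrWeb 5.0.0.12182 2009.11.28 -
eSafe 7.0.17.0 2009.11.26 -
eTrust-Vet 35.1.7146 2009.11.27 -
F-Prot 4.5.1.85 2009.11.28 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.28 -
GData 19 2009.11.28 Trojan.Script.235944
Ikarus T3.1.1.74.0 2009.11.28 Trojan.JS.Gord
Jiangmin 11.0.800 2009.11.28 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.11.28 -
McAfee 5816 2009.11.28 -
McAfee+Artemis 5816 2009.11.28 -
McAfee-GW-Edition 6.8.5 2009.11.28 Script.Gord.A.1
Microsoft 1.5302 2009.11.28 Trojan:JS/Gord.A
NOD32 4645 2009.11.28 -
Norman 6.03.02 2009.11.27 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.11.28 -
PCTools 7.0.3.5 2009.11.28 -
Prevx 3.0 2009.11.28 -
Rising 22.23.05.04 2009.11.28 -
Sophos 4.48.0 2009.11.28 -
Sunbelt 3.2.1858.2 2009.11.28 -
Symantec 1.4.4.12 2009.11.28 -
TheHacker 6.5.0.2.081 2009.11.28 -
TrendMicro 9.100.0.1001 2009.11.28 -
VBA32 3.12.12.0 2009.11.28 -
ViRobot 2009.11.28.2060 2009.11.28 -
VirusBuster 5.0.21.0 2009.11.28 -
"""


@dataclass(frozen=True)
class EngineResult:
    engine: str
    version: str
    updated: str          # signature date as "YYYY.MM.DD", so it sorts as a string
    result: str | None    # None when the engine reported "-" (no detection)


def parse_report(text: str) -> list[EngineResult]:
    """Turn the report lines into records; the header and blank lines are skipped."""
    rows: list[EngineResult] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # header has five words, blank lines have none
            continue
        engine, version, updated, result = parts
        rows.append(EngineResult(engine, version, updated, None if result == "-" else result))
    return rows


def detection_ratio(rows: list[EngineResult]) -> tuple[int, int]:
    """(engines that flagged the sample, engines that scanned it)."""
    return sum(1 for r in rows if r.result), len(rows)


def engines_naming(rows: list[EngineResult], keyword: str) -> list[str]:
    """Engines whose detection name contains the family keyword (case-insensitive)."""
    return [r.engine for r in rows if r.result and keyword.lower() in r.result.lower()]


def stale_engines(rows: list[EngineResult], as_of: str) -> list[str]:
    """Engines scanning with signatures older than the report date.

    A miss from one of these says less than a miss from a fully updated engine,
    which matters when a sample is only days old.
    """
    return [r.engine for r in rows if r.updated < as_of]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    hits, total = detection_ratio(rows)
    print(f"detections: {hits}/{total} ({100 * hits / total:.2f}%)")
    print("name the Gord family:", engines_naming(rows, "gord"))
    print("stale signatures:", stale_engines(rows, "2009.11.28"))
```

Two things this shows that the raw table does not: only four of the seven detecting engines agree that the sample is the Gord family (the other three use a generic "Redir" or numeric script-trojan name), and seven of the 34 misses came from engines whose signatures were one to four days behind the report date, so "34 engines missed it" overstates how many up-to-date engines actually looked.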
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Well, it's now Wednesday. Nothing back from Google or Yahoo... :cry:
Tom, you want to take a shot at getting their attention? If that doesn't work, it's time to get public...
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
therube
Ambassador
Posts: 7930
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Strange script tries to run when connection is down

Post by therube »

What's the deal with Google or Yahoo... ?

(therube thinks you guys know more than I do on this)

[Exploits that occur when referrer=Google... are well known]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091017 SeaMonkey/2.0
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

therube wrote:What's the deal with Google or Yahoo... ?

(therube thinks you guys know more than I do on this)

[Exploits that occur when referrer=Google... are well known]
Tom T. wrote:Write to their security or abuse departments, politely, explaining what happened, perhaps pointing to this thread, and offer to send the zip (but don't include it, of course, until/unless asked to). Ask whether they can *help* in any way, with any information as to what might be the source of this. (not saying that they were the source, only that their site and their users were affected).
<snip>
If they are totally uncooperative, I'll try, although I like the idea of the first try coming from an Ordinary User (not hardly, in your case, but you know what I mean -- someone with no connections to anything), rather than from someone who might be seen as trying to "use" them to tout NoScript (valid though that be).
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

therube wrote:What's the deal with Google or Yahoo... ?

(therube thinks you guys know more than I do on this)
Yes, some of the dissection of the malcode was done within PMs at the request of OP, in case there was any privacy-sensitive information inside the suspicious files. I know that you made a couple of suggestions at various times in this topic, and they were greatly appreciated. It was OP's choice as to whom to PM, probably based on those who were *continually* active in the thread, but I can't speak for OP.
therube wrote: [Exploits that occur when referrer=Google... are well known]
The referrer was not Google. If the *target URL* matched Google, Yahoo, Ask, Bing, or AOL Search, the malware redirected the user to the Korean site, innoshot. NS detected this malicious JS-based redirection and prevented it from executing. OP saw an unknown script, innoshot.com/org/variants thereof, attempting to run, *even without an Internet connection available*. In other words, unplug modem or unplug machine from modem. Open browser. Attempt to go to any of the above, whether by hand-typing or by bookmark. The malicious script shows up in NS blocklist, indicating that the malcode was inside the local machine.

If you made it to Google safely, nothing bad happened, no matter where you clicked or to where you were referred (assuming a legit site is the next click).

All of this was in the admittedly-long thread - 150+ posts --, including your previous questions about it running with no Net connection and about Google being the desired URL, not the referrer. I understand your busy schedule and that you don't always have time to read a thread this long -- *none* of us has time to read every thread on here -- but a few of us were so intrigued that we stuck with it, perhaps at the expense of other things. So please don't infer any offense from not having been chosen by OP to be in on the PM loop. ;) 8-)

We were hoping that since Google lost some users *and* some trust from those who are foolish enough not to run NoScript, that they might be willing to search their logs for any evidence of unusual activity that might indicate from where the infection *originated* -- was there an injection vuln in Google, or is there some tracing they could do to help find the source? It's a long shot, but why not?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
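Tom T.'s reasoning above is the key forensic step in the thread: a script that NoScript blocks while the modem is unplugged cannot be coming from the network, so it must be stored on the local machine. The natural follow-up is a local scan for files that carry the two things the thread reports the redirector needs together, a list of search-engine target hosts and the innoshot destination. The scanner below is an added example written for this thread, not code from the forum, from NoScript or from any AV vendor; the host and destination marker lists are assumptions drawn from the names the thread gives, the two-marker rule is my own design choice, and the files it scans are constructed samples written to a temporary directory.

```python
"""Scan a directory tree for script files carrying the redirector's markers.

Added example, not from the thread or from NoScript. Reasoning from the thread:
a script NoScript blocks while the machine is offline must be resident locally,
so a local file scan is the next step. Marker lists are assumptions based on the
hosts the thread names as targets and the destination it names; sample files are
constructed, not real malware.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path

# Hosts the thread reports the malware matched the *target* URL against (assumed spelling)
SEARCH_HOSTS = ("google.com", "yahoo.com", "ask.com", "bing.com", "aol.com")
# Destination the thread reports the redirect went to (innoshot.com / .org variants)
DEST_MARKERS = ("innoshot.",)
# Only text-like, modestly sized files are read; binaries are skipped by suffix and size
SCAN_SUFFIXES = {".js", ".htm", ".html", ".txt", ".json"}
MAX_BYTES = 2 * 1024 * 1024


@dataclass(frozen=True)
class Finding:
    path: str                       # path relative to the scan root, POSIX style
    search_hosts: tuple[str, ...]   # target-host markers seen in the file
    dest_markers: tuple[str, ...]   # destination markers seen in the file


def score_text(text: str) -> tuple[tuple[str, ...], tuple[str, ...]]:
    """Return (search hosts found, destination markers found), case-insensitive."""
    low = text.lower()
    hosts = tuple(h for h in SEARCH_HOSTS if h in low)
    dests = tuple(d for d in DEST_MARKERS if d in low)
    return hosts, dests


def is_suspicious(hosts: tuple[str, ...], dests: tuple[str, ...], min_hosts: int = 2) -> bool:
    """Flag only when the destination AND several target hosts occur together.

    A bookmark file that merely links to google.com, or notes that mention two
    search engines, must not be flagged; the combination is the signal.
    """
    return bool(dests) and len(hosts) >= min_hosts


def scan_tree(root: Path | str, min_hosts: int = 2) -> list[Finding]:
    """Walk the tree and return findings in sorted path order."""
    root = Path(root)
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_bytes().decode("utf-8", errors="ignore")
        hosts, dests = score_text(text)
        if is_suspicious(hosts, dests, min_hosts):
            findings.append(Finding(path.relative_to(root).as_posix(), hosts, dests))
    return findings


def build_demo_tree() -> Path:
    """Write constructed sample files to a temp dir: benign ones plus one that should flag."""
    root = Path(tempfile.mkdtemp(prefix="redir_scan_"))
    (root / "bookmarks.html").write_text('<a href="http://www.google.com/">Google</a>\n')
    (root / "notes.txt").write_text("searched yahoo.com and bing.com for NoScript docs\n")
    cache = root / "cache"
    cache.mkdir()
    (cache / "redirector.js").write_text(
        "// constructed sample for the scanner demo, not the real malware\n"
        'var hosts = "google.com yahoo.com bing.com ask.com search.aol.com";\n'
        'var where = "innoshot.com";\n'
    )
    # Same strings inside a binary-suffixed file: skipped, because suffix filtering
    # is deliberately conservative (widen SCAN_SUFFIXES if the case calls for it).
    (cache / "image.png").write_bytes(b"\x89PNG innoshot.com google.com yahoo.com")
    return root


def run_demo() -> list[str]:
    """Build the sample tree, scan it, and return the flagged relative paths."""
    return [f.path for f in scan_tree(build_demo_tree())]


if __name__ == "__main__":
    for finding in scan_tree(build_demo_tree()):
        print(finding)
```

Point it at a browser profile directory or a cache folder to use it for real. The two-marker rule is the important design choice: a file that mentions one search engine is everywhere, and the innoshot string alone could sit in a saved copy of this very thread, so neither on its own is worth reporting; a file that carries the destination and several of the target hosts together matches the behaviour the thread describes. Substring matching on hostnames is crude (it would also match a longer name ending in the same string), which is why it is a triage filter rather than a verdict: anything it flags still needs to be looked at by hand.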
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:Well, it's now Wednesday. Nothing back from Google or Yahoo... :cry:
Tom, you want to take a shot at getting their attention? If that doesn't work, it's time to get public...
I sent an email to Google Security, including full details, my position here and means to verify it, and a link to this thread, about twenty minutes ago. I received an auto-acknowledgment of receipt. I'll let everyone know if/when I receive a response from the Security team.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

It's been a week, and no response from Google Security Team. They make it very plain that they will respond *only to vulnerabilities in Google products and services*, so if they don't think the infection *came* from them, they wouldn't respond. It probably didn't, and I don't see any other way to trace the source.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

They have almost NEVER responded to any email. They are very good at sequestering themselves and not having contact with people. It's the most ridiculous thing I have ever seen.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

IMHO, it's time to go public with this.
Google's been given plenty of time, Yahoo's been given plenty of time, and both have essentially pooh-poohed us. Openness is fairly important in security, IMHO (anyone remember the Apache servers getting hacked? They were transparently honest about how they got hacked, and the public response was very supportive & forgiving), and Google & Yahoo haven't shown that openness.
At the very least, we need to put out a warning about the new Goored variant; putting a little pressure on the "big boys" to be more transparent might be a good thing too.

Just MHO...
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

I wish that would matter. Unfortunately, until they get sued or a class action brings them into the open and FORCES them to do it, they are pretty much able to do whatever they want, as have many before them, and not worry too much about the public. For every 1 person that sees their true colors, there are a hundred new noobs that will go for it hook, line and sinker. It's unfortunate, sad and a slippery slope we the people have frankly provided them on a silver platter. As long as they pay their millions into the system, the system will be happy to let them do whatever the hell they want. Just consider AOL, need I say more?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

@ computerfreaker: How, exactly? I sent it to my AV (Avira), and they added it to their detection list. VirusTotal.com *still* shows only 7/41 detections, the same as before. So none of their other 34 AV engines have updated, apparently. :o :cry:

What did you have in mind?

I might think about https://forms.us-cert.gov/report/, using this forum as the reporter. They could decide whether and how to publicize it. Comments or suggestions, anyone?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5