SPYWARE BUNDLE!


Re: This might be what actually happened (RSnake blog)

by computerfreaker » Tue Dec 29, 2009 10:08 am

computerfreaker wrote: EDIT: by a peculiar coincidence, I ran into Gizmo's Freeware Product of the Year 2009: Users' Choice shortly after posting; Avira AntiVir Free made the #2 product of 2009.
Tom T. wrote: Then why didn't Avira detect the overlay.xul malware described in this lengthy thread? :evil:

(Yes, I realize none of them detect 100%, and none ever will. Just strange coincidence that your edit reflected Avira, which I've been using for a good while, and which didn't find the JS/Gord.A variant that we found there. Overall, I do like the program. Just mentioning ... ;) )
I don't know why Avira didn't pick up that Goored variant... it does seem to be a pretty potent AV, though, or people wouldn't have voted for it.
Kind of ironic that it's had a lot of false positives recently, though, while Goored walks right by... :roll:

Anyway, stavstav, you might get results with it (as well as some of the other apps I listed). Good luck!

Re: This might be what actually happened (RSnake blog)

by Tom T. » Tue Dec 29, 2009 9:03 am

computerfreaker wrote: EDIT: by a peculiar coincidence, I ran into Gizmo's Freeware Product of the Year 2009: Users' Choice shortly after posting; Avira AntiVir Free made the #2 product of 2009.
Then why didn't Avira detect the overlay.xul malware described in this lengthy thread? :evil:

(Yes, I realize none of them detect 100%, and none ever will. Just strange coincidence that your edit reflected Avira, which I've been using for a good while, and which didn't find the JS/Gord.A variant that we found there. Overall, I do like the program. Just mentioning ... ;) )

Re: This might be what actually happened (RSnake blog)

by computerfreaker » Tue Dec 29, 2009 8:03 am

Tom T. wrote: http://ha.ckers.org/blog/20091228/popup ... hijacking/
Popup & Focus URL Hijacking
December 28th, 2009

<snip> a small snippet of JavaScript that could cause a page to be replaced by another page in such a way that if you looked at the URL bar, it didn’t matter because after you looked at it - a few seconds later - it would be replaced by the evil site. <snip>

Let’s pretend I wanted an unsuspecting user to download my malicious Firefox add-on. I might create something like this demo which claims to be requesting that you download NoScript from Mozilla’s site.
Emphasis was mine, but it's interesting that RSnake (Robert Hansen) chose NoScript as the "cover" for the malicious download. Coincidence to this thread?

NOTE: You don't need to run the demo, nor even allow scripting at Hansen's blog, to see the results. There's a "click-to-enlarge" screenshot that should be perfectly safe to view, and demonstrates exactly how the OP might have acquired the malware.

The pertinent parts of the article are just the first two (of three) paragraphs (the third is about IE) and take only a couple of minutes to read and understand.

To the OP: I strongly suggest that something like this happened in your case.

btw, RSnake often plugs NS -- this would have gone in "NoScript Sightings" if it weren't related to this thread -- and apparently considered it an attractive "bait" for the malicious exploit. Nice. :)
Both interesting and scary.

stavstav, you might want to uninstall "NoScript" and re-install it from here or addons.mozilla.org, just to be certain you have a legit NoScript copy and not some malicious imitation, or even a hacked NoScript build (that's entirely possible, btw, since all addons are open-source. It would be impossible for you to obtain a hacked NoScript if you got it from here or addons.mozilla.org, but it sounds like you may have been tricked into downloading it from somewhere else)...
Although the damage may have already been done, a comment on that blog post pointed out that a keylogger could probably be used as the payload, and the keylogger's data sent back to the malicious hacker.

Also, for your security & peace of mind, you may wish to run some antivirus tools. Here's a short list for you...
MalwareBytes Anti-Malware
Ad-Aware Free
Spybot Search and Destroy
Avast!
EDIT: by a peculiar coincidence, I ran into Gizmo's Freeware Product of the Year 2009: Users' Choice shortly after posting; Avira AntiVir Free made the #2 product of 2009. Avast is also high on the list, ranking at #6.
You can find more malware-removal tools here.

If you don't have a resident (e.g. permanently-installed) virus scanner, you may wish to get one. Here's a list of some of the best free antivirus apps.

You may also wish to look into getting more security software; here's a list of some of the best security software, sorted by category.

DISCLAIMER: I am not affiliated with any of the products or services listed in this post. Use at your own risk.
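The advice above (reinstall from the official site so you know you have a legitimate copy rather than a repacked build) amounts to an integrity check on the add-on package. The following is an added example, not code from this thread or from the NoScript project: it unpacks two XPI files (an XPI is a plain zip archive; the example assumes the legacy layout with install.rdf and chrome.manifest, and the file contents are constructed stand-ins), hashes every member, and reports what a repacked copy added or changed relative to the copy obtained from the official source.

```python
import hashlib
import io
import zipfile


def build_xpi(files: dict) -> bytes:
    """Pack {path: content} into an XPI (a plain zip archive) held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def file_sha256(data: bytes) -> str:
    """Whole-file SHA-256, the value you would compare against a scanner report."""
    return hashlib.sha256(data).hexdigest()


def xpi_manifest(xpi_bytes: bytes) -> dict:
    """Map every file inside the XPI to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_manifests(reference: dict, installed: dict) -> dict:
    """Report files present only in the installed copy, only in the reference
    copy, or in both with different contents."""
    return {
        "added": sorted(set(installed) - set(reference)),
        "missing": sorted(set(reference) - set(installed)),
        "modified": sorted(
            p for p in reference if p in installed and reference[p] != installed[p]
        ),
    }


def audit_installed_copy(reference_xpi: bytes, installed_xpi: bytes) -> dict:
    """Compare an installed XPI against the copy downloaded from the official source."""
    return compare_manifests(xpi_manifest(reference_xpi), xpi_manifest(installed_xpi))


# Constructed sample data (not real add-on contents): a stand-in for a clean
# package as downloaded from AMO, and a copy that has been repacked with an
# extra overlay registered in chrome.manifest.
REFERENCE_FILES = {
    "install.rdf": "<RDF>...clean add-on metadata...</RDF>",
    "chrome.manifest": "content example chrome/content/\n",
    "chrome/content/main.js": "// clean add-on code\n",
}
TAMPERED_FILES = dict(REFERENCE_FILES)
TAMPERED_FILES["chrome.manifest"] += (
    "overlay chrome://browser/content/browser.xul chrome://example/content/overlay.xul\n"
)
TAMPERED_FILES["chrome/content/overlay.xul"] = "<overlay>...injected content...</overlay>"


def demo() -> dict:
    """Audit the constructed tampered copy against the constructed clean copy."""
    return audit_installed_copy(build_xpi(REFERENCE_FILES), build_xpi(TAMPERED_FILES))


if __name__ == "__main__":
    clean, suspect = build_xpi(REFERENCE_FILES), build_xpi(TAMPERED_FILES)
    print("reference sha256:", file_sha256(clean))
    print("installed sha256:", file_sha256(suspect))
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the reference XPI is the one you download yourself from addons.mozilla.org, and the installed one is read from the profile's extensions directory; a non-empty "added" or "modified" list is the signal that the installed package is not what the official source ships. The whole-file hash is what you would compare against a scanner's report on the same file.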

This might be what actually happened (RSnake blog)

by Tom T. » Tue Dec 29, 2009 7:32 am

http://ha.ckers.org/blog/20091228/popup ... hijacking/
Popup & Focus URL Hijacking
December 28th, 2009

<snip> a small snippet of JavaScript that could cause a page to be replaced by another page in such a way that if you looked at the URL bar, it didn’t matter because after you looked at it - a few seconds later - it would be replaced by the evil site. <snip>

Let’s pretend I wanted an unsuspecting user to download my malicious Firefox add-on. I might create something like this demo which claims to be requesting that you download NoScript from Mozilla’s site.
Emphasis was mine, but it's interesting that RSnake (Robert Hansen) chose NoScript as the "cover" for the malicious download. Coincidence to this thread?

NOTE: You don't need to run the demo, nor even allow scripting at Hansen's blog, to see the results. There's a "click-to-enlarge" screenshot that should be perfectly safe to view, and demonstrates exactly how the OP might have acquired the malware.

The pertinent parts of the article are just the first two (of three) paragraphs (the third is about IE) and take only a couple of minutes to read and understand.

To the OP: I strongly suggest that something like this happened in your case.

btw, RSnake often plugs NS -- this would have gone in "NoScript Sightings" if it weren't related to this thread -- and apparently considered it an attractive "bait" for the malicious exploit. Nice. :)

Re: SPYWARE BUNDLE!

by stavstav » Thu Dec 24, 2009 7:36 pm

you're right it can't be cuz someone else would have posted right

anyways seriously i love noscript tho how it blocks the ads

i can't be right, sorry, i apologize

Files Infected:
d:\$AVG\$VAULT\wiupxfd.exe.fil (Rogue.SpyFighter) -> No action taken.
d:\$AVG\$VAULT\64966074.exe.fil (Rogue.SpyFighter) -> No action taken.
d:\$AVG\$VAULT\64966074a.exe.fil (Rogue.SpyFighter) -> No action taken.

Re: SPYWARE BUNDLE!

by Giorgio Maone » Thu Dec 24, 2009 5:02 pm

stavstav wrote: except the noscript plugin of course which executed a virus as well
If it came with the automatic update, it cannot contain any known virus.
Files on AMO are scanned with an antivirus, and since everybody gets the same file during an automatic update at this time there should be literally millions of affected users.

Re: SPYWARE BUNDLE!

by stavstav » Thu Dec 24, 2009 4:57 pm

i also wasn't tricked into downloading anything, except the noscript plugin of course which executed a virus as well

Re: SPYWARE BUNDLE!

by Guest » Thu Dec 24, 2009 4:53 pm

nothing happens at noscript page i went there a bunch of times.

it was not a popup it was a malware program running

Re: SPYWARE BUNDLE!

by stavstav » Thu Dec 24, 2009 4:44 pm

well i think it came down with the firefox software update maybe an old url or something. it wouldn't be able to install from the web page like that

does the noscript guy have a bunch of hacker enemies maybe

Re: SPYWARE BUNDLE!

by computerfreaker » Tue Dec 22, 2009 12:32 am

stavstav wrote: the way i could tell is it went to the noscript page after installing update, then the malware executed right after that
Sounds like an ugly coincidence to me. (Unless some moron's trying to smear NoScript...)
Try going back to the NoScript page and see if anything unusual happens. If not, the popup was a coincidence. If something unusual happens, post here.

Re: SPYWARE BUNDLE!

by therube » Mon Dec 21, 2009 9:45 pm

(Notice that ... I was probably updating my above response four or five times while you were posting ... so if you didn't reread ;-).)

Re: SPYWARE BUNDLE!

by Giorgio Maone » Mon Dec 21, 2009 9:42 pm

therube wrote: Now that could be a possibility if the NoScript site or an ad within were compromised?
But even if it were an ad, you would still expect NoScript to afford you protection, as the ad would be hosted at a different domain. And that domain would not be Allowed by default.
Notice that a malicious ad or a site compromise (both of which I can exclude, since the only embedded ads I've got are Adsense and those can't do any damage unless you click them, provided that a landing page is infected and whitelisted) wouldn't anyway install a "Free Spy Fighter Tool": that sounds like scareware, which by definition gets installed by tricking the user into voluntarily downloading it. Otherwise there would be no point in using a "legitimate" disguise.

Re: SPYWARE BUNDLE!

by therube » Mon Dec 21, 2009 9:33 pm

Now that could be a possibility if the NoScript site or an ad within were compromised?
But even if it were an ad, you would still expect NoScript to afford you protection, as the ad would be hosted at a different domain. And that domain would not be Allowed by default.

After the restart, you would (normally) also open your Home Page, & any other windows/tabs (sites) that you had opened before the update, so the possibility exists that any malware could have come from one of those pages too.

Or the malware could have gotten onto your computer by means outside of Mozilla, & was only waiting for the appropriate time to present itself, which would have been on a browser restart. Just so happened that it was a NoScript update that prompted the restart, & so just so happened that is when you saw the malware.

PS: FF 3.5.6 is out, closing a few (four I believe) security vulnerabilities. You should update. (Likewise, you want to be sure that your "plugins" (Flash, Acrobat, Java, ...) are all up to date too.)

Do you still have this "64966074.exe" file? Not that I don't doubt it is malware, but upload it to Virustotal & provide the returned link here.

Re: SPYWARE BUNDLE!

by stavstav » Mon Dec 21, 2009 7:56 pm

the way i could tell is it went to the noscript page after installing update, then the malware executed right after that

Re: SPYWARE BUNDLE!

by stavstav » Mon Dec 21, 2009 7:53 pm

i had no other progs open only firefox and the plugin updater came up, so i updated, immediately after installing plugin, then it starts trying to download more spyware with a fake "windows update" dialog

well maybe it was another plugin download it could be but i thought it was this one
