RESOLVED Strange script tries to run when connection is down

GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

That's a good way to approach it, considering. Avira has been hitting a false positive on Trillian for nearly a month now, and although the users and developers have reported the false positive and were assured it was implemented and corrected, the latest version of the db still flags it as a trojan, which is ludicrous, but they do it nonetheless. AV solutions have become so passive it's ridiculous.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

GµårÐïåñ wrote:<snip> AV solutions have become so passive it's ridiculous.
http://www.schneier.com/blog/archives/2 ... us_de.html "Is Antivirus Dead?"

Interesting Bruce Schneier essay and links, questioning whether AV serves any useful purpose any more. Perhaps a topic for a new thread, if there is user interest and comments.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

Definitely Tom, I believe that if you open a thread in the Security section and share the summary of the articles and use the links to give us your impressions, I am sure many will find it very useful. I am sure you can enlist the assistance of luntrus for this as well.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

GµårÐïåñ wrote:I wish that would matter. Unfortunately until they get sued or a class action brings them into the open and FORCES them to do it, they are pretty much able to do whatever they want, as have many before them, and not worry too much about the public. For every 1 person that sees their true colors, there are a hundred new noobs that will go for it hook, line and sinker. It's unfortunate, sad and a slippery slope we the people have frankly provided them on a silver platter. As long as they pay their millions into the system, the system will be happy to let them do whatever the hell they want. Just consider AOL, need I say more?
Too bad. (What do you mean about AOL, though? I'm not sure... :S)
Well, a little publicity might help... sure can't hurt anything, IMHO.
Tom T. wrote:@ computerfreaker: How, exactly? I sent it to my AV (Avira), and they added it to their detection list. VirusTotal.com *still* shows only 7/41 detections, the same as before. So none of their other 34 AV engines have updated, apparently. :o :cry:

What did you have in mind?
Mr. Maone, would you be willing to do a blog post about this? IIUC, your blog is widely-read... since you're a well-known security expert, the message would take on a whole new level of importance. (And hopefully Google and/or Yahoo and/or the AV companies will respond, as I've heard banks responded to NoScript's Force HTTPS by implementing SSL on their login pages)
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

I've made a full report and sent the malcode folder to SANS at http://isc.sans.org/. They seemed to welcome such reports, and are well-respected in the security community. Will advise upon response.

@ computerfreaker: Since the infection did not seem too widespread, it probably does not meet the significance bar for Mr. Maone's blog. Also, SANS probably reaches a wider audience of IT and security professionals, since Hackademix is read *mostly* by NS users, which are a small fraction of Fx users. Probably relatively few users of IE, Safari, etc. read it. The SANS organization covers all platforms. Let us see what is their response.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Re: Bruce Schneier article on AV, which seems to have failed us in the main topic of this thread:
GµårÐïåñ wrote:Definitely Tom, I believe that if you open a thread in the Security section and share the summary of the articles and use the links to give us your impressions, I am sure many will find it very useful. I am sure you can enlist the assistance of luntrus for this as well.
Done. http://forums.informaction.com/viewtopi ... =19&t=3347
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

I received a *very* prompt and courteous reply from a malware investigator at SANS. He did a preliminary investigation, promising a more thorough one with time.

He said that overlay.xul malware is well-known, and that this appears to be another variant of the same family. One such variant, from February 2009, was delivered via a vulnerability in Java.

I block all Java by default, and just about the only place I TA it is at Hushmail.com. They are in the business of providing secure services themselves, and serve *everything* over https, even the home page, so a remote code-injection of Hushmail seemed less likely to me. Regardless of the source of a Java exploit, it would not be possible unless the Java vuln somehow gained access outside the Sandbox, because I did *not* have any Java running during the short period in which I was able to reproduce the issue.

I gave them what additional information we had, including the specific factor of my use of Sandboxie, and I look forward to their more detailed investigation.

I told him that the infection did not appear to be widespread and probably the site has been taken down already, but if he could help us in disseminating this information to the AV providers and to the IT community in general, it would be a big help in our common goal of fighting malware.

I look forward to the further response from SANS. Based on my experience with them so far, I would use them again as a portal for malware investigation and dissemination of information.

It's unfortunate that after I told Avira about it, they included it in their own database, but did not disseminate the information. I suppose that each AV company competes to have the "highest detection rate", and so malware information is "proprietary" and not placed in a common database for all AV companies to access. Given the need to sell one's product to stay in business, I don't expect that to happen, and don't know how to make it happen. But it would be a win-win for users, with the companies instead bragging about how many new viruses they had contributed to the common db.

More as I receive more.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Tom T. wrote:I've made a full report and sent the malcode folder to SANS at http://isc.sans.org/. They seemed to welcome such reports, and are well-respected in the security community. Will advise upon response.

@ computerfreaker: Since the infection did not seem too widespread, it probably does not meet the significance bar for Mr. Maone's blog. Also, SANS probably reaches a wider audience of IT and security professionals, since Hackademix is read *mostly* by NS users, which are a small fraction of Fx users. Probably relatively few users of IE, Safari, etc. read it. The SANS organization covers all platforms. Let us see what is their response.
I see what you're saying about Mr. Maone doing a blog posting about this... hopefully SANS will get the info spread quickly & widely.

l8r! :)
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Jim Too
Senior Member
Posts: 58
Joined: Mon Mar 23, 2009 4:30 pm

Re: Strange script tries to run when connection is down

Post by Jim Too »

As to low virus engine detection rates, I don't know what the path is for other virus vendors to gain access to the offending code so that they can add detection. VirusTotal is (at least last week it was) using an outdated AV engine, for which updates are no longer supplied, for the AV software that I use, which does make it difficult to judge coverage.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20091213 Minefield/3.7a1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Jim Too wrote:As to low virus engine detection rates, I don't know what the path is for other virus vendors to gain access to the offending code so that they can add detection. VirusTotal is (at least last week it was) using an outdated AV engine, for which updates are no longer supplied, for the AV software that I use, which does make it difficult to judge coverage.
Thanks for that information, Jim Too. We'll keep that in mind.

FWIW, VT merely confirmed what we knew -- that several different users, with different AV providers, did not get a detection on this. So the AV companies are lagging behind. I'm hoping the report to SANS, as above, will result in more widespread dissemination.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Jim Too
Senior Member
Posts: 58
Joined: Mon Mar 23, 2009 4:30 pm

Re: Strange script tries to run when connection is down

Post by Jim Too »

The support people for the AV I use are active in the support forum where false positives and missing detections are reported. They do need a source so that they can analyze and adjust detection appropriately. Is there a reference I can give which will allow them to gain access to the files?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20091214 Minefield/3.7a1pre
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

The inconsistency in the malware has been well documented here. It did not happen to all and those that were able to reproduce it seemed temporary. However, some detections were done with persistence and continued research. Unfortunately I don't think there is any substantial source that can be reported or shared as we still don't know for sure how and where it occurred and how to get to it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar »

I have just found someone else that has the same version of this malware that I had. I helped him remove it.

They said that a weird thing happened while they were browsing in FF. For no apparent reason the Add-ons window popped up as if a new add-on had been installed, but the list was empty (he doesn't have any add-ons installed, I have since had him install no-script :D).

He thought he must have accidentally hit a key combination that caused the add-on window to open so he just closed it and moved on. Unfortunately, he doesn't remember what web site he was on when the add-on was "invisibly" installed.

I don't remember my add-on window appearing on its own at any time, but I guess anything is possible.

TOM... any chance that something like this happened to you?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Montagar wrote:I have just found someone else that has the same version of this malware that I had. I helped him remove it.

They said that a weird thing happened while they were browsing in FF. For no apparent reason the Add-ons window popped up as if a new add-on had been installed, but the list was empty (he doesn't have any add-ons installed, I have since had him install no-script :D).
Typical Goored infection, per the other links I posted earlier...
Montagar wrote:He thought he must have accidentally hit a key combination that caused the add-on window to open so he just closed it and moved on.
I just checked - there is no key combo that opens the addons window. idk if you told him that or not, but you might want to...
Montagar wrote:Unfortunately, he doesn't remember what web site he was on when the add-on was "invisibly" installed.
Too bad... :(
Does he remember if he restarted Firefox before the addons window showed up? I'm still wondering if this is a "real" addon that requires a restart to apply or if it's a "live" thing that doesn't require a restart to activate.
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Montagar wrote:I have just found someone else that has the same version of this malware that I had. I helped him remove it.

They said that a weird thing happened while they were browsing in FF. For no apparent reason the Add-ons window popped up as if a new add-on had been installed, but the list was empty (he doesn't have any add-ons installed, ...

I don't remember my add-on window appearing on its own at any time, but I guess anything is possible.

TOM... any chance that something like this happened to you?
I don't remember any add-on window opening either, and in fact, being ultra-cautious (read, "paranoid" ;) ), I don't allow ANY sites to install sw by default, not even AMO. When there is an update, I *temp* allow AMO for that d/l only. So surely, I would have noticed such a thing.

It would be expected that his list would stay empty, since this installs with the <hidden> tag (soon to be deprecated) and *outside* the Fx profile folder, in \username\local settings\application data, IIRC.
computerfreaker wrote:Does he remember if he restarted Firefox before the addons window showed up? I'm still wondering if this is a "real" addon that requires a restart to apply or if it's a "live" thing that doesn't require a restart to activate.
Keep in mind that since I browse with Sandboxie, any restart would empty the sandbox. So it must be a live thing. I couldn't reproduce it next day, as you'll recall, because it snuck in "live", but only inside the sandbox, and so was gone the next time the browser was started.

For genuine updates of add-ons, including NS, I'll open a naked, admin-privileged browser for the sole purpose of getting the update, then restart to install, then close that browser and re-open in Sandboxie, which now clones the updated browser. The only two suspects would be AMO and noscript.net (for latest development build), and I'm not too worried about the latter. ;)

*Or* I'll d/l the xpi into the sandbox, then move or copy it from the sandbox to the "real" desktop. This allows the Internet connection to be terminated while I open the admin-browser, drag the xpi into it, restart, shut down. Then, as before, open the sandboxed browser and re-establish the Net connection. This would be the über-paranoid way, if I'm not willing to trust my life to whatever site is hosting it. Sorry, but I think this indicates more of a genuine infection than an actual add-on. It just mimics an add-on in the folder and file structure, that's all.
Jim Too wrote:The support people for the AV I use are active in the support forum where false positives and missing detections are reported. They do need a source so that they can analyze and adjust detection appropriately. Is there a reference I can give which will allow them to gain access to the files?
PM me with an email address (disposable, if you like -- no offense taken) and I'll mail you the .zip file with the source files in it, so that you can send it to your AV provider. The more, the better.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
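The traits Tom T. describes above (an install.rdf that sets the hidden flag so the add-on never shows in the Add-ons window, an install directory outside the Firefox profile, and a chrome.manifest that overlays browser.xul, the mechanism the overlay.xul family relies on) can be checked mechanically against any extension folder found on a suspect machine. The following Python is an added example, not code from this thread, from NoScript or from the malware under discussion. It uses the real Gecko manifest formats of that era (the RDF and em-rdf namespaces, and the whitespace-separated chrome.manifest lines), but the sample manifests, extension IDs, names and directory paths are constructed placeholders, and the legitimate user-level and system-level extension locations are deliberately not enumerated, so "outside the profile" is a triage signal rather than a verdict.

```python
"""Audit Gecko 1.9-era Firefox extension manifests for the three signals
discussed in the thread: <em:hidden>true</em:hidden> in install.rdf, an
install directory outside the profile's extensions folder, and overlays
applied to the main browser window.  Added example; sample data below is
constructed, not taken from the malware described in the thread."""

import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Real namespace URIs used by install.rdf (ElementTree's {uri}tag notation).
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"


def parse_install_rdf(text):
    """Return (id, name, hidden) from install.rdf.  em:id, em:name and
    em:hidden may be child elements or attributes of RDF:Description;
    both spellings were valid, so both are accepted."""
    root = ET.fromstring(text)
    desc = root.find(f"{RDF}Description")
    if desc is None:
        raise ValueError("install.rdf has no RDF:Description")

    def field(name):
        el = desc.find(f"{EM}{name}")
        if el is not None and el.text:
            return el.text.strip()
        return desc.get(f"{EM}{name}", "").strip()

    return field("id"), field("name"), field("hidden").lower() == "true"


def overlay_targets(chrome_manifest):
    """Return (target, source) pairs for every 'overlay' line in a
    chrome.manifest; blank lines, comments and other directives are skipped."""
    pairs = []
    for line in chrome_manifest.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "overlay":
            pairs.append((parts[1], parts[2]))
    return pairs


def audit_extension(install_dir, profile_dir, install_rdf, chrome_manifest=""):
    """Summarise the signals for one extension directory.  Overlaying
    browser.xul is normal for legitimate add-ons too, so it is reported,
    not judged; hidden + outside-profile is the combination worth chasing."""
    ext_id, name, hidden = parse_install_rdf(install_rdf)
    inst = PureWindowsPath(install_dir)
    ext_root = PureWindowsPath(profile_dir) / "extensions"
    return {
        "id": ext_id,
        "name": name,
        "hidden": hidden,
        "outside_profile": ext_root not in inst.parents,
        "browser_overlays": [src for tgt, src in overlay_targets(chrome_manifest)
                             if tgt.endswith("/browser.xul")],
    }


# --- Constructed sample data (placeholder IDs, names and paths) -------------
PROFILE = (r"C:\Documents and Settings\user\Application Data\Mozilla\Firefox"
           r"\Profiles\abcd1234.default")
SUSPECT_DIR = (r"C:\Documents and Settings\user\Local Settings\Application Data"
               r"\{00000000-0000-0000-0000-000000000000}")
LEGIT_DIR = PROFILE + r"\extensions\{11111111-1111-1111-1111-111111111111}"

HIDDEN_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{00000000-0000-0000-0000-000000000000}</em:id>
    <em:name>example-hidden</em:name>
    <em:version>1.0</em:version>
    <em:hidden>true</em:hidden>
  </Description>
</RDF>
"""
HIDDEN_MANIFEST = """content example chrome/content/
overlay chrome://browser/content/browser.xul chrome://example/content/overlay.xul
"""

NORMAL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{11111111-1111-1111-1111-111111111111}</em:id>
    <em:name>example-toolbar</em:name>
    <em:version>2.0</em:version>
  </Description>
</RDF>
"""
NORMAL_MANIFEST = """content example2 chrome/content/
locale example2 en-US chrome/locale/en-US/
overlay chrome://browser/content/browser.xul chrome://example2/content/toolbar.xul
"""

# Attribute form of the same metadata, which parse_install_rdf also accepts.
ATTR_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="{22222222-2222-2222-2222-222222222222}"
               em:name="attr-form" em:hidden="true"/>
</RDF>
"""

if __name__ == "__main__":
    for d, rdf, man in ((SUSPECT_DIR, HIDDEN_RDF, HIDDEN_MANIFEST),
                        (LEGIT_DIR, NORMAL_RDF, NORMAL_MANIFEST)):
        print(audit_extension(d, PROFILE, rdf, man))
```

On a real machine the same functions would be fed the install.rdf and chrome.manifest read from each candidate directory; the point of keeping the path check relative to the profile is that a hidden extension planted under Local Settings\Application Data, as Tom T. recalls, fails it while a normally installed add-on passes.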