Does Noscript call sd.symcd.com (Symantec)? How2stoptheleak?

General discussion about the NoScript extension for Firefox
IAFSSS
Posts: 6
Joined: Mon Jul 14, 2014 10:17 am

Does Noscript call sd.symcd.com (Symantec)? How2stoptheleak?

Post by IAFSSS »

Hi!
I have found that sometimes my Firefox 30 (on Win 7) makes a call to the site http://sd.symcd.com. This is a Symantec site.
I wonder if NoScript is responsible for this.
If yes, how to stop this leak?
If no: Do you have any idea how I could find out if the browser is doing this or one of the addons? (I don't expect a malware to call a symantec site, so I'm pretty sure it's either the addons or the browser.)

I'm not happy, if it's an undocumented feature of any addon.

Greetings ISS

The active addons I have currently running:
Adblock Plus 2.6.3
Classic Theme Restorer (Customize Australis) 1.1.8
Classic Toolbar Buttons 1.4.0
Custom Buttons 0.0.5.8
FlashGot 1.5.6 (by the way, this should have an option to download only 1 or 2 files simultaneously when given a long list to download. I got many only partly downloaded files when using a long list of files between 100kB and 2 MB. 16Mbit/sec connection here)
Go Parent Folder 2.9.1
Launchy 4.4.0
NoScript 2.6.8.28
RefControl 0.8.16
Status-4-Evar 2014.05.03.06
User Agent Switcher 0.7.3
Web Developer 1.1.9
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by therube »

> symantec

Do you have any Symantec software?

> makes a call

What do you mean by that?

> I wonder if NoScript is responsible for this.

No.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1
IAFSSS
Posts: 6
Joined: Mon Jul 14, 2014 10:17 am

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by IAFSSS »

Hi!
I have no Symantec software installed.

The only addon I have installed that is not more or less mainstream or often tested is Custom Buttons 0.0.5.8.
But I needed it and it was not a new addon in the Mozilla site's overview.

I have no imagination at all what could call that site.
Especially unusual is that there are barely any results for that site when searching for it on Google.

Maybe I should contact Symantec. But I had hoped you would do that. =)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by barbaz »

Anything weird or out of place in about:addons and/or about:support?

Does your browser contact that site even in a new, clean profile?
If not, go back to your main profile, and disable all addons. Does that stop the connections? If so, enable them one by one until it starts making those connections again. Once you find a suspect, disable it again, and keep re-enabling other addons until it makes those connections again or until you've run out of other addons to enable. That should isolate the culprit(s) *if it is an extension* that is directly responsible.
If that doesn't isolate the cause of these connections, it's not an extension; your best bet is to try Standard Diagnostic.

If you're still getting those connections even in a clean profile, try (in the clean profile) disabling all plugins and/or starting the browser in Safe Mode. Does that stop the connections?

Please let us know the results, thanks.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 SeaMonkey/2.26.1
IAFSSS
Posts: 6
Joined: Mon Jul 14, 2014 10:17 am

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by IAFSSS »

Bad news. I contacted the "Norton by Symantec" online chat support.
I explained what has happened and asked if symcd.com is their domain.
The support assured me it's not a domain owned by Symantec!
I asked him 4 times, just to be sure. He asked his own support at least once, though I assume he even asked twice. "Rest assured" it's not their domain he says.
"is not from Symantec"
"*****: Rest assured, **** that sd.symcd.com is not from Symantec."
ME: "just in case it turns out to be your domain (Symantec is a big corporation), could you make sure I get an email then?"
"*****: I assure you that it is not our domain"

I must admit I'm still not convinced it's not a Symantec domain, especially when he said:
"*****: That is not a virus, ****. I would suggest you to run Norton Power Eraser on your computer."

The addon I have most doubts about is Custom Buttons 0.0.5.8, which I installed last. And only not long ago I witnessed for the first time those GET and POST connections to sd.symcd.com.

Seems it's the first ever virus I got on one of my computers then.

Overall I give it even chances of being either Firefox or that addon. A small chance I give the Vodafone DSL Router/Modem to manipulate the HTML, though those practises should be overcome.

I will now start disabling the addons one by one and making a new clean profile as you suggested. Hopefully it turns out to be just some unimportant remains from some software developer.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
IAFSSS
Posts: 6
Joined: Mon Jul 14, 2014 10:17 am

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by IAFSSS »

Just now two POST connections happened: first to http://sa.symcd.com, second to http://sd.symcd.com, both with HTTP/1.1 200 OK results.

I just at the same time installed another addon, maybe that triggered it. I'm unhappy.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by therube »

Looks to be Akamai Technologies not Symantec.

> makes a call

What do you mean by that?

> installed another addon

Which?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by barbaz »

Have you scanned your entire system for malware?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 SeaMonkey/2.26.1
IAFSSS
Posts: 6
Joined: Mon Jul 14, 2014 10:17 am

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by IAFSSS »

I'm pretty sure now it's just Firefox checking the certificates!
At least I could claim that even the Symantec support doesn't know they own that domain. :)
Edit: Though even if it's not malware, I still wonder why I never encountered those POST connections to all the ocsp-sites in the two weeks before in which I already used the browser console constantly. That's probably the remaining question.


It has to do with OCSP !!?

(With "calls" I just meant the http-connections shown in the webbrowser console.)

I just went to the Mozilla-website to look up which addon I installed earlier today. And just then another connection to sy.symcd.com showed up in the browser-console!
(The addon mentioned earlier today was "about:addons-memory" 8. This just shows the size of the used memory by the active addons.)

About Akamai: I'm pretty sure they are just acting as hosting company here and the domain is owned by Symantec.

Before the connection to sa.symcd.com there was one connection to http://evsecure-ocsp.verisign.com/ and after sa.symcd.com there were three connections to http://ocsp.digicert.com/
When some days ago I first encountered those connections to a symcd.com domain I also saw a connection to a Google domain which had some letter combination in the address, and I'm very sure it was something like "ocsp".

When I click on the right side of the connection message in the web browser console it shows the header-request and the header-response. (I wasn't able to copy the second to http://ocsp.digicert.com/ as I closed my browser window in between accidentally, and now clicking on the right side in the line in the console doesn't show the headers anymore.)

The four connections' headers:
http://evsecure-ocsp.verisign.com/
Request-URL: http://evsecure-ocsp.verisign.com/
Request-Methode: POST
Status-Code: HTTP/1.1 200 OK

Request-Header 22:35:07.000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Referer: http://evsecure-ocsp.verisign.com/
Host: evsecure-ocsp.verisign.com
DNT: 1
Content-Type: application/ocsp-request
Content-Length: 115
Connection: keep-alive
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Response-Header Δ85ms
Last-Modified: Sun, 20 Jul 2014 02:23:58 GMT
Expires: Sun, 27 Jul 2014 02:23:58 GMT
Date: Tue, 22 Jul 2014 20:35:43 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1895
Connection: keep-alive
Cache-Control: max-age=366585, public, no-transform, must-revalidate
===========================================================================================
http://sa.symcd.com/
Request-URL: http://sa.symcd.com/
Request-Methode: POST
Status-Code: HTTP/1.1 200 OK

Request-Header 22:35:07.000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Referer: http://sa.symcd.com/
Host: sa.symcd.com
DNT: 1
Content-Type: application/ocsp-request
Content-Length: 115
Connection: keep-alive
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Response-Header Δ85ms
Last-Modified: Sun, 20 Jul 2014 19:09:18 GMT
Expires: Sun, 27 Jul 2014 19:09:18 GMT
Date: Tue, 22 Jul 2014 20:35:43 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1984
Connection: keep-alive
Cache-Control: max-age=426868, public, no-transform, must-revalidate
================================================================
http://ocsp.digicert.com/ - 1st
Request-URL: http://ocsp.digicert.com/
Request-Methode: POST
Status-Code: HTTP/1.1 200 OK

Request-Header 22:38:06.000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Referer: http://ocsp.digicert.com/
Host: ocsp.digicert.com
DNT: 1
Content-Type: application/ocsp-request
Content-Length: 115
Connection: keep-alive
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Response-Header Δ102ms
X-Cache: HIT
Server: ECS (fra/D46F)
Last-Modified: Tue, 22 Jul 2014 15:28:30 GMT
Expires: Tue, 29 Jul 2014 08:38:43 GMT
Etag: "53ce831e-44c"
Date: Tue, 22 Jul 2014 20:38:43 GMT
Content-Type: application/ocsp-response
Content-Length: 1100
Cache-Control: max-age=510411
Accept-Ranges: bytes
-----------------------------------------------------------------------------
http://ocsp.digicert.com/ - 3rd
Request-URL: http://ocsp.digicert.com/
Request-Methode: POST
Status-Code: HTTP/1.1 200 OK
Request-Header 22:38:07.000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Referer: http://ocsp.digicert.com/
Host: ocsp.digicert.com
DNT: 1
Content-Type: application/ocsp-request
Content-Length: 115
Connection: keep-alive
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Response-Header Δ33ms
X-Cache: HIT
Server: ECS (fra/D4DC)
Last-Modified: Tue, 22 Jul 2014 18:08:11 GMT
Expires: Tue, 29 Jul 2014 08:38:43 GMT
Etag: "53cea88b-1d7"
Date: Tue, 22 Jul 2014 20:38:43 GMT
Content-Type: application/ocsp-response
Content-Length: 471
Cache-Control: max-age=518311
Accept-Ranges: bytes
At least I could be pretty sure this isn't real malware doing such connections. :)
Last edited by IAFSSS on Tue Jul 22, 2014 9:38 pm, edited 5 times in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
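
Added example, not part of the original thread: a Python sketch that reads header dumps in the layout pasted in the post above and flags which exchanges are OCSP, meaning the RFC 6960 media types appear on both the request and the response. The function names, the `tracker.example` record and the "mismatch" verdict are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

OCSP_REQ, OCSP_RESP = "application/ocsp-request", "application/ocsp-response"
# Constructed sample in the post's console-dump layout: record 1 reuses its
# sa.symcd.com headers, record 2 (tracker.example) is made up for contrast.
SAMPLE = """\
Request-URL: http://sa.symcd.com/
Request-Methode: POST
Request-Header 22:35:07.000
Content-Type: application/ocsp-request
Response-Header Δ85ms
Content-Type: application/ocsp-response
Cache-Control: max-age=426868, public, no-transform, must-revalidate
================
Request-URL: http://tracker.example/collect
Request-Methode: POST
Request-Header 22:40:00.000
Content-Type: application/ocsp-request
Response-Header Δ40ms
Content-Type: text/html
"""

def parse_record(text):
    """Split one dump into top-level fields, request and response headers."""
    rec, section = {"meta": {}, "request": {}, "response": {}}, "meta"
    for line in text.splitlines():
        if line.startswith("Request-Header"):
            section = "request"
        elif line.startswith("Response-Header"):
            section = "response"
        elif ":" in line:
            key, value = line.split(":", 1)
            rec[section][key.strip().lower()] = value.strip()
    return rec

def media_type(headers):
    return headers.get("content-type", "").split(";")[0].strip().lower()

def classify(dump):
    """Yield (host, verdict, max_age) per record: 'ocsp', 'mismatch' or 'other'."""
    for chunk in filter(str.strip, re.split(r"^[=-]{5,}\s*$", dump, flags=re.M)):
        rec = parse_record(chunk)
        req_ok = (rec["meta"].get("request-methode") == "POST"
                  and media_type(rec["request"]) == OCSP_REQ)
        resp_ok = media_type(rec["response"]) == OCSP_RESP
        verdict = "ocsp" if req_ok and resp_ok else "mismatch" if req_ok != resp_ok else "other"
        age = re.search(r"max-age=(\d+)", rec["response"].get("cache-control", ""))
        host = urlsplit(rec["meta"].get("request-url", "")).hostname
        yield (host, verdict, int(age.group(1)) if age else None)
```

`list(classify(SAMPLE))` gives one tuple per record; a "mismatch" row is a request that presents itself as OCSP without an OCSP response coming back, which is worth a closer look than a clean pair.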
IAFSSS
Posts: 6
Joined: Mon Jul 14, 2014 10:17 am

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by IAFSSS »

There we go: With looking for the ocsp string in the browser console I found two other domains:
http://ocsp.startssl.com/sub/class1/server/ca
http://clients1.google.com/ocsp

Ok, I think I understand now it's Firefox checking the certificates.
I'm pretty sure only some days ago those connections started to show up for the first time ever in the console; before I never saw such connections in the browser console. :/
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does Noscript call sd.symcd.com (Symantec)? How2stopthel

Post by barbaz »

Glad you got it figured out.
IAFSSS wrote:
> Ok, I think I understand now it's Firefox checking the certificates.
> I'm pretty sure only some days ago those connections started to show up for the first time ever in the console; before I never saw such connections in the browser console. :/

That means you've got some addon making HTTPS connections that didn't before. If you want more info, use a proper request logging tool like HttpFox to pin down what URLs it's connecting to and whether you want those connections to be made (and maybe that will even tell you something about which addon is responsible).

FYI one of the OCSP connections you see would be related to NoScript determining your WAN IP at https://secure.informaction.com in order to protect your WAN IP against attacks that use the browser as a vector, but I don't think that OCSP connection would be the symcd one.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0 SeaMonkey/2.30a1