RESOLVED Strange script tries to run when connection is down

Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar »

I disabled all of the add-ons (except NoScript of course), and all of the plugins as well. The script is still trying to run.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

@ Giorgio: I reproduced all of the issues. I don't have GreaseMonkey. Have only:

Adblock Original (wouldn't add any content)
RefControl (ditto)
SafeHistory (ditto, I think)
SafeCache (likewise)
Add 'n Edit Cookies (does nothing unless you open it and use it)
Copy Plain Text (merely strips formatting from text copied from web site)
and NS 1.9.9.14

ZoneAlarmFree, which would never add a script
Just did last AV scan @ 24 Oct 09 = clean

On F2.20.

Edit: Just searched local HD, including system files, for "innoshot". No search results found.

Edit #2: RefControl is set to block all referrers, although in this case, attempt was made to go directly to Google with a fresh browser, so there would be no referrer anyway.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

therube wrote:Certain websites/malwares react differently depending upon how you accessed them, depending upon what the referrer is.

I.e., you can load a webpage, http://www.goodwebpage.com directly by typing the address into the URL bar without a problem.

But if you were to "open" the same page from a Google search - which would set the referrer to http://www.google.com, then http://www.goodwebpage.com responds differently, loading a malware page instead. (Actually it is the hosting service's servers that have been hacked & not goodwebpage itself.) In most instances like this, you can add live.com & yahoo.com & (usually altavista too) as referrers that would trigger this.

Perhaps you are running into something similar?
The OP, reproduced by moi, wasn't being referred by Google to goodsite.com. The issue is trying to go directly to Google.com with the Internet connection disconnected.
when my connection is down and I attempt to go to a specific web site
When trying to connect to Google with the wireless shut off

How does anything happen in these instances except for an eventual timeout?
Exxxxx..... actly! *THAT* is the $64,000 question! :?:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Strange script tries to run when connection is down

Post by therube »

HOSTS file?
SpywareBlaster?
Spybot S&D with its Immunize feature enabled?
Maybe even your firewall if it is trying to enumerate "badness" in some way or another?
Your router?

And if you enable your Internet connection, then you no longer see this?

Malware on your computer?

Enable software firewall. Disconnect from router. Connect directly to modem. Still happen?
Pull a new IP. Still happen?

Run port scanner. Check modem/router logs.

ISP related?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5pre) Gecko/20091023 SeaMonkey/2.0.1pre
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

Just a couple of thoughts out loud, don't bite my head off.

1. Could it be a toolbar? Anything like that installed? A) it could be doing the exploiting, or B) it could have a vulnerability that is being exploited, or C) it supports a function that has been injected with bad code.

2. Could it be a proxy app on your OS that is using your internet connection by being the "man in the middle"? A) something similar in function to DynDns's Internet Guide (sits between you and the web and supposed to monitor your traffic type and protect you) but similarly a malware written with similar model could do the same, B) a malware that is doing this by redirecting specific traffic or ports, C) a legit app like Comodo, or any other malware protector may be relying on a server of theirs that has fallen victim, hence all users of their product are being transferred and jerked around to something less than legit.

3. The default all encompassing assumption is also, there is some bug we don't know about yet being exploited either in the browser itself, one of its addons, or a plugin; in which case the crap storm should hit the beaches soon and make landfall when more people catch on.

Take care.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

therube wrote:HOSTS file?
Don't see how that could run scripts. It's a text file mapping IP to domain name.... But sure, I'll check. (searches Hosts for "innoshot") Nope. There are various listings of Google variations, but they are *all* set to redirect to 0.0.0.0, which is a non-existent address.
SpywareBlaster? Don't have it.
Spybot S&D with its Immunize feature enabled? Don't have it.
Maybe even your firewall if it is trying to enumerate "badness" in some way or another? Only enumeration of badness is through alerts generated if a local program, non-whitelisted, asks for Internet access. Inbound alerts are disabled (inbounds blocked, of course), due to the large amount of "noise" on the Net.
ZA Free is "firewall only", no malware, AV-scanning, e-mail scanning, anti-phishing, etc. etc. Those are only in the paid versions.
Your router? Hmmm... don't know if everyone with this issue is using a router, but could try direct connection to modem and see if it reproduces.
And if you enable your Internet connection, then you no longer see this?
That's exactly what everyone who reports the issue has been seeing.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
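The HOSTS check described in the post above, as an added example that is not part of the original thread: it goes beyond a plain text search by also classifying every entry for a watched domain as a sinkhole (0.0.0.0 or loopback) or a redirect to some other address. The sample file, the watched-domain list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample; the hostnames and addresses are illustrative only.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1     localhost
0.0.0.0       www.google-analytics.com ssl.google-analytics.com  # blocked
0.0.0.0       pagead2.googlesyndication.com
203.0.113.7   www.google.com
198.51.100.9  cdn.innoshot.example
"""
WATCHED = ("google.com", "google-analytics.com", "googlesyndication.com")


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address: skip
        for name in fields[1:]:                   # one line may map several names
            yield line_no, addr, name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED, needle="innoshot"):
    """Return (line_no, hostname, address, kind) for suspicious or watched entries."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if needle in name:
            findings.append((line_no, name, str(addr), "needle"))
        elif any(name == d or name.endswith("." + d) for d in watched):
            # 0.0.0.0 / 127.x.x.x only blackhole the name; anything else reroutes it.
            sink = addr.is_unspecified or addr.is_loopback
            findings.append((line_no, name, str(addr), "sinkhole" if sink else "redirect"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine, pass the contents of the system hosts file instead of `SAMPLE_HOSTS`; a "redirect" entry for a search engine is the one worth investigating.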
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

GµårÐïåñ wrote:Just a couple of thoughts out loud, don't bite my head off.
No biting! When we get a head-scratcher like this, brainstorming is exactly what's needed.
1. Could it be a toolbar? Anything like that installed? A) it could be doing the exploiting, or B) it could have a vulnerability that is being exploited, or C) it supports a function that has been injected with bad code.
No toolbars on this machine. (You know I'm a "minimalist", Bro. Or as Alan kiddingly calls me, a "Luddite". :D )
2. Could it be a proxy app on your OS that is using your internet connection by being the "man in the middle"? A) something similar in function to DynDns's Internet Guide (sits between you and the web and supposed to monitor your traffic type and protect you) but similarly a malware written with similar model could do the same, B) a malware that is doing this by redirecting specific traffic or ports, C) a legit app like Comodo, or any other malware protector may be relying on a server of theirs that has fallen victim, hence all users of their product are being transferred and jerked around to something less than legit.
Hmm... if the AV server had been compromised ... or gone rogue ... Since the issue is when disconnected, it should be safe to disable the AV and try it, unless the entire script is loaded into the rogue AV file. ... But NS is blocking it! :) So it's safe to try. Will do.

What anti-virus are all other reporters using?

3. The default all encompassing assumption is also, there is some bug we don't know about yet being exploited either in the browser itself, one of its addons, or a plugin; in which case the crap storm should hit the beaches soon and make landfall when more people catch on.
Right.

TEST: Disabled all addons listed in previous post, except NS. Added all back, one by one. No issue. Can't reproduce it now.

Thought: During yesterday's tests, another browser window was open: This forum (Giorgio, are you sure you're OK? ;) ) and often, Yahoo Mail. Will see if it can be reproduced with one or the other open.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar »

Just to recap some things.

1) Still happens with all add-ons and plugins disabled
2) no toolbars installed
3) I have Comodo software firewall
4) can't be anything external to my computer because the script attempts to run even with the network cable physically disconnected
5) For me, the script does attempt to run with a connection to the internet as well
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Now, this is weird. I can no longer reproduce the issue at google.com, ask.com, or yahoo.com, and the innoshot script no longer attempts to load at any of those when I do connect to them.

@ Montagar: Do you have NoScript v.1.9.9.14, the latest official release? I can't remember whether this issue arose before or after I updated from .13 to .14.

Edit: Will try on F3.5.3. Give me a few minutes.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Strange script tries to run when connection is down

Post by therube »

All kinds of things (exploits) can happen with (by way of) ads.
Are there any here? But there certainly are @ noscript.net (googlesyndication & whatnot).

NoScript doing its job:

Code:

[NoScript] Potential cross-site E4X hijacking detected and blocked (http://pn1.adserver.yahoo.com/a?f=2023634417&pn=ziff&p=pvtnyszt&l=VR&c=sh): ...
If you were talking to someone, could be that the particular site is now down ... to be up later ... or to be rerouted to another domain name ...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5pre) Gecko/20091023 SeaMonkey/2.0.1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

therube wrote:All kinds of things (exploits) can happen with (by way of) ads.
Are there any here? But there certainly are @ noscript.net (googlesyndication & whatnot).
Adblock Original was blocking all ads.

NoScript doing its job:

Code:

[NoScript] Potential cross-site E4X hijacking detected and blocked (http://pn1.adserver.yahoo.com/a?f=2023634417&pn=ziff&p=pvtnyszt&l=VR&c=sh): ...
Didn't get any XSS warnings
If you were talking to someone, could be that the particular site is now down ... to be up later ... or to be rerouted to another domain name ...
Only, as mentioned, this forum and possibly Yahoo Mail open, but I don't allow their api for chat, etc. It tries to load -- it *insists* -- but sorry, no dice. So it's just the web mail, which *does* run 60-80 scripts of its own, but only the domain mail.yahoo.com was allowed. Still doesn't explain where innoshot was coming from *with the connection off*.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

OK, here I am on Fx 3.5.3, Portable. It still had NS 1.9.9.11, so left it there for test purposes. Cannot reproduce on google, yahoo, or ask, with connection off.
Innoshot does *not* show any longer in the menu when connecting live to the above.

Updated NS to 1.9.9.14. Same results. The *only* other thing that happened was that a "compatibility update" was applied to RefControl. But this was only on F3; the issue was seen yesterday on F2 by me, and on F3 by OP.

So I'm back to "can't reproduce; issue disappeared". :?: :?: :?:

If OP is still getting the issue, with latest updates of everything, now I'm at a loss as to even where to look.

@ Montagar: Have you tried what I did:
Searching your machine for "innoshot"?
Run an Anti-Virus scan?

I'd say that we scared it away by publicizing the issue :ugeek: , except that it seems at least one other user is still seeing it. And I changed "nothing" between yesterday, when it appeared, and today, when it doesn't, except at some point in time, getting NS 1.9.9.14.

Stumped. :?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

Ok, despite the fact that I am not having this issue, looking at some of the things said in broader context, I am beginning to see a pattern that is not pleasant. So let me run by you what I am thinking and have everyone tell me what they think.

I believe the reason some are experiencing it and some are not is that it's a malware of some kind (using loose definition), don't know how or where it got injected yet, but it's using each person that it has control over to create sort of a clicker bot that is reporting click-throughs to the Yahoo adserver, possibly Google too, hence why it might appear on their sites but it's not actually being served by them, it's receiving data from it. Someone could be pumping their click-through for potentially higher commission earning and given it's entirely located within Asia, it would not be so far fetched, given nearly 80%+ of spam is generated and sent through China, it could have successfully infected enough people to create this band of unique computers sending traffic to the server to achieve legitimacy so they can get paid. It's probably not harmful per se, but certainly malicious.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Certainly a possibility. But then, why did it suddenly stop for me? The AV scan mentioned was on 10/24, *before* the issue appeared; I didn't do a scan since, only a search for any file with "innoshot" in the name.

And how would it be injected? As a blocked third party, it wasn't allowed to run on OP or my machine. If they've infected Yahoo *and* Google *and* Ask to the point that the malcode is served by Yahoo under its own name... but again, why would it mysteriously disappear?
it's not actually being served by them,
Then how can it infect the machine if NS blocks it? I know you're trying your best, Bro, but this is where I can't put those pieces together.

I'd say let's wait and see what further reports come in before spending any more time speculating, then we'll have some hard data to go on. Good thinking, though. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

Well in regards to it just stopping, it could be that it runs a certain number of cycles before stopping since it will no longer be unique. It might or may not start up again, which means it could be persistent or just a drive by.

I mean off the top of my head a code such as this inserted into the user's userChrome.css file "COULD" potentially assist in making this kind of random behavior happen (keep in mind that I have not thought this through completely, I am thinking on my feet here):

Code:

@-moz-document url-prefix("http://www.yahoo.com/") {
/* Insert behavior to be inserted into the page code to access xyz ad server */
}

@-moz-document url-prefix("http://www.google.com/") {
/* Insert behavior to be inserted into the page code to access some other xyz server */
}

@-moz-document url("http://some.site.tld/that/has/something/I/am/targeting") {
/* Insert behavior geared towards a very very specific target page, sort of a targeted action */
}
I don't know...
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
Locked
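One way to check a profile for the kind of site-specific rule suggested in the last post, as an added example that is not code from the thread or from NoScript: it lists every `@-moz-document` rule in a user stylesheet (userChrome.css or userContent.css in the profile's chrome folder) and flags rules that target unexpected sites or whose body references a remote URL. The sample stylesheet, the `expected_sites` parameter and the function names are constructed for illustration.

```python
import re

RULE_HEAD = re.compile(r"@-moz-document\s+([^{]+)\{")
MATCHER = re.compile(r"(url-prefix|url|domain)\(\s*[\"']?([^\"')]+)[\"']?\s*\)")
REMOTE = re.compile(r"https?://[^\s\"')]+")

# Constructed sample of a user stylesheet, for illustration only.
SAMPLE_CSS = '''
/* personal tweak */
@-moz-document domain("example.org") {
  body { font-family: serif !important; }
}
@-moz-document url-prefix("http://www.yahoo.com/"), url-prefix("http://www.google.com/") {
  #hp { background-image: url("http://ads.example.net/px.gif") !important; }
}
'''


def moz_document_rules(css):
    """Return [(targets, body)] for each @-moz-document rule, matching nested braces."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)   # comments cannot affect rendering
    rules, pos = [], 0
    while True:
        head = RULE_HEAD.search(css, pos)
        if not head:
            return rules
        depth, i = 1, head.end()
        while i < len(css) and depth:                 # walk to the rule's closing brace
            depth += {"{": 1, "}": -1}.get(css[i], 0)
            i += 1
        body = css[head.end():i - 1] if depth == 0 else css[head.end():]
        targets = [(m.group(1), m.group(2)) for m in MATCHER.finditer(head.group(1))]
        rules.append((targets, body))
        pos = i


def audit_stylesheet(css, expected_sites=()):
    """Flag rules aimed at sites the user did not expect, or that pull remote content."""
    findings = []
    for targets, body in moz_document_rules(css):
        remote = REMOTE.findall(body)
        for kind, value in targets:
            unexpected = not any(site in value for site in expected_sites)
            if unexpected or remote:
                findings.append({"match": kind, "target": value, "remote_refs": remote})
    return findings


if __name__ == "__main__":
    for finding in audit_stylesheet(SAMPLE_CSS, expected_sites=("example.org",)):
        print(finding)
```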