RESOLVED Strange script tries to run when connection is down

[computerfreaker]

I would rather not have to wipe out FF completely and install FF from scratch, but I am running out of ideas. Does anyone have any suggestions as to what else I can try to attempt to find out where this script is coming from?

Well, instead of wiping out FF, try FF Portable: http://portableapps.com/apps/internet/firefox_portable
(Completely legal, PA.c has Mozilla's blessing on it)

Go ahead and try the FF Portable, you can just delete the "installation" folder when you're all done.

btw, back on-topic... I have to think this is more of a local infection (if it's malware). Since the innoshot connection was attempted when the Internet connection was down, it would have to be a cache thing or a local thing, IMHO. Did you try searching your computer for innoshot?
(Make sure you search for files containing innoshot, not just files containing innoshot in the name - also, make sure you search hidden & system folders)

[Montagar]

btw, back on-topic... I have to think this is more of a local infection (if it's malware). Since the innoshot connection was attempted when the Internet connection was down, it would have to be a cache thing or a local thing, IMHO. Did you try searching your computer for innoshot?
(Make sure you search for files containing innoshot, not just files containing innoshot in the name - also, make sure you search hidden & system folders)

Yes, I have done that search and came up with nothing... Tom T. (who had this problem as well) also did a search and found nothing.

[therube]

If you create a new, clean Profile, installing only NoScript, disabling all plugins, does it still happen?
If you use a different browser version, FF 2, or FF 3.0, or SeaMonkey, install NoScript, does it still happen?

Won't hurt to follow the steps here: Security Cleanup FAQ: Mandatory Steps Before Requesting Assistance

[Montagar]

I ran portable FF (as computerfreaker suggested) and if we are sure that it doesn't share anything with my installed version of FF, I can say that the problem is not "inside" of FF. Portable FF with only NoScript installed, comes up with the same rouge script as my installed version.

Won't hurt to follow the steps here: Security Cleanup FAQ: Mandatory Steps Before Requesting Assistance

I have now followed all of those steps and still have the problem. Where in the world is this thing hiding?

[Tom T.]

I ran portable FF (as computerfreaker suggested) and if we are sure that it doesn't share anything with my installed version of FF, I can say that the problem is not "inside" of FF. Portable FF with only NoScript installed, comes up with the same rouge script as my installed version.

Portable doesn't. It has its own self-contained profile and other applicable folders. I have mine on a USB Flash drive. You can install it there, too, and see the independent folders for yourself.

IIRC, during the day that I *did* reproduce the issue, I plugged in the Portable, which was the latest Fx at the time, 3.5.3, and successfully reproduced it. The machine is running Fx 2.20 (please don't ask why ) and I had seen your issue there first. So yes, two completely different versions of FF, one local, one independent on flash drive.

And yes, I searched the entire HDD, the Registry, and the Hosts file (which would be part of the HDD search anyway), for anything containing "innoshot", including hidden and system files (which, of course, is where it's likely to be hiding). And got nothing.

And just did the same search again. And got a scary false alarm! Came up with "innoshot", but it was in ContainingTextMRU -- just recording the last Search done.

Since it mysteriously vanished the next day, I have no more clues. Hopefully Giorgio can find something in the HTTPFox output that will help him, or he may ask you to do a specific search, connection on, connection off, etc... and tell you what output he's looking for.

It's not in Fx, apparently, and all of those malware detectors couldn't find it... seems like it's not coming from the local machine at all ?

I don't believe Giorgio addressed, or saw, my one other idea:

@ Giorgio: IP cached by the ISP, and my ISP either discovered the infection first, or refreshed the cache sooner, than Montagar's ISP?
IP cached on the local machine, but I have Windows DNS Client service disabled.

[Montagar]

@ Giorgio: IP cached by the ISP, and my ISP either discovered the infection first, or refreshed the cache sooner, than Montagar's ISP?
IP cached on the local machine, but I have Windows DNS Client service disabled.

I flushed my DNS... (using the command line: ipconfig /flushdns)... and also, with my computer physically disconnect from the network, how can anything from the "outside" influence what FF does? I don't understand how it can be anything other than on the local computer.

[computerfreaker]

I ran portable FF (as computerfreaker suggested) and if we are sure that it doesn't share anything with my installed version of FF, I can say that the problem is not "inside" of FF. Portable FF with only NoScript installed, comes up with the same rouge script as my installed version.

Won't hurt to follow the steps here: Security Cleanup FAQ: Mandatory Steps Before Requesting Assistance

I have now followed all of those steps and still have the problem. Where in the world is this thing hiding?

Portable doesn't. It has its own self-contained profile and other applicable folders. I have mine on a USB Flash drive. You can install it there, too, and see the independent folders for yourself.

Not quite, Tom. In one word: plugins.
My Fx Portable "install" detects, and uses, all the "regular" Fx plugins - after seeing all the cache-clearing, DNS-flushing, etc. you guys have done, I have to guess at a plugin. Try disabling your plugins (ALL of them, even the "safe" ones like Flash and QuickTime) and see what happens...

[Tom T.]

Not quite, Tom. In one word: plugins.
My Fx Portable "install" detects, and uses, all the "regular" Fx plugins - after seeing all the cache-clearing, DNS-flushing, etc. you guys have done, I have to guess at a plugin. Try disabling your plugins (ALL of them, even the "safe" ones like Flash and QuickTime) and see what happens...

It's good thinking, CF, but IIRC, your Portable is installed permanently on the HD, correct?

The big appeal of portable is that you could be, say, at a friend's house who didn't have Fx (surely all your friends do! ), plug in the flash drive, and you're good to go with Fx. The Readme in Portable > Data > Plugins says, "Place Firefox plugins in this directory (Flash, Shockwave, etc)". I haven't, yet, so I'll have to see if the Portable is indeed detecting them from the HD, or whether it won't play Flash or QT -- can't remember ever trying.

In the meantime, that's another good lead for Montagar ... "move" or rename the HD Fx files temporarily, to render them useless, and try to reproduce on the portable -- or as you say, disable all plugins in his regular Fx. Nice thinking, regardless of outcome.

Gonna test that now on my portable. Back in a bit.

[Tom T.]

Interesting!

Renaming the Flash folder on the HD (win\s32\macromed\flash), thereby rendering it useless, did indeed prevent Flash vids from playing on the portable as well as on the native browser.

*But* ... the portable has a folder for plugins. Which makes sense, because again, what if the machine into which you plug your USB drive with the portable doesn't have these plugins?

So... the portable has the *capability* to be completely independent, but will search the HD for the plugins if not present in the portable.

Good point, CF.

Montagar, try disabling all plugins as CF suggests, flush everything again (if something is coming from a corrupted plug-in file), run the Portable, and see if it persists?

[computerfreaker]

It's good thinking, CF, but IIRC, your Portable is installed permanently on the HD, correct?

not quite - I sync my Fx Portable across two computers, using a Flash drive. The Portable "install" immediately begins using the plugins installed on the computer it's on... for example, on the laptop it uses the Windows Presentation Foundation plugin (which I promptly disable), while on the desktop computer it uses the Java Toolkit plugin. In my experience, the Portable "install" takes on the plugins of the host computer...

*But* ... the portable has a folder for plugins. Which makes sense, because again, what if the machine into which you plug your USB drive with the portable doesn't have these plugins?

So... the portable has the *capability* to be completely independent, but will search the HD for the plugins if not present in the portable.

Correct. A few plugins (IIRC, just Flash & a semi-working Java right now) have been portabilized - those can be placed in the portable Fx's plugins folder and taken with it. Portable Fx will auto-detect any other plugins the host computer happens to have...

Another thing that occurred to me - searching for "innoshot" won't do any good. There are too many ways of representing it... for example,

Code: Select all

dim DestinationSite as String
DestinationSite = "i" + "n" + "n" + "o" + "s" + "h" + "o" + "t" + "." + "o" + "r" + "g"
//now launch a browser instance, passing DestinationSite as a paramter

That's just a basic obfuscation technique... toss in ASCII character codes and/or Unicode character codes and/or hex versions of those character codes and/or octal versions of those character codes and/or binary versions of those character codes and/or a basic encryption scheme or two and/or string concatenation... whew, what a mess.

Montagnar, did you try disabling your plugins?

[Montagar]

Montagnar, did you try disabling your plugins?

Yes, with no success.

I have been doing all kinds of testing and I have come up with something interesting.

If I use: "www.google.com" - script attempts to load

If I use the FF google start page: "www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:officia" - no script attempts to load.

BUT once I click the "Google Search" button the URL becomes: "www.google.com/search?" and the script attempts to load.

BUT if I use the "Web" link in the upper left of the page: "www.google.com/webhp?hl=en&tab=iw" no script attempts to load and I can click the "Google Search" button all day long and it's fine because it uses "/webhp?" instead of "/search?".

So it appears that whatever "program" is injecting this script, uses list of URLs to determine when to attempt to run the script and the list is dynamic because "www.bing.com" is now also generating the script (it just started a couple of days ago).

My next step is to start looking at the actual packets to see if I can find something.

[computerfreaker]

Montagnar, did you try disabling your plugins?

Yes, with no success.

I have been doing all kinds of testing and I have come up with something interesting.

If I use: "www.google.com" - script attempts to load

If I use the FF google start page: "www.google.com/firefox?client=firefox-a ... US:officia" - no script attempts to load.

BUT once I click the "Google Search" button the URL becomes: "www.google.com/search?" and the script attempts to load.

BUT if I use the "Web" link in the upper left of the page: "www.google.com/webhp?hl=en&tab=iw" no script attempts to load and I can click the "Google Search" button all day long and it's fine because it uses "/webhp?" instead of "/search?".

So it appears that whatever "program" is injecting this script, uses list of URLs to determine when to attempt to run the script and the list is dynamic because "www.bing.com" is now also generating the script (it just started a couple of days ago).

My next step is to start looking at the actual packets to see if I can find something.

Weird.

When you look at the actual packets, if you don't have a packet sniffer already, let me recommend Wireshark (http://www.wireshark.org/download.html)... I use the portable version, personally, but you might want something else.

btw, maybe use HiJackThis to see about any browser helper objects or anything like that?
(Also check to see if you have any extra "firewall" stuff, or if your traffic is somehow modified by your ISP)

[GµårÐïåñ]

Another thing that occurred to me - searching for "innoshot" won't do any good. There are too many ways of representing it... for example,

Code: Select all

dim DestinationSite as String
DestinationSite = "i" + "n" + "n" + "o" + "s" + "h" + "o" + "t" + "." + "o" + "r" + "g"
//now launch a browser instance, passing DestinationSite as a paramter

That's just a basic obfuscation technique... toss in ASCII character codes and/or Unicode character codes and/or hex versions of those character codes and/or octal versions of those character codes and/or binary versions of those character codes and/or a basic encryption scheme or two and/or string concatenation... whew, what a mess.

There are tons more ways to obfuscate what would normally be a simple string. You can use individual Char code concantations, you can use html encoding, hex, or you can use a basic loop logic to build the string too. Granted in basic HTML its very limited and with JS disabled you won't get much there, but if embedded well enough into a trusted parent with JS enabled, then it can have even more methods available to it, depending on extensions and libraries being used. If they are hooking something server side or even dare I say locally, then the methods are endless. Just saying.

PS. I see you are still running 3.5.4, have you guys had a chance to update it yet to 3.5.5?

[Montagar]

(Also check to see if you have any extra "firewall" stuff, or if your traffic is somehow modified by your ISP)

Don't forget that this script attempts to run even if I have the network cable disconnected, so whatever is trying to insert this script is on my computer.

I just updated to 3.5.5

[computerfreaker]

Another thing that occurred to me - searching for "innoshot" won't do any good. There are too many ways of representing it... for example,

Code: Select all

dim DestinationSite as String
DestinationSite = "i" + "n" + "n" + "o" + "s" + "h" + "o" + "t" + "." + "o" + "r" + "g"
//now launch a browser instance, passing DestinationSite as a paramter

That's just a basic obfuscation technique... toss in ASCII character codes and/or Unicode character codes and/or hex versions of those character codes and/or octal versions of those character codes and/or binary versions of those character codes and/or a basic encryption scheme or two and/or string concatenation... whew, what a mess.

There are tons more ways to obfuscate what would normally be a simple string. You can use individual Char code concantations, you can use html encoding, hex, or you can use a basic loop logic to build the string too. Granted in basic HTML its very limited and with JS disabled you won't get much there, but if embedded well enough into a trusted parent with JS enabled, then it can have even more methods available to it, depending on extensions and libraries being used. If they are hooking something server side or even dare I say locally, then the methods are endless. Just saying.

PS. I see you are still running 3.5.4, have you guys had a chance to update it yet to 3.5.5?

yes, I know there are lots more ways of doing it... I'm just listing a few to illustrate the complexity of hunting this. Another "fun" way of doing business (once tried by yours truly, for the sake of creating an anti-piracy system - I dropped it when it got too hairy) is to use different function calls:

Code: Select all

Function F1() As String
Return "n"
End Function

Function F2() As String
Return "i"
End Function

Function FS() As String
Return "t"
End Function

Function QWERTY() As String
Return "o"
End Function

Function ShowSplashScreen() as String
Return "s"
End Function

Function q() As String
Return "h"
End Function

//actual payload code
dim Destination As String
Destination = F2() + F1() + F1() + QWERTY() + ShowSplashScreen() + q() + QWERTY() + FS()

Once again, toss in a few character codes, obfuscation, etc. to make this a real honey to find...

(Also check to see if you have any extra "firewall" stuff, or if your traffic is somehow modified by your ISP)

Don't forget that this script attempts to run even if I have the network cable disconnected, so whatever is trying to insert this script is on my computer.

I just updated to 3.5.5

Just updated to 3.5.5 too, downloaded it yesterday but didn't get a chance to install until today.

Montagnar, sorry about the ISP comment, forgot this tried to run with the network cable unplugged.
However, maybe a firewall's trying something - if it's installed locally, it can try to generate network traffic even with no connection...

Also, try running CCleaner - use it to clear all your caches (IE, Java, Fx, anything else it can find) and clean up your registry (make sure to back up your changes!).
Then see if this weird script tries to run...