RESOLVED Strange script tries to run when connection is down

[computerfreaker]

1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.

More and more, I'm "liking" this hxxp://www.firefox.com place as a possible attack vector - Montagar, you may have gotten a "loaded" Firefox install. Either way, I'm taking no chances - I've changed the link protocol.

3) When I first connected there, it was written almost entirely in an Asian language, so I don't know anything about it. I've noticed some Scroogle links are in Cyrillic (Russian) alphabet.

Ditto. I was hoping somebody had found whois records, WOT info, or something like that - I haven't been able to get my hands on anything.

4) Yes. But the discrepancy would now have to be more than two weeks for mine to have self-destructed and Montagar's not.

Drat. One idea down the drain, since both your clock & Montagar's are correct. Oh well, one fewer possibility...

5) Yes, but only after it had disappeared. No issue on 3.5.3 Portable.

6) Not that I can remember.

OK, 2 more possibilities gone.

7) Not during the day that I could reproduce it. I would have shut the machine off for the night and rebooted it the next day, when it disappeared. For some reason, some people leave their machine on 24/7 (waste of electricity!), so,

You didn't reboot when you edited your HOSTS file? Correct me if I'm wrong, but don't you need to reboot to apply HOSTS changes?

@ Montagar: Have you rebooted at any time since this first appeared?
If so, then it seems that would eliminate that possiblility.

Well, we'll see if he's rebooted or not - I'm guessing he has, because most users don't leave their machines on for 2 weeks. btw, Montagar, rebooting means shutting down or restarting; hibernate doesn't count.

CF: #2. Maybe most NoScript users, being the privacy-conscious bunch we are , don't use Google - I know I personally use Scroogle, and maybe others do too.

IIRC, didn't you start using Scroogle only in the past few weeks?

yes. I hadn't known about it until a few weeks ago...

Agree that there's some percent of NS users who don't use Google, but it's surely not 100%. Also, the issue was reproduced at yahoo.com, which is a complete portal, not just a search engine. And to which you are redirected after logging out of any login Yahoo service. Surely some significant number of NS users would have been to Yahoo, either as a portal to their other services, or by being redirected there. Also, issue arose on ask. com, and *at first*, not at bing.com, but later, Montagar found it at bing.com, IIRC.

Great, there goes another idea...

CF: I don't have Google whitelisted, so the whole NS icon is red while I'm on Google.com.

I have all of Google "untrusted", which has the same effect of turning the NS icon blue -- no scripts from Google are asking to run. (They show in Menu > Untrusted.) So a new third-party script, not yet in the Untrusted list, would indeed induce a color change in the NS logo.

Valid point, surely some people have Google either totally trusted or totally untrusted, so the NS logo would change...

if it's a local infection, why run *only* when a few sites are visited? ...

That would be easy enough for the programmer to accomplish. Possible motive -- large, popular sites. Infect as many as possible without splashing your malcode all over the Internet.

Well, as you mentioned, Wikipedia takes #6 rankings or something like that, and nobody's noticed innoshot there... also, since WP's universally trusted, people would be more likely to let down their shields there. If I were a malware writer, I'd hit WP for all I was worth...

#1. Maybe this is some weird infection vector that very few people are vulnerable to.

But what is it that creates that vuln? Montagar and I seem to have not too much sw in common, other than Fx/NS.

Tom, Montagar, please list your plugins - I have a hunch. See below...

The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org"

Ah. NOW we're getting someplace - perhaps you and Tom had two different, although similar, infections!

Yes, I noticed that in my first reply to OP. I tried going to innoshots.org, and got a Forbidden error. Montagar could try that -- with NS locked down, of course.) Innoshot.com is in fact a web site of some type, and that is the domain of the script that I saw. So yes, maybe they are slightly different malcodes, which might account for the fact that mine disappeared: For some reason, the .org variant is more persistent or better hidden.

Maybe this is like Conficker - each version gets more robust than the last? (btw, I got that Forbidden error on innoshots.org as well - it's certainly possible that #1 the referrer is checked or #2 only very specific pages on innoshots.org are allowed - such as malicious executable download pages)

Yes, and it did attempt to run the suspect script, but there are many questions as to what Portable FF shares with a local installation, and I have not attempt to "remove" my local installation as of yet.

Portable Fx shares plugins with a local install; AFAIK, that's it.

CF has dug pretty deeply into the documentation of the portable apps. Early in this thread, I noted that when I went to my Portable Fx, it was still using NS .11, whereas the native Fx had been updated to .14. So Portable does have its own Extensions folder and Profile folder, and plugins do seem to be the only thing shared with the local install.

Actually, Tom, I'm speaking from personal experience here. I have a fleet of Firefox Portable "installs" - Fx 3.5.5 for browsing, Fx 3.0.13 for legacy purposes (in case my school site doesn't fully support Fx 3.5.5), another Fx 3.0.13 for web development, another Fx 3.5.5 for addon development, and even (holy cow!) a Fx 2.0.0.20 for addon development. Each of those portables has its own addons, and each of the portables has to have its addons updated separately from the rest. Only plugins are global...

Which more and more seems to narrow this to a plugin.

MAYBE NOT.

Awhile ago, I had an issue with Firefox - it wouldn't play mp3 files properly, showing a "Loading video" placeholder instead. I tried disabling all my plugins, esp. the media plugins, then re-enabling them one by one - the problem persisted. Only after I uninstalled (TOTALLY uninstalled, not just a plugin) VLC Media Player did the problem go away. For some reason, VLC had ignored my MIME type settings, my file associations, my Fx content associations, and the WMP plugin's default status for mp3's. The VLC plugin apparently stayed running, even after it was disabled (or VLC just plain took over Fx; either one is unacceptable); maybe this is a similar thing. Hence my request for a plugin list from each of you... (btw, for those interested, the MozillaZine thread covering my VLC issue is located at http://forums.mozillazine.org/viewtopic ... &t=1526525)

It could be that you took some action as routine that took care of the issue but he has not so the issue persists. Unfortunately no way to really know what you did and what the differences are and so on.

If my plugin dark-horse doesn't come through, we might have to concede that... hope we don't have to give up though.

[Alan Baxter]

1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.

More and more, I'm "liking" this hxxp://www.firefox.com place as a possible attack vector - Montagar, you may have gotten a "loaded" Firefox install. Either way, I'm taking no chances - I've changed the link protocol.

Firefox.com is legit. It redirects to http://www.mozilla.com/en-US/firefox/personal.html
http://whois.domaintools.com/firefox.com

[Tom T.]

1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.

More and more, I'm "liking" this hxxp://www.firefox.com place as a possible attack vector - Montagar, you may have gotten a "loaded" Firefox install. Either way, I'm taking no chances - I've changed the link protocol.

But I've had this antique F2 for almost a year, and OP has latest 3.5.5. Surely versions so far apart wouldn't both be corrupt, or it would have been noticed a long time ago?

3) When I first connected there, it was written almost entirely in an Asian language, so I don't know anything about it. I've noticed some Scroogle links are in Cyrillic (Russian) alphabet.

Ditto. I was hoping somebody had found whois records, WOT info, or something like that - I haven't been able to get my hands on anything.

It's in Korea, if that helps. Pinged and got the IP.

Code: Select all

P address: 210.97.228.26
No host name is associated with this IP address or no reverse lookup is configured.
Error:Host not found
210.97.228.26 is from Korea, Republic of(KR) in region Southern and Eastern Asia

7) Not during the day that I could reproduce it. I would have shut the machine off for the night and rebooted it the next day, when it disappeared. For some reason, some people leave their machine on 24/7 (waste of electricity!), so,

You didn't reboot when you edited your HOSTS file? Correct me if I'm wrong, but don't you need to reboot to apply HOSTS changes?

You need only restart the *browser*. Double-checked this by testing it just now.

@ Montagar: Have you rebooted at any time since this first appeared?
If so, then it seems that would eliminate that possiblility.

Well, we'll see if he's rebooted or not - I'm guessing he has, because most users don't leave their machines on for 2 weeks. btw, Montagar, rebooting means shutting down or restarting; hibernate doesn't count.

Somehow, I think Montagar knows that.

if it's a local infection, why run *only* when a few sites are visited? ...

That would be easy enough for the programmer to accomplish. Possible motive -- large, popular sites. Infect as many as possible without splashing your malcode all over the Internet.

Well, as you mentioned, Wikipedia takes #6 rankings or something like that, and nobody's noticed innoshot there... also, since WP's universally trusted, people would be more likely to let down their shields there. If I were a malware writer, I'd hit WP for all I was worth...

You don't need to allow JS even to *edit* WP. I know, because I've edited it "a few" times. WP.org is actually in my Untrusted list.

#1. Maybe this is some weird infection vector that very few people are vulnerable to.

But what is it that creates that vuln? Montagar and I seem to have not too much sw in common, other than Fx/NS.

Tom, Montagar, please list your plugins - I have a hunch. See below...

Flash
Quicktime
Java

which probably the vast majority of Fx users have.

The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org"

Ah. NOW we're getting someplace - perhaps you and Tom had two different, although similar, infections!

Yes, I noticed that in my first reply to OP. I tried going to innoshots.org, and got a Forbidden error. Montagar could try that -- with NS locked down, of course.) Innoshot.com is in fact a web site of some type, and that is the domain of the script that I saw. So yes, maybe they are slightly different malcodes, which might account for the fact that mine disappeared: For some reason, the .org variant is more persistent or better hidden.

Maybe this is like Conficker - each version gets more robust than the last? (btw, I got that Forbidden error on innoshots.org as well - it's certainly possible that #1 the referrer is checked or #2 only very specific pages on innoshots.org are allowed - such as malicious executable download pages)

I "found" it after OP, but yes, I could have picked it up earlier, before I blocked yahoo.com to avoid the annoying redirects from logout of Yahoo mail.

Which more and more seems to narrow this to a plugin.

MAYBE NOT.

Awhile ago, I had an issue with Firefox - it wouldn't play mp3 files properly, showing a "Loading video" placeholder instead. I tried disabling all my plugins, esp. the media plugins, then re-enabling them one by one - the problem persisted. Only after I uninstalled (TOTALLY uninstalled, not just a plugin) VLC Media Player did the problem go away. For some reason, VLC had ignored my MIME type settings, my file associations, my Fx content associations, and the WMP plugin's default status for mp3's. The VLC plugin apparently stayed running, even after it was disabled (or VLC just plain took over Fx; either one is unacceptable); maybe this is a similar thing. Hence my request for a plugin list from each of you... (btw, for those interested, the MozillaZine thread covering my VLC issue is located at http://forums.mozillazine.org/viewtopic ... &t=1526525)

Intersting! I *did* install VLC a while back, on the HD, then uninstalled it and got the portable version on the USB drive. But if it were corrupted, that's *definitely* a possiblity. I didn't install it as a Fx plugin, but it could have done its damage before.

@ Montagar: Got VLC player?

[computerfreaker]

Firefox.com is legit. It redirects to http://www.mozilla.com/en-US/firefox/personal.html
http://whois.domaintools.com/firefox.com

Dang, another idea out the window... I was hoping firefox.com had been an attack site (it isn't now, I checked it when Montagar posted and it does redirect to Mozilla) when Montagar got his Fx copy - that would explain this whole confuddled business.

1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.

More and more, I'm "liking" this hxxp://www.firefox.com place as a possible attack vector - Montagar, you may have gotten a "loaded" Firefox install. Either way, I'm taking no chances - I've changed the link protocol.

But I've had this antique F2 for almost a year, and OP has latest 3.5.5. Surely versions so far apart wouldn't both be corrupt, or it would have been noticed a long time ago?

I reckon it would depend on the attack vector and the attack code - I don't think cross-version attacks would be too difficult, and a small enough attack vector might let this thing slide under the radar...

3) When I first connected there, it was written almost entirely in an Asian language, so I don't know anything about it. I've noticed some Scroogle links are in Cyrillic (Russian) alphabet.

Ditto. I was hoping somebody had found whois records, WOT info, or something like that - I haven't been able to get my hands on anything.

It's in Korea, if that helps. Pinged and got the IP.

Code: Select all

P address: 210.97.228.26
No host name is associated with this IP address or no reverse lookup is configured.
Error:Host not found
210.97.228.26 is from Korea, Republic of(KR) in region Southern and Eastern Asia

Well, that's something at least...

7) Not during the day that I could reproduce it. I would have shut the machine off for the night and rebooted it the next day, when it disappeared. For some reason, some people leave their machine on 24/7 (waste of electricity!), so,

You didn't reboot when you edited your HOSTS file? Correct me if I'm wrong, but don't you need to reboot to apply HOSTS changes?

You need only restart the *browser*. Double-checked this by testing it just now.

Well, scratch another idea... (dang, I'm running out again)

@ Montagar: Have you rebooted at any time since this first appeared?
If so, then it seems that would eliminate that possiblility.

Well, we'll see if he's rebooted or not - I'm guessing he has, because most users don't leave their machines on for 2 weeks. btw, Montagar, rebooting means shutting down or restarting; hibernate doesn't count.

Somehow, I think Montagar knows that.

I'm sure he knows that too, I just don't feel like taking chances with something as elusive as this ghost... (off-topic, if it turns out to be "new" malware, that actually wouldn't be a bad name for it...)

if it's a local infection, why run *only* when a few sites are visited? ...

That would be easy enough for the programmer to accomplish. Possible motive -- large, popular sites. Infect as many as possible without splashing your malcode all over the Internet.

Well, as you mentioned, Wikipedia takes #6 rankings or something like that, and nobody's noticed innoshot there... also, since WP's universally trusted, people would be more likely to let down their shields there. If I were a malware writer, I'd hit WP for all I was worth...

You don't need to allow JS even to *edit* WP. I know, because I've edited it "a few" times. WP.org is actually in my Untrusted list.

Oh, great. Another idea gone flat...

#1. Maybe this is some weird infection vector that very few people are vulnerable to.

But what is it that creates that vuln? Montagar and I seem to have not too much sw in common, other than Fx/NS.

Tom, Montagar, please list your plugins - I have a hunch. See below...

Flash
Quicktime
Java

which probably the vast majority of Fx users have.

Nothing really helpful there... I assume you have it all totally updated?
I had been hoping for something more like this: http://blog.johnath.com/2008/12/08/firefox-malware/

The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org"

Ah. NOW we're getting someplace - perhaps you and Tom had two different, although similar, infections!

Yes, I noticed that in my first reply to OP. I tried going to innoshots.org, and got a Forbidden error. Montagar could try that -- with NS locked down, of course.) Innoshot.com is in fact a web site of some type, and that is the domain of the script that I saw. So yes, maybe they are slightly different malcodes, which might account for the fact that mine disappeared: For some reason, the .org variant is more persistent or better hidden.

Maybe this is like Conficker - each version gets more robust than the last? (btw, I got that Forbidden error on innoshots.org as well - it's certainly possible that #1 the referrer is checked or #2 only very specific pages on innoshots.org are allowed - such as malicious executable download pages)

I "found" it after OP, but yes, I could have picked it up earlier, before I blocked yahoo.com to avoid the annoying redirects from logout of Yahoo mail.

Have you ever browsed without Sandboxie? It could have slipped in then...

Which more and more seems to narrow this to a plugin.

MAYBE NOT.

Awhile ago, I had an issue with Firefox - it wouldn't play mp3 files properly, showing a "Loading video" placeholder instead. I tried disabling all my plugins, esp. the media plugins, then re-enabling them one by one - the problem persisted. Only after I uninstalled (TOTALLY uninstalled, not just a plugin) VLC Media Player did the problem go away. For some reason, VLC had ignored my MIME type settings, my file associations, my Fx content associations, and the WMP plugin's default status for mp3's. The VLC plugin apparently stayed running, even after it was disabled (or VLC just plain took over Fx; either one is unacceptable); maybe this is a similar thing. Hence my request for a plugin list from each of you... (btw, for those interested, the MozillaZine thread covering my VLC issue is located at http://forums.mozillazine.org/viewtopic ... &t=1526525)

Intersting! I *did* install VLC a while back, on the HD, then uninstalled it and got the portable version on the USB drive. But if it were corrupted, that's *definitely* a possiblity. I didn't install it as a Fx plugin, but it could have done its damage before.

@ Montagar: Got VLC player?

I was thinking less of VLC specifically than of ANY application - I figure if VLC can override all those settings of mine and get to mp3 files, this innoshot thing can override whatever safety precautions are in place and embed itself in its "hit-list" of sites...


OH BOY, CHECK THIS OUT.
Sorry about the bold, I'm extremely excited right now... I think you two might have had a hidden addon!! Tom, your addon manipulation somehow scratched out your infection; Montagar, you might not have hit the right action combo yet. Anyway, with no further speculation:
http://kb.mozillazine.org/Uninstalling% ... extensions
http://forums.mozillazine.org/viewtopic ... 8&t=948945
http://www.malwarebytes.org/forums/inde ... topic=7467

The first link is a MozillaZine article about removing malicious extensions; the last two are the juicy ones, and the symptoms look awfully familiar... I think we've finally got something!!!

[GµårÐïåñ]

First off, I was going to say it but since Alan already has, I have to say that he is correct, firefox.com is just fine and is legit and unlikely to be an attack vector. That being said the "hidden" extensions as is called here and there, are not so hidden. They may be installed using code directly into the registry like some well known companies (Microsoft, VideoLAN, DigitalPersona, RoboForm, RealPlayer, etc etc) but although the installation may be silent the presence is NOT. You will ALWAYS see an extension that is installed in the your extensions list and/or plugins page. That registry key is very helpful in removing stubborn global installs that won't go away on their own but nothing malicious can hide there long unless people just don't check their addons and what they are running.

As a POC, it is possible to load a compiled dll that piggy backs on an extension that is trusted and then do damage but the presence of it will be felt regardless because in order to exploit the admin/privileges access of chrome through an extension, it has to register it with the browser's core, hence, not hidden, just silent. Hidden action (clandestine) does not mean its hidden (transparent). You send in the spec-ops they will kill and leave before you know they were there, but you WILL know they were there shortly after. You may have been exposed to a hit and run code, extension, rogue extension, addon, or exploited addon/extension but its not "hidden" hidden, you just have to look to see if something is there that you didn't put there and then if you can't remove it because its global, then hit the registry. Just saying, let's not rush to judgment.

[Tom T.]

CF: ...I don't think cross-version attacks would be too difficult...

I'm sorry, my wording wasn't clear. The link you gave said that the poster got the infection *in a Fx update*. What I was trying to say is that Fx2 hasn't been updated since Dec. 2008, whereas OP has the latest update. So the chance of last year's update of 2.x19 to 2.x20, *and* OP's several updates of 3.5.x *both* containing malware seem slim. Surely millions would have seen this?

Link #1: MZ:

There have been a few reports of malware being installed as a hidden Firefox extension, via the Windows Registry. In the reported cases, the HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\ key was used to install the malicious extension.

Nothing unusual in that Registry key or values, nor in the corresponding files and folders.

Second link:

Last night, I got the notification that there was a new version of Firefox available, so I updated. After it had installed and I restarted, I noticed that the add-ons box popped up and it said that a new add-on had been installed, but I didn't actually see anything new.

I'm sure that I would have seen and investigated such a pop-up message. I'm sure that I haven't seen one.

Anywho, let's say you search for something on Google or Yahoo (ask.com was mentioned as well, but I didn't try that). Let's also say that the first result for your search is http://www.mozilla.com. When you mouseover the link, you see http://www.mozilla.com in the status bar, but when you click it, you go to something like...

This is *not* the same issue as OP. He and I both saw it *upon first connecting* to Google, *without* clicking or mouseover any links -- and even when no Internet connection was available.

The above-linked poster's fix:

I've already got it fixed... as mentioned on the first link, you need to delete the folder:

Documents and Settings\(your name)\Local Settings\Application Data\{33238016-EFEB-43AA-8BCE-3CA12861EE79}

{33238016-EFEB-43AA-8BCE-3CA12861EE79} seems to be unique to each computer - mine was named {385E83C1-7EFE-491C-B303-2F462B11E491}.

I have no such string-named folder at that location. There was a long-string .ini, but a quick search showed that that was a Media Player Classic file.

Note the difference in symptoms also in Link #3:

Recently, I noted that when opening search results from Google in Firefox 3.0.3, I would occasionally get redirected to a different, unrelated website than the one I thought I was headed for.

Again, that is *not* the issue. We were *not* being redirected from search results in Google, but rather saw this script trying to run even if we couldn't get to Google. (Internet connection off.)

You will ALWAYS see an extension that is installed in the your extensions list and/or plugins page. That registry key is very helpful in removing stubborn global installs that won't go away on their own but nothing malicious can hide there long unless people just don't check their addons and what they are running.

As said, nothing in the extensions or plugins list, folders, etc.; nothing in that registry key -- just the paths to the appropriate folders:
HKLM\SW\MZ\MZ Fx 2.0.0.20\Extensions (pardon the abbreviations, since we're all talking about the same key)

Components: = REG_SZ C:\Program Files\Mozilla Firefox\components
Plugins: = REG_SZ C:\Program Files\Mozilla Firefox\plugins

Two below that subkey in the Software folder is MozillaPlugins, with the only subkey: @adobe.com/FlashPlayer, and all of those entries look like perfectly normal entries related to Flash; no anomalies.

Appreciate all the time and effort you've put into this, CF, but these don't quite seem to fit, either.
But since I can't reproduce it, and OP apparently still can, Montagar should definitely check all of the above folder locations and Registry keys. But according to Guardian, they would show up in the Extensions or Plugins list anyway.

@ Guardian: Is it possible that a "legitimate" extension was corrupted to contain the rogue script? Should we check checksums on those extension folders? (Since I can't reproduce it, I doubt I'd find anything.)

[Montagar]

Wow... my head is spinning at the moment from trying to read all the latest replies.

I have completely powered down my computer many times since this issue appeared.

In sorting through the latest replies, I am having trouble making sure that I am checking all of the correct folders and registry keys, and knowing exactly what I should be looking for. It is my belief that this issue is tied to some kind of plugin/add-on issue.

Can someone please (without doing any post quoting ), list the folders and keys that I should check and what I should be looking for? THANKS

[computerfreaker]

@Montagar - here are the Registry keys you should check.
HKLM\Software\Mozilla - check ALL subkeys (including sub-sub-keys).
HKLM\Software\MozillaPlugins - check ALL subkeys.

Under HKLM\Software\Mozilla\Mozilla Firefox [your-current-version-here]\, you should find two subkeys - bin and extensions. Check the extensions subkey; that will have two subkeys of its own. (Sorry to be confusing like this, but I'm describing it as clearly as possible)
Those subkeys are called "Components" and "Plugins" - check the two folders referenced in those registry keys.
Then, just manually scan through your Firefox directory, looking for anything "out-of-place" - ESPECIALLY folders labeled with an addon-style GUID.

I'm still fairly certain we're looking at a rogue addon, and I'll respond to Tom & Guardian in a moment...

[computerfreaker]

First off, I was going to say it but since Alan already has, I have to say that he is correct, firefox.com is just fine and is legit and unlikely to be an attack vector. That being said the "hidden" extensions as is called here and there, are not so hidden. They may be installed using code directly into the registry like some well known companies (Microsoft, VideoLAN, DigitalPersona, RoboForm, RealPlayer, etc etc) but although the installation may be silent the presence is NOT. You will ALWAYS see an extension that is installed in the your extensions list and/or plugins page. That registry key is very helpful in removing stubborn global installs that won't go away on their own but nothing malicious can hide there long unless people just don't check their addons and what they are running.

The forum threads I referenced said "nothing extra was in the addon list, although Firefox said one new addon had been installed" - as I haven't run across anything like this myself, I felt it worthwhile to mention.

As a POC, it is possible to load a compiled dll that piggy backs on an extension that is trusted and then do damage but the presence of it will be felt regardless because in order to exploit the admin/privileges access of chrome through an extension, it has to register it with the browser's core, hence, not hidden, just silent. Hidden action (clandestine) does not mean its hidden (transparent). You send in the spec-ops they will kill and leave before you know they were there, but you WILL know they were there shortly after. You may have been exposed to a hit and run code, extension, rogue extension, addon, or exploited addon/extension but its not "hidden" hidden, you just have to look to see if something is there that you didn't put there and then if you can't remove it because its global, then hit the registry. Just saying, let's not rush to judgment.

No, it can't be totally "hidden" like "invisible" hidden, but I'd say anything hiding from the addons list is moderately safe from discovery unless somebody is actively poking around looking for something - just what we're doing.

I'm sorry, my wording wasn't clear. The link you gave said that the poster got the infection *in a Fx update*. What I was trying to say is that Fx2 hasn't been updated since Dec. 2008, whereas OP has the latest update. So the chance of last year's update of 2.x19 to 2.x20, *and* OP's several updates of 3.5.x *both* containing malware seem slim. Surely millions would have seen this?

yes, you're right. Another idea gone, but with so few possibilities left, we're down to the good ones... (and one not-so-good one, having to admit defeat)

Nothing unusual in that Registry key or values, nor in the corresponding files and folders.

No, but your infection seems to be gone - let's see what Montagar finds.

Last night, I got the notification that there was a new version of Firefox available, so I updated. After it had installed and I restarted, I noticed that the add-ons box popped up and it said that a new add-on had been installed, but I didn't actually see anything new.

I'm sure that I would have seen and investigated such a pop-up message. I'm sure that I haven't seen one.

I'm sure you would have seen that, too. However, that doesn't have to be the delivery method - what about a "piggyback"? If this rogue addon entered your machine with a legit download, it might have covered its tracks - end result, no popup message.

Anywho, let's say you search for something on Google or Yahoo (ask.com was mentioned as well, but I didn't try that). Let's also say that the first result for your search is http://www.mozilla.com. When you mouseover the link, you see http://www.mozilla.com in the status bar, but when you click it, you go to something like...

This is *not* the same issue as OP. He and I both saw it *upon first connecting* to Google, *without* clicking or mouseover any links -- and even when no Internet connection was available.

I know it's not the same issue, but it's the same caliber issue - somebody goes to Google, Yahoo, Bing, etc. and a malicious addon takes full advantage of that. Their infection took the form of being redirected, but this infection takes the form of launching another site's script. Shouldn't be all that hard to change the payload, right? Maybe the virus writers wanted something a little less noticeable than a full redirect?

The above-linked poster's fix:

I've already got it fixed... as mentioned on the first link, you need to delete the folder:

Documents and Settings\(your name)\Local Settings\Application Data\{33238016-EFEB-43AA-8BCE-3CA12861EE79}

{33238016-EFEB-43AA-8BCE-3CA12861EE79} seems to be unique to each computer - mine was named {385E83C1-7EFE-491C-B303-2F462B11E491}.

I have no such string-named folder at that location. There was a long-string .ini, but a quick search showed that that was a Media Player Classic file.

Well, your infection is gone so I wouldn't expect you to find anything - Montagar might have different results.
Also, this is clearly a different malware, so I'd hardly expect it to use the same GUID...

Note the difference in symptoms also in Link #3:

Recently, I noted that when opening search results from Google in Firefox 3.0.3, I would occasionally get redirected to a different, unrelated website than the one I thought I was headed for.

Again, that is *not* the issue. We were *not* being redirected from search results in Google, but rather saw this script trying to run even if we couldn't get to Google. (Internet connection off.)

I know, but see my comment above - the attack container (malicious addon) is probably the same, but the payload changed - after all, something a little less obvious but a little more effective is always what those malware writers seem to want...

As said, nothing in the extensions or plugins list, folders, etc.; nothing in that registry key -- just the paths to the appropriate folders:
HKLM\SW\MZ\MZ Fx 2.0.0.20\Extensions (pardon the abbreviations, since we're all talking about the same key)

Components: = REG_SZ C:\Program Files\Mozilla Firefox\components
Plugins: = REG_SZ C:\Program Files\Mozilla Firefox\plugins

Two below that subkey in the Software folder is MozillaPlugins, with the only subkey: @adobe.com/FlashPlayer, and all of those entries look like perfectly normal entries related to Flash; no anomalies.

Well, as I mentioned, we need Montagar to find something - since your infection is apparently gone, I wouldn't expect to see anything unusual in your Registry... Monty's different though. (Come to think of it, he's the last "live" link to this malware...)

Appreciate all the time and effort you've put into this, CF, but these don't quite seem to fit, either.

Maybe my revised & explained explanation will fit better...

But since I can't reproduce it, and OP apparently still can, Montagar should definitely check all of the above folder locations and Registry keys. But according to Guardian, they would show up in the Extensions or Plugins list anyway.

Not to pick an argument with Guardian, and he knows way more about this stuff than I ever will, but I still think we're looking at a hidden addon. The guys in the MozillaZine & MalwareBytes forums had a hidden addon, and we don't have much else to go with...

A hidden, rogue addon would also take care of an infection vector - all we'd need is a combination of hacked, legitimate addons and/or hacked, legitimate applications to spread the infection. (Now the question is, how would only two people get the infection??)

@ Guardian: Is it possible that a "legitimate" extension was corrupted to contain the rogue script? Should we check checksums on those extension folders? (Since I can't reproduce it, I doubt I'd find anything.)

Sure, it would be possible for a legitimate addon to be corrupted... remember the GreaseMonkey and Firebug security holes? They could be corrupted, IIRC, even by visiting a malicious webpage... no "formal" installation of anything required.
idk about checking checksums, though - if any changes were made to those folders, whether by Fx or by the user, the checksums would be different and a legitimate addon might get blasted for something it didn't do...

[Montagar]

THAT'S IT! computerfreaker's links have pointed to a different version of the same type of rouge extension "blank" install.

C:\Documents and Settings\user\Local Settings\Application Data\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}

that folder contains the following:

chrome.manifest (file)
install.rdf (file)
chrome (folder, contents bellow)
content (folder, contents bellow)
_cfg.js (file)
overlay.xul (file)

associated registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"="C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"

I have removed all of the above and the innoshots.org script is gone.

I don't remember having a blank extension install verification screen come up, but anything is possible I guess. I am thinking that it might have piggybacked it's way on the install of something else.

Thanks to all of you for your diligence in trying to solve this problem!

[computerfreaker]

THAT'S IT! computerfreaker's links have pointed to a different version of the same type of rouge extension "blank" install.

C:\Documents and Settings\user\Local Settings\Application Data\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}

that folder contains the following:

chrome.manifest (file)
install.rdf (file)
chrome (folder, contents bellow)
content (folder, contents bellow)
_cfg.js (file)
overlay.xul (file)

associated registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"="C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"

I have removed all of the above and the innoshots.org script is gone.

I don't remember having a blank extension install verification screen come up, but anything is possible I guess. I am thinking that it might have piggybacked it's way on the install of something else.

Thanks to all of you for your diligence in trying to solve this problem!

YESSSS!!!!
Glad to hear the problem's resolved, Montagar!!

Tom, I'm guessing your sandbox saved you... or perhaps your addon enabling/disabling somehow destroyed this thing. You might want to check, though, just to be sure...

Have a great one, guys!!!

[therube]

C:\Documents and Settings\user\Local Settings\Application Data\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}

that folder contains the following:

chrome.manifest (file)
install.rdf (file)
chrome (folder, contents bellow)
content (folder, contents bellow)
_cfg.js (file)
overlay.xul (file)

associated registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"="C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"

And so what was it? Do you still have the items? What are the dates or the directories/files?

Just thinking. It may not have even been a "Mozilla" (like FF) related application.
Think, MediaCoder, which uses (used) the Mozilla (XUL, whatever you may call it) backend.

Obviously \Local Settings\Application Data\ is not a typical place for a FF extension to place itself.

(Just the other day I was looking at <McAfee> SiteAdvisor <which may be causing problems in SeaMonkey> & noticed that it set itself up in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions. I forced it upon SeaMonkey <which it would not ordinarily do> by adding its key to HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\Extensions, but <at least> that alone would not allow it to run.)

[Montagar]

And so what was it? Do you still have the items? What are the dates or the directories/files?

Just thinking. It may not have even been a "Mozilla" (like FF) related application.
Think, MediaCoder, which uses (used) the Mozilla (XUL, whatever you may call it) backend.

Obviously \Local Settings\Application Data\ is not a typical place for a FF extension to place itself.

(Just the other day I was looking at <McAfee> SiteAdvisor <which may be causing problems in SeaMonkey> & noticed that it set itself up in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions. I forced it upon SeaMonkey <which it would not ordinarily do> by adding its key to HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\Extensions, but <at least> that alone would not allow it to run.)

I still have the items, but I have not investigated them any further at this point. Everything was created on 10/8, so it had only been there for about a week before I installed NoScript and started to notice it (I did a few days of research before I started this thread).

Can a separate program can install an extension into FF and have it not show up in the extensions or add-ons list all without any warning or installation confirmation from FF?

[computerfreaker]

And so what was it? Do you still have the items? What are the dates or the directories/files?

Just thinking. It may not have even been a "Mozilla" (like FF) related application.
Think, MediaCoder, which uses (used) the Mozilla (XUL, whatever you may call it) backend.

Obviously \Local Settings\Application Data\ is not a typical place for a FF extension to place itself.

(Just the other day I was looking at <McAfee> SiteAdvisor <which may be causing problems in SeaMonkey> & noticed that it set itself up in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions. I forced it upon SeaMonkey <which it would not ordinarily do> by adding its key to HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\Extensions, but <at least> that alone would not allow it to run.)

I still have the items, but I have not investigated them any further at this point. Everything was created on 10/8, so it had only been there for about a week before I installed NoScript and started to notice it (I did a few days of research before I started this thread).

Can a separate program can install an extension into FF and have it not show up in the extensions or add-ons list all without any warning or installation confirmation from FF?

Thank you for keeping those, they'll be useful in terms of analyzing this.
Would you be willing to zip them & upload them to a public, file-sharing site so we can DL & examine them? (Don't forget to mangle the protocol when you post the link, and make sure you name the zip archive in such a fashion that everyone will know it's malware! We don't want anybody else getting this... )

yes, I think a separate program could install an addon into Fx and have it not show up, with no warning or confirmation - Fx clearly has to set some kind of flag to mark an addon as "not-new", and it should be easy for an external app to modify the prefs database... hidden addons are clearly possible, and setting the "not-new" flag shouldn't be much harder. IIRC, the prefs DB is just a simple SQLite database - fairly easy to modify.

[Montagar]

Okay, I'll admit that I am stupid for not knowing that Windows XP will not search for content inside of a .xul file, I am sure there are plenty of other extensions that are excluded as well.

If I had know that, I would have looked for a program that would search the content of ALL files. Sorry about that guys. This would have been found a long time ago.

The overlay.xul file contains all of the information that we were looking for... google.com, yahoo.com, ask.com, etc.

Man, do I feel dumb.