But that did *not* happen here. Both Monty and I could *go* to Google, Ask, etc. without being redirected.The typical Goored infection redirects the browser from search engine sites to adware/scumware site
Right! And without NoScript, I doubt anybody would have noticed the infection at all...Tom T. wrote:But that did *not* happen here. Both Monty and I could *go* to Google, Ask, etc. without being redirected.The typical Goored infection redirects the browser from search engine sites to adware/scumware site
AHA! Because the redirection script was prevented by (drum roll) ... NoScript!
A little? Heh.The quote nesting is getting a little crazy
http://forums.informaction.com/viewtopi ... 201#p13201therube wrote:So is this ZIP'd, posted someplace yet?
therube wrote:Oh, & to search for file (names), there is nothing like Everything search engine!
No one had any trouble locating the overlay.xul once it was known what to look for. What might have helped was something that would search the contents of said file for the string "innoshot", which, to our surprise, someone (either CF or Monty) said Windows didn't search inside certain files. Plus, "innoshot" might not turn out not to be there. Probably obfuscated, and you could redirect by IP. (I posted the IP of innoshot.com earlier: 210.97.228.26.)everything wrote:]1.3 Does Everything search file contents?
No, "Everything" does not search file contents, only file and folder names.
Wow, that is one *long* string, all right! Good choice not to post it here with code tags.Montagar wrote:I have decided to post just the actual script code that is contained in overlay.xul
The code contains no formatting, so it's just one long string.
Here is the pastebin link: http://pastebin.com/f55f211e9
I have run gooredfix to make sure that nothing remains of this malware.
I have also checked for any suspect dlls and I have used autoruns as well.
Code: Select all
loc=doc.location.href;if(loc_bar.match(/google.*\/(search|cse).*[&\?]q=/)|
|loc.match(/\/search\.yahoo.*search.*[&\?]p=/)|
|loc.match(/ask.com.*\/web.*[&\?]q=/)||loc.match(/bing.com\/search.*[&\?]q=/)|
|loc.match(/aol\/search.*(query|q)=/)){src.search(/(http:\/\/[^\/]+\/)/);var
Tom... that was the point of my "I feel dumb" post, I was mad at myself once I saw that the search engines were listed in plain text. We all had figured that the innoshots part would be hidden, but I did search after search after search for bing figuring that would be the most unique not knowing that the OS didn't search the contents of .xul files (and a bunch of others it turns out!).Tom T. wrote:D'oh, all of us. Instead of searching for "innoshot", we should have been searching for files containing the affected search engines. Google, Yahoo, Bing, Ask, AOL .
Dang it. Somebody sure covered their tracks nicely. Heavily obfuscated, all the way... although de-obfuscating it shouldn't be too hard. I posted a link to a de-obfuscating article recently, just need to find it...Montagar wrote:I have decided to post just the actual script code that is contained in overlay.xul
The code contains no formatting, so it's just one long string.
Here is the pastebin link: http://pastebin.com/f55f211e9
Sounds good. Glad to hear you're safe now...Montagar wrote:I have run gooredfix to make sure that nothing remains of this malware.
I have also checked for any suspect dlls and I have used autoruns as well.
Interesting is right. I'd better break out Sandboxie and Tracemonkey...Tom T. wrote:Wow, that is one *long* string, all right! Good choice not to post it here with code tags.
It will be interesting searching through.
Ditto. Montagar, probably the only way we're going to figure this out is with the name of the addon this belongs to... please would you drop us the name in a PM? As always, your PM will be kept strictly confidential...Tom T. wrote:Glad you're safe now. Still need to find out *how* it arrives.
True. The obfuscation we suspected is there, all right...Tom T. wrote:Edit: As suspected, "innoshot" does not appear in that blob. So even a search of file contents wouldn't have located it.
The smoking gun, indeed.Tom T. wrote:Well, here's the smoking gun: (broken into lines so it doesn't run out the screen and into the next room)
Code: Select all
loc=doc.location.href;if(loc_bar.match(/google.*\/(search|cse).*[&\?]q=/)| |loc.match(/\/search\.yahoo.*search.*[&\?]p=/)| |loc.match(/ask.com.*\/web.*[&\?]q=/)||loc.match(/bing.com\/search.*[&\?]q=/)| |loc.match(/aol\/search.*(query|q)=/)){src.search(/(http:\/\/[^\/]+\/)/);var
True... but we had no way of knowing that.Tom T. wrote:D'oh, all of us. Instead of searching for "innoshot", we should have been searching for files containing the affected search engines. Google, Yahoo, Bing, Ask, AOL .
Montagar posted the source for overlay.xul on pastebin... http://pastebin.com/f55f211e9therube wrote:Free Javascript Obfuscator - Protects JavaScript code from stealing and shrinks size
Sure, looks about right.
And that was the point of my D'oh post, as I know about the Windows Search limitations... I just never thought to apply that knowledge here.Montagar wrote:Tom... that was the point of my "I feel dumb" post, I was mad at myself once I saw that the search engines were listed in plain text. We all had figured that the innoshots part would be hidden, but I did search after search after search for bing figuring that would be the most unique not knowing that the OS didn't search the contents of .xul files (and a bunch of others it turns out!).Tom T. wrote:D'oh, all of us. Instead of searching for "innoshot", we should have been searching for files containing the affected search engines. Google, Yahoo, Bing, Ask, AOL .
So ultimately we were searching for the right items, just let down by limited knowledge of the limitations of the Windows XP search function.
OT: As I was struggling with the Windows search engine again today (this time with NSIS scripts), does anybody know of a better search engine? Everything only searches file & folder names, so that won't work... (or would locate32 do the trick?)
Oops, missed one.
[quote="therube"So is this ZIP'd, posted someplace yet?
Unfortunately, Everything only searches file names... does Locate32 search file contents too? (Sorry, can't check right now - I'm in a bit of a hurry)therube wrote:Oh, & to search for file (names), there is nothing like Everything search engine!
Locate32 is really nice too, but Everything is just, EVERYTHING.
(Both Windows only. Everything needs NTFS drives.)
Well, with 145 posts or so on the same topic, what would you expect?therube wrote:A little? Heh.The quote nesting is getting a little crazy
you know, I actually have that addon... haven't used it as I haven't needed it, but now would be a good time.therube wrote:Don't know if this can help JavaScript Deobfuscator so that you won't have to manually decode each section?
SOLVED!Montagar wrote:Tom... that was the point of my "I feel dumb" post, I was mad at myself once I saw that the search engines were listed in plain text. We all had figured that the innoshots part would be hidden, but I did search after search after search for bing figuring that would be the most unique not knowing that the OS didn't search the contents of .xul files (and a bunch of others it turns out!).Tom T. wrote:D'oh, all of us. Instead of searching for "innoshot", we should have been searching for files containing the affected search engines. Google, Yahoo, Bing, Ask, AOL .
So ultimately we were searching for the right items, just let down by limited knowledge of the limitations of the Windows XP search function.
(emphasis mine).WatchetFind! - search the contents of text files - even under Windows XP
Free utility - fast text search - through selected drives/folders/file types
Speeds up text searching. Particularly useful for XP users who may find they can't search certain types of files.
Originally developed for our own in-house use on Windows XP machines where the operating system prevents searching certain file types.
WatchetFind! is a very fast text-search utility offering drive/folder searching - selecting by file type - choose case sensitive/insensitive, whole word search and nested folder tree options.
The dirty rats... they sure went out of their way to cover themselves.Montagar wrote:Oh, I do need to clear something else up, I was able to determine that this code is not part of any of the add-ons that the "named" developer has on mozilla.org... it appears that someone has placed a particular developers copyright info in this .xul file to make it appear that it is his code.
Well, I'm glad the "named" addon isn't responsible; regardless of the addon, a malicious addon on mozilla.org would really cause a stink.Montagar wrote:I confirmed this by installing the add-ons in question on a separate computer (with a fresh OS install) and checking everything that was installed/changed. I also looked at the code associated with the add-ons themselves.
Great!!Tom T. wrote:SOLVED!Montagar wrote:Tom... that was the point of my "I feel dumb" post, I was mad at myself once I saw that the search engines were listed in plain text. We all had figured that the innoshots part would be hidden, but I did search after search after search for bing figuring that would be the most unique not knowing that the OS didn't search the contents of .xul files (and a bunch of others it turns out!).Tom T. wrote:D'oh, all of us. Instead of searching for "innoshot", we should have been searching for files containing the affected search engines. Google, Yahoo, Bing, Ask, AOL .
So ultimately we were searching for the right items, just let down by limited knowledge of the limitations of the Windows XP search function.
http://www.pcl-online.org/watchetsoft/h ... tfind.html
(emphasis mine).WatchetFind! - search the contents of text files - even under Windows XP
Free utility - fast text search - through selected drives/folders/file types
Speeds up text searching. Particularly useful for XP users who may find they can't search certain types of files.
Originally developed for our own in-house use on Windows XP machines where the operating system prevents searching certain file types.
WatchetFind! is a very fast text-search utility offering drive/folder searching - selecting by file type - choose case sensitive/insensitive, whole word search and nested folder tree options.
I just d/l this, scanned for virus, OK, installed.
I then created a file called test.xul, containing the singe word, "google". Buried it several folders deep in some random folder. Searched for "google" and it found the .xul file "immediately" -- plus many Fx .js files with "google" inside, because the code is credited to Google or to someone from Google. None of which, presumably, would have been found under the standard XP search.
Well, does anybody with Vista or Windows 7 want to try this out? (I'd do it, but I've never even used a Vista/7 box - the highest I've gotten is XP SP3)Tom T. wrote:Unfortunately, it doesn't appear to support Vista+, as it was dated 2003 -- but it *might*. Only 1.29 MB installed. Very user-friendly.
True... 20/20 human hindsight again.Tom T. wrote:Using this tool to search "google", "ask", etc. would have found the miscreant file very quickly.
Super-valuable tool, period!Tom T. wrote:I'm going to duplicate this post in Web Tech, for more general dissemination. Super-valuable tool for us malware hunters, eh?
Yeah, I was thinking that too. Now we just need to find out how they evaded Guardian's very firm opinion that it would have shown up somewhere in the Add-ons/Extensions list. Some new obfuscation technique?computerfreaker wrote:Well, I'm glad the "named" addon isn't responsible; regardless of the addon, a malicious addon on mozilla.org would really cause a stink.
) rights. Of course, it was immediately changed to XP. If no one with a native Vista/7 installation wants to try it, I could re-install Vista long enough to install this tool and test it, then use my disk-image backup to get back to where it was. It would be a lot faster if someone running these systems already would try it, though.