computerfreaker wrote: I'll be danged. I copied Monty's Pastebin upload into Notepad and saved it as "overlay.xul" - Microsoft Forefront Client Security
At least one AV program gets this - and it's MS's. Go figure...
I actually didn't try MBAM on this computer, so I wouldn't know... I wasn't implying that MBAM couldn't find the Goored infection, but I've read that detection rates are incredibly low for this malware so I commented on the (immediate) detection by MFCS.
Tom T. wrote: So much for MalwareBytes Anti-Malware being the "bleeding edge" in detecting malware. (No offense to Firefoxer and the whole MB team, but....)
CF wrote: Looks like some fairly simple code - it monitors the address bar for certain strings, i.e. Google, Bing, Ask.com, AOL, etc. If one of those strings is found, the malware redirects the page by replacing the address in the address bar
I know we knew that already, but, as you said, nice to have proof.
Tom T. wrote: Actually, we already knew that... but it's good to have it proven. Any evidence as to the *source*? ... probably not.
No evidence as to the source - yet. Monty's PM might be of use here...
You're very kind, thank you!
Tom T. wrote: Too bad this board doesn't give Karma points, but somehow I expect that you'll get them anyway, in life.
Nice.

Thanks, Monty! I'll take appropriate action as soon as possible.
Montagar wrote: computerfreaker, Tom T., and GµårÐïåñ... you have private messages.
EDIT: wow. The meat of this seems to be overlay.xul - the rest, AFAICT, is mostly install & config information, as well as the jQuery library.
I have to say, though, I'm quite irritated the malware writers went out of their way to smear a legit addon...

You can sure say that again... we're up to >160 posts.
therube wrote: Since this thread deserves a forum of its own ...
Then try a contents search of the files in your extensions directory tree for the string 'innoshot' & see if anything turns up. (Could be plugin related too, I suppose?)
From what I can see, it's an extension, pure and simple.
therube wrote: And it was? Extension? Plugin? A bit of each?
Basically the right idea. We just were not looking in enough possible locations & further searching for other potential strings.
The idea was entirely correct, the problem was the Windows Search limitations, which inadvertently gave the malware a new lease on life.
Safe Mode... interesting thought. While at first blush it doesn't look like the addon could be stopped by going into Safe Mode, I bet it could be...
therube wrote: So this "hidden" extension/plugin, whatever it is, was not thwarted by starting in Safe Mode?
And -safe-mode does not block plugins, or it does? (Maybe I should read the linked article!)
Safe Mode, AFAIK, doesn't block plugins. It just disables addons...
I have Comodo software firewall
I think this Goored thing piggybacked on Firefox's firewall exception - because Firefox has the firewall extension, and the extension is technically part of Firefox, it could get through. An analogy: a leech sticks to your leg but you don't notice it. You go home, get into the house, and the leech comes along - taking advantage of your "clearance" into the house to get in as well.
therube wrote: Comodo is quite talkative, wanting you to confirm all kinds of actions. So if something odd was trying to run or to get it, you would think it would have been flagged. Unless that part of the firewall were disabled?
The current guess is a drive-by download, a by-product of Google or Yahoo (or both) getting hacked.
therube wrote: And Tom had the same experience - for a short while. How did that happen?
Only thing is - how could Google and Yahoo get hacked at the same time? I mean, we've got 2 gigantic corporations here, surely somebody in there would have noticed if any weird scripts started running or anything else looked weird? I'm no expert at this kind of thing, but I'd hardly expect a hacker, and the effects of his hacking, to be invisible while he does his dirty work... and why didn't anybody from Google or Yahoo come out and say "yes, we got hacked. Better run your antivirus software, people"?
Tom T. wrote: *Had* to be drive-by or otherwise picked up on-the-fly, since Sandbox emptying disposed of it. The fact that I use Yahoo mail, and therefore trust the 60 to 80 scripts (no kidding) that they run *just for mail*, suggests that rogue code got into a Yahoo script, at least for me. Monty doesn't use Yahoo mail, but apparently, he visits Google (I don't -- use only secure Scroogle for searches, and use no other Google services), and they could have been targeted, too.
therube wrote: (Yeah, yeah, I know, the simple answer. Porn & warez. But that alone tells nothing.)
I doubt this would be that simple - there are too many people picking up Goored variants. You can't chalk all of those infections up to inappropriate content or pirated apps... there's got to be another way.
Tom T. wrote: Neither apply in my case.
Tom, Monty, would you be willing to post the apps (and Fx addons, plugins, etc.) you've got installed on your computer?
The malware (as expected) isn't revealing anything about its source, and maybe we can get a common denominator by seeing your apps, extensions, plugins, etc. lists...
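As an added example (not code from the thread or from any of the posters), here is the kind of contents search therube suggests above, done without relying on a desktop search index: it walks a Firefox extensions directory tree and also opens packed .xpi/.jar files, which is where an indexed Windows Search can miss the string. The indicator strings 'innoshot' and 'overlay.xul' are the ones named in the thread; the directory layout and file contents in build_sample are constructed for the demo and are not the real malware.

```python
import os
import tempfile
import zipfile

# Indicator strings from the thread, matched case-insensitively on file names and contents.
INDICATORS = ("innoshot", "overlay.xul")
ARCHIVE_EXT = (".xpi", ".jar")

def _hits(name, data, needles):
    """Set of needles found in a file name or in its raw bytes."""
    name, data = name.lower(), data.lower()
    return {n for n in needles if n.lower() in name or n.lower().encode() in data}

def scan_extensions(root, needles=INDICATORS):
    """Sorted (path, indicator) pairs for every match under root; members of packed
    .xpi/.jar extensions are scanned as well and reported as 'file.xpi!member'."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ARCHIVE_EXT) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:  # content search inside the archive
                    for member in zf.namelist():
                        for n in _hits(member, zf.read(member), needles):
                            found.add((path + "!" + member, n))
            else:
                with open(path, "rb") as fh:
                    for n in _hits(name, fh.read(), needles):
                        found.add((path, n))
    return sorted(found)

def build_sample(root):
    """Constructed sample tree (not the real malware): an unpacked extension whose overlay.xul
    mentions 'innoshot', a packed .xpi registering an overlay.xul, and a clean extension."""
    unpacked = os.path.join(root, "{ext-a}", "chrome", "content")
    os.makedirs(unpacked)
    with open(os.path.join(unpacked, "overlay.xul"), "w") as fh:
        fh.write('<overlay id="innoshot-overlay"/>\n')
    with zipfile.ZipFile(os.path.join(root, "ext-b.xpi"), "w") as zf:
        zf.writestr("chrome.manifest",
                    "overlay chrome://browser/content/browser.xul chrome://b/content/overlay.xul\n")
    os.makedirs(os.path.join(root, "{ext-c}"))
    with open(os.path.join(root, "{ext-c}", "install.rdf"), "w") as fh:
        fh.write("<RDF/>\n")

def demo():
    """Scan the constructed sample; return hits with paths relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), n) for p, n in scan_extensions(tmp)]
```

To run it against a real installation, point scan_extensions at the profile's extensions directory (and the application-wide one) instead of the constructed sample.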