RESOLVED Strange script tries to run when connection is down

Ask for help about NoScript, no registration needed to post
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

computerfreaker wrote:I'll be danged. I copied Monty's Pastebin upload into Notepad and saved it as "overlay.xul" - Microsoft Forefront Client Security
At least one AV program gets this - and it's MS's. Go figure... :roll:
Tom T. wrote:So much for MalwareBytes Anti-Malware being the "bleeding edge" in detecting malware. (No offense to Firefoxer and the whole MB team, but....)
I actually didn't try MBAM on this computer, so I wouldn't know... I wasn't implying that MBAM couldn't find the Goored infection, but I've read that detection rates are incredibly low for this malware so I commented on the (immediate) detection by MFCS.
CF wrote:Looks like some fairly simple code - it monitors the address bar for certain strings, i.e. Google, Bing, Ask.com, AOL, etc. If one of those strings is found, the malware redirects the page by replacing the address in the address bar
Tom T. wrote:Actually, we already knew that. :D .. but it's good to have it proven. Any evidence as to the *source*? ... probably not.
I know we knew that already, but, as you said, nice to have proof.
No evidence as to the source - yet. Monty's PM might be of use here...
Tom T. wrote:Too bad this board doesn't give Karma points, but somehow I expect that you'll get them anyway, in life. ;) Nice. :ugeek:
You're very kind, thank you! :D
Montagar wrote:computerfreaker, Tom T., and GµårÐïåñ... you have private messages.
Thanks, Monty! I'll take appropriate action as soon as possible.
EDIT: wow. The meat of this seems to be overlay.xul - the rest, AFAICT, is mostly install & config information, as well as the jQuery library.
I have to say, though, I'm quite irritated the malware writers went out of their way to smear a legit addon... :mad:
therube wrote:Since this thread deserves a forum of its own ...
You can sure say that again... we're up to >160 posts.
Then try a contents search of the files in your extensions directory tree for the string 'innoshot' & see if anything turns up. (Could be plugin related too, I suppose?)
therube wrote:And it was? Extension? Plugin? A bit of each?
Basically the right idea. We just were not looking in enough possible locations & further searching for other potential strings.
From what I can see, it's an extension, pure and simple.
The idea was entirely correct, the problem was the Windows Search limitations, which inadvertently gave the malware a new lease on life.
therube wrote:So this "hidden" extension/plugin, whatever it is, was not thwarted by starting in Safe Mode?
And -safe-mode does not block plugins, or it does? (Maybe I should read the linked article!)
Safe Mode... interesting thought. While at first blush it doesn't look like the addon could be stopped by going into Safe Mode, I bet it could be...
Safe Mode, AFAIK, doesn't block plugins. It just disables addons...
I have Comodo software firewall
therube wrote:Comodo is quite talkative, wanting you to confirm all kinds of actions. So if something odd was trying to run or to get it, you would think it would have been flagged. Unless that part of the firewall were disabled?
I think this Goored thing piggybacked on Firefox's firewall exception - because Firefox has the firewall extension, and the extension is technically part of Firefox, it could get through. An analogy: a leech sticks to your leg but you don't notice it. You go home, get into the house, and the leech comes along - taking advantage of your "clearance" into the house to get in as well.
therube wrote:And Tom had the same experience - for a short while. How did that happen?
The current guess is a drive-by download, a by-product of Google or Yahoo (or both) getting hacked.
Tom T. wrote:*Had* to be drive-by or otherwise picked up on-the-fly, since Sandbox emptying disposed of it. The fact that I use Yahoo mail, and therefore trust the 60 to 80 scripts (no kidding) that they run *just for mail*, suggests that rogue code got into a Yahoo script, at least for me. Monty doesn't use Yahoo mail, but apparently, he visits Google (I don't -- use only secure Scroogle for searches, and use no other Google services), and they could have been targeted, too.
Only thing is - how could Google and Yahoo get hacked at the same time? I mean, we've got 2 gigantic corporations here, surely somebody in there would have noticed if any weird scripts started running or anything else looked weird? I'm no expert at this kind of thing, but I'd hardly expect a hacker, and the effects of his hacking, to be invisible while he does his dirty work... and why didn't anybody from Google or Yahoo come out and say "yes, we got hacked. Better run your antivirus software, people"?
therube wrote:(Yeah, yeah, I know, the simple answer. Porn & warez. But that alone tells nothing.)
Tom T. wrote:Neither apply in my case.
I doubt this would be that simple - there's too many people picking up Goored variants. You can't chalk all of those infections up to inappropriate content or pirated apps... there's got to be another way.

Tom, Monty, would you be willing to post the apps (and Fx addons, plugins, etc.) you've got installed on your computer?
The malware (as expected) isn't revealing anything about its source, and maybe we can get a common denominator by seeing your apps, extensions, plugins, etc. lists...
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
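The "contents search for innoshot" approach discussed above was the right idea; what gave the rogue directory a pass was the search tool, which skipped hidden folders and only indexed certain file types. Below is an added example (my own code, not posted by anyone in this thread) of the sweep a responder would actually want: it reads every file under a profile tree regardless of extension or hidden attribute and reports which files contain a given indicator string. The directory layout, the file contents and the hostname (placed in the reserved `.invalid` TLD) are constructed for the demo; only the indicator string "innoshot" comes from the thread.

```python
"""Indicator-string sweep over a Firefox profile or extensions tree.

Added example, not code from the thread. Unlike a Windows Search content
search, it reads every file regardless of extension and does not skip
hidden directories, which is the blind spot the thread describes.
"""
import os
import tempfile
from pathlib import Path


def scan_tree(root, indicators, max_size=5_000_000):
    """Return sorted (relative_path, indicator) pairs for every file under
    root whose contents contain one of the indicator strings.

    Matching is case-insensitive and byte-based, so a script that merely
    changes the case of the string still hits. Files above max_size are
    skipped so a stray video or cache blob does not stall the sweep.
    """
    root = Path(root)
    needles = [(s, s.lower().encode()) for s in indicators]
    hits = []
    # os.walk yields every directory, dot-prefixed or hidden ones included.
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            path = Path(dirpath) / fname
            try:
                if path.stat().st_size > max_size:
                    continue
                data = path.read_bytes().lower()
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            for original, needle in needles:
                if needle in data:
                    hits.append((path.relative_to(root).as_posix(), original))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree: one ordinary extension plus a rogue one
    parked in a hidden directory outside 'extensions'. The hostname is a
    placeholder in the reserved .invalid TLD, not a real indicator."""
    base = Path(base)
    good = base / "extensions" / "{example-good-addon}"
    good.mkdir(parents=True)
    (good / "install.rdf").write_text("<RDF/>", encoding="utf-8")
    (good / "overlay.xul").write_text("<overlay/>", encoding="utf-8")
    rogue = base / ".hidden_ext" / "chrome" / "content"
    rogue.mkdir(parents=True)
    (rogue / "overlay.xul").write_text(
        'var redirectHost = "INNOSHOT.invalid";  // constructed sample\n',
        encoding="utf-8",
    )
    return base


def demo():
    """Build the constructed tree in a temp dir and sweep it for 'innoshot'."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp, ["innoshot"])


if __name__ == "__main__":
    for rel_path, indicator in demo():
        print(f"{indicator!r} found in {rel_path}")
```

Run against a real profile, `scan_tree(profile_dir, ["innoshot"])` would list the offending `overlay.xul` wherever it sits, including a hidden folder the Add-ons Manager never shows. The upper-case host in the constructed sample is there to show that the match survives case changes.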
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Tom T. wrote:So much for MalwareBytes Anti-Malware being the "bleeding edge" in detecting malware. (No offense to Firefoxer and the whole MB team, but....)
computerfreaker wrote:I actually didn't try MBAM on this computer, so I wouldn't know... I wasn't implying that MBAM couldn't find the Goored infection, but I've read that detection rates are incredibly low for this malware so I commented on the (immediate) detection by MFCS.
No, but OP did, as well as the other "top 3" malware detectors, none of which found it. Neither did my AV, Avira, and I *will* be writing to them about that.
computerfreaker wrote:I have to say, though, I'm quite irritated the malware writers went out of their way to smear a legit addon... :mad:
We already know they're evil -- why the surprise? :| ... and it *did* deflect attention, briefly.
therube wrote:So this "hidden" extension/plugin, whatever it is, was not thwarted by starting in Safe Mode?
And -safe-mode does not block plugins, or it does? (Maybe I should read the linked article!)
computerfreaker wrote:Safe Mode... interesting thought. While at first blush it doesn't look like the addon could be stopped by going into Safe Mode, I bet it could be...
Safe Mode, AFAIK, doesn't block plugins. It just disables addons...
IMHO, I don't think it actually *was* an extension. It was malcode masquerading as an extension, by using the name and copyright as CF pointed out above. And probably using the Fx install mechanisms, since there was an install.rdf file. But it went to a completely independent directory, not the Fx Profile nor Program Files /MZ Fx, and a hidden directory at that -- one that Windows does not show users by default, unless you enable "Show hidden folders" in Folder Options > View.
http://support.mozilla.com/en-US/kb/Saf ... _Safe_Mode
Disable all add-ons: If you select this box and then click Make Changes and Restart then Firefox will start back up in its normal mode, except all your extensions and themes (but not plugins) will be disabled (not uninstalled).
(emphasis mine)... The rest of the page seems to make pretty clear that Safe Mode does not disable plugins, although presumably you could disable them manually. OP *did* disable all extensions, but the fact that this malcode folder was "somewhere else" than the Extensions folder probably prevented it from being affected, even by Safe Mode. Just as Safe Mode wouldn't help if your HD had any other virus, trojan, etc. It only mimicked an "extension" at first glance, it seems.
I have Comodo software firewall
therube wrote:Comodo is quite talkative, wanting you to confirm all kinds of actions. So if something odd was trying to run or to get it, you would think it would have been flagged. Unless that part of the firewall were disabled?
CF wrote:I think this Goored thing piggybacked on Firefox's firewall exception - because Firefox has the firewall extension, and the extension is technically part of Firefox, it could get through. An analogy: a leech sticks to your leg but you don't notice it. You go home, get into the house, and the leech comes along - taking advantage of your "clearance" into the house to get in as well.
Agree. Its purpose was to run scripts, and the vehicle for running scripts is the browser. So whatever scripts the browser runs are not affected by firewall permissions. One doesn't have to whitelist scripts in the firewall, right? Only in NS, or, in the case of most other browsers, too bad. :roll:
Only thing is - how could Google and Yahoo get hacked at the same time? I mean, we've got 2 gigantic corporations here, surely somebody in there would have noticed if any weird scripts started running or anything else looked weird? I'm no expert at this kind of thing, but I'd hardly expect a hacker, and the effects of his hacking, to be invisible while he does his dirty work... and why didn't anybody from Google or Yahoo come out and say "yes, we got hacked. Better run your antivirus software, people"?
Easily. Lots of multiple hacks over the years. And as CF pointed out earlier, if they fixed it quickly and received no complaints, they have a strong motive *not* to tell, and lose user confidence. Especially because, *as far as we know*, the script merely attempts to connect you to innoshot, probably increasing a hit count and making a little extra money for someone. It was said that other variants of Goored took you to adware and spyware sites. It may be that innoshot loaded some ad/spyware, and some people haven't noticed it yet. A lot of that stays under the radar for a long time.

Anyone want to try connecting to 29.innoshots.org and let it run, in a safe environment, to see what it does? ;) (Do not try this at home!)
computerfreaker wrote:Tom, Monty, would you be willing to post the apps (and Fx addons, plugins, etc.) you've got installed on your computer?
The malware (as expected) isn't revealing anything about its source, and maybe we can get a common denominator by seeing your apps, extensions, plugins, etc. lists...
I think we've already compared add-ons, and nothing in common except NS. Plugins, too -- I have the standard Flash, Java, QuickTime. Don't use Java except at Hushmail, a very secure site. Hardly ever use QuickTime.

If Monty wants to compare apps in PM, we can, but I don't see why a short, multiple drive-by isn't likely, and here's why: When BadGuy discovers a site vuln, like an XSS or something, it may be a vuln that affects tens of thousands of sites that are coded similarly in certain functions. You're not going to spend your time injecting your code into 40,000 sites; you'd go after the biggest bang for the buck -- the big search engines, who rank at the top in page hits. (It was previously mentioned that Wikipedia is up there, too, but JS is *not* required at WP, even to edit it.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Tom T. wrote:So much for MalwareBytes Anti-Malware being the "bleeding edge" in detecting malware. (No offense to Firefoxer and the whole MB team, but....)
computerfreaker wrote:I actually didn't try MBAM on this computer, so I wouldn't know... I wasn't implying that MBAM couldn't find the Goored infection, but I've read that detection rates are incredibly low for this malware so I commented on the (immediate) detection by MFCS.
Tom T. wrote:No, but OP did, as well as the other "top 3" malware detectors, none of which found it. Neither did my AV, Avira, and I *will* be writing to them about that.
Wow.
And btw, the MS scanner found the malware instantly - I mean, I hit the "Save" button in Notepad and I got a warning immediately. I have to confess, I have a lot more respect for that scanner after this incident.
computerfreaker wrote:I have to say, though, I'm quite irritated the malware writers went out of their way to smear a legit addon... :mad:
Tom T. wrote:We already know they're evil -- why the surprise? :| ... and it *did* deflect attention, briefly.
No surprise, just anger. Sure, they're evil, but smearing a legit addon is just plain fighting dirty - just like spreading malicious, untrue gossip about a total stranger. You know, they could keep their stinkpot to themselves instead of smearing it around... :mad:
therube wrote:So this "hidden" extension/plugin, whatever it is, was not thwarted by starting in Safe Mode?
And -safe-mode does not block plugins, or it does? (Maybe I should read the linked article!)
computerfreaker wrote:Safe Mode... interesting thought. While at first blush it doesn't look like the addon could be stopped by going into Safe Mode, I bet it could be...
Safe Mode, AFAIK, doesn't block plugins. It just disables addons...
Tom T. wrote:IMHO, I don't think it actually *was* an extension. It was malcode masquerading as an extension, by using the name and copyright as CF pointed out above. And probably using the Fx install mechanisms, since there was an install.rdf file. But it went to a completely independent directory, not the Fx Profile nor Program Files /MZ Fx, and a hidden directory at that -- one that Windows does not show users by default, unless you enable "Show hidden folders" in Folder Options > View.
http://support.mozilla.com/en-US/kb/Saf ... _Safe_Mode
Valid point. Although the malware's file structure is definitely that of an addon...
Tom T. wrote:
Disable all add-ons: If you select this box and then click Make Changes and Restart then Firefox will start back up in its normal mode, except all your extensions and themes (but not plugins) will be disabled (not uninstalled).
(emphasis mine)... The rest of the page seems to make pretty clear that Safe Mode does not disable plugins, although presumably you could disable them manually. OP *did* disable all extensions, but the fact that this malcode folder was "somewhere else" than the Extensions folder probably prevented it from being affected, even by Safe Mode. Just as Safe Mode wouldn't help if your HD had any other virus, trojan, etc. It only mimicked an "extension" at first glance, it seems.
No, Monty disabled all the addons he could see. Remember the invisibility flag?
Safe Mode would disable all the addons Fx could see, which might include the malware.
Only thing is - how could Google and Yahoo get hacked at the same time? I mean, we've got 2 gigantic corporations here, surely somebody in there would have noticed if any weird scripts started running or anything else looked weird? I'm no expert at this kind of thing, but I'd hardly expect a hacker, and the effects of his hacking, to be invisible while he does his dirty work... and why didn't anybody from Google or Yahoo come out and say "yes, we got hacked. Better run your antivirus software, people"?
Tom T. wrote:Easily. Lots of multiple hacks over the years. And as CF pointed out earlier, if they fixed it quickly and received no complaints, they have a strong motive *not* to tell, and lose user confidence.
I reckon... although, now that the junk has hit the fan, you'd think somebody would say something like "oops"...
Tom T. wrote:Especially because, *as far as we know*, the script merely attempts to connect you to innoshot, probably increasing a hit count and making a little extra money for someone. It was said that other variants of Goored took you to adware and spyware sites. It may be that innoshot loaded some ad/spyware, and some people haven't noticed it yet. A lot of that stays under the radar for a long time.
True. However, I doubt the malware writers would bypass the chance to make a little extra cash - say, with a fake AV scanner? Those have gotten really popular with the malware writers, if infection counts are any indicator... file-encrypting Trojans have gotten big recently too.
computerfreaker wrote:Tom, Monty, would you be willing to post the apps (and Fx addons, plugins, etc.) you've got installed on your computer?
The malware (as expected) isn't revealing anything about its source, and maybe we can get a common denominator by seeing your apps, extensions, plugins, etc. lists...
Tom T. wrote:I think we've already compared add-ons, and nothing in common except NS. Plugins, too -- I have the standard Flash, Java, QuickTime. Don't use Java except at Hushmail, a very secure site. Hardly ever use QuickTime.

If Monty wants to compare apps in PM, we can, but I don't see why a short, multiple drive-by isn't likely, and here's why: When BadGuy discovers a site vuln, like an XSS or something, it may be a vuln that affects tens of thousands of sites that are coded similarly in certain functions. You're not going to spend your time injecting your code into 40,000 sites; you'd go after the biggest bang for the buck -- the big search engines, who rank at the top in page hits. (It was previously mentioned that Wikipedia is up there, too, but JS is *not* required at WP, even to edit it.)
Much as I don't like the idea, I think you're right - we've got to concede this was a drive-by hitting Google and Yahoo. (Who knows what else got infected too?)
Now there are going to be repercussions - and possibly even for Scroogle. Since we can safely assume Google was hacked, and the hacked Google pages tried to download malware onto users' computers, it's certainly possible Scroogle got hit - after all, they handle an awful lot of Google searching. (Unless just the Google mail pages were hacked, but I have trouble believing that - why hack just a mail page if you can serve your trash via the world's most popular search engine?)
Also, what about logins? If the Google & Yahoo mail pages were hacked, there's exactly no guarantee logins weren't stolen via that same hack... as I said, the repercussions could be enormous. Not a happy thought... :cry:
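The exchange above turns on two properties of the rogue install.rdf: it reused a legitimate add-on's name, and it carried the "invisibility flag" that kept it out of the Add-ons Manager. As an added example (my own code, not from any poster here), the script below audits every install.rdf under a tree for both. In Firefox 3.x-era manifests the flag in question was the `em:hidden` property; the thread does not name it, so that identification is mine. The allowlist, the add-on name, the ids and the two sample manifests are constructed for the demo.

```python
"""Audit install.rdf manifests for the hidden flag and for name impersonation.

Added example, not code from the thread. Firefox 3.x-era install.rdf
manifests could carry <em:hidden>true</em:hidden>, which kept an extension
out of the Add-ons Manager; the thread calls this the 'invisibility flag'.
The allowlist and both manifests below are constructed for the demo.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

EM = "{http://www.mozilla.org/2004/em-rdf#}"

# Constructed allowlist: display name -> the id the genuine add-on ships with.
# A manifest reusing a known name under a different id is an impersonation
# candidate, which is the smear tactic discussed in the thread.
KNOWN_GOOD = {"Example Legit Addon": "{11111111-1111-1111-1111-111111111111}"}

GOOD_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{11111111-1111-1111-1111-111111111111}</em:id>
    <em:name>Example Legit Addon</em:name>
    <em:version>1.0</em:version>
  </Description>
</RDF>"""

# Constructed rogue manifest: same display name, different id, hidden flag set.
ROGUE_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{deadbeef-0000-0000-0000-000000000000}</em:id>
    <em:name>Example Legit Addon</em:name>
    <em:version>1.0</em:version>
    <em:hidden>true</em:hidden>
  </Description>
</RDF>"""


def parse_manifest(text):
    """Return em:id, em:name, em:version and em:hidden as a dict (None where
    absent). Only the child-element form is handled; a manifest that puts
    these as attributes on Description would need an extra branch."""
    root = ET.fromstring(text)
    out = {}
    for field in ("id", "name", "version", "hidden"):
        el = root.find(f".//{EM}{field}")
        out[field] = el.text.strip() if el is not None and el.text else None
    return out


def audit_manifest(text, known_good=KNOWN_GOOD):
    """Return (fields, findings). Findings: 'hidden-flag' when em:hidden is
    true, 'name-impersonation' when a known name ships under a foreign id."""
    fields = parse_manifest(text)
    findings = []
    if (fields["hidden"] or "").lower() == "true":
        findings.append("hidden-flag")
    expected_id = known_good.get(fields["name"])
    if expected_id is not None and fields["id"] != expected_id:
        findings.append("name-impersonation")
    return fields, findings


def audit_tree(root):
    """Map each directory under root holding an install.rdf to its findings.
    Walks every directory, so a manifest parked outside 'extensions' or in
    a hidden folder is still reported."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "install.rdf" not in files:
            continue
        manifest = Path(dirpath) / "install.rdf"
        try:
            _, findings = audit_manifest(
                manifest.read_text(encoding="utf-8", errors="ignore"))
        except ET.ParseError:
            findings = ["unparseable-manifest"]
        results[Path(dirpath).relative_to(root).as_posix()] = findings
    return results


def demo():
    """Write both constructed manifests into a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        samples = {
            "extensions/{11111111-1111-1111-1111-111111111111}": GOOD_RDF,
            ".rogue/ext": ROGUE_RDF,
        }
        for rel, text in samples.items():
            d = base / rel
            d.mkdir(parents=True)
            (d / "install.rdf").write_text(text, encoding="utf-8")
        return audit_tree(base)


if __name__ == "__main__":
    for where, findings in demo().items():
        print(where, findings or "clean")
```

The point of walking the whole tree rather than just `extensions/` is the one Tom makes above: a manifest that Firefox loads from somewhere else is invisible to a look at the Add-ons Manager but not to a file-system audit. An unparseable manifest is reported rather than skipped, since a deliberately malformed file is itself worth a look.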
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:And btw, the MS scanner found the malware instantly - I mean, I hit the "Save" button in Notepad and I got a warning immediately. I have to confess, I have a lot more respect for that scanner after this incident.
I'm going to have to look into that MS scanner, although it's against my core beliefs ever to trust anything from MS. (Shall I cite examples? :twisted: )
Tom T. wrote:
Disable all add-ons: If you select this box and then click Make Changes and Restart then Firefox will start back up in its normal mode, except all your extensions and themes (but not plugins) will be disabled (not uninstalled).
(emphasis mine)... The rest of the page seems to make pretty clear that Safe Mode does not disable plugins, although presumably you could disable them manually. OP *did* disable all extensions, but the fact that this malcode folder was "somewhere else" than the Extensions folder probably prevented it from being affected, even by Safe Mode. Just as Safe Mode wouldn't help if your HD had any other virus, trojan, etc. It only mimicked an "extension" at first glance, it seems.
computerfreaker wrote:No, Monty disabled all the addons he could see. Remember the invisibility flag?
Safe Mode would disable all the addons Fx could see, which might include the malware.
Or might *not*. Fx might not see this rogue thing with an unrecognized folder title in a not-normal location. If I have time this weekend, I *might* try putting the thing back inside, and then starting in Safe Mode (disconnected, of course) -- and see if it still tries to run -- since, *AFAWK*, the *only* damage known is the attempt to connect to innoshot and run that script. Or I might not. ;)
Tom T. wrote:Especially because, *as far as we know*, the script merely attempts to connect you to innoshot, probably increasing a hit count and making a little extra money for someone. It was said that other variants of Goored took you to adware and spyware sites. It may be that innoshot loaded some ad/spyware, and some people haven't noticed it yet. A lot of that stays under the radar for a long time.
computerfreaker wrote:True. However, I doubt the malware writers would bypass the chance to make a little extra cash - say, with a fake AV scanner? Those have gotten really popular with the malware writers, if infection counts are any indicator... file-encrypting Trojans have gotten big recently too.
The *less* they do, the longer it could stay undetected. Malware has been heading in that direction for years. Used to crash your machine, put pop-ups on the screen, etc. Now they realize that stealthily doing a little for a long period of time to a lot of users adds up in the long run. Of course, every bad guy's mileage will vary. ;)
computerfreaker wrote:Now there are going to be repercussions - and possibly even for Scroogle. Since we can safely assume Google was hacked, and the hacked Google pages tried to download malware onto users' computers, it's certainly possible Scroogle got hit - after all, they handle an awful lot of Google searching. (Unless just the Google mail pages were hacked, but I have trouble believing that - why hack just a mail page if you can serve your trash via the world's most popular search engine?)
Also, what about logins? If the Google & Yahoo mail pages were hacked, there's exactly no guarantee logins weren't stolen via that same hack... as I said, the repercussions could be enormous. Not a happy thought... :cry:
Logins are via SSL, and IIRC, it was *only* the search engine URLs themselves that triggered the script. So unless this thing is a keylogger -- and your analysis found no evidence of that, only of redirection of the browser -- I don't *think* that's an issue. I login to Yahoo mail frequently, so if a new, non-whitelisted script tried to run, the color change in the NS logo would be a red (literally! :lol: ) flag.

The code analysis listed the location bars matches, and Scroogle wasn't there. So going to Scroogle doesn't trigger it. If you're asking whether the Scroogle *servers* got hit by doing Google searches, ... somehow, I don't think they use Firefox and its extensions as a server. :ugeek: :mrgreen:

As for a direct hack of Scroogle -- going back to the "bang for the buck" theory -- Google averages a million hits a minute. Scroogle averages 178 hits a minute, 1/4 of them via SSL. There are thousands of targets busier than that.

As for monitoring, I'd guess that Google, Yahoo, etc.' highest priority is keeping the servers running, given that volume of traffic. I don't know how frequently they scan the traffic or servers for malware, or what kind of alarms they have, and I'll bet they won't tell us. ;) But it *might* have been found very quickly, as noted before, because of the fact that only *one* NS user noticed it. (I never would have, but for OP, and that's probably when I picked it up.) And very little publicity about this variant, although since its parents are well-known, again, they might have seen it quickly.

No, I wouldn't put it past them to say nothing, at least until it's reported to them, or in the press.
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

computerfreaker wrote:And btw, the MS scanner found the malware instantly - I mean, I hit the "Save" button in Notepad and I got a warning immediately. I have to confess, I have a lot more respect for that scanner after this incident.
Tom T. wrote:I'm going to have to look into that MS scanner, although it's against my core beliefs ever to trust anything from MS. (Shall I cite examples? :twisted: )
I know, it's against my core beliefs to trust anything from MS too... and I had been planning to replace my MS "half-scanner" with a "real" one. After today, it looks like that MS scanner stays put. No kidding, it was yelling so much (and trying to auto-clean the infected files) that I had to quit it before I could even analyze overlay.xul yesterday... same deal with the other files today. For once MS might have something right...
Tom T. wrote:
Disable all add-ons: If you select this box and then click Make Changes and Restart then Firefox will start back up in its normal mode, except all your extensions and themes (but not plugins) will be disabled (not uninstalled).
(emphasis mine)... The rest of the page seems to make pretty clear that Safe Mode does not disable plugins, although presumably you could disable them manually. OP *did* disable all extensions, but the fact that this malcode folder was "somewhere else" than the Extensions folder probably prevented it from being affected, even by Safe Mode. Just as Safe Mode wouldn't help if your HD had any other virus, trojan, etc. It only mimicked an "extension" at first glance, it seems.
computerfreaker wrote:No, Monty disabled all the addons he could see. Remember the invisibility flag?
Safe Mode would disable all the addons Fx could see, which might include the malware.
Tom T. wrote:Or might *not*. Fx might not see this rogue thing with an unrecognized folder title in a not-normal location. If I have time this weekend, I *might* try putting the thing back inside, and then starting in Safe Mode (disconnected, of course) -- and see if it still tries to run -- since, *AFAWK*, the *only* damage known is the attempt to connect to innoshot and run that script. Or I might not. ;)
I think Fx would see it. If Fx can load it, Fx can see it - as I mentioned, the malware's structure is the same as any legit addon's, and I'm more and more inclined to think Fx recognizes it as an addon.
Tom T. wrote:Especially because, *as far as we know*, the script merely attempts to connect you to innoshot, probably increasing a hit count and making a little extra money for someone. It was said that other variants of Goored took you to adware and spyware sites. It may be that innoshot loaded some ad/spyware, and some people haven't noticed it yet. A lot of that stays under the radar for a long time.
computerfreaker wrote:True. However, I doubt the malware writers would bypass the chance to make a little extra cash - say, with a fake AV scanner? Those have gotten really popular with the malware writers, if infection counts are any indicator... file-encrypting Trojans have gotten big recently too.
Tom T. wrote:The *less* they do, the longer it could stay undetected. Malware has been heading in that direction for years. Used to crash your machine, put pop-ups on the screen, etc. Now they realize that stealthily doing a little for a long period of time to a lot of users adds up in the long run. Of course, every bad guy's mileage will vary. ;)
True. But how much would they get from one script load? Maybe a couple of cents. Multiply that out and, IMHO, you still don't get the $50-70-100 most fake AV scanners want...
EDIT: given the apparent focus on stealth, especially the hidden flag, I'd say you're right. The virus writers seem to want a long lifespan with smaller daily rewards that eventually add up.
computerfreaker wrote:Now there are going to be repercussions - and possibly even for Scroogle. Since we can safely assume Google was hacked, and the hacked Google pages tried to download malware onto users' computers, it's certainly possible Scroogle got hit - after all, they handle an awful lot of Google searching. (Unless just the Google mail pages were hacked, but I have trouble believing that - why hack just a mail page if you can serve your trash via the world's most popular search engine?)
Also, what about logins? If the Google & Yahoo mail pages were hacked, there's exactly no guarantee logins weren't stolen via that same hack... as I said, the repercussions could be enormous. Not a happy thought... :cry:
Tom T. wrote:Logins are via SSL
Not all of them, and there have been some widely-publicized attacks on Google, Yahoo, etc. - cookie sniffing, the HTTPS MITM attack I posted about recently, etc. etc. etc.
Stealing logins could be a profitable thing, especially if those stolen logins are subsequently used for spamming.
Tom T. wrote:and IIRC, it was *only* the search engine URLs themselves that triggered the script. So unless this thing is a keylogger -- and your analysis found no evidence of that, only of redirection of the browser -- I don't *think* that's an issue. I login to Yahoo mail frequently, so if a new, non-whitelisted script tried to run, the color change in the NS logo would be a red (literally! :lol: ) flag.
My analysis found no trace of any keylogging - just a simple redirect. (I actually posted a link to the de-obfuscated overlay.xul file yesterday, want me to re-post it so you guys can take a second look?)
I was more thinking of an "evil twin" kind of thing - IIRC, where a legit site's login information is submitted to a malware site.
Tom T. wrote:The code analysis listed the location bars matches, and Scroogle wasn't there. So going to Scroogle doesn't trigger it. If you're asking whether the Scroogle *servers* got hit by doing Google searches, ... somehow, I don't think they use Firefox and its extensions as a server. :ugeek: :mrgreen:
Not what I was thinking - I was thinking more of Scroogle downloading the malware along with the Google queries. It would probably be "dormant", since Fx wouldn't be run on the Scroogle servers, but malware is malware, even in a dormant state.
The other concern I had was a direct hack of Scroogle, right along with Google and Yahoo, but I see you covered that below.
Tom T. wrote:As for a direct hack of Scroogle -- going back to the "bang for the buck" theory -- Google averages a million hits a minute. Scroogle averages 178 hits a minute, 1/4 of them via SSL. There are thousands of targets busier than that.
That's good to hear...
Tom T. wrote:As for monitoring, I'd guess that Google, Yahoo, etc.' highest priority is keeping the servers running, given that volume of traffic. I don't know how frequently they scan the traffic or servers for malware, or what kind of alarms they have, and I'll bet they won't tell us. ;)
OT: the big corporations' policy seems to be "don't ask, don't tell; ask, don't tell anyway". :roll:
Tom T. wrote:But it *might* have been found very quickly, as noted before, because of the fact that only *one* NS user noticed it. (I never would have, but for OP, and that's probably when I picked it up.) And very little publicity about this variant, although since its parents are well-known, again, they might have seen it quickly.
I don't know... something's wrong here.
EDIT: that's it. Goored detection rates are pretty darn low, so somebody would have had to be pretty alert to catch it quickly. I don't know how often they scan their systems for malware, but this might be a case of Google & Yahoo getting lucky rather than getting vigilance points.
(If anybody from Google or Yahoo wants to comment, we're all ears!)
Tom T. wrote:No, I wouldn't put it past them to say nothing, at least until it's reported to them, or in the press.
Well, does anybody want to raise a stink? I'm somewhat inclined to bring this out, both to wreck any hope the malware writers might have of this being buried and to put some pressure on the "big boys" - Google and Yahoo - to be more open with this kind of thing. However, I'm no legal expert, and there could be some significant legal ramifications if we don't have conclusive proof that Google & Yahoo were hacked... comments?
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

CF: Also, what about logins? If the Google & Yahoo mail pages were hacked, there's exactly no guarantee logins weren't stolen via that same hack
Tom T.: Logins are via SSL
CF: Not all of them,
I was referring specifically to Google and Yahoo. Go to mail.yahoo.com and you'll immediately be redirected to https://login.yahoo.com/. Go to http://www.gmail.com and you'll immediately be redirected to https://www.google.com/accounts/ServiceLogin, secured with state-of-the-art AES-256. These guys got it right, unlike some banks. :roll:
CF: Well, does anybody want to raise a stink? I'm somewhat inclined to bring this out, both to wreck any hope the malware writers might have of this being buried and to put some pressure on the "big boys" - Google and Yahoo - to be more open with this kind of thing. However, I'm no legal expert, and there could be some significant legal ramifications if we don't have conclusive proof that Google & Yahoo were hacked... comments?
I'm somewhat legally knowledgeable, but *not a lawyer*. IMHO *only*, the best thing is to ask, not accuse. Write to their security or abuse departments, politely, explaining what happened, perhaps pointing to this thread, and offer to send the zip (but don't include it, of course, until/unless asked to). Ask whether they can *help* in any way, with any information as to what might be the source of this. (not saying that they were the source, only that their site and their users were affected). That way, you are not putting them on the defensive, but rather you are a Good Samaritan trying to protect them, their site, their reputation, and all users, and offering them a chance to be helpful also. Much better than "raising a stink". Old saying: "You catch more flies with honey than vinegar." :D

If they are totally uncooperative, I'll try, although I like the idea of the first try coming from an Ordinary User (not hardly, in your case, but you know what I mean -- someone with no connections to anything), rather than from someone who might be seen as trying to "use" them to tout NoScript (valid though that be).

If you don't get any sort of decent reply, and I don't, then it's time to "raise a stink", because *now* you have proof of non-cooperation in the face of direct evidence. Save the emails, of course.
Firefoxer

Infection pre NS install, right?

Post by Firefoxer »

For Montagar,
From your post
http://forums.informaction.com/viewtopi ... 105#p13176
Everything was created on 10/8, so it had only been there for about a week *before* I installed NoScript and started to notice it (I did a few days of research before I started this thread).
(my emphasis)

This is the indicator post that prompted my suggestion that you seek expert help in dedicated malware forums. If you have only begun using NS recently - notably *after* getting this infection - and have not done a *directed* search under one of the malware forums' gurus' guidance, then there is the possibility that your hdd is still infected. Those volunteers have a search routine that's current and proven to catch more than unconnected enthusiasts can manage.
MBAM is simply a single tool that a malware guru will examine the log file from, along with other results from other tools. There is no single tool for catching these kinds of shape-shifters. HJT is losing its edge, and is the least likely to find these Vundo kinds of traces, while MBAM has had more success recently - that is all I was commenting about. The fact that the MS tool identified the traces isn't surprising, considering that it is a specialist in Windows searches. It is extremely good at what it does. But has it found the total of possible infections on your hdd?
The advice from the Fx moderator Daifne remains the best you can follow so far: scan with all the recommended tools - in other words, use multiple tests which in conjunction will have a better chance at finding hidden stuff than one single tool - and then take those results to one of the fora listed, to be as sure as possible that you aren't still entertaining an unwanted guest. Importantly, even if you have found no traces, visit the forums anyway to confirm your results.
As I originally posted, with luck you have already rid your hdd of bad stuff but why not be absolutely sure by getting a directed, expert search - and not just with bits and pieces as they appear in different non-expert fora?
The infection vectors? Multiple, clever, and run by many well-organised and businesslike setups. Just not names that those in this kind of forum would be familiar with, because NS stops most of the drive-by ones in their tracks.
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

CF: Also, what about logins? If the Google & Yahoo mail pages were hacked, there's exactly no guarantee logins weren't stolen via that same hack
Tom T.: Logins are via SSL
CF: Not all of them,
Tom T. wrote:I was referring specifically to Google and Yahoo. Go to mail.yahoo.com and you'll immediately be redirected to https://login.yahoo.com/. Go to http://www.gmail.com and you'll immediately be redirected to https://www.google.com/accounts/ServiceLogin, secured with state-of-the-art AES-256. These guys got it right, unlike some banks. :roll:
I had thought those secure redirections were due to NS, but apparently not - I just checked and there's nothing in my Force HTTPS setting about Google or Yahoo.
Looks like they've got it right, all right... :)
CF: Well, does anybody want to raise a stink? I'm somewhat inclined to bring this out, both to wreck any hope the malware writers might have of this being buried and to put some pressure on the "big boys" - Google and Yahoo - to be more open with this kind of thing. However, I'm no legal expert, and there could be some significant legal ramifications if we don't have conclusive proof that Google & Yahoo were hacked... comments?
Tom T. wrote:I'm somewhat legally knowledgeable, but *not a lawyer*. IMHO *only*, the best thing is to ask, not accuse. Write to their security or abuse departments, politely, explaining what happened, perhaps pointing to this thread, and offer to send the zip (but don't include it, of course, until/unless asked to). Ask whether they can *help* in any way, with any information as to what might be the source of this. (not saying that they were the source, only that their site and their users were affected). That way, you are not putting them on the defensive, but rather you are a Good Samaritan trying to protect them, their site, their reputation, and all users, and offering them a chance to be helpful also. Much better than "raising a stink". Old saying: "You catch more flies with honey than vinegar." :D

If they are totally uncooperative, I'll try, although I like the idea of the first try coming from an Ordinary User (not hardly, in your case, but you know what I mean -- someone with no connections to anything), rather than from someone who might be seen as trying to "use" them to tout NoScript (valid though that be).

If you don't get any sort of decent reply, and I don't, then it's time to "raise a stink", because *now* you have proof of non-cooperation in the face of direct evidence. Save the emails, of course.
I just e-mailed both Google and Yahoo's security departments - all we can do now is wait and see what surfaces.
Firefoxer wrote:For Montagar,
From your post
viewtopic.php?f=7&t=3005&start=105#p13176
Everything was created on 10/8, so it had only been there for about a week *before* I installed NoScript and started to notice it (I did a few days of research before I started this thread).
(my emphasis)

This is the indicator post that prompted my suggestion that you seek expert help in dedicated malware forums. If you have only begun using NS recently - notably *after* getting this infection - and have not done a *directed* search under one of the malware forums' gurus' guidance, then there is the possibility that your hdd is still infected. Those volunteers have a search routine that's current and proven to catch more than unconnected enthusiasts can manage.
MBAM is simply a single tool that a malware guru will examine the log file from, along with other results from other tools. There is no single tool for catching these kinds of shape-shifters. HJT is losing its edge, and is the least likely to find these Vundo kinds of traces, while MBAM has had more success recently - that is all I was commenting about. The fact that the MS tool identified the traces isn't surprising, considering that it is a specialist in Windows searches. It is extremely good at what it does. But has it found the total of possible infections on your hdd?
The advice from the Fx moderator Daifne remains the best you can follow so far: scan with all the recommended tools - in other words, use multiple tests which in conjunction will have a better chance at finding hidden stuff than one single tool - and then take those results to one of the fora listed, to be as sure as possible that you aren't still entertaining an unwanted guest. Importantly, even if you have found no traces, visit the forums anyway to confirm your results.
As I originally posted, with luck you have already rid your hdd of bad stuff but why not be absolutely sure by getting a directed, expert search - and not just with bits and pieces as they appear in different non-expert fora?
The infection vectors? Multiple, clever, and run by many well-organised and businesslike setups. Just not names that those in this kind of forum would be familiar with, because NS stops most of the drive-by ones in their tracks.
Sound advice, IMHO.
Monty, have you headed over to MalwareBytes? (MB is especially important because it didn't pick up your infection - I've heard they are pretty quick to add new malware & malware variants to their definitions database. I don't know for sure, though, as I'm not a member there.)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Firefoxer wrote: .... The advice from the Fx moderator Daifne remains the best you can follow so far: scan with all the recommended tools - in other words, use multiple tests which in conjunction will have a better chance at finding hidden stuff than one single tool, ....
IIRC, OP did exactly that, and found nothing.
Firefoxer wrote:... The fact that the MS tool identified the traces isn't surprising, considering that it is a specialist in Windows searches. It is extremely good at what it does.....
Then in all fairness, the MS tool should be added to the recommended list of search tools for all Windows users. The statement was that MBAM was "the bleeding edge" of malware detectors. No offense intended -- I'm aware of its well-earned high standing in the community. But it didn't find this, and the MS scanner flagged it immediately. I'm a confirmed MS-basher, as you can easily see from my posts, but also believe in giving credit where credit is due, and not in the "NIH" mentality. ("Not Invented Here", a pun on "National Institute of Health" -- might be en-US-only)

Agree that the focus here is on prevention by use of NoScript, rather than on detection after the fact. But also please know that NoScript developer Giorgio Maone is one of the world's leading hackers himself, though thankfully a white-hat, and so hardly a lightweight in the category of malware.

Thank you for your contributions. In fact, the search by computerfreaker that included links to your site was instrumental in locating the malware, in that it gave a location in which to look, even though the detector didn't find it. We've all learned a lot from this, and if a similar situation were to arise (something that seems to be mimicking a Fx add-on), the first thing I'd do -- after running your four tools, HJT (it might find *something* the others didn't, right?) and the MS scanner for a Win user, would be to search the machine for .xul and install.rdf files --- there aren't that many -- and look for the key words inside.

Again, thanks for all the good work that MB does, and for sharing with us here.
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Firefoxer wrote: .... The advice from the Fx moderator Daifne remains the best you can follow so far: scan with all the recommended tools - in other words, use multiple tests which in conjunction will have a better chance at finding hidden stuff than one single tool, ....
Tom T. wrote:IIRC, OP did exactly that, and found nothing.
Monty ran, as far as I can recall, HJT, MB and a virus scanner (although I don't recall which).
Firefoxer wrote:... The fact that the MS tool identified the traces isn't surprising, considering that it is a specialist in Windows searches. It is extremely good at what it does.....
Tom T. wrote:Then in all fairness, the MS tool should be added to the recommended list of search tools for all Windows users.
I second this.
Tom T. wrote:The statement was that MBAM was "the bleeding edge" of malware detectors. No offense intended -- I'm aware of its well-earned high standing in the community. But it didn't find this, and the MS scanner flagged it immediately.
The MS scanner flagged it immediately, all right - the infected overlay.xul file was barely on the HDD before the scanner was yelling. It did a dang good job of cleaning the infected file, too - stripped out ALL the malcode, leaving just this code:

<script><overlay>
[about 2 dozen blank lines]
</overlay></script>
I'm no MS fanboy; in fact, I'm quite the opposite; however, I have to respect this scanner. It's won that respect...
Tom T. wrote:I'm a confirmed MS-basher, as you can easily see from my posts, but also believe in giving credit where credit is due, and not in the "NIH" mentality. ("Not Invented Here", a pun on "National Institute of Health" -- might be en-US-only)
Ditto.
Tom T. wrote:Agree that the focus here is on prevention by use of NoScript, rather than on detection after the fact. But also please know that NoScript developer Giorgio Maone is one of the world's leading hackers himself, though thankfully a white-hat, and so hardly a lightweight in the category of malware.
Well, this time NS provided detection after the fact as well as prevention... score two for NS. :mrgreen:
Tom T. wrote:Thank you for your contributions. In fact, the search by computerfreaker that included links to your site was instrumental in locating the malware, in that it gave a location in which to look, even though the detector didn't find it. We've all learned a lot from this, and if a similar situation were to arise (something that seems to be mimicking a Fx add-on), the first thing I'd do -- after running your four tools, HJT (it might find *something* the others didn't, right?) and the MS scanner for a Win user, would be to search the machine for .xul and install.rdf files --- there aren't that many -- and look for the key words inside.

Again, thanks for all the good work that MB does, and for sharing with us here.
Yes, a big thanks to MB for its great work. Don't worry about it not catching this, nothing's perfect - and I'm not an MB user, but I've heard it gets some pretty quick definition database updates. Kudos! :)

Cheers!
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

Yeap, that's why even though I am not a M$ fan either, I reported it on my blog and told everyone about it here way back when it came out. It was still in beta then, before they closed the beta to prepare for the release. I think therube mentioned something about it as well, not sure. The scanner has proven itself worthy to me so far, that's why I installed it myself and use it in addition to Avira, which I am about to chuck, and AVG, which I chucked long ago, and even Comodo stuff, chucked long ago. Norton and McAfee have gone down the tube as well, it's a pity. Kaspersky was good till recently and that turned to crap, leaving little if any GREAT AV programs. That's why the M$ AV is such a refreshing welcome; you figure since most people attack THEIR code, they would be slightly adept at detecting and predicting "ODD" behavior.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:Monty ran, as far I can recall, HJT, MB and a virus scanner (although I don't recall which).
Avast, and also Ad-Aware. I recalled incorrectly about him running all four of the recommended tools. My mistake.
GµårÐïåñ wrote:Avira which I am about to chuck
I have already written to Avira, enclosing the malware and expressing disappointment that it was not on their detection list. It was Friday evening in Germany, so I don't expect a reply until at least Monday or later.

I've PM'd our forum friend Luntrus, who IIRC is associated with Avast, about this issue. Looking forward to his response.
GµårÐïåñ wrote:Norton and McAfee have gone down the tube as well, it's a pity.
Agree that that happened a long time ago.
GµårÐïåñ wrote:AVG which I chucked long ago
Ditto.
GµårÐïåñ wrote:That's why the M$ AV is such a refreshing welcome
Unfortunately, from my reading (please correct me if I'm mistaken), it is not a true, full, real-time AV service, only a one-time scanner that you should run periodically or if you think you're infected -- just like the scanners that come with most AV products. But it does not provide real-time, automatic scanning of files you open, Web pages, etc.

IIUC, Windows Live OneCare was that type of product, but sales have been discontinued.

So is there *any* good, real-time, full-service AV out there, Guardian? Or anyone else?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Topic Split

Post by Tom T. »

(At this point, the discussion went OT to the original thread, and became an extensive discussion of various security tools available from Microsoft. All succeeding posts on the latter topic were moved to Forum: Security, here: AV and other security tools available from Microsoft.)

(Further posts relevant to the original topic are still welcome at this thread.)
SeanM
Junior Member
Posts: 44
Joined: Fri Jul 24, 2009 1:42 pm
Location: Upstate, New York USA

Strange script tries to run when connection is down

Post by SeanM »

Tom T. wrote:(At this point, the discussion went OT to the original thread, and became an extensive discussion of various security tools available from Microsoft. All succeeding posts on the latter topic were moved to Forum: Security, here: AV and other security tools available from Microsoft.)

(Further posts relevant to the original topic are still welcome at this thread.)
(I think the "original topic" (running scripts) led to "hidden extensions", so .............)

If I have followed the discussion aright, the inclusion of this "hidden" extension via the registry key "HKLM\SOFTWARE\Mozilla\Firefox\Extensions" allows "something" to be installed outside the normal add-on channels (such as Real Player, etc). Does this process apply to the "HKCU\Software\Mozilla\Firefox\ ..." key as well? Will Firefox startup process the Current User key as an addition/override of the HKLM key? If so, the OT problem might manifest in a form associated with one (or more) individual users, and not be generally reproducible. Further, my understanding is that the Current User registry keys are accessible by that user, whereas the HKLM key should not be so.

Of course, if Firefox ignores the "HKCU\ ..... \Extensions" key, this point would be moot.

.... I must look for my tin hat ....
Last edited by Tom T. on Thu Nov 26, 2009 2:52 am, edited 1 time in total.
Reason: change title back to original thread title
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Strange script tries to run when connection is down

Post by computerfreaker »

SeanM wrote:If I have followed the discussion aright, the inclusion of this "hidden" extension via the registry key "HKLM\SOFTWARE\Mozilla\Firefox\Extensions" allows "something" to be installed outside the normal add-on channels (such as Real Player, etc).
Correct.
SeanM wrote:Does this process apply to the "HKCU\Software\Mozilla\Firefox\ ..." key as well? Will Firefox startup process the Current User key as an addition/override of the HKLM key? If so, the OT problem might manifest in a form associated with one (or more) individual users, and not be generally reproducible.
Interesting questions. I don't know the answer, unfortunately....
Tom T. wrote:Further, my understanding is that the Current User registry keys are accessible by that user, whereas the HKLM key should not be so.
Depends on the user. Admins can always access HKLM as well as HKCU, but limited users can only access HKCU.
SeanM wrote:Of course, if Firefox ignores the "HKCU\ ..... \Extensions" key, this point would be moot.
True.
SeanM wrote:.... I must look for my tin hat ....
Why? :lol:
Seriously, you raised some very good questions... no tinfoil hat required for that. :mrgreen:
Last edited by Tom T. on Thu Nov 26, 2009 2:53 am, edited 1 time in total.
Reason: change title back to original topic title
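An added example (not from this thread, NoScript or Mozilla) that does the check SeanM asks about and the search Tom T. suggests earlier in the thread: it lists every Firefox extension registered under the HKLM and HKCU "Extensions" registry keys (so the HKCU question does not have to be settled first) and greps the registered paths' install.rdf, .xul and .js files for location-bar keywords. The keyword list is a constructed placeholder, and the Wow6432Node path is an assumption covering 32-bit Firefox on 64-bit Windows.

```powershell
# Added example, not from the thread. Run in PowerShell on the machine being
# inspected; HKCU results are for the currently logged-on user only.

# Registry locations Firefox consults for externally registered extensions.
# Wow6432Node is where 32-bit software lands on 64-bit Windows (assumption).
$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\Software\Mozilla\Firefox\Extensions'
)

# Constructed placeholder list: the thread's code analysis found the malware
# matching search-engine names in the location bar. Extend as needed.
$Keywords = @('google', 'yahoo')

function Get-RegisteredFirefoxExtensions {
    # Each value under the key is <extension id> = <path to directory or .xpi>.
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Hive        = $key
                ExtensionId = $name
                Path        = $item.GetValue($name)
            }
        }
    }
}

function Find-KeywordHits {
    # Report files under an extension path that mention any of the keywords.
    param([string]$ExtensionPath, [string[]]$Patterns)
    if (-not (Test-Path $ExtensionPath)) {
        # A registration pointing at nothing is itself worth a closer look.
        return [pscustomobject]@{ File = $ExtensionPath; Hits = 'registered path does not exist' }
    }
    Get-ChildItem -Path $ExtensionPath -Recurse -File -Include 'install.rdf', '*.xul', '*.js' |
        ForEach-Object {
            $matches = Select-String -Path $_.FullName -Pattern $Patterns -SimpleMatch
            if ($matches) {
                [pscustomobject]@{
                    File = $_.FullName
                    Hits = ($matches | ForEach-Object { "line $($_.LineNumber): $($_.Line.Trim())" }) -join '; '
                }
            }
        }
}

$registered = @(Get-RegisteredFirefoxExtensions)
if ($registered.Count -eq 0) {
    Write-Host 'No Firefox extensions are registered through the registry.'
}
foreach ($ext in $registered) {
    # Anything listed here was installed outside the Add-ons manager flow,
    # so each entry deserves to be recognised (e.g. a known plugin) or explained.
    Write-Host "`n[$($ext.Hive)] $($ext.ExtensionId) -> $($ext.Path)"
    Find-KeywordHits -ExtensionPath $ext.Path -Patterns $Keywords | Format-Table -AutoSize
}
```

Registered .xpi files are zip archives and are reported only by path; unpack one before grepping it.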