RESOLVED Strange script tries to run when connection is down

Ask for help about NoScript, no registration needed to post
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Success at SANS: Publicity!

Post by Tom T. » Thu Dec 17, 2009 8:09 am

Just received a very nice e-mail from the SANS investigator:
SANS wrote:I just put the diary live on isc.sans.org ... I'm basically asking if anyone else has seen this. Let's see what we get. And yes, this
should help to "get the word out", too.

Thanks for letting us know!

...and it's presently on the front page of the Diary page, with a very fine write-up - and a great plug for NS! :D

By all means, visit the link in the above quote, but I'll reproduce it here (O/T portions ommited), since it's licensed under Creative Commons Attribution-Noncommercial 3.0 United States License:

isc.sans.org wrote:Today´s Diary

If you have more information or corrections regarding our diary, click here to contact us.
overlay.xul is back
Published: 2009-12-17,
Last Updated: 2009-12-17 00:58:50 UTC
by Daniel Wesemann (Version: 1)

It's been a while. If I remember correctly, a variant of Vundo was using the "overlay.xul" mechanism to hi-jack searches in the Firefox browser almost a year ago. Now, ISC reader Tom contacted us with a mystery that took him and his colleagues several days to unravel. The symptoms: You try to search with Google/Yahoo/Ask/Bing, but NoScript (a great add-on!!) warns you that the browser is actually trying to run a JavaScript from innoshots-dot-org. Having checked all the usual culprits, and run all the Anti-Virus tools you have, you find: Nothing. And the browser still redirects.

overlay.xul is a Firefox mechanism to allow applications to add elements to the browser GUI, and is used for good effect by several tools. We don't know which infection vector was used in Tom's case to deposit the malicious overlay file on the machine. All we have is the file, and the knowledge that it apparently either resides in

Documents and Settings/user/Local Settings/Application Data/randomstring/chrome/content -- or --
Program Files/Mozilla Firefox/extensions/randomstring/chrome/content

and is accompanied by a suspicious Javascript file called _cfg.js.

overlay.xul contains heavily obfuscated JavaScript, and has nice copyright headers to make it look like a valid Firefox add-on, but the "smoking gun" is still visible in the lower portion of the file:
Image
Yup. Some sort of matching for "google", "ask", "yahoo", "aol" and "bing" is going on here. This particular sample of "overlay.xul" is almost a month old, and yet there are still some very prominent Anti-Virus products that do not see anything wrong with it: VirusTotal

Did anyone else notice a recent resurgence of "overlay.xul" and its search engine redirection malware? If you have a sample, or know anything about the mechanism this latest version uses to get onto the system, please let us know.

Note: overlay.xul also has good uses, so don't go for a frantic deletion rampage now. But take a careful and suspicious look at the files you find!

This should help get the word out, as well as bring in reports of other occurrences or variants. Much thanks to SANS for a prompt and thorough investigation, and for helping to bring this to the attention of the security community!

*However*... IMHO:
overlay.xul is a Firefox mechanism to allow applications to add elements to the browser GUI...
Note: overlay.xul also has good uses, so don't go for a frantic deletion rampage now. But take a careful and suspicious look at the files you find!

I'm into NS, but not deeply into the inner workings of Fx itself. Is there no safer way to add these elements to the browser GUI? Isn't css enough (and has a few vulns itself?) Not rhetorical questions; I'm seriously asking: What functions does overlay.xul provide that can't be provided elsewise, in a safer manner, since clearly it is vulnerable to being used by malware? Especially since SANS has confirmed the same smoking gun that we found?

Thanks again to SANS! :)

EDIT: The story will slip off the front page some time, so the perma-link is http://isc.sans.org/diary.html?storyid=7765
Last edited by Tom T. on Thu Dec 17, 2009 8:24 am, edited 1 time in total.
Reason: add perma-link
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

User avatar
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Success at SANS: Publicity!

Post by computerfreaker » Thu Dec 17, 2009 5:46 pm

Tom T. wrote:Just received a very nice e-mail from the SANS investigator:
SANS wrote:I just put the diary live on isc.sans.org ... I'm basically asking if anyone else has seen this. Let's see what we get. And yes, this
should help to "get the word out", too.

Thanks for letting us know!

...and it's presently on the front page of the Diary page, with a very fine write-up - and a great plug for NS! :D

Great! :mrgreen:

isc.sans.org wrote:Today´s Diary

If you have more information or corrections regarding our diary, click here to contact us.
overlay.xul is back
Published: 2009-12-17,
Last Updated: 2009-12-17 00:58:50 UTC
by Daniel Wesemann (Version: 1)

It's been a while. If I remember correctly, a variant of Vundo was using the "overlay.xul" mechanism to hi-jack searches in the Firefox browser almost a year ago. Now, ISC reader Tom contacted us with a mystery that took him and his colleagues several days to unravel. The symptoms: You try to search with Google/Yahoo/Ask/Bing, but NoScript (a great add-on!!) warns you that the browser is actually trying to run a JavaScript from innoshots-dot-org. Having checked all the usual culprits, and run all the Anti-Virus tools you have, you find: Nothing. And the browser still redirects.

overlay.xul is a Firefox mechanism to allow applications to add elements to the browser GUI, and is used for good effect by several tools. We don't know which infection vector was used in Tom's case to deposit the malicious overlay file on the machine. All we have is the file, and the knowledge that it apparently either resides in

Documents and Settings/user/Local Settings/Application Data/randomstring/chrome/content -- or --
Program Files/Mozilla Firefox/extensions/randomstring/chrome/content

and is accompanied by a suspicious Javascript file called _cfg.js.

overlay.xul contains heavily obfuscated JavaScript, and has nice copyright headers to make it look like a valid Firefox add-on, but the "smoking gun" is still visible in the lower portion of the file:
Image
Yup. Some sort of matching for "google", "ask", "yahoo", "aol" and "bing" is going on here. This particular sample of "overlay.xul" is almost a month old, and yet there are still some very prominent Anti-Virus products that do not see anything wrong with it: VirusTotal

Did anyone else notice a recent resurgence of "overlay.xul" and its search engine redirection malware? If you have a sample, or know anything about the mechanism this latest version uses to get onto the system, please let us know.

Note: overlay.xul also has good uses, so don't go for a frantic deletion rampage now. But take a careful and suspicious look at the files you find!

hmm... want me to drop them the link to my de-obfuscation?

Tom T. wrote:This should help get the word out, as well as bring in reports of other occurrences or variants. Much thanks to SANS for a prompt and thorough investigation, and for helping to bring this to the attention of the security community!

And thank you for bringing this to their attention! :)

Tom T. wrote:*However*... IMHO:
overlay.xul is a Firefox mechanism to allow applications to add elements to the browser GUI...
Note: overlay.xul also has good uses, so don't go for a frantic deletion rampage now. But take a careful and suspicious look at the files you find!

I'm into NS, but not deeply into the inner workings of Fx itself. Is there no safer way to add these elements to the browser GUI? Isn't css enough (and has a few vulns itself?) Not rhetorical questions; I'm seriously asking: What functions does overlay.xul provide that can't be provided elsewise, in a safer manner, since clearly it is vulnerable to being used by malware? Especially since SANS has confirmed the same smoking gun that we found?

I don't think CSS is enough, no. DownThemAll!, for example, uses overlay.xul to add an item to the "Clear Private Data" box; I doubt CSS would provide the level of interaction required (i.e. being able to trap the value of the checkbox) without some insane hacking, if it can even provide that kind of interaction at all. Not completely certain about that though...
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Success at SANS: Publicity!

Post by Tom T. » Fri Dec 18, 2009 12:00 am

computerfreaker wrote:hmm... want me to drop them the link to my de-obfuscation?

Thanks, but I'm sure that they de-obbed (neologism?) it just fine. E. g., he told me privately that "The first part of _cfg.js is XORed with 24 and contains the URLinnoshots-dot-org/ffeed.php". I expect that they're pretty experienced de-obbers. ;) He posted the "as-is" image to let readers know what they'd be seeing in the raw.

Tom T. wrote:Is there no safer way to add these elements to the browser GUI?
computerfreaker wrote:I don't think CSS is enough, no. DownThemAll!, for example, uses overlay.xul to add an item to the "Clear Private Data" box; I doubt CSS would provide the level of interaction required (i.e. being able to trap the value of the checkbox) without some insane hacking, if it can even provide that kind of interaction at all. Not completely certain about that though...

Well, I was just citing CSS as one example of "adding elements to the GUI". Let me remove that and make it a more general question: Is there no safer way to do whatever overlay.xul does? Possibly not, but we now know that it's been used in *multiple variants* as a core part of the malware, so you don't know (or find out) until you start thinking about the issue. Was hoping the Fx über-geeks would put their propeller beanies on and come up with a safer way to do everything that overlay.xul does. Perhaps it will start a discussion of that topic.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

User avatar
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Success at SANS: Publicity!

Post by computerfreaker » Fri Dec 18, 2009 12:32 am

computerfreaker wrote:hmm... want me to drop them the link to my de-obfuscation?

Tom T. wrote:Thanks, but I'm sure that they de-obbed (neologism?) it just fine. E. g., he told me privately that "The first part of _cfg.js is XORed with 24 and contains the URLinnoshots-dot-org/ffeed.php". I expect that they're pretty experienced de-obbers. ;) He posted the "as-is" image to let readers know what they'd be seeing in the raw.

Wow, I wonder if they give lessons on de-obbing? :)

Tom T. wrote:Is there no safer way to add these elements to the browser GUI?
computerfreaker wrote:I don't think CSS is enough, no. DownThemAll!, for example, uses overlay.xul to add an item to the "Clear Private Data" box; I doubt CSS would provide the level of interaction required (i.e. being able to trap the value of the checkbox) without some insane hacking, if it can even provide that kind of interaction at all. Not completely certain about that though...

Tom T. wrote:Well, I was just citing CSS as one example of "adding elements to the GUI". Let me remove that and make it a more general question: Is there no safer way to do whatever overlay.xul does? Possibly not, but we now know that it's been used in *multiple variants* as a core part of the malware, so you don't know (or find out) until you start thinking about the issue. Was hoping the Fx über-geeks would put their propeller beanies on and come up with a safer way to do everything that overlay.xul does. Perhaps it will start a discussion of that topic.

IMHO, anything with the power of overlay.xul also has overlay.xul's potential for abuse. It's just like anything else in life: with great power comes great potential for abuse... :cry:
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Success at SANS: Publicity!

Post by Tom T. » Fri Dec 18, 2009 2:18 am

computerfreaker wrote:Wow, I wonder if they give lessons on de-obbing? :)

Don't know, but it's another site worth adding to the occasional reading list, which must be into the thousands by now. :)
computerfreaker wrote:IMHO, anything with the power of overlay.xul also has overlay.xul's potential for abuse. It's just like anything else in life: with great power comes great potential for abuse... :cry:

Point well taken. However, permit me to cite one *huge* exception as an example: MS's ActiveX is not natively supported in Fx. At first, that broke some sites, but as Fx's market share grew, and as more and more vulns were found in AX (*notorious* for buffer overruns, e. g.), sites started re-designing to be fully functional with less-powerful technologies, or safer ones. (e. g. Java, with its built-in sandbox vs. AX's 100%-privilege on the system. Not that Java is perfect, but far *fewer* vulns, usually of less consequence). AFAIK from personal experience, the only site in my world that still will not run without AX is MS Update itself -- and you can work around that by searching for the updates manually, even with Fx.

For example, a local government agency introduced a new and useful feature to its site, but it was AX-powered. I wrote a strong letter, first to the webmaster, then to the head of the agency, then to the Commissioners. All were ignored. :cry: But a little less than a year later, the AX was eliminated, and they even had that as a yellow-background highlight: "Now works with any browser! No ActiveX required!" :D :ugeek:

Can I take full credit? I don't know. They did say that they were using v.2 of a third-party sw, but perhaps said third-pary came out with the AX-less version precisely because of such protests? If enough people make noise -- the squeaky wheel gets the grease (as you've noticed. :mrgreen: )

So I'm thinking it's not impossible to achieve the same results with safer methods -- *if security is made a priority in the design*. Which is the bottom line everywhere. Cheers.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

User avatar
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Success at SANS: Publicity!

Post by computerfreaker » Fri Dec 18, 2009 7:02 pm

computerfreaker wrote:Wow, I wonder if they give lessons on de-obbing? :)

Tom T. wrote:Don't know, but it's another site worth adding to the occasional reading list, which must be into the thousands by now. :)

I actually cleared out most of my occasional reading list when I rebuilt my Firefox... much nicer than having an 8-page list, eh? ;)
I'll have to add that to the list, though...

computerfreaker wrote:IMHO, anything with the power of overlay.xul also has overlay.xul's potential for abuse. It's just like anything else in life: with great power comes great potential for abuse... :cry:

Tom T. wrote:Point well taken. However, permit me to cite one *huge* exception as an example: MS's ActiveX is not natively supported in Fx. At first, that broke some sites, but as Fx's market share grew, and as more and more vulns were found in AX (*notorious* for buffer overruns, e. g.), sites started re-designing to be fully functional with less-powerful technologies, or safer ones. (e. g. Java, with its built-in sandbox vs. AX's 100%-privilege on the system. Not that Java is perfect, but far *fewer* vulns, usually of less consequence). AFAIK from personal experience, the only site in my world that still will not run without AX is MS Update itself -- and you can work around that by searching for the updates manually, even with Fx.

yes, ActiveX is a huge exception to the rule... (side note: it's interesting that most of MS's proprietary stuff gets rejected, and with good reason)
Java's pretty well guarded, but the sandbox still needs some help IMHO. (Then again, as usual, what's perfect?)

Tom T. wrote:For example, a local government agency introduced a new and useful feature to its site, but it was AX-powered. I wrote a strong letter, first to the webmaster, then to the head of the agency, then to the Commissioners. All were ignored. :cry: But a little less than a year later, the AX was eliminated, and they even had that as a yellow-background highlight: "Now works with any browser! No ActiveX required!" :D :ugeek:

Nice!

Tom T. wrote:Can I take full credit? I don't know. They did say that they were using v.2 of a third-party sw, but perhaps said third-pary came out with the AX-less version precisely because of such protests? If enough people make noise -- the squeaky wheel gets the grease (as you've noticed. :mrgreen: )

Well, I think market share might have something to do with it too... IE still has the majority of the market, but for how much longer? Fx has already hit 25% of the market, and even Safari, Opera and Chrome are starting to gouge IE's share... it makes perfect sense to support Fx and the other major browsers, not just IE.

Tom T. wrote:So I'm thinking it's not impossible to achieve the same results with safer methods -- *if security is made a priority in the design*. Which is the bottom line everywhere. Cheers.

Deja vu - we've been down this path before, when we discussed sandboxing at the OS-level. Security vs. convenience again... which is ActiveX's only redeeming feature: convenience. Users don't have to restart the browser to use AX objects, which is probably why they've survived for so long. :|

l8r!
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. » Sat Dec 19, 2009 1:10 am

@ MONTAGAR: Sorry for shouting, but just realized: Do you still have the malware folder that was extracted from your friend's machine? It might well be yet another variant, *especially* since it exhibited a symptom you and I didn't see. It too should be analyzed and reported -- and now, I have a good place to report it (SANS, as above) and a connection there, as well as a prior valid report = credibility.

If you have it or can get it, please zip and email to me (PM me if you don't have the address.)

computerfreaker wrote:Users don't have to restart the browser to use AX objects, which is probably why they've survived for so long. :|

Do you have to restart the browser to use Java? Have used it to play real-time, online poker, online games, etc... seems it can do about anything AX can do. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar » Sat Dec 19, 2009 5:54 pm

I removed them completely from his computer, but surprisingly, the files were identical (I checked them) except for creation date and time, his were 2 days prior to mine.

This leads me to believe that we "acquired" this from the same location. Unfortunately neither of us keep a browsing history on the computers that were compromised.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

User avatar
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker » Sat Dec 19, 2009 6:39 pm

Tom T. wrote:@ MONTAGAR: Sorry for shouting, but just realized: Do you still have the malware folder that was extracted from your friend's machine? It might well be yet another variant, *especially* since it exhibited a symptom you and I didn't see. It too should be analyzed and reported -- and now, I have a good place to report it (SANS, as above) and a connection there, as well as a prior valid report = credibility.

If you have it or can get it, please zip and email to me (PM me if you don't have the address.)

Something else just occurred to me.
Monty, you mentioned your friend was "browsing the web when the addons dialog popped up"; that implies he wasn't installing any 3rd-party anything. That also implies he wasn't knowingly downloading anything. I'm no JavaScript guy, but I don't think JS on a webpage can download and install files on the user's computer... can it?
If not, that means we've got something much bigger than just a script running - we've got a vuln in Fx. :shock:

computerfreaker wrote:Users don't have to restart the browser to use AX objects, which is probably why they've survived for so long. :|

Tom T. wrote:Do you have to restart the browser to use Java? Have used it to play real-time, online poker, online games, etc... seems it can do about anything AX can do. ;)

I was referring to plugin installs, etc. IIRC, Fx needs to be restarted for all extensions - including the Java plugin - to work. AX installs without needing a browser restart, which is its only saving feature (although of dubious usefulness at best)
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. » Sat Dec 19, 2009 10:17 pm

computerfreaker wrote:Something else just occurred to me.
Monty, you mentioned your friend was "browsing the web when the addons dialog popped up"; that implies he wasn't installing any 3rd-party anything. That also implies he wasn't knowingly downloading anything. I'm no JavaScript guy, but I don't think JS on a webpage can download and install files on the user's computer... can it?
If not, that means we've got something much bigger than just a script running - we've got a vuln in Fx. :shock:

It *had* to install "live", as mentioned previously, because my Sandboxie dumped it on the next start, just as restarting the browser to install would have dumped it. See a couple of posts above about the work-arounds one must do to install Fx add-ons, updates, or any other sw with Sandboxie.

Still don't know the source or vector, but yeah, it wrote this folder and these files to the HD -- or, in my case, the *virtual" HD created by Sandboxie for that session (and each session, if needed).
computerfreaker wrote:Users don't have to restart the browser to use AX objects, which is probably why they've survived for so long. :|

Tom T. wrote:Do you have to restart the browser to use Java? Have used it to play real-time, online poker, online games, etc... seems it can do about anything AX can do. ;)
computerfreaker wrote:I was referring to plugin installs, etc. IIRC, Fx needs to be restarted for all extensions - including the Java plugin - to work. AX installs without needing a browser restart, which is its only saving feature (although of dubious usefulness at best)

It's been a few years since I installed Fx for the first time, but I don't remember installing any Java plug-in. My vague recollection was that since I already had the Java VM installed on the HD, Fx natively picked that up -- kind of like your fave, the Portable Apps Fx, will pick up Fx addons from the HD without a separate install. Not exactly the same thing, just an analogy. Anyway, I don't remember installing an additional plugin for Java, though my feeble memory could be mistaken.
Montagar wrote:I removed them completely from his computer, but surprisingly, the files were identical (I checked them) except for creation date and time, his were 2 days prior to mine.

This leads me to believe that we "acquired" this from the same location. Unfortunately neither of us keep a browsing history on the computers that were compromised.

I don't either, but the chances of all of us having visited the same site within a few days -- and myself visiting that site shortly before reading your OP and trying to reproduce, are rather remote, with the sole exception of Yahoo (my webmail), and possibly Google. I don't use Google for searches, but if there are ever glitches in the wireless connection (unable to connect), I sometimes try Google, because with their vast server capacity, the page loads almost instantly (especially with all the ads and scripting blocked.) If it doesn't load in a second or two, I know it's a connection issue, not just whatever site I was trying to visit being busy. Can't say whether that happened in the period before the original incident, but of course, Google has already denied-by-silence any possibility of them hosting it. (And the SANS guy made a good point that if these guys could pwn Google, they could do a lot worse -- a lot better for themselves -- than just get a few redirections to another site. Except that we don't know what would *happen* at that site -- if a permanent keylogger or other spy- or -adware or Trojan botnet, yeah, it's worth redirecting Google users there, and keeping a low profile.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

User avatar
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker » Sat Dec 19, 2009 10:54 pm

computerfreaker wrote:Something else just occurred to me.
Monty, you mentioned your friend was "browsing the web when the addons dialog popped up"; that implies he wasn't installing any 3rd-party anything. That also implies he wasn't knowingly downloading anything. I'm no JavaScript guy, but I don't think JS on a webpage can download and install files on the user's computer... can it?
If not, that means we've got something much bigger than just a script running - we've got a vuln in Fx. :shock:

Tom T. wrote:It *had* to install "live", as mentioned previously, because my Sandboxie dumped it on the next start, just as restarting the browser to install would have dumped it. See a couple of posts above about the work-arounds one must do to install Fx add-ons, updates, or any other sw with Sandboxie.

Still don't know the source or vector, but yeah, it wrote this folder and these files to the HD -- or, in my case, the *virtual" HD created by Sandboxie for that session (and each session, if needed).

That wasn't what I meant, actually.
I was wondering if JavaScript can download and install files. If it can't, a Fx vuln had to have been used to get the files installed - perhaps something like the font-face vuln fixed by the Fx 3.5.6 release?

computerfreaker wrote:Users don't have to restart the browser to use AX objects, which is probably why they've survived for so long. :|

Tom T. wrote:Do you have to restart the browser to use Java? Have used it to play real-time, online poker, online games, etc... seems it can do about anything AX can do. ;)
computerfreaker wrote:I was referring to plugin installs, etc. IIRC, Fx needs to be restarted for all extensions - including the Java plugin - to work. AX installs without needing a browser restart, which is its only saving feature (although of dubious usefulness at best)

Tom T. wrote:It's been a few years since I installed Fx for the first time, but I don't remember installing any Java plug-in. My vague recollection was that since I already had the Java VM installed on the HD, Fx natively picked that up -- kind of like your fave, the Portable Apps Fx, will pick up Fx addons from the HD without a separate install. Not exactly the same thing, just an analogy. Anyway, I don't remember installing an additional plugin for Java, though my feeble memory could be mistaken.

I don't recall installing a plugin either... it probably came with the Java VM install. The interesting question, though, is "what would happen if someone didn't have the Java VM but visited a Java-based site?"

Montagar wrote:I removed them completely from his computer, but surprisingly, the files were identical (I checked them) except for creation date and time, his were 2 days prior to mine.

This leads me to believe that we "acquired" this from the same location. Unfortunately neither of us keep a browsing history on the computers that were compromised.

Tom T. wrote:I don't either, but the chances of all of us having visited the same site within a few days -- and myself visiting that site shortly before reading your OP and trying to reproduce, are rather remote, with the sole exception of Yahoo (my webmail), and possibly Google. I don't use Google for searches, but if there are ever glitches in the wireless connection (unable to connect), I sometimes try Google, because with their vast server capacity, the page loads almost instantly (especially with all the ads and scripting blocked.) If it doesn't load in a second or two, I know it's a connection issue, not just whatever site I was trying to visit being busy. Can't say whether that happened in the period before the original incident, but of course, Google has already denied-by-silence any possibility of them hosting it. (And the SANS guy made a good point that if these guys could pwn Google, they could do a lot worse -- a lot better for themselves -- than just get a few redirections to another site. Except that we don't know what would *happen* at that site -- if a permanent keylogger or other spy- or -adware or Trojan botnet, yeah, it's worth redirecting Google users there, and keeping a low profile.)

Does anybody have an old computer they'd be willing to download the malware onto and let it run? Here's what would probably need to be done...
* Install malware
* Run RegShot and save it to a CD
* Let malware run
* Run RegShot again, save the new results to a CD
* Compare regshots to see what changed
* Reimage computer to avoid all possibility of malware remaining on the computer

That's the only way we can find out what the malware was supposed to do... I'd do it myself, but I only have one computer and can't use it for this. :(
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. » Sun Dec 20, 2009 3:35 am

computerfreaker wrote:I don't recall installing a plugin either... it probably came with the Java VM install. The interesting question, though, is "what would happen if someone didn't have the Java VM but visited a Java-based site?"

But that wasn't my case, and "probably" wasn't Montagar's. Presumably, you'd be prompted to install the Java VM, just as you're prompted to install Flash at a Flash-based site, either if you don't have the plug-in, or if Flash is blocked in NS. But I'm not seeing the relation to this case.
computerfreaker wrote:Does anybody have an old computer they'd be willing to download the malware onto and let it run? Here's what would probably need to be done...
* Install malware
* Run RegShot and save it to a CD
* Let malware run
* Run RegShot again, save the new results to a CD
* Compare regshots to see what changed
* Reimage computer to avoid all possibility of malware remaining on the computer

That's the only way we can find out what the malware was supposed to do... I'd do it myself, but I only have one computer and can't use it for this. :(

I tried several times to let it run, sandboxed, even letting scripting run at innoshot. Nothing happened, though I didn't compare all 60,000 or whatever Reg entries. ;) But I did search contents of Sandboxie, which are much smaller, for anything new or suspicious. Nothing, but you can't open or copy the cloned Reg hive, since it's in use, and goes away when not in use. I had suspected that the site might have been taken down after the public discovery.

It's possible the malware could be reinstalled in Sandboxie after changing configuration so as not to auto-empty, run, and then close the bowser, copy the reg hive, and see if it's human-readable.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

User avatar
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker » Sun Dec 20, 2009 5:14 am

computerfreaker wrote:I don't recall installing a plugin either... it probably came with the Java VM install. The interesting question, though, is "what would happen if someone didn't have the Java VM but visited a Java-based site?"

Tom T. wrote:But that wasn't my case, and "probably" wasn't Montagar's. Presumably, you'd be prompted to install the Java VM, just as you're prompted to install Flash at a Flash-based site, either if you don't have the plug-in, or if Flash is blocked in NS. But I'm not seeing the relation to this case.

No relation to this case. We were discussing two separate topics - the malware and ActiveX controls - and that was part of the ActiveX discussion. ;)

My original question about the malware remains though: can JavaScript download and install files without user interaction required? If it can, that's how the script installed itself. If it can't, we're probably looking at a Fx vuln - scary. :shock:

computerfreaker wrote:Does anybody have an old computer they'd be willing to download the malware onto and let it run? Here's what would probably need to be done...
* Install malware
* Run RegShot and save it to a CD
* Let malware run
* Run RegShot again, save the new results to a CD
* Compare regshots to see what changed
* Reimage computer to avoid all possibility of malware remaining on the computer

That's the only way we can find out what the malware was supposed to do... I'd do it myself, but I only have one computer and can't use it for this. :(

Tom T. wrote:I tried several times to let it run, sandboxed, even letting scripting run at innoshot. Nothing happened, though I didn't compare all 60,000 or whatever Reg entries. ;) But I did search contents of Sandboxie, which are much smaller, for anything new or suspicious. Nothing, but you can't open or copy the cloned Reg hive, since it's in use, and goes away when not in use. I had suspected that the site might have been taken down after the public discovery.

It's possible the malware could be reinstalled in Sandboxie after changing configuration so as not to auto-empty, run, and then close the bowser, copy the reg hive, and see if it's human-readable.

Dang.
I don't think the Reg hive is human-readable; I have my sandboxes set to keep their contents, and I've tried several times to see what the sandboxed hive contains. I've never been able to read it... probably some sort of proprietary database.
Besides, reg entries are pointless without files - like a keylogger - to accompany them.
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. » Sun Dec 20, 2009 6:42 am

computerfreaker wrote:My original question about the malware remains though: can JavaScript download and install files without user interaction required? If it can, that's how the script installed itself. If it can't, we're probably looking at a Fx vuln - scary. :shock:

Seems like every time you run Flash (without an LSO-blocker), you're getting a permanent file written -- the "Flash cookie", or Local Shared Object. (in Windows, to %APPDATA%\Macromedia\Flash Player\#SharedObjects.)

As for installing something that's more like an add-on,
http://en.wikipedia.org/wiki/Javascript ... ing_errors

Browser and plugin coding errors

JavaScript provides an interface to a wide range of browser capabilities, some of which may have flaws such as buffer overflows. These flaws can allow attackers to write scripts which would run any code they wish on the user's system.

These flaws have affected major browsers including Firefox, Internet Explorer, and Safari.

Plugins, such as video players, Macromedia Flash, and the wide range of ActiveX controls enabled by default in Microsoft Internet Explorer, may also have flaws exploitable via JavaScript, and such flaws have been exploited in the past.
<snip>

Sandbox implementation errors

Web browsers are capable of running JavaScript outside of the sandbox, with the privileges necessary to, for example, create or delete files.
Of course, such privileges aren't meant to be granted to code from the web. [[But it happens, right? (bold and italics are mine) -- T.T.]]

Incorrectly granting privileges to JavaScript from the web has played a role in vulnerabilities in both Internet Explorer and Firefox. In Windows XP Service Pack 2, Microsoft demoted JScript's privileges in Internet Explorer. <snip>

As to whether that can happen *without* exploiting a vuln in the broswer, fortunately, we have the world's foremost JavaScript expert among us. :D I've asked him to answer that.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

User avatar
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker » Sun Dec 20, 2009 7:07 am

computerfreaker wrote:My original question about the malware remains though: can JavaScript download and install files without user interaction required? If it can, that's how the script installed itself. If it can't, we're probably looking at a Fx vuln - scary. :shock:

Tom T. wrote:Seems like every time you run Flash (without an LSO-blocker), you're getting a permanent file written -- the "Flash cookie", or Local Shared Object. (in Windows, to %APPDATA%\Macromedia\Flash Player\#SharedObjects.)

Doubt that could actively execute code though... unless there's a vuln in Fx that would let it get away with that. Back to a vuln again...

Tom T. wrote:As for installing something that's more like an add-on,
http://en.wikipedia.org/wiki/Javascript ... ing_errors

Browser and plugin coding errors

JavaScript provides an interface to a wide range of browser capabilities, some of which may have flaws such as buffer overflows. These flaws can allow attackers to write scripts which would run any code they wish on the user's system. [[boldface mine - computerfreaker]]

That's what this looks like. Since when does a normal browsing session install stuff without the user's consent? (Assuming you're using Fx of course; if you're using IE the answer is "all the time" :P)

These flaws have affected major browsers including Firefox, Internet Explorer, and Safari.

Plugins, such as video players, Macromedia Flash, and the wide range of ActiveX controls enabled by default in Microsoft Internet Explorer, may also have flaws exploitable via JavaScript, and such flaws have been exploited in the past.
<snip>

Sandbox implementation errors

Web browsers are capable of running JavaScript outside of the sandbox, with the privileges necessary to, for example, create or delete files.
Of course, such privileges aren't meant to be granted to code from the web. [[But it happens, right? (bold and italics are mine) -- T.T.]]

What about execute privs? That's the bigger of the 2 steps...

Incorrectly granting privileges to JavaScript from the web has played a role in vulnerabilities in both Internet Explorer and Firefox. In Windows XP Service Pack 2, Microsoft demoted JScript's privileges in Internet Explorer. <snip>

Boy, I have to wonder. Fx 3.5.6 had a font-face vuln fixed, as well as a couple of other vulns. Mr. Maone, any chance that font-face vuln could have been utilized for this? (Or any of the other vulns in the 3.5.6 release notes, for that matter; I instinctively "like" the font-face vuln as a possible vector)

Tom T. wrote:As to whether that can happen *without* exploiting a vuln in the broswer, fortunately, we have the world's foremost JavaScript expert among us. :D I've asked him to answer that.

Great, thanks! :D
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6

Post Reply