[UNRELATED - MALWARE] Amazon.com XSS

RipSaw006
Posts: 3
Joined: Thu May 10, 2012 5:22 pm

[UNRELATED - MALWARE] Amazon.com XSS

Post by RipSaw006 »

Ever since Amazon updated their Website I've been getting a NoScript XSS warning. I don't seem to be able to find the cause or collect NoScript info. Amazon has been able to duplicate the problem.

Firefox v12.0
Windows XP Pro SP3

What I have:

No Script - For Firefox

4 - XSS
4.1 What is XSS and why should I care?
4.2 Looks like the Anti-XSS feature causes problems with URLs containing some characters such as <, ' (single quote) or " (double quotes). What's happening?
4.3 Can I turn off Anti-XSS activity notifications?
4.4 Can I bypass Anti-XSS filters for certain web pages?
4.5 Can I turn off the Anti-XSS protection?
4.6 Why does NoScript block documents loaded from jar: URLs?
4.7 Why are Flash applets originating from trusted sites (e.g. youtube.com movies) blocked if embedded on untrusted sites?
4.8 How does IFrame blocking work and why is it disabled by default?

https://www.amazon.com/gp/rmp/homepage/ ... &updates=1

Attempt from [https://edge.jeetyetmedia.com]


Never, ever approach a computer saying or even thinking "I will just do this quickly."
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Giorgio Maone
Site Admin
Posts: 9557
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Amazon.com XSS

Post by Giorgio Maone »

Could you please search for any [NoScript XSS] line in your Error Console (Ctrl+Shift+J) and paste it here?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Amazon.com XSS

Post by Tom T. »

@ RipSaw006:

I'd like to try to reproduce your message, but there is a known issue with long links being broken. See yours in your previous post.
The workaround is to wrap it in URL or Code tags, by selecting and highlighting the link in the Compose box, then clicking "URL" or "Code" from the bar at the top.


@ Giorgio: The portion of OP's link that was visible required login. If additional info is needed, and you don't have an Amazon account, I do have an active one, and would be happy to do any tests, report info, etc.


In General: Per mywot.com, jeetyetmedia is a source that you might want to blacklist anyway, and also to block requests to it with the RequestPolicy add-on:
Information from third-party trusted sources

Third-party trusted sources provide additional information from numerous phishing and malware blacklists, and other trusted sources from the web.
Date: 01/25/2012
Source: TRUSTe
Comment: Does not meet minimum standards set by TRUSTe for data governance and privacy.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
RipSaw006
Posts: 3
Joined: Thu May 10, 2012 5:22 pm

Re: Amazon.com XSS

Post by RipSaw006 »

Good afternoon,

I believe I fixed the issue; the XSS warnings don't appear on Amazon Web pages now. Here's my reply to Amazon:

I sent an e-mail concerning an XSS JavaScript issue detected on your Website via NoScript, see below. You replied suggesting I call. I believe I fixed the issue; phone calls for issues like this are a real pain.

No Script - For Firefox
Attempt from [https://edge.jeetyetmedia.com]

Some research uncovered this: Edge.jeetyetmedia.com is yet another type of malware which is malicious software. Edge.jeetyetmedia.com is another type of online fraud, as malicious software is utilized to redirect your web browser to pages that the computer user did not originally intend. If you are infected with Edge.jeetyetmedia.com, when you are surfing the web, you will find yourself being redirected to websites with ads. Usually these sites are run by those who put out the Edge.jeetyetmedia.com in the first place. These sites have ads that will profit these nefarious webmasters once they are clicked on. Often the sites that are being advertised on the sites that you are redirected to have no idea that they are being used as part of Edge.jeetyetmedia.com. These advertisers are being taken advantage of as well.

My Norton Security Suite hasn't detected it. SuperAntiSpyware didn't detect it either. But Malwarebytes detected and removed:

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

The XSS NoScript warnings have now disappeared from your Web pages.

Thanks for the help and interest.

Never, ever approach a computer saying or even thinking "I will just do this quickly."
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Amazon.com XSS

Post by Tom T. »

Nice detective work. :) I should have done a Web search in addition to the mywot inquiry.

However, in all fairness to Amazon, it is quite possible that you picked up the malware somewhere else. Visiting certain sites, such as Amazon, triggers the malware to run.

We had a similar thread, in which the malware would run whenever the user visited major search sites like Ask, Yahoo, Google, etc. This doesn't mean those sites were the source of the infection (although it's possible).

It can be very difficult to trace the source of a malware infection. If Amazon were a vector, surely we'd have more users complaining about it.
My own visits to Amazon, logged in, did not show a script trying to run from the evil source. So I would tend to give Amazon the benefit of the doubt for now.

Will mark as Resolved. Thanks for posting back.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Amazon.com XSS

Post by dhouwn »

RipSaw006 wrote: But Malwarebytes detected and removed

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
You yourself didn't disable these security center notifications?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Amazon.com XSS

Post by Tom T. »

dhouwn wrote:
RipSaw006 wrote: But Malwarebytes detected and removed

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
You yourself didn't disable these security center notifications?
Another question is whether MalwareBytes detected and removed the actual malware, but I would have assumed that it did so in the process of locating the Reg entries. Perhaps a mistaken assumption?


@ RipSaw006: Was the actual infection found and removed? If so, we'd be interested in knowing the details (file names, locations, etc.).
If not, then on the next boot, the Registry keys may be installed once again. Checking those keys after a reboot may be very revealing, but even if they remain absent, some malware is trained to run only on occasion, to help avoid detection. So it could still be there.

Do you use a third-party anti-virus program? Did it never alarm, or did a scan with it not reveal an infection?

Please advise, and re-scan with both tools if necessary, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
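
A way to run the re-check suggested in the post above, as an added example that is not part of the thread: it parses the Malwarebytes lines RipSaw006 posted and compares the live registry values against the data the report flagged as "Bad". The function names and the fallback data used when not on Windows are assumptions made for illustration.

```python
import re

# The three Malwarebytes report lines quoted in the thread.
REPORT = r"""
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
"""

LINE_RE = re.compile(
    r"^(?P<key>HK[A-Z]+\\[^|]+)\|(?P<value>\S+)\s+\((?P<detection>[^)]+)\)"
    r"\s+->\s+Bad:\s+\((?P<bad>[^)]*)\)\s+Good:\s+\((?P<good>[^)]*)\)")

def parse_report(text):
    """One dict per 'key|value (detection) -> Bad: (x) Good: (y)' line."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def read_current(items):
    """Windows only: read each flagged value from the live registry."""
    import winreg  # standard library, present only on Windows
    current = {}
    for item in items:
        hive, _, subkey = item["key"].partition("\\")
        if hive != "HKLM":
            continue  # the report in the thread lists only HKLM entries
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                current[item["value"]] = winreg.QueryValueEx(key, item["value"])[0]
        except FileNotFoundError:
            pass  # key or value absent: nothing has re-created it
    return current

def reverted(items, current):
    """Names of values whose data equals the report's 'Bad' data again."""
    return [i["value"] for i in items
            if i["value"] in current and str(current[i["value"]]) == i["bad"]]

if __name__ == "__main__":
    items = parse_report(REPORT)
    try:
        now = read_current(items)
    except ImportError:
        # Constructed data for a non-Windows run: one value set back to 1.
        now = {"FirewallDisableNotify": 1, "UpdatesDisableNotify": 0}
    print("set back to the flagged state:", reverted(items, now) or "none")
```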
RipSaw006
Posts: 3
Joined: Thu May 10, 2012 5:22 pm

Re: [UNRELATED - MALWARE] Amazon.com XSS

Post by RipSaw006 »

Final update: The issue did return and here is how I got rid of it.

Even though I thought I had put an end to the No Script XSS warnings, they came back, and no security program could find the issue this time. I have finally found the root cause.

A Firefox app called Best Video Downloader is tied in with a program called Yontoo, which seems to make money via advertising, coupons, etc., and supports app creators that support it. Yontoo is installed in the program folder in addition to Best Video Downloader which is installed in the browser, and, in turn, installed Drop Down Deals in the browser(s). At first I thought Drop Down Deals was something new on Amazon; it's not. Uninstalling Yontoo put an end to all things concerning cross site scripts on Amazon and some other sites that Drop Down Deals started showing up on.

While doing my research, many Yontoo complaints were found and many called Yontoo a virus. Apparently Yontoo is making money and has freely posted complete instructions on how to remove it, in part, or completely. Complete removal also removes Best Video Downloader.
Never, ever approach a computer saying or even thinking "I will just do this quickly."
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [UNRELATED - MALWARE] Amazon.com XSS

Post by Tom T. »

RipSaw006 wrote: Even though I thought I had put an end to the No Script XSS warnings, they came back, ...
Which is what I was afraid of before. Merely removing Registry entries does not remove the cause.
A Firefox app called Best Video Downloader is tied in with a program called Yontoo, which seems to make money via advertising, coupons, etc., and supports app creators that support it. Yontoo is installed in the program folder in addition to Best Video Downloader which is installed in the browser, and, in turn, installed Drop Down Deals in the browser(s). At first I thought Drop Down Deals was something new on Amazon; it's not. Uninstalling Yontoo put an end to all things concerning cross site scripts on Amazon and some other sites that Drop Down Deals started showing up on.

While doing my research, many Yontoo complaints were found and many called Yontoo a virus. Apparently Yontoo is making money and has freely posted complete instructions on how to remove it, in part, or completely. Complete removal also removes Best Video Downloader.
This is apparently now called Easy YouTube Video Downloader, and there are presently 174 ratings of one star (worst), and 50 more of two stars (very bad). Sample review:
Used to be great, but... Rated 1 out of 5 stars

by sylvanmonk on May 17, 2012

This add-on used to be by far the best thing for downloading YouTube videos. Its interface inserts a simple, attractive download button right under videos on YouTube pages which you can click to choose from several file formats and video qualities. It still does all that, but not without some ridiculous bundleware from Yontoo. Those of you like me who are just finding out that your old version of Easy YouTube Video Downloader now only redirects you to a blank page will be saddened to learn you need to reinstall the latest version of this Firefox Extension with the Babylon Toolbar/Yontoo bundleware in order for it to work again. As for me, I'll go find something else to use. What a major letdown!!!
Why aren't these users -- yourself included -- complaining to Mozilla, who is supposed to be blocking misbehaved add-ons after the fact, and should be removing such add-ons from the available list? Complain, complain, complain!

Thanks for posting back and warning our users. Do please post a review at the add-on, and complain directly to Mozilla.
And be glad that NoScript alerted you to this. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0