"body4u", "asnbm" - Dangerous Malware Attached to NoScript
- lazygamer27
- Posts: 5
- Joined: Sun Jun 15, 2014 2:33 am
"body4u", "asnbm" - Dangerous Malware Attached to NoScript
Hello,
I just thought it was important to come to your forums here and let you know about a recent add-on-related malware that I believe has attached itself to your add-on.
The only way I found out that this had infected my computer was because I use two programs in conjunction with one another on a regular basis - a program called Peerblock, and a VPN service called Private Internet Access. PeerBlock is a free and open source software firewall application. It blocks incoming and outgoing connections to Internet IP addresses that are included on blacklists which a user selects, but also any addresses manually specified by the user. I'm frequently monitoring traffic that flows in and out of my Peerblock program in order to keep my VPN service running.
However, I recently had a problem after installing your add-on, NoScript, where I began to see two particular pings being blocked - do not attempt to access these websites, they are dangerous -- body4u.diy.myrice.com and asnbm.myftpsite.net -- I repeat, do not attempt to go to these sites.
As a result of this add-on malware, it began to make my VPN look as though it was working, however tests showed that it was being blocked. I tried uninstalling and reinstalling my Firefox browser, as well as resetting my IE browser (even though I do not use it). The pings kept coming.
I am now looking into having to reformat my entire computer. After I do so, I might try to use your add-on again, but am very hard-pressed to do so because the moment that I begin to see the pings again, I would be forced to reformat the entire computer once again. Using disks, this process takes about 2-3 hours on average. You can begin to see my hesitancy to want to take the risk.
I understand that if I really wanted to protect myself, I really would just need to educate myself about Linux and "go big or go home" as they say.
At any rate, I wanted to make sure I warned you here that there seems to be this malware attached to your add-on so that you might perhaps be able to counter and eliminate this issue in some way. I also wanted to warn your other users that use your add-on so they can try to see if they have this problem on their computers as well.
This is a link to a forum post I made over on PIA, where I also linked to another site talking about these pings and what advanced computer users had to do to get rid of it, as well as a website which goes into detail about body4u and asnbm -- http://tiny.cc/jp4ghx .
I'm sorry to be the bearer of bad news, if you have not realized this is a problem before now.
Take care.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
We still don't have any tangible and actionable intelligence or data to suggest that we are affected. It could very well be limited to your particular case. Do you have anything tangible that we can use to validate this claim?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:28.0) Gecko/20100101 Firefox/28.0 Waterfox/28.0
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
NoScript does not come with any malware. I use it myself on Mac OS X and Linux, and I've put it on Windows computers before, and had no such problems (and the network usage of all these computers is controlled and constantly monitored whenever they're on - I would definitely know if anything like what you're describing is happening).
From what site did you install NoScript? The only official sites are https://addons.mozilla.org/addon/noscript/ and http://noscript.net/getit.
lazygamer27 wrote: I understand that if I really wanted to protect myself, I really would just need to educate myself about Linux and "go big or go home" as they say.
It's possible to be safe with Windows, just that you "need" more tools than required to protect a Unix system.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30a1
- lazygamer27
- Posts: 5
- Joined: Sun Jun 15, 2014 2:33 am
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
Alrighty, well it is possible that I got it elsewhere, but the major change I made was adding noscript to my browser. That was when my trouble started. No, I do not have screenshots, unfortunately.
It is definitely possible that it was just me. I have also considered the possibility that it had something to do with PIA. But I wouldn't know the first thing to do to figure that out.
The fact remains that this add-on malware is elusive, is present on the net, and is destructive. That much I know for a fact.
Yes, I downloaded it from the official firefox site as you linked, barbaz.
At least people can know about it more now. I'm frustrated that there is not more info about this on the net. One person over on bleepingcomputer said that they had found places where sites were offering help to rid their computers of this issue, however it required downloading a program. Kinda fishy and dangerous in and of itself.
From my understanding, it's not very common for an add-on program to stay on a person's computer after the browser is uninstalled and reinstalled. That's also part of why I feel this program is particularly dangerous and insidious.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
lazygamer27 wrote: From my understanding, it's not very common for an add-on program to stay on a persons computer after the browser is uninstalled and reinstalled.
Depends on whether you chose to remove your user data AKA profile when uninstalling.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30a1
- lazygamer27
- Posts: 5
- Joined: Sun Jun 15, 2014 2:33 am
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
Yes, I removed all of the data completely.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
Where did you download NoScript from?
Do you remember what version this was?
Were you connected to any proxy or VPN at the time you downloaded NoScript?
Some questions to aid me in doing a little digging to find out what might have happened to you. Each question is designed to help me with one possible theory.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4
- lazygamer27
- Posts: 5
- Joined: Sun Jun 15, 2014 2:33 am
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
I downloaded it from https://addons.mozilla.org/en-US/firefo ... /noscript/ .
I downloaded it within the last week.
I first downloaded it onto my computer, with my VPN on, from a US server - the same country I reside in. I then downloaded it to my partner's computer on my guest account. I had my VPN on then as well.
I was getting spammed on my peerblock from the three lists on iblocklist designated to "IANA" hits. I removed those because it was so congested, I figured I was doing something wrong. I then saw that the spamming was replaced by the "bogon" lists. I decided it was still having a problem. After that, body4u and asnbm started popping up. I looked to my own computer and removed the IANA lists and bogon lists as the same thing was happening - and the body4u and asnbm hits started happening again, on my computer.
I had just recently added noscript to my own computer, and to my partner's computer on my account.
Since I'm not an advanced computer user, and can't even exactly wrap my head around exactly what peerblock is doing, it's hard for me to articulate exactly what has happened.
As you can see over at bleepingcomputer, however, this is not just a problem that an average user like myself could figure out. Far more advanced users were scratching their heads for over a week trying to figure out what this was - and even still are not sure what happened. http://www.bleepingcomputer.com/forums/ ... myricecom/
When it comes to using a VPN, as I stated over on PIA forums, this thing made my VPN appear like it was working, but it was NOT working. This is after uninstalling my firefox browser and reinstalling it, as well as resetting my IE browser even though I don't even use that thing ever. PIA post - http://tiny.cc/jp4ghx .
Good luck on forming these theories of yours. Perhaps it would help the people at bleepingcomputer as well as myself.
PS. Also note on my PIA post, I made it clear that these pings were taking place as indicated on my peerblock roster even with my wifi turned off.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
-
- Posts: 2
- Joined: Tue Jul 01, 2014 4:19 pm
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
0.0.0.0:68 - that's the port your system uses to map a new IP address to the remote DHCP server for PIA. You focused on the first part of your problem, and you may have one, but the asnbm.myftpsite.net is the host name used by PIA to function. So, when your PeerBlock doesn't allow traffic out, the application can't contact the remote VPN server - you get no VPN service. Read more here: http://forums.comodo.com/firewall-help- ... 525.0.html
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
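As an added example (not code from any poster in this thread or from PeerBlock), the following sketch triages blocked-connection log lines so that DHCP exchanges on UDP ports 67/68 and other broadcast, multicast or reserved-range traffic, which "bogon" and "IANA" blocklists match by design, are separated from blocks on routable destinations that merit a closer look. The log layout, the sample lines and the function names `classify` and `triage` are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines. The layout is an assumption for this example,
# not PeerBlock's actual log format. 198.51.100.77 is a documentation
# address standing in for an ordinary routable host.
SAMPLE_LOG = """\
2014-06-30 21:14:02 UDP 0.0.0.0:68 -> 255.255.255.255:67 list=bogon
2014-06-30 21:14:05 UDP 192.168.1.23:5353 -> 224.0.0.251:5353 list=iana-multicast
2014-06-30 21:14:09 UDP 192.168.1.23:137 -> 192.168.1.255:137 list=iana-private
2014-06-30 21:15:40 TCP 192.168.1.23:49712 -> 198.51.100.77:443 list=custom
not a log line
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+) list=(\S+)$"
)
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
BROADCAST = ipaddress.ip_address("255.255.255.255")
# Reserved, loopback, link-local and RFC 1918 ranges: never Internet hosts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def classify(proto, sport, dst, dport):
    """Return 'dhcp', 'multicast', 'local' or 'review' for one blocked flow."""
    dst_ip = ipaddress.ip_address(dst)  # raises ValueError on a bad address
    if proto == "UDP" and {sport, dport} == {67, 68}:
        return "dhcp"  # client port 68 <-> server port 67
    if dst_ip in MULTICAST:
        return "multicast"
    if dst_ip == BROADCAST or any(dst_ip in net for net in LOCAL_NETS):
        return "local"
    return "review"  # routable destination: worth investigating


def triage(log_text):
    """Return (counts per class, entries needing review, unparsable lines)."""
    counts, review, skipped = Counter(), [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ts, proto, _src, sport, dst, dport, blocklist = m.groups()
        try:
            kind = classify(proto, int(sport), dst, int(dport))
        except ValueError:
            skipped += 1
            continue
        counts[kind] += 1
        if kind == "review":
            review.append((ts, proto, dst, int(dport), blocklist))
    return counts, review, skipped


if __name__ == "__main__":
    counts, review, skipped = triage(SAMPLE_LOG)
    print(dict(counts), review, skipped)
```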
-
- Posts: 2
- Joined: Tue Jul 01, 2014 4:19 pm
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
Another way to do this is: disable PeerBlock, get a successful connection with PIA, then enable PeerBlock. You have your VPN connection and you have your list blocks.
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
- lazygamer27
- Posts: 5
- Joined: Sun Jun 15, 2014 2:33 am
Re: "body4u", "asnbm" - Dangerous Malware Attached to NoScri
Oh, wow.
Well, seeing as how I'm a novice with this level of computer technology, that stuff is hard for me to understand without a translation. But I noticed on what dennis linked to wikipedia, I think that's what happened to me - specifically this part here: http://en.wikipedia.org/wiki/Dynamic_Ho ... l#Security
When I called my ISP to garner more info about my situation, I heard him take a look at my system and said bluntly "you have had a DDOS malware attack on your computer. You need to take your computer to a shop." He sounded like it was a total mess, and all hope was lost.
I think I'm sort of understanding, but I think I need a translation.
body4u and asnbm are known malicious redirect malware problems. (see this link here: http://www.safebro.com/body4u-diy-myric ... rus-remove )
In the meantime since starting this thread here, I've been over on bleepingcomputer and working with their team to fix up my stuff.
For the time being, my router does not seem to be functioning properly even with a factory reset, and I have had to wire directly into my modem.
I seemed to have fixed my notebook for the time being, and am not using a vpn for now until I can learn more about this, but from what it says on wikipedia, there is little protection from this "DHCP snooping" issue (I assume unless I am an advanced computer user).
Thank you for the links.
PS. No, disabling peerblock while enabling the vpn, followed by starting peerblock, does not work to avoid this issue even if it was not a malware. I've figured out how to allow the vpn while peerblock is running.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0