Page 8 of 18

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 1:15 am
by computerfreaker
Tom T. wrote:1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.
More and more, I'm "liking" this hxxp://www.firefox.com place as a possible attack vector - Montagar, you may have gotten a "loaded" Firefox install. Either way, I'm taking no chances - I've changed the link protocol.
Tom T. wrote:3) When I first connected there, it was written almost entirely in an Asian language, so I don't know anything about it. I've noticed some Scroogle links are in Cyrillic (Russian) alphabet.
Ditto. I was hoping somebody had found whois records, WOT info, or something like that - I haven't been able to get my hands on anything.
Tom T. wrote:4) Yes. But the discrepancy would now have to be more than two weeks for mine to have self-destructed and Montagar's not.
Drat. One idea down the drain, since both your clock & Montagar's are correct. Oh well, one fewer possibility...
Tom T. wrote:5) Yes, but only after it had disappeared. No issue on 3.5.3 Portable.

6) Not that I can remember.
OK, 2 more possibilities gone.
Tom T. wrote:7) Not during the day that I could reproduce it. I would have shut the machine off for the night and rebooted it the next day, when it disappeared. For some reason, some people leave their machine on 24/7 (waste of electricity!), so,
You didn't reboot when you edited your HOSTS file? Correct me if I'm wrong, but don't you need to reboot to apply HOSTS changes?
Tom T. wrote:@ Montagar: Have you rebooted at any time since this first appeared?
If so, then it seems that would eliminate that possibility.
Well, we'll see if he's rebooted or not - I'm guessing he has, because most users don't leave their machines on for 2 weeks. btw, Montagar, rebooting means shutting down or restarting; hibernate doesn't count. ;)
Tom T. wrote:
CF: #2. Maybe most NoScript users, being the privacy-conscious bunch we are :D, don't use Google - I know I personally use Scroogle, and maybe others do too.
IIRC, didn't you start using Scroogle only in the past few weeks?
Yes. I hadn't known about it until a few weeks ago...
Tom T. wrote:Agree that there's some percent of NS users who don't use Google, but it's surely not 100%. Also, the issue was reproduced at yahoo.com, which is a complete portal, not just a search engine. And to which you are redirected after logging out of any login Yahoo service. Surely some significant number of NS users would have been to Yahoo, either as a portal to their other services, or by being redirected there. Also, issue arose on ask.com, and *at first*, not at bing.com, but later, Montagar found it at bing.com, IIRC.
Great, there goes another idea...
Tom T. wrote:
CF: I don't have Google whitelisted, so the whole NS icon is red while I'm on Google.com.
I have all of Google "untrusted", which has the same effect of turning the NS icon blue -- no scripts from Google are asking to run. (They show in Menu > Untrusted.) So a new third-party script, not yet in the Untrusted list, would indeed induce a color change in the NS logo.
Valid point, surely some people have Google either totally trusted or totally untrusted, so the NS logo would change...
Tom T. wrote:
if it's a local infection, why run *only* when a few sites are visited? ...
That would be easy enough for the programmer to accomplish. Possible motive -- large, popular sites. Infect as many as possible without splashing your malcode all over the Internet.
Well, as you mentioned, Wikipedia takes #6 rankings or something like that, and nobody's noticed innoshot there... also, since WP's universally trusted, people would be more likely to let down their shields there. If I were a malware writer, I'd hit WP for all I was worth...
Tom T. wrote:
Tom T. wrote:
#1. Maybe this is some weird infection vector that very few people are vulnerable to.
But what is it that creates that vuln? Montagar and I seem to have not too much sw in common, other than Fx/NS.
Tom, Montagar, please list your plugins - I have a hunch. See below...
Tom T. wrote:
Montagar wrote:The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org"
computerfreaker wrote:Ah. NOW we're getting someplace - perhaps you and Tom had two different, although similar, infections!
Yes, I noticed that in my first reply to OP. I tried going to innoshots.org, and got a Forbidden error. (Montagar could try that -- with NS locked down, of course.) Innoshot.com is in fact a web site of some type, and that is the domain of the script that I saw. So yes, maybe they are slightly different malcodes, which might account for the fact that mine disappeared: For some reason, the .org variant is more persistent or better hidden.
Maybe this is like Conficker - each version gets more robust than the last? (btw, I got that Forbidden error on innoshots.org as well - it's certainly possible that #1 the referrer is checked or #2 only very specific pages on innoshots.org are allowed - such as malicious executable download pages)
Tom T. wrote:
Montagar wrote: Yes, and it did attempt to run the suspect script, but there are many questions as to what Portable FF shares with a local installation, and I have not attempted to "remove" my local installation as of yet.
CF wrote:Portable Fx shares plugins with a local install; AFAIK, that's it.
CF has dug pretty deeply into the documentation of the portable apps. Early in this thread, I noted that when I went to my Portable Fx, it was still using NS .11, whereas the native Fx had been updated to .14. So Portable does have its own Extensions folder and Profile folder, and plugins do seem to be the only thing shared with the local install.
Actually, Tom, I'm speaking from personal experience here. I have a fleet of Firefox Portable "installs" - Fx 3.5.5 for browsing, Fx 3.0.13 for legacy purposes (in case my school site doesn't fully support Fx 3.5.5), another Fx 3.0.13 for web development, another Fx 3.5.5 for addon development, and even (holy cow!) a Fx 2.0.0.20 for addon development. Each of those portables has its own addons, and each of the portables has to have its addons updated separately from the rest. Only plugins are global...
Tom T. wrote:Which more and more seems to narrow this to a plugin.
MAYBE NOT.

A while ago, I had an issue with Firefox - it wouldn't play mp3 files properly, showing a "Loading video" placeholder instead. I tried disabling all my plugins, esp. the media plugins, then re-enabling them one by one - the problem persisted. Only after I uninstalled (TOTALLY uninstalled, not just a plugin) VLC Media Player did the problem go away. For some reason, VLC had ignored my MIME type settings, my file associations, my Fx content associations, and the WMP plugin's default status for mp3's. The VLC plugin apparently stayed running, even after it was disabled (or VLC just plain took over Fx; either one is unacceptable); maybe this is a similar thing. Hence my request for a plugin list from each of you... (btw, for those interested, the MozillaZine thread covering my VLC issue is located at http://forums.mozillazine.org/viewtopic ... &t=1526525)
GµårÐïåñ wrote:It could be that you took some action as routine that took care of the issue but he has not so the issue persists. Unfortunately no way to really know what you did and what the differences are and so on.
If my plugin dark-horse doesn't come through, we might have to concede that... hope we don't have to give up though.

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 2:39 am
by Alan Baxter
computerfreaker wrote:
Tom T. wrote:1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.
More and more, I'm "liking" this hxxp://www.firefox.com place as a possible attack vector - Montagar, you may have gotten a "loaded" Firefox install. Either way, I'm taking no chances - I've changed the link protocol.
Firefox.com is legit. It redirects to http://www.mozilla.com/en-US/firefox/personal.html
http://whois.domaintools.com/firefox.com

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 3:30 am
by Tom T.
computerfreaker wrote:
Tom T. wrote:1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.
More and more, I'm "liking" this hxxp://www.firefox.com place as a possible attack vector - Montagar, you may have gotten a "loaded" Firefox install. Either way, I'm taking no chances - I've changed the link protocol.
But I've had this antique F2 for almost a year, and OP has latest 3.5.5. Surely versions so far apart wouldn't both be corrupt, or it would have been noticed a long time ago?
Tom T. wrote:3) When I first connected there, it was written almost entirely in an Asian language, so I don't know anything about it. I've noticed some Scroogle links are in Cyrillic (Russian) alphabet.
Ditto. I was hoping somebody had found whois records, WOT info, or something like that - I haven't been able to get my hands on anything.
It's in Korea, if that helps. Pinged and got the IP.

IP address: 210.97.228.26
No host name is associated with this IP address or no reverse lookup is configured.
Error:Host not found
210.97.228.26 is from Korea, Republic of(KR) in region Southern and Eastern Asia
Tom T. wrote:7) Not during the day that I could reproduce it. I would have shut the machine off for the night and rebooted it the next day, when it disappeared. For some reason, some people leave their machine on 24/7 (waste of electricity!), so,
You didn't reboot when you edited your HOSTS file? Correct me if I'm wrong, but don't you need to reboot to apply HOSTS changes?
You need only restart the *browser*. Double-checked this by testing it just now.
Tom T. wrote:@ Montagar: Have you rebooted at any time since this first appeared?
If so, then it seems that would eliminate that possibility.
Well, we'll see if he's rebooted or not - I'm guessing he has, because most users don't leave their machines on for 2 weeks. btw, Montagar, rebooting means shutting down or restarting; hibernate doesn't count. ;)
Somehow, I think Montagar knows that. ;)
Tom T. wrote:
if it's a local infection, why run *only* when a few sites are visited? ...
That would be easy enough for the programmer to accomplish. Possible motive -- large, popular sites. Infect as many as possible without splashing your malcode all over the Internet.
Well, as you mentioned, Wikipedia takes #6 rankings or something like that, and nobody's noticed innoshot there... also, since WP's universally trusted, people would be more likely to let down their shields there. If I were a malware writer, I'd hit WP for all I was worth...
You don't need to allow JS even to *edit* WP. I know, because I've edited it "a few" times. WP.org is actually in my Untrusted list.
CF wrote:#1. Maybe this is some weird infection vector that very few people are vulnerable to.
Tom T. wrote:But what is it that creates that vuln? Montagar and I seem to have not too much sw in common, other than Fx/NS.
CF wrote:Tom, Montagar, please list your plugins - I have a hunch. See below...
Flash
Quicktime
Java

which probably the vast majority of Fx users have.
Tom T. wrote:
Montagar wrote:The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org"
computerfreaker wrote:Ah. NOW we're getting someplace - perhaps you and Tom had two different, although similar, infections!
Yes, I noticed that in my first reply to OP. I tried going to innoshots.org, and got a Forbidden error. (Montagar could try that -- with NS locked down, of course.) Innoshot.com is in fact a web site of some type, and that is the domain of the script that I saw. So yes, maybe they are slightly different malcodes, which might account for the fact that mine disappeared: For some reason, the .org variant is more persistent or better hidden.
Maybe this is like Conficker - each version gets more robust than the last? (btw, I got that Forbidden error on innoshots.org as well - it's certainly possible that #1 the referrer is checked or #2 only very specific pages on innoshots.org are allowed - such as malicious executable download pages)
I "found" it after OP, but yes, I could have picked it up earlier, before I blocked yahoo.com to avoid the annoying redirects from logout of Yahoo mail.
Tom T. wrote:Which more and more seems to narrow this to a plugin.
MAYBE NOT.

A while ago, I had an issue with Firefox - it wouldn't play mp3 files properly, showing a "Loading video" placeholder instead. I tried disabling all my plugins, esp. the media plugins, then re-enabling them one by one - the problem persisted. Only after I uninstalled (TOTALLY uninstalled, not just a plugin) VLC Media Player did the problem go away. For some reason, VLC had ignored my MIME type settings, my file associations, my Fx content associations, and the WMP plugin's default status for mp3's. The VLC plugin apparently stayed running, even after it was disabled (or VLC just plain took over Fx; either one is unacceptable); maybe this is a similar thing. Hence my request for a plugin list from each of you... (btw, for those interested, the MozillaZine thread covering my VLC issue is located at http://forums.mozillazine.org/viewtopic ... &t=1526525)
Interesting! I *did* install VLC a while back, on the HD, then uninstalled it and got the portable version on the USB drive. But if it were corrupted, that's *definitely* a possibility. I didn't install it as a Fx plugin, but it could have done its damage before.

@ Montagar: Got VLC player?

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 4:55 am
by computerfreaker
Dang, another idea out the window... I was hoping firefox.com had been an attack site (it isn't now, I checked it when Montagar posted and it does redirect to Mozilla) when Montagar got his Fx copy - that would explain this whole confuddled business.
Tom T. wrote:
computerfreaker wrote:
Tom T. wrote:1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.
More and more, I'm "liking" this hxxp://www.firefox.com place as a possible attack vector - Montagar, you may have gotten a "loaded" Firefox install. Either way, I'm taking no chances - I've changed the link protocol.
But I've had this antique F2 for almost a year, and OP has latest 3.5.5. Surely versions so far apart wouldn't both be corrupt, or it would have been noticed a long time ago?
I reckon it would depend on the attack vector and the attack code - I don't think cross-version attacks would be too difficult, and a small enough attack vector might let this thing slide under the radar...
Tom T. wrote:
Tom T. wrote:3) When I first connected there, it was written almost entirely in an Asian language, so I don't know anything about it. I've noticed some Scroogle links are in Cyrillic (Russian) alphabet.
Ditto. I was hoping somebody had found whois records, WOT info, or something like that - I haven't been able to get my hands on anything.
It's in Korea, if that helps. Pinged and got the IP.

IP address: 210.97.228.26
No host name is associated with this IP address or no reverse lookup is configured.
Error:Host not found
210.97.228.26 is from Korea, Republic of(KR) in region Southern and Eastern Asia
Well, that's something at least...
Tom T. wrote:
Tom T. wrote:7) Not during the day that I could reproduce it. I would have shut the machine off for the night and rebooted it the next day, when it disappeared. For some reason, some people leave their machine on 24/7 (waste of electricity!), so,
You didn't reboot when you edited your HOSTS file? Correct me if I'm wrong, but don't you need to reboot to apply HOSTS changes?
You need only restart the *browser*. Double-checked this by testing it just now.
Well, scratch another idea... (dang, I'm running out again)
Tom T. wrote:
Tom T. wrote:@ Montagar: Have you rebooted at any time since this first appeared?
If so, then it seems that would eliminate that possibility.
Well, we'll see if he's rebooted or not - I'm guessing he has, because most users don't leave their machines on for 2 weeks. btw, Montagar, rebooting means shutting down or restarting; hibernate doesn't count. ;)
Somehow, I think Montagar knows that. ;)
I'm sure he knows that too, I just don't feel like taking chances with something as elusive as this ghost... (off-topic, if it turns out to be "new" malware, that actually wouldn't be a bad name for it...)
Tom T. wrote:
Tom T. wrote:
if it's a local infection, why run *only* when a few sites are visited? ...
That would be easy enough for the programmer to accomplish. Possible motive -- large, popular sites. Infect as many as possible without splashing your malcode all over the Internet.
Well, as you mentioned, Wikipedia takes #6 rankings or something like that, and nobody's noticed innoshot there... also, since WP's universally trusted, people would be more likely to let down their shields there. If I were a malware writer, I'd hit WP for all I was worth...
You don't need to allow JS even to *edit* WP. I know, because I've edited it "a few" times. WP.org is actually in my Untrusted list.
Oh, great. Another idea gone flat...
Tom T. wrote:
CF wrote:#1. Maybe this is some weird infection vector that very few people are vulnerable to.
Tom T. wrote:But what is it that creates that vuln? Montagar and I seem to have not too much sw in common, other than Fx/NS.
CF wrote:Tom, Montagar, please list your plugins - I have a hunch. See below...
Flash
Quicktime
Java

which probably the vast majority of Fx users have.
Nothing really helpful there... I assume you have it all totally updated?
I had been hoping for something more like this: http://blog.johnath.com/2008/12/08/firefox-malware/
Tom T. wrote:
Tom T. wrote:
Montagar wrote:The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org"
computerfreaker wrote:Ah. NOW we're getting someplace - perhaps you and Tom had two different, although similar, infections!
Yes, I noticed that in my first reply to OP. I tried going to innoshots.org, and got a Forbidden error. (Montagar could try that -- with NS locked down, of course.) Innoshot.com is in fact a web site of some type, and that is the domain of the script that I saw. So yes, maybe they are slightly different malcodes, which might account for the fact that mine disappeared: For some reason, the .org variant is more persistent or better hidden.
Maybe this is like Conficker - each version gets more robust than the last? (btw, I got that Forbidden error on innoshots.org as well - it's certainly possible that #1 the referrer is checked or #2 only very specific pages on innoshots.org are allowed - such as malicious executable download pages)
I "found" it after OP, but yes, I could have picked it up earlier, before I blocked yahoo.com to avoid the annoying redirects from logout of Yahoo mail.
Have you ever browsed without Sandboxie? It could have slipped in then...
Tom T. wrote:
Tom T. wrote:Which more and more seems to narrow this to a plugin.
MAYBE NOT.

A while ago, I had an issue with Firefox - it wouldn't play mp3 files properly, showing a "Loading video" placeholder instead. I tried disabling all my plugins, esp. the media plugins, then re-enabling them one by one - the problem persisted. Only after I uninstalled (TOTALLY uninstalled, not just a plugin) VLC Media Player did the problem go away. For some reason, VLC had ignored my MIME type settings, my file associations, my Fx content associations, and the WMP plugin's default status for mp3's. The VLC plugin apparently stayed running, even after it was disabled (or VLC just plain took over Fx; either one is unacceptable); maybe this is a similar thing. Hence my request for a plugin list from each of you... (btw, for those interested, the MozillaZine thread covering my VLC issue is located at http://forums.mozillazine.org/viewtopic ... &t=1526525)
Interesting! I *did* install VLC a while back, on the HD, then uninstalled it and got the portable version on the USB drive. But if it were corrupted, that's *definitely* a possibility. I didn't install it as a Fx plugin, but it could have done its damage before.

@ Montagar: Got VLC player?
I was thinking less of VLC specifically than of ANY application - I figure if VLC can override all those settings of mine and get to mp3 files, this innoshot thing can override whatever safety precautions are in place and embed itself in its "hit-list" of sites...


OH BOY, CHECK THIS OUT.
Sorry about the bold, I'm extremely excited right now... I think you two might have had a hidden addon!! Tom, your addon manipulation somehow scratched out your infection; Montagar, you might not have hit the right action combo yet. Anyway, with no further speculation:
http://kb.mozillazine.org/Uninstalling% ... extensions
http://forums.mozillazine.org/viewtopic ... 8&t=948945
http://www.malwarebytes.org/forums/inde ... topic=7467

The first link is a MozillaZine article about removing malicious extensions; the last two are the juicy ones, and the symptoms look awfully familiar... I think we've finally got something!!! :mrgreen:

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 5:18 am
by GµårÐïåñ
First off, I was going to say it but since Alan already has, I have to say that he is correct, firefox.com is just fine and is legit and unlikely to be an attack vector. That being said the "hidden" extensions as is called here and there, are not so hidden. They may be installed using code directly into the registry like some well known companies (Microsoft, VideoLAN, DigitalPersona, RoboForm, RealPlayer, etc etc) but although the installation may be silent the presence is NOT. You will ALWAYS see an extension that is installed in your extensions list and/or plugins page. That registry key is very helpful in removing stubborn global installs that won't go away on their own but nothing malicious can hide there long unless people just don't check their addons and what they are running.

As a POC, it is possible to load a compiled dll that piggybacks on an extension that is trusted and then do damage but the presence of it will be felt regardless because in order to exploit the admin/privileges access of chrome through an extension, it has to register it with the browser's core, hence, not hidden, just silent. Hidden action (clandestine) does not mean it's hidden (transparent). You send in the spec-ops they will kill and leave before you know they were there, but you WILL know they were there shortly after. You may have been exposed to a hit and run code, extension, rogue extension, addon, or exploited addon/extension but it's not "hidden" hidden, you just have to look to see if something is there that you didn't put there and then if you can't remove it because it's global, then hit the registry. Just saying, let's not rush to judgment.

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 7:56 am
by Tom T.
CF: ...I don't think cross-version attacks would be too difficult...
I'm sorry, my wording wasn't clear. The link you gave said that the poster got the infection *in a Fx update*. What I was trying to say is that Fx2 hasn't been updated since Dec. 2008, whereas OP has the latest update. So the chance of last year's update of 2.x19 to 2.x20, *and* OP's several updates of 3.5.x *both* containing malware seems slim. Surely millions would have seen this?

Link #1: MZ:
There have been a few reports of malware being installed as a hidden Firefox extension, via the Windows Registry. In the reported cases, the HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\ key was used to install the malicious extension.
Nothing unusual in that Registry key or values, nor in the corresponding files and folders.

Second link:
Last night, I got the notification that there was a new version of Firefox available, so I updated. After it had installed and I restarted, I noticed that the add-ons box popped up and it said that a new add-on had been installed, but I didn't actually see anything new.
I'm sure that I would have seen and investigated such a pop-up message. I'm sure that I haven't seen one.
Anywho, let's say you search for something on Google or Yahoo (ask.com was mentioned as well, but I didn't try that). Let's also say that the first result for your search is http://www.mozilla.com. When you mouseover the link, you see http://www.mozilla.com in the status bar, but when you click it, you go to something like...
This is *not* the same issue as OP. He and I both saw it *upon first connecting* to Google, *without* clicking or mouseover any links -- and even when no Internet connection was available.

The above-linked poster's fix:
I've already got it fixed... as mentioned on the first link, you need to delete the folder:

Documents and Settings\(your name)\Local Settings\Application Data\{33238016-EFEB-43AA-8BCE-3CA12861EE79}

{33238016-EFEB-43AA-8BCE-3CA12861EE79} seems to be unique to each computer - mine was named {385E83C1-7EFE-491C-B303-2F462B11E491}.
I have no such string-named folder at that location. There was a long-string .ini, but a quick search showed that that was a Media Player Classic file.

Note the difference in symptoms also in Link #3:
Recently, I noted that when opening search results from Google in Firefox 3.0.3, I would occasionally get redirected to a different, unrelated website than the one I thought I was headed for.
Again, that is *not* the issue. We were *not* being redirected from search results in Google, but rather saw this script trying to run even if we couldn't get to Google. (Internet connection off.)
Guardian wrote: You will ALWAYS see an extension that is installed in your extensions list and/or plugins page. That registry key is very helpful in removing stubborn global installs that won't go away on their own but nothing malicious can hide there long unless people just don't check their addons and what they are running.
As said, nothing in the extensions or plugins list, folders, etc.; nothing in that registry key -- just the paths to the appropriate folders:
HKLM\SW\MZ\MZ Fx 2.0.0.20\Extensions (pardon the abbreviations, since we're all talking about the same key)

Components: = REG_SZ C:\Program Files\Mozilla Firefox\components
Plugins: = REG_SZ C:\Program Files\Mozilla Firefox\plugins

Two below that subkey in the Software folder is MozillaPlugins, with the only subkey: @adobe.com/FlashPlayer, and all of those entries look like perfectly normal entries related to Flash; no anomalies.

Appreciate all the time and effort you've put into this, CF, but these don't quite seem to fit, either. :cry:
But since I can't reproduce it, and OP apparently still can, Montagar should definitely check all of the above folder locations and Registry keys. But according to Guardian, they would show up in the Extensions or Plugins list anyway.

@ Guardian: Is it possible that a "legitimate" extension was corrupted to contain the rogue script? Should we check checksums on those extension folders? (Since I can't reproduce it, I doubt I'd find anything.)

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 7:01 pm
by Montagar
Wow... my head is spinning at the moment from trying to read all the latest replies. :lol:

I have completely powered down my computer many times since this issue appeared.

In sorting through the latest replies, I am having trouble making sure that I am checking all of the correct folders and registry keys, and knowing exactly what I should be looking for. It is my belief that this issue is tied to some kind of plugin/add-on issue.

Can someone please (without doing any post quoting :)), list the folders and keys that I should check and what I should be looking for? THANKS :)

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 7:46 pm
by computerfreaker
@Montagar - here are the Registry keys you should check.
HKLM\Software\Mozilla - check ALL subkeys (including sub-sub-keys).
HKLM\Software\MozillaPlugins - check ALL subkeys.

Under HKLM\Software\Mozilla\Mozilla Firefox [your-current-version-here]\, you should find two subkeys - bin and extensions. Check the extensions subkey; that will have two subkeys of its own. (Sorry to be confusing like this, but I'm describing it as clearly as possible)
Those subkeys are called "Components" and "Plugins" - check the two folders referenced in those registry keys.
Then, just manually scan through your Firefox directory, looking for anything "out-of-place" - ESPECIALLY folders labeled with an addon-style GUID.

I'm still fairly certain we're looking at a rogue addon, and I'll respond to Tom & Guardian in a moment...
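A read-only PowerShell sweep of the locations listed above, added here as an example and not code posted by anyone in the thread. It assumes a 32-bit Firefox under the default Program Files path (on 64-bit Windows the same keys sit under Wow6432Node), and it only reports what it finds; nothing is deleted or changed.

```powershell
# Added example: enumerate the registry keys and folders named in the post
# above and flag anything that looks like a stray add-on. Read-only; run
# from an elevated prompt on the affected machine. Assumes 32-bit Firefox
# (keys under HKLM:\Software, program dir under Program Files).

# Shape of an add-on style GUID folder name: {8-4-4-4-12} hex digits.
$guidFolder = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Show-RegistryTree {
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Host "absent: $Path"; return }
    # Walk every subkey (sub-sub-keys included) and print each value, so a
    # value that is not a plain install path stands out. This also covers
    # the Mozilla\Firefox\Extensions key the MozillaZine article mentions.
    Get-ChildItem -Path $Path -Recurse | ForEach-Object {
        $key = $_
        Write-Host "[$($key.Name)]"
        foreach ($name in $key.GetValueNames()) {
            Write-Host ("    {0} = {1}" -f $name, $key.GetValue($name))
        }
    }
}

Write-Host '== HKLM\Software\Mozilla (all subkeys) =='
Show-RegistryTree 'HKLM:\Software\Mozilla'
Write-Host '== HKLM\Software\MozillaPlugins (all subkeys) =='
Show-RegistryTree 'HKLM:\Software\MozillaPlugins'

# Each "Mozilla Firefox <version>\Extensions" key carries the Components and
# Plugins paths; list both folders newest-first so a recently dropped file
# is easy to spot.
Get-ChildItem 'HKLM:\Software\Mozilla' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Mozilla Firefox*' } |
    ForEach-Object {
        $extKey = Join-Path $_.PSPath 'Extensions'
        if (Test-Path $extKey) {
            $props = Get-ItemProperty $extKey
            foreach ($dir in @($props.Components, $props.Plugins)) {
                if ($dir -and (Test-Path $dir)) {
                    Write-Host "== contents of $dir =="
                    Get-ChildItem $dir | Sort-Object LastWriteTime -Descending |
                        Format-Table LastWriteTime, Length, Name -AutoSize | Out-Host
                }
            }
        }
    }

# GUID-named folders: the whole Firefox program directory (recursively) and
# the top level of the per-user Local Application Data folder, which is
# where the malwarebytes thread's fix said its {GUID} folder lived.
$firefoxDir   = Join-Path ${env:ProgramFiles} 'Mozilla Firefox'
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')

$candidates = @()
if (Test-Path $firefoxDir) {
    $candidates += Get-ChildItem $firefoxDir -Recurse -ErrorAction SilentlyContinue
}
if (Test-Path $localAppData) {
    $candidates += Get-ChildItem $localAppData -ErrorAction SilentlyContinue
}
$candidates |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guidFolder } |
    ForEach-Object {
        Write-Host ("GUID-named folder: {0} (modified {1})" -f $_.FullName, $_.LastWriteTime)
    }
```

A GUID-named folder is not proof of anything on its own; compare what it contains against the add-ons actually shown in Tools > Add-ons before drawing conclusions.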

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 8:10 pm
by computerfreaker
GµårÐïåñ wrote:First off, I was going to say it but since Alan already has, I have to say that he is correct, firefox.com is just fine and is legit and unlikely to be an attack vector. That being said the "hidden" extensions as is called here and there, are not so hidden. They may be installed using code directly into the registry like some well known companies (Microsoft, VideoLAN, DigitalPersona, RoboForm, RealPlayer, etc etc) but although the installation may be silent the presence is NOT. You will ALWAYS see an extension that is installed in your extensions list and/or plugins page. That registry key is very helpful in removing stubborn global installs that won't go away on their own but nothing malicious can hide there long unless people just don't check their addons and what they are running.
The forum threads I referenced said "nothing extra was in the addon list, although Firefox said one new addon had been installed" - as I haven't run across anything like this myself, I felt it worthwhile to mention.
GµårÐïåñ wrote:As a POC, it is possible to load a compiled dll that piggybacks on an extension that is trusted and then do damage but the presence of it will be felt regardless because in order to exploit the admin/privileges access of chrome through an extension, it has to register it with the browser's core, hence, not hidden, just silent. Hidden action (clandestine) does not mean it's hidden (transparent). You send in the spec-ops they will kill and leave before you know they were there, but you WILL know they were there shortly after. You may have been exposed to a hit and run code, extension, rogue extension, addon, or exploited addon/extension but it's not "hidden" hidden, you just have to look to see if something is there that you didn't put there and then if you can't remove it because it's global, then hit the registry. Just saying, let's not rush to judgment.
No, it can't be totally "hidden" like "invisible" hidden, but I'd say anything hiding from the addons list is moderately safe from discovery unless somebody is actively poking around looking for something - just what we're doing.

Tom T. wrote:I'm sorry, my wording wasn't clear. The link you gave said that the poster got the infection *in a Fx update*. What I was trying to say is that Fx2 hasn't been updated since Dec. 2008, whereas OP has the latest update. So the chance of last year's update of 2.x19 to 2.x20, *and* OP's several updates of 3.5.x *both* containing malware seem slim. Surely millions would have seen this?
Yes, you're right. Another idea gone, but with so few possibilities left, we're down to the good ones... (and one not-so-good one, having to admit defeat)
Tom T. wrote:Nothing unusual in that Registry key or values, nor in the corresponding files and folders.
No, but your infection seems to be gone - let's see what Montagar finds.
Tom T. wrote:
Last night, I got the notification that there was a new version of Firefox available, so I updated. After it had installed and I restarted, I noticed that the add-ons box popped up and it said that a new add-on had been installed, but I didn't actually see anything new.
I'm sure that I would have seen and investigated such a pop-up message. I'm sure that I haven't seen one.
I'm sure you would have seen that, too. However, that doesn't have to be the delivery method - what about a "piggyback"? If this rogue addon entered your machine with a legit download, it might have covered its tracks - end result, no popup message.
Tom T. wrote:
Anywho, let's say you search for something on Google or Yahoo (ask.com was mentioned as well, but I didn't try that). Let's also say that the first result for your search is http://www.mozilla.com. When you mouseover the link, you see http://www.mozilla.com in the status bar, but when you click it, you go to something like...
This is *not* the same issue as OP. He and I both saw it *upon first connecting* to Google, *without* clicking or mouseover any links -- and even when no Internet connection was available.
I know it's not the same issue, but it's the same caliber issue - somebody goes to Google, Yahoo, Bing, etc. and a malicious addon takes full advantage of that. Their infection took the form of being redirected, but this infection takes the form of launching another site's script. Shouldn't be all that hard to change the payload, right? Maybe the virus writers wanted something a little less noticeable than a full redirect?
Tom T. wrote:The above-linked poster's fix:
I've already got it fixed... as mentioned on the first link, you need to delete the folder:

Documents and Settings\(your name)\Local Settings\Application Data\{33238016-EFEB-43AA-8BCE-3CA12861EE79}

{33238016-EFEB-43AA-8BCE-3CA12861EE79} seems to be unique to each computer - mine was named {385E83C1-7EFE-491C-B303-2F462B11E491}.

I have no such string-named folder at that location. There was a long-string .ini, but a quick search showed that that was a Media Player Classic file.
Well, your infection is gone so I wouldn't expect you to find anything - Montagar might have different results. ;)
Also, this is clearly a different malware, so I'd hardly expect it to use the same GUID...
Tom T. wrote:Note the difference in symptoms also in Link #3:
Recently, I noted that when opening search results from Google in Firefox 3.0.3, I would occasionally get redirected to a different, unrelated website than the one I thought I was headed for.
Again, that is *not* the issue. We were *not* being redirected from search results in Google, but rather saw this script trying to run even if we couldn't get to Google. (Internet connection off.)
I know, but see my comment above - the attack container (malicious addon) is probably the same, but the payload changed - after all, something a little less obvious but a little more effective is always what those malware writers seem to want...
Tom T. wrote:As said, nothing in the extensions or plugins list, folders, etc.; nothing in that registry key -- just the paths to the appropriate folders:
HKLM\SW\MZ\MZ Fx 2.0.0.20\Extensions (pardon the abbreviations, since we're all talking about the same key)

Components: = REG_SZ C:\Program Files\Mozilla Firefox\components
Plugins: = REG_SZ C:\Program Files\Mozilla Firefox\plugins

Two below that subkey in the Software folder is MozillaPlugins, with the only subkey: @adobe.com/FlashPlayer, and all of those entries look like perfectly normal entries related to Flash; no anomalies.
Well, as I mentioned, we need Montagar to find something - since your infection is apparently gone, I wouldn't expect to see anything unusual in your Registry... Monty's different though. (Come to think of it, he's the last "live" link to this malware...)
Tom T. wrote:Appreciate all the time and effort you've put into this, CF, but these don't quite seem to fit, either. :cry:
Maybe my revised & explained explanation will fit better...
Tom T. wrote:But since I can't reproduce it, and OP apparently still can, Montagar should definitely check all of the above folder locations and Registry keys. But according to Guardian, they would show up in the Extensions or Plugins list anyway.
Not to pick an argument with Guardian, and he knows way more about this stuff than I ever will, but I still think we're looking at a hidden addon. The guys in the MozillaZine & MalwareBytes forums had a hidden addon, and we don't have much else to go with...

A hidden, rogue addon would also take care of an infection vector - all we'd need is a combination of hacked, legitimate addons and/or hacked, legitimate applications to spread the infection. (Now the question is, how would only two people get the infection??)
Tom T. wrote:@ Guardian: Is it possible that a "legitimate" extension was corrupted to contain the rogue script? Should we check checksums on those extension folders? (Since I can't reproduce it, I doubt I'd find anything.)
Sure, it would be possible for a legitimate addon to be corrupted... remember the GreaseMonkey and Firebug security holes? They could be corrupted, IIRC, even by visiting a malicious webpage... no "formal" installation of anything required.
idk about checking checksums, though - if any changes were made to those folders, whether by Fx or by the user, the checksums would be different and a legitimate addon might get blasted for something it didn't do...

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 8:21 pm
by Montagar
THAT'S IT! computerfreaker's links have pointed to a different version of the same type of rogue extension "blank" install.

C:\Documents and Settings\user\Local Settings\Application Data\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}

that folder contains the following:

chrome.manifest (file)
install.rdf (file)
chrome (folder, contents below)
content (folder, contents below)
_cfg.js (file)
overlay.xul (file)

associated registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"="C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"

I have removed all of the above and the innoshots.org script is gone.

I don't remember having a blank extension install verification screen come up, but anything is possible I guess. I am thinking that it might have piggybacked its way on the install of something else.

Thanks to all of you for your diligence in trying to solve this problem!

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 8:54 pm
by computerfreaker
Montagar wrote:THAT'S IT! computerfreaker's links have pointed to a different version of the same type of rogue extension "blank" install.

C:\Documents and Settings\user\Local Settings\Application Data\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}

that folder contains the following:

chrome.manifest (file)
install.rdf (file)
chrome (folder, contents below)
content (folder, contents below)
_cfg.js (file)
overlay.xul (file)

associated registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"="C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"

I have removed all of the above and the innoshots.org script is gone.

I don't remember having a blank extension install verification screen come up, but anything is possible I guess. I am thinking that it might have piggybacked its way on the install of something else.

Thanks to all of you for your diligence in trying to solve this problem!
YESSSS!!!!
Glad to hear the problem's resolved, Montagar!! :D :mrgreen: :ugeek:

Tom, I'm guessing your sandbox saved you... or perhaps your addon enabling/disabling somehow destroyed this thing. You might want to check, though, just to be sure...

Have a great one, guys!!! :mrgreen:

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 9:23 pm
by therube
C:\Documents and Settings\user\Local Settings\Application Data\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}

that folder contains the following:

chrome.manifest (file)
install.rdf (file)
chrome (folder, contents below)
content (folder, contents below)
_cfg.js (file)
overlay.xul (file)

associated registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"="C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"
And so what was it? Do you still have the items? What are the dates or the directories/files?

Just thinking. It may not have even been a "Mozilla" (like FF) related application.
Think, MediaCoder, which uses (used) the Mozilla (XUL, whatever you may call it) backend.

Obviously \Local Settings\Application Data\ is not a typical place for a FF extension to place itself.

(Just the other day I was looking at <McAfee> SiteAdvisor <which may be causing problems in SeaMonkey> & noticed that it set itself up in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions. I forced it upon SeaMonkey <which it would not ordinarily do> by adding its key to HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\Extensions, but <at least> that alone would not allow it to run.)

Re: Strange script tries to run when connection is down

Posted: Tue Nov 17, 2009 12:13 am
by Montagar
therube wrote:And so what was it? Do you still have the items? What are the dates or the directories/files?

Just thinking. It may not have even been a "Mozilla" (like FF) related application.
Think, MediaCoder, which uses (used) the Mozilla (XUL, whatever you may call it) backend.

Obviously \Local Settings\Application Data\ is not a typical place for a FF extension to place itself.

(Just the other day I was looking at <McAfee> SiteAdvisor <which may be causing problems in SeaMonkey> & noticed that it set itself up in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions. I forced it upon SeaMonkey <which it would not ordinarily do> by adding its key to HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\Extensions, but <at least> that alone would not allow it to run.)
I still have the items, but I have not investigated them any further at this point. Everything was created on 10/8, so it had only been there for about a week before I installed NoScript and started to notice it (I did a few days of research before I started this thread).

Can a separate program install an extension into FF and have it not show up in the extensions or add-ons list, all without any warning or installation confirmation from FF?

Re: Strange script tries to run when connection is down

Posted: Tue Nov 17, 2009 12:32 am
by computerfreaker
Montagar wrote:
therube wrote:And so what was it? Do you still have the items? What are the dates or the directories/files?

Just thinking. It may not have even been a "Mozilla" (like FF) related application.
Think, MediaCoder, which uses (used) the Mozilla (XUL, whatever you may call it) backend.

Obviously \Local Settings\Application Data\ is not a typical place for a FF extension to place itself.

(Just the other day I was looking at <McAfee> SiteAdvisor <which may be causing problems in SeaMonkey> & noticed that it set itself up in HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions. I forced it upon SeaMonkey <which it would not ordinarily do> by adding its key to HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\Extensions, but <at least> that alone would not allow it to run.)
I still have the items, but I have not investigated them any further at this point. Everything was created on 10/8, so it had only been there for about a week before I installed NoScript and started to notice it (I did a few days of research before I started this thread).

Can a separate program install an extension into FF and have it not show up in the extensions or add-ons list, all without any warning or installation confirmation from FF?
Thank you for keeping those, they'll be useful in terms of analyzing this. :)
Would you be willing to zip them & upload them to a public, file-sharing site so we can DL & examine them? (Don't forget to mangle the protocol when you post the link, and make sure you name the zip archive in such a fashion that everyone will know it's malware! We don't want anybody else getting this... ;))

Yes, I think a separate program could install an addon into Fx and have it not show up, with no warning or confirmation - Fx clearly has to set some kind of flag to mark an addon as "not-new", and it should be easy for an external app to modify the prefs database... hidden addons are clearly possible, and setting the "not-new" flag shouldn't be much harder. IIRC, the prefs DB is just a simple SQLite database - fairly easy to modify.

Re: Strange script tries to run when connection is down

Posted: Tue Nov 17, 2009 1:08 am
by Montagar
Okay, I'll admit that I am stupid for not knowing that Windows XP will not search for content inside of a .xul file; I am sure there are plenty of other extensions that are excluded as well.

If I had known that, I would have looked for a program that would search the content of ALL files. Sorry about that guys. This would have been found a long time ago.

The overlay.xul file contains all of the information that we were looking for... google.com, yahoo.com, ask.com, etc.

Man, do I feel dumb. :(
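A defender's check for the two things this thread turned up, as an added example that is my own code and not from any poster, from Mozilla, or from the malware itself. It parses a .reg export of the HKLM\SOFTWARE\Mozilla\Firefox\Extensions key, flags a machine-wide registration whose target is a GUID-named folder inside a user's Local Settings\Application Data (the layout Montagar found, which is what therube called an atypical place for an extension), and then searches every file under such a folder by content regardless of extension, which is exactly what the Windows XP file search skipped for overlay.xul. The registry lines and folder layout are constructed from what was posted; the file bodies are placeholders, since the real contents are not on the page, and only overlay.xul carries the search-engine hostnames Montagar reported.

```python
import os
import re
import tempfile

# Constructed .reg export of the key the thread examined.  The GUID entry is
# the one Montagar posted; Components/Plugins are the stock values Tom T. saw.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"Components"="C:\\Program Files\\Mozilla Firefox\\components"
"Plugins"="C:\\Program Files\\Mozilla Firefox\\plugins"
"{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"="C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}"
'''

ROGUE_ID = '{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}'
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
STOCK_VALUES = ('Components', 'Plugins')  # path values, not extension registrations
SEARCH_HOSTS = ['google.com', 'yahoo.com', 'ask.com']  # strings Montagar found in overlay.xul


def parse_reg_export(text):
    """Return {value_name: target_path} from a .reg export of the Extensions key."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg files escape every backslash as "\\"; undo that
            entries[m.group(1)] = m.group(2).replace('\\\\', '\\')
    return entries


def audit_extensions(entries):
    """Flag global (HKLM) registrations whose install folder looks out of place.

    Returns a list of (value_name, path, reasons).  A machine-wide registration
    normally points into Program Files or a vendor directory; a GUID-named
    folder inside a user profile's Local Settings\\Application Data is the
    layout found in this thread.
    """
    findings = []
    for name, path in entries.items():
        if name in STOCK_VALUES:
            continue
        lower = path.lower()
        reasons = []
        if GUID_RE.match(name) and lower.rstrip('\\').endswith(name.lower()):
            reasons.append('install folder is named after its own extension id')
        if '\\documents and settings\\' in lower:
            reasons.append('HKLM registration points into a user profile')
        if '\\local settings\\application data\\' in lower:
            reasons.append('lives in Local Settings\\Application Data')
        if reasons:
            findings.append((name, path, reasons))
    return findings


def scan_all_files(root, hosts):
    """Search every file under root by content, whatever its extension.

    Returns {relative_path: [hosts found]}.  XP's search skipped the inside of
    .xul files, which is why the hostnames in overlay.xul went unnoticed.
    """
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, 'rb') as fh:
                data = fh.read().lower()
            found = [h for h in hosts if h.encode() in data]
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, '/')] = found
    return hits


def build_sample_extension():
    """Recreate the posted folder layout in a temp dir with placeholder bodies.

    The real file contents are not on the page; only overlay.xul is given the
    search-engine hostnames Montagar reported.  Returns the folder path.
    """
    root = os.path.join(tempfile.mkdtemp(), ROGUE_ID)
    content = os.path.join(root, 'chrome', 'content')
    os.makedirs(content)
    files = {
        os.path.join(root, 'chrome.manifest'): '# constructed placeholder chrome.manifest\n',
        os.path.join(root, 'install.rdf'): '<?xml version="1.0"?>\n<!-- constructed placeholder -->\n',
        os.path.join(content, '_cfg.js'): '// constructed placeholder; real contents not on the page\n',
        os.path.join(content, 'overlay.xul'):
            '<?xml version="1.0"?>\n<!-- constructed placeholder: google.com yahoo.com ask.com -->\n'
            '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"/>\n',
    }
    for path, body in files.items():
        with open(path, 'w') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    for name, path, reasons in audit_extensions(parse_reg_export(SAMPLE_REG)):
        print(name, '->', path)
        for reason in reasons:
            print('   ', reason)
    sample = build_sample_extension()
    for rel, found in scan_all_files(sample, SEARCH_HOSTS).items():
        print(rel, 'mentions', ', '.join(found))
```

On a real machine you would feed parse_reg_export the output of exporting that key with regedit and point scan_all_files at each flagged folder; the content scan reads raw bytes, so it does not depend on any file-type index and will look inside .xul, .js and .rdf alike.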