
[RESOLVED]Ffox lets "Forbidden" script thro' but Opera is OK

Posted: Sat Sep 29, 2012 7:34 pm
by CrlyWrly
Mac 10.5.8, Firefox 15.0.1, Opera 12

Sophos AV has quarantined Mal/Badsrc-M - this is a Windows virus so it has done no damage to my computer.

http://www.sophos.com/en-us/threat-cent ... src-M.aspx

This malware has been repeatedly downloading and I have been manually removing it and clearing the FF cache and back it came again and again.

I found out a bit more about it here, including that the problem might have come from a script redirecting to a site with a domain name ending "rr.nu"

http://openforum.sophos.com/t5/Sophos-A ... o/m-p/3225

I wondered why I had had no warnings from NoScript, checked the settings and found they were "globally allow"! I had not intended this, so I have no idea how long that has been the case.

Sorted that out and then I went back through my browser history until I found the site that was causing the problem (I have contacted the owner). This is a phpBB3 bulletin board. (The "normal page" that is a link to the forum Log In page is OK.)

I looked at the source code for a couple of pages and it looks as if a slightly different script has been smuggled into each page right at the bottom.

Examples from two different pages:

Forum Index Page:

Forum Lobby Page:

Now what is puzzling me is:

1. I have set NoScript to "Forbid" both the forum and "rr.nu". After deleting all instances of the quarantined virus and clearing the cache, I visit the forum using Firefox and Sophos alerts me that a new copy of the virus has been downloaded - and there it is in the Quarantine.

I thought that the Firefox NoScript "forbid" setting would stop this happening?

2. However, if I visit the same forum using Opera, without any "blockers" switched on, the virus does not download.

I would be grateful for any suggestions as to how, if possible, I can stop Firefox from allowing this virus to download and wonder if anyone can explain why Opera seems to be able to block it?

Many thanks,
Liz

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Sat Sep 29, 2012 10:01 pm
by CrlyWrly
UPDATE:

I tried to edit the post above to include an update but when I try to preview I get a page saying that "something in you post triggered the anti-spam filter". I don't know what is triggering it and I have tried all sorts of re-edits and given up.

The updates are:

1. Hope these image links work better than the ones in the original post:

Examples from two different pages:

Forum Index Page:
Image

Forum Lobby Page:

Image


2. Opera:

I tried to use Opera to view the source code of one of the pages listed above and doing that let the virus download and all I could see was a blank page ;-/

Lizzie

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Sun Sep 30, 2012 12:16 am
by Tom T.
I don't get the redirect from the first site to the second, so presumably, it's been fixed.
In NoScript Options > Advanced > Untrusted, have you checked "Forbid META redirections inside NoScript elements"? -- just for safety.

I can't see your images. Perhaps use a different host, such as imageshack? (I block most of Google because of their privacy invasiveness. IMHO. YMMV.)

I tried going directly to the malware site, but got a "Proxy Error", and that it was trying to redirect to

domainpark.sitelutions.com

My HOSTS file blocks the above, as being a known parking place or proxy for malware, presumably. You may wish to consider using one of the several free HOSTS services that block your browser from visiting known bad sites. Currently, about 16,000 sites in mine. More info on request. (Not everyone likes using Hosts as a site-blocker, but I've been doing so for years. If you're a home user, probably no problem; if you're running a server, that's a different story.)

If the evil code was embedded in the page itself, then NoScript would not block it. It can block script sources and plugin sources (Flash, e. g.,) by domain name, but can't selectively block certain code that is part of the site itself, the site you are viewing. That is why we have AV. :)

It is possible that this virus exploits a flaw in Firefox (and possibly IE) that is not present in Opera.
Perhaps notify Firefox and file a report?

If there is something you need to post that is triggering the spam filter, PM it to me, and I'll get it posted. Without knowing what it is, I can't tell what the trigger is. ;)

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Sun Sep 30, 2012 3:48 am
by CrlyWrly
Hi Tom,

Many thanks for the swift reply and the advice!
Tom T. wrote: don't get the redirect from the first site to the second, so presumably, it's been fixed.
I don't understand this bit - I am starting off well, aren't I? :-)

I didn't mention where the pages were located - I assume that is what you mean by "the first site"?

I will PM you the url of the "landing page" - which seems fine. There is nowhere else to go from there but to the Forum. The "Forum" link takes you to the forum (phpBB3) login page, which is where the barrage of virus downloads started with FF. Just about every action on the forum triggered a further virus download.

However - no one else seems to have experienced this problem (although see further update below - something suspicious not detected by McAfee).
Tom T. wrote: have you checked "Forbid META redirections inside NoScript elements"
No - but I have now!
Tom T. wrote: I can't see your images. Perhaps use a different host, such as imageshack?
I am now part of the Frog Family.

Forum Index Page:

Image


Forum Lobby Page:

Image

Tom T. wrote: several free HOSTS services that block your browser from visiting known bad sites
I am on to it! Quickly looked at a few suggestions for Mac but if there is anything in particular you would recommend, please do let me know. Not something I had come across before. I have tried WOT previously but there are so many false-positive bad ratings due to people not agreeing with content, or trying to nobble competitors, and outdated warnings that I ditched it very quickly.
Tom T. wrote: If the evil code was embedded in the page itself, then NoScript would not block it. It can block script sources and plugin sources (Flash, e. g.,) by domain name, but can't selectively block certain code that is part of the site itself, the site you are viewing. That is why we have AV
Thank you :-) I didn't understand at all how it worked before. (I feel sure that I must be missing something about setting up NoScript - is there a way that I can tell it to always block googleadservices, for instance, so that it doesn't keep asking me if I would like to allow it?)
Tom T. wrote: It is possible that this virus exploits a flaw in Firefox (and possibly IE) that is not present in Opera.
Perhaps notify Firefox and file a report?
Ah, now. All is not well with Opera since I first wrote. A very odd thing happened. This is the story . . .

The forum owner said that she had looked at the page sources and that she could not see the nasty code.

However, one of the forum users said that he could see the code (as per one of the images above) but that he had no virus warnings (Windows, McAfee AV - he didn't mention which browser.)

I then wondered if what I had been viewing with FF was the cached version of the page. I had kept clearing the cache and removing the viruses so many times that it seemed possible that I had slipped up and had viewed the source whilst there was still a dodgy page in the cache. (Using FF add-on "View Source Chart").

Since there had been no warnings from Sophos when I was using Opera to access the site, I decided to view the source with Opera. I had already cleared the cache anyway to be on the safe side.

When I went to view the source with Opera, immediately and for the first time with Opera I got a virus download message from Sophos AV. I could not see anything on the source page, just white space, and then Opera crashed. I sent the site details and info from Sophos with the crash report.

Immediately after that, I restarted Opera. Straight away, there was a message that I should upgrade to the latest version.

The next dialogue box said that automated update would not work and I needed to download and install manually. Did that.

Relaunched Opera - unexpected bookmark on the toolbar. I only have two bookmarks there so spotted it straight away.

The rogue bookmark was a link to the site bookings.com.

Hovering over the bookmark produced a warning symbol in the Opera status bar.

Checked the cache and there were several things in there with ".ru" in them including .ico files.

Afraid that I just got on deleting all this nasty stuff and only thought afterwards that I should have made a note of what it was.

It might just be a coincidence but it seems as if viewing the source in Opera enabled something to get into the browser.

Not sure if this is connected, as several people are complaining on the Opera forums about this update, but lots of sites are rendering badly, eg. can only see the top bar on Facebook. No slagging-off FB today - it was how I managed to contact the forum owner without going back on the site :-)

I had not noticed previously but in Opera you can select to retain page content in the history or just the urls and page content had been selected, so I changed that.

After that, I checked FF for any similar bookmarks or nasties in the history or cache but there didn't seem to be anything.

I have also run a full Sophos AV scan on my computer and it has not found anything untoward.

The forum owner is running a scan overnight so we'll have to wait and see if anything turns up.

I would quite like to go back there with Opera again to see what if anything happens this time and make a note of it, but it takes such an age to clean everything up afterwards.

I guess I should really have posted this in the "Security" sub-forum rather than this one - but that was because I didn't understand how NoScript worked and imagined that it would react to the script within pages, rather than what you said :-)

Many thanks again for your help - I haven't yet followed your suggestion to post to FF about a possible security hole but will do.

Will PM you the site url so you can have a poke around if you feel like it :-)

Best wishes,
Liz

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Sun Sep 30, 2012 4:55 am
by Tom T.
CrlyWrly wrote:
Tom T. wrote: don't get the redirect from the first site to the second, so presumably, it's been fixed.
I don't understand this bit - I am starting off well, aren't I? :-)

I didn't mention where the pages were located - I assume that is what you mean by "the first site"?
It appears as though I'm the one who didn't understand exactly which site, in what order, did what, when. :?
CrlyWrly wrote: I will PM you the url of the "landing page" - which seems fine. There is nowhere else to go from there but to the Forum. The "Forum" link takes you to the forum (phpBB3) login page, which is where the barrage of virus downloads started with FF. Just about every action on the forum triggered a further virus download.
Ah, so it's that Forum that was corrupted. I thought the open-mic site was the villain, sorry.

Side note: You may be fascinated by the JSView add-on, in which you can r-click and "View Page Info". It will show you the full URLs from which scripts are called, such as this one, one of the 120 or so run by my Yahoo webmail:

http://mail.yimg.com/zz/combo?/nq/mc/15_0_8/js/im_blue_all.js&/nq/mc/15_0_8/js/us_strings.js&/nq/mc/15_0_8/js/msgr.js

and also shows you how many are "Embedded". At Yahoo Mail, that's most of them. I have to allow mail.yahoo.com to use the site, so those scripts come with it, no choice.


Tom T. wrote: several free HOSTS services that block your browser from visiting known bad sites
CrlyWrly wrote: I am on to it! Quickly looked at a few suggestions for Mac but if there is anything in particular you would recommend, please do let me know....
The service I use is Windows-only, and I am not Mac-friendly, so you could look around Mac community sites, check the various services for independent reviews, etc.

Caveat: Most such services redirect the bad sites to 127.0.0.1, which is the "loopback" or "localhost" address -- your machine talking to itself, as it were. There are some good arguments to be made against using this address. If you are interested in Giorgio Maone's discussion of why, it starts here, where I relay my email conversation with the provider to Giorgio, who responds, uh, "strongly".

*Personally*, I have found that changing the redirect address simply to 0 -- just zero, nothing else, no dots -- causes immediate recognition of an invalid destination, while not mucking up anything. This is undocumented, AFAIK, so please, no liability here if you choose to do this.
CrlyWrly wrote: (I feel sure that I must be missing something about setting up NoScript - is there a way that I can tell it to always block googleadservices, for instance, so that it doesn't keep asking me if I would like to allow it?)
When it asks if you want to allow, click "Mark as Untrusted". This adds it to the "Untrusted" list, and those disappear from the main menu. This is covered in the opening paragraph of SOME SITES YOU MIGHT NOT WANT TO ALLOW.

For what it's worth, I disable offline caching in Firefox, through the Fx GUI Advanced > Network (set offline to 0), and about:config
browser.cache.disk.enable
browser.cache.offline.enable

both toggled to False.

Also, I use (yet another) Windows-only tool called Sandboxie, to trap stuff inside the sandbox (virtual browser) so that it cannot write to the hard drive. It's configured so that at every close of the browser, which is frequent, *everything* is dumped, including malware. (You can give specific permission to save bookmarks, NS settings, various Fx settings, etc. for permanent use.) There are many sandboxing or virtualizing solutions out there -- I think VMWare Workstation may work on Mac -- and some are free or donor-ware. Another good layer of defense-in-depth.
CrlyWrly wrote: I have also run a full Sophos AV scan on my computer and it has not found anything untoward.
A lot of users like the free trial of MalwareBytes Anti-Malware (www.malwarebytes.org), but I don't see a Mac version listed. Any chance of running it on a Windows emulator? It seems like the malware has gotten hold of your machine, and is avoiding removal -- probably because there is a file or two that regenerates the actual virus every time it is removed. Some of these get very clever, splitting themselves in two and renaming themselves, possibly mimicking legitimate file names. If an online tool can't find the source of reinfection, it may require competent, local professional help. It's the fact that new bookmarks are being generated that makes me suspect a more permanent, "parent" infection, possibly the dreaded rootkit.
CrlyWrly wrote: I guess I should really have posted this in the "Security" sub-forum rather than this one - but that was because I didn't understand how NoScript worked and imagined that it would react to the script within pages, rather than what you said :-)
No, you were fine. The "Security" sub-forum is for topics that are known to be not directly related to NS, but are of interest to security-minded users in general. This was as good a place to start this topic as any. :)
CrlyWrly wrote: Will PM you the site url so you can have a poke around if you feel like it :-)
Thanks. It may not be immediately, because it may take some thorough investigation, but hopefully, within a day or two. Just wanted to get these comments to you in the meantime.

Regards,
Tom

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Sun Sep 30, 2012 1:33 pm
by therube
From what I have found, it seems the link to the malware domain is in a script tag in the hosting site's webpage.

So if the hosting site is not allowed, then the script should not fire.
(Unless it were inline script?)

And in any case, scripts (which needn't necessarily be the case) on *.rr.nu wouldn't be allowed, unless you specifically allowed that domain.

Most often this looks to be associated with Wordpress.
Saw one instance with phpBB, so maybe what they are doing there is different?

Malware Campaign from .rr.nu


> The rogue (Opera) bookmark was a link to the site (bookings.com)

That's interesting.
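Tom T. and therube both describe the same model: a domain allow-list such as NoScript's decides whether an external script may load by the domain it is fetched from, it cannot single out code that is embedded in the page itself, and a third-party script (here from an rr.nu host) stays blocked unless that domain is allowed. The script below is an added example, not NoScript's code nor anything from the forum in this thread; the sample page, the page host "forum.example", the script paths and the "stats.placeholder.rr.nu" host are all constructed for illustration. It inventories the script elements of a page and reports, for a given allow-list, which ones that model would let run.

```python
"""Audit the <script> elements of an HTML page the way a domain allow-list
(the model discussed in this thread) sees them: external scripts are decided
by the domain they are fetched from, inline scripts run with the page itself,
and nothing runs while the page's own domain is untrusted.

Added example: the page and the domain names are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collects every <script> on a page as (src, inline_body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # a list while inside a <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def base_domain(host):
    """Crude registrable-domain guess (last two labels): enough to map
    'x.rr.nu' to 'rr.nu' here. A real tool would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def audit_scripts(html, page_host, allowed):
    """Return one (kind, host, runs) row per <script> on the page.

    kind  is 'inline' or 'external';
    host  is the domain the code comes from (the page itself for inline code);
    runs  is whether the allow-list lets it execute: the page's own domain
          must be allowed, and an external script's domain must be allowed
          too. Inline code is never stopped on its own, which is Tom T.'s point.
    """
    collector = ScriptCollector()
    collector.feed(html)
    page_allowed = base_domain(page_host) in allowed
    rows = []
    for src, _body in collector.scripts:
        if src is None:
            kind, host = "inline", page_host
        else:
            # relative URLs (no host part) resolve against the page itself
            kind, host = "external", (urlsplit(src).hostname or page_host)
        runs = page_allowed and (kind == "inline" or base_domain(host) in allowed)
        rows.append((kind, host, runs))
    return rows


# Constructed sample page: the forum's own script, an inline snippet, and a
# third-party script appended at the very bottom of the page.
SAMPLE_HTML = """<html><head>
<script src="/scripts/forum.js"></script>
</head><body>
<p>Forum index</p>
<script>document.title = "Forum";</script>
<script src="http://stats.placeholder.rr.nu/counter.js"></script>
</body></html>"""
PAGE_HOST = "forum.example"  # placeholder, not the real forum


if __name__ == "__main__":
    for allowed in (set(), {"forum.example"}, {"forum.example", "rr.nu"}):
        print("allowed:", sorted(allowed) or "nothing")
        for kind, host, runs in audit_scripts(SAMPLE_HTML, PAGE_HOST, allowed):
            print(f"  {kind:8} {host:26} {'runs' if runs else 'blocked'}")
```

Run with the page's domain untrusted, nothing executes at all; allow only the page's domain and both its own script and the inline snippet run while the rr.nu script is still blocked; allow rr.nu as well and everything runs. The third case is what a "globally allow" setting amounts to, and the second shows why a page that carries the malicious code inline has to be caught by something other than the domain list.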

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Sun Sep 30, 2012 9:26 pm
by CrlyWrly
Hi therube and Tom T - I wrote a lengthy reply but it can't get past your spam filter and I have messed around with it for ages.

I even made into images and embedded two but then when I added the third the damned spam filter kicked in again.

So I am going to try posting each one as a separate reply:

Reply page 1:
Image

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Sun Sep 30, 2012 9:27 pm
by CrlyWrly
Reply page 2:
Image

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Sun Sep 30, 2012 9:28 pm
by CrlyWrly
Reply page 3:

Image

Where there's a will, there's a way :-)

Best wishes,
Liz

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Mon Oct 01, 2012 11:24 pm
by GµårÐïåñ
There was a temporary issue with the spam rule that affected many posters, as well as emails he didn't get either; the issue has been fixed and should not be a problem anymore. Are you still facing trouble posting?

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Tue Oct 02, 2012 4:18 am
by Tom T.
Sorry for the late reply. Trying to make a living, and all that.
CrlyWrly wrote:Hi therube and Tom T - I wrote a lengthy reply but it can't get past your spam filter ....
I believe there is a length limit on messages, so you may be tripping merely on length, although I suspect that the spam filter might not have liked rr dot nu. But putting that in code tags theoretically should avoid that. Sorry for your inconvenience.

IIRC, the issue with the filter that GµårÐïåñ mentioned occurred and was fixed before your OP, and certainly before your last post.
I even made into images and embedded two but then when I added the third the darned spam filter kicked in again.
So I am going to try posting each on as a separate reply:
Yes, I'd try that whenever a message becomes very lengthy. Let us know if it helps.

Please keep in mind that *no* anti-virus picks up 100% of all malware.
In addition, if one were to create a new virus and release it immediately, some number of users would be infected before the AV companies get this virus's "signature" on their list, and their heuristic detector may not pick it up, either. AV is definitely useful, but not infallible. Hence, "defense in depth".

*NO* site should ever trigger outbound requests. Only you should initiate outbound requests. I assume that your firewall alerted you, and you denied the request? .. and that you do not have 8.8.8.8 listed as one of your DNS servers yourself?
IMHO, this is more evidence that there is malware on the machine. Don't try this, but I'd guess that if you allowed the outbound connection, you'd be taken somewhere else -- visibly or invisibly -- that is registered at that Google DNS server.

I would not use PayPal at all until you are 100% certain that your machine is clean. I would also not do any online banking, or other sensitive activity, for the same reason.

There is a very fine freeware tool called RootkitRevealer by the well-respected Mark Russinovich, but again, it's Windows-only. (And people ask why I don't use Mac or *nix. ;) ) Also, it runs only on XP and Server 2003, as it was created as part of the Sony rootkit scandal of 2005. There may be other, newer tools of this type that will run on Mac. I am not aware of any and can't speak to their effectiveness. Also please note that a common scam is to sell or give away anti-virus or anti-malware "tools" that are in themselves malware, so please check carefully any such tool that you are considering using.

I have not yet read your PMs, but intend to fairly soon. Back later.

p.s.: We know how trying and annoying computer problems can be. (Try solving them long-distance when you can't see the screen. ;) ) But we try to keep our forum family-friendly for all ages and for all sensibilities, so please avoid even mild expletives. (You know the two to which I refer.) Unfortunately, while posts can be edited, I can't edit them out of your images. Not a big deal this time, but your cooperation is appreciated. :)

ETA:
From my first reply:
Tom T. wrote:If there is something you need to post that is triggering the spam filter, PM it to me, and I'll get it posted. Without knowing what it is, I can't tell what the trigger is. ;)

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Tue Oct 02, 2012 6:44 am
by Tom T.
(To all)

CrlyWrly
a/k/a Liz PM'd me the link to the forum that was apparently the vector for infection.
I went there, but there was only a message that the site was "closed for housekeeping due to a malware scare".
Which is good.
But it means that now there is no way to determine the exact method by which the infection occurred.

Re: Firefox lets "Forbidden" script thro' but Opera is OK -

Posted: Tue Oct 02, 2012 7:05 pm
by GµårÐïåñ
When I posted my reply below, I also sent a message to Giorgio to take a look. There ARE still some issues lingering, especially affecting his emails; I should know, as 8 of my messages didn't get to him and when I finally found out I had to communicate them to him through other means. So he is aware and working on it, and I am surprised he hasn't replied here yet, but probably because he is analyzing it to have something to say. Just because a problem gets "fixed" doesn't mean it wholly covers all instances. Although everything you said is still a valid potential reason for it triggering the filters.