Re: asdf.exe / theonion.com in Security

Re: asdf.exe / theonion.com

Sun, 09 Oct 2005 20:43:40 EDT

trooper100 : it appears the the trojan horse is doing more thin would appears i left it on and did a Trace on it and it seems that it has a healthy link. i will post all in time when IM done logging it and and tracing its path it seams to be working its way around

Re: asdf.exe / theonion.com

Mon, 05 Sep 2005 09:22:13 EDT

anon : i got this file too, and now my windows is a little bit malformed (???) don´t know how to say... i´m german... but it looks slightly damaged... small white stripes all over the symbols and programs (firefox, trillian, my taskbar)

could asdf.exe have done that??

Re: asdf.exe / theonion.com

Sat, 03 Sep 2005 06:38:00 EDT

RobertLudlum :

said by justin :

quote:
if the signature key is recognized as trusted by the end system that receives the applet.

The install will default to no trust, asking the user if they want to trust and run the signed applet.

said by RobertLudum :

quote:

Well, One thing about Java is that any site can bypass the sandbox by signing the applet, and if the user accepts the cert/ trusts it by clicking through.

Exactly. People nowdays are careful about signed ActiveX, I wonder how many know this for signed Java applets?

Re: asdf.exe / theonion.com

Fri, 02 Sep 2005 17:37:16 EDT

justin :

quote:
if the signature key is recognized as trusted by the end system that receives the applet.

The install will default to no trust, asking the user if they want to trust and run the signed applet.

Re: asdf.exe / theonion.com

Fri, 02 Sep 2005 17:21:12 EDT

RobertLudlum :

said by gruntled2 :

I believe that the sandbox cannot be bypassed by a Java applet, signed or no, except in flawed implementations (that is, this is a bug, not a feature). Updating to current versions should eliminate this issue.

Sun disagrees with you?

quote:
JDK 1.1 introduced the concept of a "signed applet", as illustrated by the figure below. In that release, a correctly digitally signed applet is treated as if it is trusted local code if the signature key is recognized as trusted by the end system that receives the applet. Signed applets, together with their signatures, are delivered in the JAR (Java Archive) format. In JDK 1.1, unsigned applets still run in the sandbox.

»java.sun.com/j2se/1.3/docs/guide···oc1.html

Re: asdf.exe / theonion.com

Fri, 02 Sep 2005 16:00:00 EDT

anon : I believe that the sandbox cannot be bypassed by a Java applet, signed or no, except in flawed implementations (that is, this is a bug, not a feature). Updating to current versions should eliminate this issue.

Re: asdf.exe / theonion.com

Fri, 02 Sep 2005 06:38:03 EDT

RobertLudlum :

said by gruntled2 :

You shouldn't have to turn off Java, at least as long as you've updated. But Javascript -- which is a completely different technology, the name notwithstanding -- has historically had security issues. Security specialists typically suggest disabling Javascript except on trusted sites.

-dave

Well, One thing about Java is that any site can bypass the sandbox by signing the applet, and if the user accepts the cert/ trusts it by clicking through.

That nailed quite a few people in the past with firefox.

As for javascript, it seems that almost every exploit needs it as a launch trigger point, so turning it completely off would give you protection yes, but might break some sites.

So to get the best of both worlds, you might play with selectively turning off certain js functions. This is possible in firefox,opera and IE.

Re: asdf.exe / theonion.com

Fri, 02 Sep 2005 06:04:12 EDT

sybille :

said by Justmeagin :

I also got infected by the winsp3.exe problem immediately after downloading the newest release of Firefox.

Which version of Sun Java do you have installed?

Also, since it sounds like you're having trouble removing the infection, you might want to give the steps here a try:
»Security »I think my computer is infected or hijacked. What should I do?
There are instructions for using a series of different scanners, as well as for what to do if the scanners don't do the job.

Re: asdf.exe / theonion.com

Fri, 02 Sep 2005 02:56:03 EDT

anon : I also got infected by the winsp3.exe problem immediately after downloading the newest release of Firefox. I will not take them to task due to the wonderful work they do, but someone has really dropped the ball on this one. Actually, I really hope I'm wrong but at this point, I'm hooped. AVG sees it so does Trend, neither is effective at removing it and it shuts down Windows Beta Spyware checker very effectively.

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 22:55:16 EDT

anon : You shouldn't have to turn off Java, at least as long as you've updated. But Javascript -- which is a completely different technology, the name notwithstanding -- has historically had security issues. Security specialists typically suggest disabling Javascript except on trusted sites.

-dave

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 22:20:47 EDT

DonoftheDead : Sorry to take so long. I was(and am) using Sun Java ver. 1.4.2.08. At least 1.4.2.04. I think I d/l'ed an update not too long ago. But I know at the time the file was dropped on my box I was using 1.4.2.04 at least. Strange, it blew into town and then blew out. Who was that masked stranger? btw I turned off Java and Javascript

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 12:42:50 EDT

anon : Latest version appears to have auto alert for new updates, which should make life easier.

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 09:50:09 EDT

Worfus :

said by sybille :

It would be interesting for people who have found a copy of the asdf.exe file on their disks to post which version of Sun Java they were using when the file was downloaded. This would help to determine if the Sun Java plug-in is the culprit in this case.

I ~~have~~ had Sun Java v1.4.2_04(Build b05).

Java is one security aspect that I don't keep up on with regards to updates. That will change now. Thanks Sybille.
--
"Confusion" will be my epitaph.

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 07:48:45 EDT

anon : I concur with your assessment and am updating Java files. It's worth noting that Sun recommends deleting the old versions.

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 04:18:55 EDT

sybille :

said by jig :

said by RS412 :

So, at least in my experience so far, the sandbox has indeed been breached.

1) could someone tell me what this seeming colloquialism means?

jig , you posted while I was looking up links for my post.

Here's how the iDEFENSE advisory describes the problem:

said by »www.idefense.com/application/poi···tus=true :
II. DESCRIPTION
Remote exploitation of a design vulnerability in Sun Microsystems Inc.'s Java Plug-in technology allows attackers to bypass the Java sandbox and all security restrictions imposed within Java Applets.

A number of private Java packages exist within the Java Virtual Machine (VM) and are used internally by the VM. Security restrictions prevent Applets from accessing these packages. Any attempt to access these packages, results in a thrown exception of 'AccessControlException', unless the Applet is signed and the user has chosen to trust the issuer.

The problem specifically exists within the access controls of the Java to Javascript data exchange in web browsers using Sun's Java Plug-in technology. The vulnerability allows Javascript code to load an unsafe class which should not normally be possible from a Java Applet.

III. ANALYSIS
Successful exploitation allows remote attackers to execute hostile Applets that can access, download, upload or execute arbitrary files as well as access the network. A target user must be running a browser on top of a vulnerable Java Virtual Machine to be affected. It is possible for an attacker to create a cross-platform, cross-browser exploit for this vulnerability. Once compromised, an attacker can execute arbitrary code under the privileges of the user who instantiated the vulnerable browser.

In other words, the term "sandbox" just describes the restrictions placed on java applets, which prevent the applets from altering system files and so on. If the sandbox has been breached or broken, then java applets can do whatever they please on the system, as described above.

For example, the applet could download and run a trojan file. It is possible that this is how people have been infected with the adsf.exe file. But even if that is not the source of the infection being discussed in this thread, the vulnerability is serious enough that it is important for Sun java users to make sure their plug-in, etc. is the up-to-date, patched version.

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 04:00:17 EDT

sybille :

said by gruntled2 :

I am running Java 2 Runtime Environment, Standard Edition 1.3.1; Default virtual Machine Version 1.3.1.b24; Java Plug-In 1.3.1_02

Are the people who have experienced this sure they are running the most recent version of Sun java?

There is a security advisory for JRE (the plug-in) and SDK (the development package) for versions prior to 1.4.2_06 and 1.3.1_13. See:
»sunsolve.sun.com/search/document···-57591-1

said by the Sun advisory :
A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet.

In other words, the vulnerability does involve the breaking of the sandbox.

Also see:
»secunia.com/advisories/13271/
»www.idefense.com/application/poi···tus=true
»www.kb.cert.org/vuls/id/760344

To check what version of Sun java is on a PC, Sun recommends that the following command be run:
% java -fullversion

Whether this particular vulnerability is responsible for the asdf.exe infection or not, it seems very important to make sure that the java plug-in being used is not one of the vulnerable versions.

Edit: It would be interesting for people who have found a copy of the asdf.exe file on their disks to post which version of Sun Java they were using when the file was downloaded. This would help to determine if the Sun Java plug-in is the culprit in this case.

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 03:56:03 EDT

jig :

said by RS412 :

So, at least in my experience so far, the sandbox has indeed been breached.

1) could someone tell me what this seeming colloquialism means?

2) aren't you guys using an old version of java, or is that the version that runs with FF?

aside to justin: i misread your original post. you were asking about a separate program that was a keylogger.

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 03:30:41 EDT

anon : I am running Java 2 Runtime Environment, Standard Edition 1.3.1; Default virtual Machine Version 1.3.1.b24; Java Plug-In 1.3.1_02

I would be flabbergasted if this is a Java implementation issue; if the sandbox model is broken we're in deep trouble indeed.
*****************************************************
I too have just gotten rid of the asdf.exe virus (I hope). I use FF 1.0.6 and AOL (using IE 6), so I can't help with which one downloads the file. HiJackThis showed 2 alerts for a file called vtsts.dll I then tracked this through Google to the Download.Trojan virus. Norton found 2 instances of this while in safe mode, including the time.class file. However, after rebooting to normal, I still got pop-ups for winfixer and random searches on Lycos. Remembering that time.class is java, I opened control panel to the Java console and unchecked the option allowing it to be the default Virtual Machine for IE. So far, 3 hours later, no pop-ups. So, at least in my experience so far, the sandbox has indeed been breached.

Re: asdf.exe / theonion.com

Thu, 01 Sep 2005 01:06:18 EDT

Mele20 : I see no ads there. :) Proxo with Sidki's filters. I do see 15 toggle flash notations though. That is real overkill. :( I'm on Opera and I don't even have Flash for it or Fx. If I really want to view flash content on some site, I go use IE ...so I have to really want to see the Flash movie as I have to first lift the killbit for Flash for IE in Spyware Blaster. I think sites are stupid for using so much Flash.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus

Re: asdf.exe / theonion.com

Wed, 31 Aug 2005 23:53:53 EDT

B : It seems The Onion has JUST re-done its entire web site, purposely adding tons more ads and abandoning their paid "Premium" service level.

They've also gone to some abomination of web design called "sifr" that manages to use the dreaded Flash SWF even more than normal humans thought possible -- for text headlines. Hitting the page with AdBlock results in dozens of "ADBLOCK" tags next to every darned subheading.

See more at »www.subtraction.com/archives/200···ew_f.php

and discussion at »www.metafilter.com/mefi/44720

To block this blatantly evil "sifr" nonsense, add "*/sifr.js" to your AdBlock file. (Use */sifr.swf to get rid of all of it at The Onion, but the headlines won't appear.)

And my point is... is this merely coincidence? I think not.

-- B
--
In a realm outside causality and function

Re: asdf.exe / theonion.com

Wed, 31 Aug 2005 22:44:25 EDT

Re: asdf.exe / theonion.com

Wed, 31 Aug 2005 18:26:53 EDT

anon : Gruntled2 and DonoftheDead,
Can you tell us what versions of Java you were using?

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 21:51:40 EDT

Name Game : »3dgpu.com/forums/lofiversion/ind···976.html

NOD recognizes it as Win32/trojanDownloader.Small.NEU trojan.

Jotti's malware scan 2.99-TRANSITION_TO_3.00

AntiVir Found TR/Dldr.Small.bhf
ArcaVir Found Trojan.Downloader.Small.Bhf
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.Small.GJ
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found unknown virus (probable variant)
Fortinet Found W32/Dloader.AB-dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.bhf
NOD32 Found Win32/TrojanDownloader.Small.NEU
Norman Virus Control Found Sandbox: W32/Downloader; [ General information ]

* File length: 1550 bytes.

[ Changes to filesystem ]
* Creates file C:\1.exe.

[ Network services ]
* Downloads file from hXXp://66.159.17.156/rm/w.exe as c:\1.exe.

[ Security issues ]
* Starting downloaded file - potential security problem.

UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Small.bhf

Funny that cause i had ben trying to run IPCONFIG in the CMD and it never worked. As soon as i let NOD32 clean the Trojan, it works. Thus if you have that file, you may have a Trojan.

--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 15:35:27 EDT

KyeU : There are probably variants of it.

Perhaps some download spyware and another downloads a trojan...you never know :(

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 15:05:24 EDT

justin : I don't know that it is a keylogger, if I said so, then i was mistaken. It is a very small program that is a downloader stub, and who knows what it drags in if given the chance to execute. The guy who looked at my copy said that the site it downloads from was dead.

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 14:52:17 EDT

jig : justin:

you said in the beginning that this was a keylogger. others have stated that it is a downloader... i know that once it starts downloading things, a keylogger can be installed, but did you ever actually read a description that said it downloaded a keylogger, or did you catch it in the act?

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 14:36:36 EDT

anon : It is of course always possible that I am mistaken.

In any event, I have taken the precaution of disabling prefetch. I would urge others to do the same.

-dave

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 13:55:49 EDT

Tuulilapsi : Well, yes, I suppose prefetch could be used to download a malicious executable or a video of Bin Laden breakdancing, but unless the downloaded files are executed, they can do nothing at all. As far as I know, Firefox does not randomly execute prefetched files, however, and I'm not even sure it prefeches anything but html files.
--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 13:38:40 EDT

justin :

said by gruntled2 :

To reiterate, yet again, I received this file via Firefox 1.0.6, which I have been using since it was released in July.

-dave

Yes I know you are reiterating it :) but security is a tricky beast and so are malware and trojans. Unless someone can reproduce the problem with 1.0.6 I'm privately betting you are mistaken for some reason.
The installed base of 1.0.6 is large and malware authors react instantly to opportunities. It just doesn't feel like a standard install of 1.0.6(en) is currently vulnerable given the lack of confirmation and continued infection stories.

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 13:31:15 EDT

anon : To reiterate, yet again, I received this file via Firefox 1.0.6, which I have been using since it was released in July.

-dave

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 12:47:55 EDT

justin : no this is a red herring. Performance enhancements such as pre-fetech are nothing to do with security vulnerabilities. Whatever was the vector via old versions of firefox (I still feel it cannot be via new versions, as there is not sufficient interest in this infection) it would be nothing to do with any more recent firefox options that improve rendering speed.

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 12:40:38 EDT

anon : My point is not that prefetch places a download at root; my point is that prefetch could be used to download a bit of code that then places asdf.exe at c root, and then asdf.exe then attempts to download the payload

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 11:34:13 EDT

Tuulilapsi : You're correct. Prefetch also doesn't download anything to C root.

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 09:58:40 EDT

jp10558 :

said by Gruntled2 :

I think this could be an issue with prefetch in Mozilla/Firefox. Prefetch is turned on by default in Mozilla/Firefox. Basically, anything marked with a prefetched tag is brought down, and anybody can mark anything with a prefetch tag. To turn prefetching off, go to the address bar and type "about:config" and then scroll down to "network.prefetch-next". Double click on it to change the setting to False.

But why would that cause the cached items to be able to attempt to make outgoing connections? Surely prefetch doesn't attempt to execute anything it downloads?
--
Opera 8.02(Build 7680); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 2.7;Proxomitron 4.5j Grypen 8/28/05(Opera mod),GPG ID:0x0A1C6EE3

Re: asdf.exe / theonion.com

Tue, 30 Aug 2005 09:01:32 EDT

anon : I think this could be an issue with prefetch in Mozilla/Firefox. Prefetch is turned on by default in Mozilla/Firefox. Basically, anything marked with a prefetched tag is brought down, and anybody can mark anything with a prefetch tag. To turn prefetching off, go to the address bar and type "about:config" and then scroll down to "network.prefetch-next". Double click on it to change the setting to False.

Re: asdf.exe / theonion.com

Mon, 29 Aug 2005 14:18:20 EDT

RobertLudlum : Another data point.

Routine scanning of my temp folder found a file 77dwr6zp.zip which contained asdf.exe . It doesn't seems to have being executed though.

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 23:19:16 EDT

KyeU : Ads I see on that fitwatch site:






(*) WARNING 2 long line(s) split





(*) WARNING 1 long line(s) split

I will take a look at these ads, to see if there's any suspicious code.

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 21:40:25 EDT

anon : Should have also noted that the "Allow web sites to install software" option is not checked.

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 21:06:46 EDT

anon : While I keep javascript disabled in IE, I have enabled both Java and Javascript in Firefox.

-dave

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 21:00:36 EDT

Cudni : Thanks for coming back :) Do you have java and/or javascript enabled and on that day?

Cudni
--
What is now proved was once only imagined.
Help yourself so God can help you

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 20:58:54 EDT

anon : Apologies; I'm the guy who posted the report about 1.0.6 being vulnerable; I had to race out of town for a family emergency Friday and just now regained Internet access. Here are the details: My box is WinXP AMD Althon with all critical patches installed. The system is running both anti-virus and a software firewall (behind a hardware firewall). I've been running Firefox 1.0.6 since it was released in July. On Wednesday, August 24, I went to »www.fitwatch.com/caloriecounter.html to find out how many calories in a large order of fries (long story). Other common vectors, such as mail or instant mesaging were not active. Moments after visiting the site, my software firewall reported that asdf.exe was trying to access the Internet. I denied access and began researching the issue. After concluding that I could safely delete the files, I did so.

-dave

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 19:53:10 EDT

B :
It really bothers me that we're five pages into this and 3.6 gazillion page views and search hits, and we have almost no documentation or live samples, other than the "dead" issue reported by the kind BOClean folks (and thank you for that guys).

I would ask Kevin to return to the thread long enough to answer some of the seemingly valid questions his report raises, particularly regarding the infection vector and what version(s) of what browser(s) may still be vulnerable to this effect.

And to the contrary, if the vector is NOT a new one, then please simply let us know which one it was....

-- B
--
In a realm outside causality and function

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 17:44:20 EDT

DonoftheDead : Just an update. I upgraded Suse and FF during the during installation. I didn't go on the Net until FF was v1.0.6. I never let FF d/l any plugins when it asks. I went to a Kaffeine d/l site and tried to d/l a plug-in. It didn't d/l the file I wanted, but it did drop asdf.exe on my box. Went back to site today. No problem. D/l'ed files I wanted without a hitch. Maybe it's over, now, with the "bad server" taken down. Could it be the Linux ver. of FF1.0.6 is vulnerable, the Windows ver. of FF1.0.6 isn't? Not an expert, just asking. Certainly a weird form of malware. Would like to know how it got on my Suse9.2 box. Not worried, just curious.:)

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 16:28:08 EDT

justin : It is funny how one problem with an older version of the browser (I don't buy that the problem is 1.0.6 yet) has someone declaring the poor state of firefox security when new versions of the full default install of IE are hacked almost monthly :)

By the way, searches for asdf.exe hitting this topic are 50% MSIE (latest version) and 50% firefox. Of the 50% firefox, 50% are older versions doing the search. Many of the 1.0.6 visitors are curious visitors from topics at mozillazine, etc.

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 12:24:17 EDT

barky : In my experience, most people switched to FF because it was generally considered to be a "secure" browser. In fact, I clearly remember the average DSLR FF advocate using security as the number one reason to switch from IE. I've setup plenty of non tech savy people with FF, because I believed it to be fairly secure. With the number of advisories comming out on FF, and now this issue, I won't be recommending FF as an IE replacement anymore. I think the fox had its time, but popular use has caught up with it. I really like that FF is standards compliant, but it lacks mature development on the security side. I've had good luck with IE locked down (Avant is my primary), but still use FF for web development (and still will). Personally, I'm a little scared to browse the innerweb on the fox now.

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 08:48:34 EDT

Tuulilapsi : I don't think it's very patronizing to acknowledge the fact most users don't know even the basics of computer security, nor that when software has flaws, software companies should fix them as soon as possible. The John and Jane Users that know me personally seem fairly grateful of my help, and after listening to me, they seldom need any help again.

DCS ProcessGuard is a very good tool in the right hands, and I own a license. However, for the average user that doesn't know that mssmgs.exe is malware instead of a legit application, ProcessGuard isn't nearly as useful. It's not a panacea. As for BOClean, yes, I have seen cases where people have gotten infected running BOClean. BOClean is a well-regarded anti-malware, but it's not perfect - nothing is.
--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 08:34:03 EDT

Mele20 : I may be "eccentric" ;) but you are the patronizing one. :) I wouldn't want to be Jane or John Doe and know you.

As for BoClean and Process Guard, they come as close as possible to being "god" as any security device ever has. Have you ever heard of anyone running BoClean who got infected?
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 08:24:35 EDT

sybille : Interesting info, Cudni , thanks.

Looking at the list, it seems to me that although the advisory has been updated, it still does not concern releases of Firefox after 1.0.4. So the current release, 1.0.6, ought to be OK.

Another reason to keep things updated.....:)

Edit: but I guess this would not account for what DonoftheDead has reported?

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 08:24:25 EDT

Tuulilapsi :

said by Mele20 :

Most folks use Fx because they like it. Security isn't that important of a reason to use Fx. It is NOT the reason people use Fx. If I liked IE, I would use it. Simple as that. I don't like IE. I like Fx but not a great deal. It is better though than IE. Mozilla is the best browser but it lacks an essential extension. Opera costs too much. Which is the most secure? I don't know and don't care. Fx does itself harm by this campaign to claim it is superior security wise.

If I was as concerned as you appear to be, I would simply buy BoClean and be done with it. :) (Oh...and of course make sure I have either Process Guard or KIS 2006 which has a Process Guard).

Riiiight. I suppose no one has changed from IE to Fx because Fx is, or was, less vulnerable to drive-by-downloads of badware of the day than IE. Fact is, many people do use Fx because they think it's more secure than IE. You have an annoying habit of trying to project your own, often quite eccentric, opinions on other people. Just because you don't use Fx for security reasons doesn't mean other people don't, either.

I'm not concerned for my own security, which I feel confident in, but I am concerned for the security of John and Jane User. BOClean is no computer security Jesus, protecting from all malware known to man. If there's a hole in Fx that can be fixed, it should be fixed as soon as possible to protect users. Simple as that. Since this would seem to be the (one of) the first cases of drive-by-downloads in Fx, this is an important issue that deserves all the attention it can get.
--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 07:55:49 EDT

Mele20 : Most folks use Fx because they like it. Security isn't that important of a reason to use Fx. It is NOT the reason people use Fx. If I liked IE, I would use it. Simple as that. I don't like IE. I like Fx but not a great deal. It is better though than IE. Mozilla is the best browser but it lacks an essential extension. Opera costs too much. Which is the most secure? I don't know and don't care. Fx does itself harm by this campaign to claim it is superior security wise.

If I was as concerned as you appear to be, I would simply buy BoClean and be done with it. :) (Oh...and of course make sure I have either Process Guard or KIS 2006 which has a Process Guard).
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 07:46:32 EDT

Cudni : »www.securityfocus.com/bid/14242/discuss
"..
The Mozilla Foundation has released 12 security advisories specifying security vulnerabilities in Mozilla Suite, Firefox, and Thunderbird.

These vulnerabilities allow attackers to execute arbitrary machine code in the context of the vulnerable application, bypass security checks, execute script code in the context of targeted Web sites to disclose confidential information; other attacks are also possible. .."

and
»www.securityfocus.com/bid/14242/info

Cudni
--
What is now proved was once only imagined.
Help yourself so God can help you

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 07:41:49 EDT

Tuulilapsi : I strongly disagree. If this malware isn't functional anymore, that doesn't mean the exploit used by it isn't a very serious problem. Users of Firefox mostly have a strong faith in the security of their browser, and since this exploit seems to affect even the most up-to-date versions of Fx, it's a very critical problem. Any other malware could use the same exploits used here, even if asdf.exe is non-risk. This is a very serious problem, and the exploit needs to be identified and the vulnerability patched asap.
--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 07:31:49 EDT

Cudni : Thanks for the info. Do you know how the file gets dropped on the system?

Cudni

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 07:19:02 EDT

K McAleavey : Sorry to see this is still ongoing. We looked into this several days ago, and it's a dead file, although we covered it anyway. I'm going to post SPECIFICS since the link is *dead* and cannot function.

"ASDF.EXE" is hard-coded to go to a specific IP and download a specific file. When first discovered a few days ago, the site was torn down and the IP itself is "unassigned" and therefore SAFE to specify here ...

ASDF is a downloader which attempts to retrieve:

»66.159.17.156/rm/w.exe

W.EXE is "VXGAME15" as known to BOClean, a "casino" hijacker which would have installed "SORTED LINKS" (associated with IST) on the affected machine, replete with desktop icons and all for "Poker" and some porn sites. No desktop icons, no infection. "VXGAME" was a little IST escapade to find the most talented script kiddies who could write "undetectables" and was part of a rather large contest to see who could infect the most and the fastest. Contest remains ongoing, and the "VXGAME" and "VXDIALER" series of events are continuing.

66.159.17.156 was registered to:

Williams Communications, Incorporated WCG-BLK-2 (NET-66-159-0-0-1)
66.159.0.0 - 66.159.31.255
IIC Internet WLCO-TWC874610-IICINT (NET-66-159-16-0-1)
66.159.16.0 - 66.159.20.255

# ARIN WHOIS database, last updated 2005-08-27 19:10

Upon notification of the activities to Williams Communications, the site was torn down within 30 minutes and GONE.

So if the file exists, just delete it, nothing to see here and we covered the downloader as well as what it wanted to download. Game over for these kids at least. Bottom line, no risk anymore. Usual suspects, nothing to see. :)
--
Kevin McAleavey support@nsclean.com (Makers of BOClean anti-malware protection) »www.nsclean.com

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 02:26:58 EDT

amysheehan :

said by AnonymousAnderson :

Hey guys,

I found asdf.exe in my c:\ directory, I've been using both IE and Firefox all day and both have crashed at some stage in the day so I couldn't tell you which dropped the file in there.

Upshot: even after deleting asdf.exe ipconfig is broken and won't run properly (running ipconfig /all just flashes a blank MS-DOS box on the screen for a second).

Any ideas?

If the file should reappear PLEASE submit it for analysis by following the guidelines here: »Security

Thanks :)

Re: asdf.exe / theonion.com

Sun, 28 Aug 2005 01:27:55 EDT

anon : Hey guys,

I found asdf.exe in my c:\ directory, I've been using both IE and Firefox all day and both have crashed at some stage in the day so I couldn't tell you which dropped the file in there.

Upshot: even after deleting asdf.exe ipconfig is broken and won't run properly (running ipconfig /all just flashes a blank MS-DOS box on the screen for a second).

Any ideas?

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 17:24:33 EDT

KyeU : I wrote a filter for this

This will work unless they have used Javascript to break up the sentence structure, or they have encoded it :(

It's very hard to match encoded/broken up versions, but I'll try to revise the filter.

EDIT: Made it somehow match broken up versions.

Since whatever's after name and src can be anything, I'm focusing on the name and src tags themselves.

For example, if iframe's name tag is broken up as

document.write ('na');
document.write ('me');

document.write ('n');
document.write ('a');
document.write ('m');
document.write ('e');

document.write ('nam');
document.write ('e');

Similarily, iframe's src tag will be detected if it's broken up as:

document.write ('sr');
document.write ('c');

document.write ('s');
document.write ('r');
document.write ('c');

It may produce some false positives, but still, who would make a website contain one of the above combinations?

Let me tell you, this filter's not going to be nice to look at ;)

I will work now on encoded versions of "name=" and "src="

EDIT2: Now matches hex encoded "name" and "src"

'%6E%61%6D%65' = 'name' in hex

Matches:

document.write( unescape ('%6E%61%6D%65') );

document.write( unescape ('%6E%61') );
document.write( unescape ('%6D%65') );

Etc...

EDIT3: Now matches Unicode

filter.zip 552 bytes
Proxomitron Filter
(filter.txt)

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 16:13:07 EDT

KyeU : Did some research: http://www.lurhq.com/iframeads.html

"IFRAME Vulnerability Being Exploited Through Banner Ads"

Could this be the method asdf.exe is being downloaded?

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 14:36:15 EDT

justin : For what it is worth only one anon referer so far (last twenty minutes) has firefox (1.0.1), the rest (19 of them) are using IE 6.0. All were searching google for asdf.exe info.

I suppose asdf.exe is a popular downloader now, involved in more than one exploit, not specifically a firefox/opera thing.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 14:27:35 EDT

KyeU : Ah, I see...

Well, if anyone knows of a specific URL that is serving asdf.exe, tell me ;)

EDIT: I have written this Proxomitron filter to detect ASDF (to aid my search):

[Patterns]
Name = "ASDF hunter"
Active = TRUE
Limit = 4
Match = "asdf"
Replace = "asdf"
          "$ALERT(asdf detected on:\n\n\u)"

I've also disabled URL Filtering on my IPCop server, disabled AdBlock and NoScript and disabled my HOSTS file. We'll see how it goes.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 14:18:14 EDT

justin :

said by KyeU :

Did anyone ever discover the code to this exploit?

I'm doing some searching of my own right now, but it'd save me lots of time if someone already got the exploit code stored up somewhere :)

Not that I know of. People tend to find asdf.exe after they have visited several pages, or a page that has ad-server rotation. So going back doesn't necessarily re-infect.

I would imagine if you know a site is serving the bad page you can trigger it eventually, and capture the URLS involved. That is, if they are still up and infecting.

Anon referers to this topic are still growing (sorry to those that could not read page 2 due to an anon reader forum display bug here!) but a lot of them are referers from topics at security forums pointing here, rather than actual newly infected.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 14:07:52 EDT

KyeU : Did anyone ever discover the code to this exploit?

I'm doing some searching of my own right now, but it'd save me lots of time if someone already got the exploit code stored up somewhere :)

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 13:48:26 EDT

justin :

said by RobertLudlum :

The referrer views on this topic are still growing. I believe they are from people with older versions of firefox.

You're getting the useragents from the servers logs? Curiouser and curiouser.

No, But I just turned on something that will be collecting exact user agents for people who google this topic. We'll see what it says by the end of today.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 13:44:01 EDT

justin :

said by Tuulilapsi :

What about this, then?

said by Donofthedead :
I was running Suse 9.2,FF 1.0.6. and got one of these dropped in my home directory as user. I forgot to mention I had my settings at: Java and javascript turned on, install s/w turned off, Load images on (for originating site off), Block Popups on. A javascript thing ?

Hm, that is correct, I was thinking windows. but perhaps the asdf.exe was there from before. Before the firefox upgrade? The timestamp on asdf.exe is key.

The anon user posted in mozillazine as well:
»forums.mozillazine.org/viewtopic···t=310439
that he "confirms" that asdf.exe can be downloaded by 1.0.6

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 12:52:57 EDT

RobertLudlum :

said by justin :

One disappointing note: I wrote to theonion.com pointing out that this was a problem, giving them most of the info they would need to complain to whatever advertising network they use.

Well visiting the site with adblock shows the possible source as »adtrafficmp.com . It's already blocked with Adblock+ filtersetg . Possibly any decent regexp filter will catch it too. Not sure about hosts lists, probably blocked already.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 12:15:39 EDT

RobertLudlum :

said by justin :

I don't yet believe it can attack firefox 1.0.6 - one anonymous post here, with no detail, is no confirmation AT ALL that 1.0.6 has such a major problem.

Especially since people have asked the anonymous person for
details and none are forthcoming.

Well Donofthedead reported it on Suse 9.2,FF 1.0.6.

The referrer views on this topic are still growing. I believe they are from people with older versions of firefox.

You're getting the useragents from the servers logs? Curiouser and curiouser.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 12:15:34 EDT

Tuulilapsi : What about this, then?

said by Donofthedead :
I was running Suse 9.2,FF 1.0.6. and got one of these dropped in my home directory as user. I forgot to mention I had my settings at: Java and javascript turned on, install s/w turned off, Load images on (for originating site off), Block Popups on. A javascript thing ?

--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 12:07:10 EDT

justin :

said by RobertLudlum :

If Noscript doesn't and it works on firefox (latest version) and more, then we are really facing a serious threat here.

I don't yet believe it can attack firefox 1.0.6 - one anonymous post here, with no detail, is no confirmation AT ALL that 1.0.6 has such a major problem.

Especially since people have asked the anonymous person for details and none are forthcoming.

The referrer views on this topic are still growing. I believe they are from people with older versions of firefox.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 11:58:11 EDT

RobertLudlum :

said by richrf :

Hi,

As far as I have been able to glean so far from this thread, ProcessGuard was able to detect and stop this exploit. Is this correct? Also, has anyone determined whether the FireFox extension NoScript is able to stop this exploit? Thanks for any info.

It seems that it's not really catching the specific exploit , rather it's noticing an unknown process that hasn't being whitelisted starting.

This exploit is probably javascript or Java based, so Noscript should stop it. If Noscript doesn't and it works on firefox (latest version) and more, then we are really facing a serious threat here.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 11:16:15 EDT

RobertLudlum :

quote:
I use Process Guard and Fx 1.0PR on my host box (1.0.6 on my virtual box). I also use Proxo on both boxes. If this is coming from ads...well, I don't see ads. I'm not convinced I need to upgrade Fx and I used RIP to permanently zap the ad here telling me I need to upgrade Fx.
--

You probably already know this but RIP hides the Ads it doesn't really stop them from being downloaded unlike Adblock.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 11:10:40 EDT

purelander :

the exploit comes from the ad-servers, so the best defence is to use hpguru host file, or ad blocking programs that use Eric Howes's block lists. there is nothing better than blocking the ad hosts.
--
"I'm sure we all agree that we ought to love one another, and I know there are people in the world that do not love their fellow human beings , and I hate people like that!" - Tom Lehrer

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 10:23:46 EDT

richrf : Hi,

As far as I have been able to glean so far from this thread, ProcessGuard was able to detect and stop this exploit. Is this correct? Also, has anyone determined whether the FireFox extension NoScript is able to stop this exploit? Thanks for any info.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 02:19:32 EDT

jig : is there a good writeup on what asdf.exe is and what it does? i know i've seen it before on a computer i cleaned, but i don't remember finding lots of info on it.

-jig

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 01:55:05 EDT

Mele20 : I'd also like to know if adblocking stops it. I bet it doesn't get through Proxo with current configs from Sidki, Grypen, etc.

Re: asdf.exe / theonion.com

Sat, 27 Aug 2005 00:50:28 EDT

jimmie :

said by jp10558 :

What I don't get is how this would be run via Opera... I've never had Opera autorun anything in my entire experiance with it. Also, is adblocking a mitigating factor with this?

I don't know it came through opera, just that it did not come through firefox. Security on this system is lacking, no real time virus or spyware protection,just a linksys router and windows firewall. It was also a couple of months behind on critical updates at the time. I didn't find the asdf.exe until a couple of days after it was created and am not sure what would have been happening at that time.

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 14:46:03 EDT

DonoftheDead : I was running Suse 9.2,FF 1.0.6. and got one of these dropped in my home directory as user. I forgot to mention I had my settings at: Java and javascript turned on, install s/w turned off, Load images on (for originating site off), Block Popups on. A javascript thing ?
Edit: I was all over the the Net looking for text files on what were secure sites dealing with FAH(which I believe is not the source). But I was going to non-FAH sites that looked ok. I went to a site to d/l and Lib file and a text file. I believe I could have gotten it there. It was the ony site where I d/l'ed anything.FWIW:)

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 14:31:57 EDT

Tuulilapsi : Correct, Ezboards serve (a lot of) ads. We need confirmation on the Javascript settings of those who got infected just to be sure this is a script exploit. If this affects Opera as well, then it's really getting interesting.

I've been on lookout for asdf.exe, running a Firefox 1.03 here (dug it up from my so called archives), but so far I haven't found diddly squat. It's typical, really. When you want to get infected, you won't, but when you least expect it...
--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 13:45:45 EDT

Cudni : this might have been going on for awhile
»p103.ezboard.com/fezboardfrm98.s···&stop=20
"...
Some of our people got infected and some did not.

We have managed to glean the following.

Some did not get infected because their antivirus warned them of a trojan attack.

Some only got asdf.exe and not the other two files.

Others got all three files. asdf.exe, 1.exe and w.exe. ..."

edit: and a FF got infected on that board. ezboard serves adds does it not?

Cudni

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 13:45:28 EDT

jp10558 :

said by jimmie :

Not sure about firefox. asdf.exe was dropped onto my C drive (not my system drive) and I do not use firefox. I didn't know it was there until a couple of days later when I opened IE (I use opera 8.02) and got a popup which led me to find a bho named pmnno.dll which could not be deleted even in safemode. A scan picked up asdf.exe which may or may not be related as the pmnno.dll was not created until I opened IE.

What I don't get is how this would be run via Opera... I've never had Opera autorun anything in my entire experiance with it. Also, is adblocking a mitigating factor with this?
--
Opera 8.02(Build 7680); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 2.7;Proxomitron 4.5j Grypen 7/26/05(Opera mod),GPG ID:0x0A1C6EE3

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 12:58:45 EDT

Cudni : Could you expand a bit more on your confirmation of FF exploit?

Cudni

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 12:56:50 EDT

jimmie : Just saying that it's not only firefox.

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 12:52:29 EDT

anon : I can confirm this exploit affects Firefox 1.0.6.

-dave

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 12:52:26 EDT

jimmie : Not sure about firefox. asdf.exe was dropped onto my C drive (not my system drive) and I do not use firefox. I didn't know it was there until a couple of days later when I opened IE (I use opera 8.02) and got a popup which led me to find a bho named pmnno.dll which could not be deleted even in safemode. A scan picked up asdf.exe which may or may not be related as the pmnno.dll was not created until I opened IE.

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 12:25:05 EDT

justin :

said by Cudni :

i make 286 referrers in that post ;)

Cudni

Yeah and don't forget that is only those who recognized the infection perhaps through zone alarm, and searched google or whatever, and clicked the link to this topic.
I would guess that for every 1 that did that, there are 10 that didn't catch it or if they did, didn't visit this topic. A lot of people use firefox now but still don't bother with zonealarm or processguard, or click 'yes' to everything zonealarm says.

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 12:22:17 EDT

Cudni : i make 286 referrers in that post ;)

Cudni

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 12:21:49 EDT

catseyenu : Ouch! :(

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 12:11:35 EDT

Re: asdf.exe on Suse9.2

Fri, 26 Aug 2005 11:11:34 EDT

justin :

said by Tuulilapsi :

Yea, but if we can locate even one of the sites and locate the actual ad that's doing this, we'll find the infected adserver.

Well, one way would be to install an old copy of firefox, processguard, and clear cookies and repeatedly type theonion.com (logging the requests with the web-developer plugin) until asdf.exe turns up.

That is if that ad server is still compromised. My asdf.exe of a few days ago contains a download URL (that asdf.exe would try to use to bootstrap the malware onto your machine) that is no longer active.

Re: asdf.exe on Suse9.2

Fri, 26 Aug 2005 11:06:00 EDT

Tuulilapsi : Yea, but if we can locate even one of the sites and locate the actual ad that's doing this, we'll find the infected adserver.
--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe on Suse9.2

Fri, 26 Aug 2005 11:01:28 EDT

justin :

said by Tuulilapsi :

Have you identified the source of the file? Was it from theonion.com, too, or from another source? Do you have Java and Javascript disabled or enabled in Firefox?

Edit: Damn, Cudni, you're fast. ;)

If this thing is coming from a compromised ad server as I think is very likely, then theonion.com would be only one of perhaps many name sites that are getting the bad javascript/html combo through ad server ad rotation.

disgruntled: are you sure the date on the asdf.exe file is after the date you upgraded to 1.0.6?

Re: asdf.exe on Suse9.2

Fri, 26 Aug 2005 10:33:06 EDT

Tuulilapsi : Have you identified the source of the file? Was it from theonion.com, too, or from another source? Do you have Java and Javascript disabled or enabled in Firefox?

Edit: Damn, Cudni, you're fast. ;)
--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe on Suse9.2

Fri, 26 Aug 2005 10:32:55 EDT

Cudni : Do you know or suspect the site you possibly got it through?

Cudni

Re: asdf.exe on Suse9.2

Fri, 26 Aug 2005 10:25:39 EDT

anon : Sorry for anonymous post, just been researching this myself: I got this dropped in through Firefox 1.0.6, latest version with "Allow Websites to install software" unchecked. Something is seriously wrong here.

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 09:49:08 EDT

justin : It is the bbr instant message checker, probably an early version before it was taken over properly.

Re: asdf.exe / theonion.com

Fri, 26 Aug 2005 09:30:06 EDT

vlad_so : Justin, this plugin (from your install.log) looks suspicious:

Install completed successfully -- 2004-12-10 14:17:57

-------------------------------------------------------------------------------
»s116948610.onlinehome.us/bbrim_v0.6.1p.xpi -- 2005-04-02 20:09:45
-------------------------------------------------------------------------------

Any ideea what it is supposed to be? The link is dead, BTW.

Vlad

Re: asdf.exe on Suse9.2

Fri, 26 Aug 2005 09:23:47 EDT

justin : I've been watching the referer logs and increasing numbers of people per day are finding this topic via google.

To all of those people
a) make sure you and your friends have updated to the latest firefox
b) if you are searching for asdf.exe it is probably because zonealarm blocked it. Delete it. Otherwise, do a complete system scan.

Re: asdf.exe on Suse9.2

Fri, 26 Aug 2005 07:08:46 EDT

Tuulilapsi : Hmm, so 1.0.6. would possibly be vulnerable to this thing too? This needs more attention.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 18:59:01 EDT

justin : an A/V guy around here found it was a minor variation of a previously known trojan with a downloading URL that is currently offline.

As to what ad server was infected and whether it is still happening, who knows, but there are a number of recent google hits for firefox and asdf.exe. Zone alarm is the safety net for some people (asdf.exe is trying to...) but I prefer processguard.

As for theonion, I didn't really expect a reply. What companies reply promptly to unsolicited email anymore? Email, like snail mail, is rendered nearly useless by junk.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 18:43:04 EDT

B : But you're justin goddamit. Seriously. They really should listen. You've got one of the most popular tech sites in the world. Time for a front page appearance?

I'm also surprised that more of the regulars haven't chimed in trying to help out on this. Yes, CJ, I'm looking at you, but not in that way. :)

-- B
--
In a realm outside causality and function

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 18:38:38 EDT

justin : I guess it has occured to the gangs than monetize zombie nets that the fastest way to get them spread is by tricking legit sites, especially via the murky world of online advertising.

One disappointing note: I wrote to theonion.com pointing out that this was a problem, giving them most of the info they would need to complain to whatever advertising network they use.

I didn't even get a reply. At least not so far (2 days).

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 17:55:00 EDT

Doctor Four : Reading this topic reminds me of the time that Falk AG's
ad servers were infected by the Bofra/iFrame exploit
several months ago, and just visiting a site like the UK
Register (they used Falk AG as one of their advertisers)
could get you infected.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. To RIAA/MPAA - You can sue but you can't catch everyone!

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 17:29:54 EDT

deadi : I have to wonder, are any malware, trojan removers or antivirus progams detecting Firefox vulnerabilties?

Edit: I should rephrase that or ask the question, Is anyone keeping track of malware written to attack Firefox and are there definitions to detect them?

--
ERROR:Bad Command Or File Name, Go Stand In Corner.

Re: asdf.exe on Suse9.2

Thu, 25 Aug 2005 17:18:24 EDT

B :

said by justin :

I think this infection via some bad ad server must be widespread.

I dunno. This thread's the 4th or 5th Google hit for "asdf.exe". Usually by now we'd see a bunch of anonymous posters with the same complaint...?

-- B
--
In a realm outside causality and function

Re: asdf.exe on Suse9.2

Thu, 25 Aug 2005 17:14:46 EDT

justin : yes, probably. But it wouldn't do any good as the exe is a windows trojan downloader of some kind.

I think this infection via some bad ad server must be widespread.

Re: asdf.exe on Suse9.2

Thu, 25 Aug 2005 16:33:25 EDT

DonoftheDead : Runnin' Suse9.2 with Firefox1.0.6. I found a compressed file named asdf.exe. Suse didn't recognize the format and did nothing with it. I couldn't open it (unrecognized format thing) I chucked it and no problems so far. The only sites I went to were related to FaH on Linux. Not sure which one d/l'ed the file. Could this be the same thing? Could it get into a Linux box through Firefox? Just curious.:)

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 10:29:31 EDT

howardfine :

quote:
explorer.exe is not the same as iexplore.exe

Yes, I know, but explorer.exe is part of windows and, as you said, windows is IE based. All window panes are IE based.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 10:26:43 EDT

Tuulilapsi : Well, what do you know - Javascript exploits! :D

The first thing I do to any browser I use is kill Java and Javascript. This is why I do it.

(As a side note, were you surfing as admin, Justin? Because I don't see why a regular user account should even have write access to C root.)

--
And lead me not into temptation - for I can find my way there myself easily enough.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 09:47:14 EDT

justin :

said by howardfine :

You run IE. Windows Explorer is IE based as are most windows you run. Most browsers use ActiveX to some degree. You just don't realize you're running IE.

windows is IE based but explorer.exe is not the same as iexplore.exe and the "windows that are explorer based" are just viewing my local file folders and running the systray etc. There are no infection vectors via browser hijacks if you rename iexplore and just use explore for viewing file folders, instead of starting up the full thing for web pages.

I don't use any programs that use IE DLLs as an html preview pane, either.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 02:28:08 EDT

Mele20 : Actually I was considering going back to 0.8 which was the last really good version.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 01:29:38 EDT

Worfus :

said by Ryan F :

said by Worfus :

Edit: Forgot to mention I'm using IE not FF.

Have you ever had Firefox installed? If so, what version and when?

No, never installed on this machine.
--
"Confusion" will be my epitaph.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 01:27:41 EDT

Ryan F :

said by Mele20 :

Fx 1.0PR

There's really no point in running a version that out of date. There are over 25 critical exploits in 1.0PR - it's only a matter of time until one affects you.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 01:12:51 EDT

Ryan F :

said by Worfus :

Edit: Forgot to mention I'm using IE not FF.

Have you ever had Firefox installed? If so, what version and when?

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 01:12:06 EDT

Mele20 : I use Process Guard and Fx 1.0PR on my host box (1.0.6 on my virtual box). I also use Proxo on both boxes. If this is coming from ads...well, I don't see ads. :D I'm not convinced I need to upgrade Fx and I used RIP to permanently zap the ad here telling me I need to upgrade Fx.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 00:47:00 EDT

Worfus : I had the same program dropped in my root directory last night at 11:37. ZA stopped it from running. I clicked DENY because I didn't expect anything new to be connecting. I was in a hurry, looking up info on an infection in a relatives computer (ironic, huh?) so I went on about my business and later forgot about it.

This evening I get home to see that NAV found the file and was at a dialog box asking what to do with it. So, sorry to say I'm glad you got it first Justin but at least I could confirm that it wasn't a FP and out it went.

Another example of "Thanks to Justin and the members of this community for this fine site."

At the time the file arrived, I was at startup.iamnotageek.com and there must have been an ad or popup that went to media.fastclick.net as it was also displayed at that time.

I'll assume that an email to the media.fastclick people wouldn't do any good since I don't have any "real" evidence outside of corresponding times.

Edit: Forgot to mention I'm using IE not FF.
Yes, go ahead, everybody can tell me I had it coming then. :)
--
"Confusion" will be my epitaph.

Re: asdf.exe / theonion.com

Thu, 25 Aug 2005 00:06:12 EDT

B : Three thoughts.

1. I'm glad I upgraded to Moz 1.7.8 a while ago.

2. ASDF.exe is not a typical random name; someone chose it (it's of course the keys under QWERTY). Therefore we'll either see a lot more of it as this infection gains ground in the wild, or this attack was somehow targeted at justin .

There seems to be another recent infection over at »forums.spywareinfo.com/lofiversi···765.html

Sounds like a match -- and it put itself in Windows/Prefetch.

3. I gotta take another look at ProcessGuard!

Good luck, Justin. What punishment gets wreaked on the first person to send you to »Security »I think my computer is infected or hijacked. What should I do? ?

-- B
--
In a realm outside causality and function

Re: asdf.exe / theonion.com

Wed, 24 Aug 2005 23:23:58 EDT

howardfine : You run IE. Windows Explorer is IE based as are most windows you run. Most browsers use ActiveX to some degree. You just don't realize you're running IE.

Re: asdf.exe / theonion.com

Tue, 23 Aug 2005 00:42:34 EDT

Ryan F : Install log looks clean, so asdf.exe wasn't dropped through the XPI install or .jar unpacking processes.

MFSA 2005-43 combined with MFSA 2005-37 (both fixed in 1.0.4) allows for the delivery and execution of arbitrary code. I bet that's what happened here and that would make this the first example I've seen of those in the wild :p

It can't be all bad though, I see that the move to 1.0.6 also got you to upgrade to the latest version of my extension. :D

Edit: I'm guessing that this new feature is a result of your near-exploit experience? ;)
[att=1]

Re: asdf.exe / theonion.com

Tue, 23 Aug 2005 00:07:25 EDT

justin : I am fairly sure java did not start. I can usually tell when that starts up due to the long pause. But it is 1.4.1_01, anyway.

install log is attached.

IE is renamed and I don't even remember what I renamed it too, it could not run, and nothing else did, otherwise I'd have a processguard alert.

install.zip 7,032 bytes
(install.log)

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 23:10:17 EDT

Ryan F : Could you post your Java version and the contents of your Firefox install.log file (C:\Program Files\Mozilla Firefox\install.log)?

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:31:59 EDT

justin : yeah but that notification says "Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org")."

maybe there is a better exploit out now. One that is silent and deadly.

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:30:16 EDT

sheiny :

said by justin :

I'm also surprised there is a keylogger drop exploit floating around for firefox 1.0.3 .. anyone confirm that?

PS: ping theonion.com is 66.216.104.235 for me.

There was the cross site scripting vulnerability in Firefox 1.0.3 and earlier.
»secunia.com/advisories/15292

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:26:45 EDT

justin :

said by kw :

I loaded the page in IE, and it loaded the premerical page, but no ad. It rendered the page with errors however.

The premerical page probably rotates advertisers via cookies and whatnot. I think it is like a loaded gun with one bullet you may get, or may not.

I emailed the onion about it, maybe they can look into it.

If it happened to me (luckily caught by processguard) it must be infecting many many PCs per minute. I think many firefox users are not aware there are actual malware delivery vectors out there, that target older versions of the browser..

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:22:11 EDT

kw : I loaded the page in IE, and it loaded the premerical page, but no ad. It rendered the page with errors however.

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:20:09 EDT

justin : For what it is worth - I updated firefox to 1.0.6 and then went back to theonion.com

I got the "premercial" page that says "if you are not automatically redirected" and then the home page.

I think the "premercial" page is *supposed* to be an advertising page.

I posit that someone has managed to convince theonion.com to show firefox 1.0.3 or earlier (or IE probably) killing malware as adverts!

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:18:07 EDT

kw : Page opened just fine over here in Firefox. I got the redirect thing, and let it sit, and it took me to the page just fine.

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:14:54 EDT

justin : yep

ntiVir 6.31.1.0/20050822 found [TR/Dldr.Small.bhf]
Avast 4.6.695.0/20050822 found nothing
AVG 718/20050822 found nothing
Avira 6.31.1.0/20050822 found [TR/Dldr.Small.bhf]
BitDefender 7.0/20050822 found [Trojan.Downloader.Small.GJ]
CAT-QuickHeal 8.00/20050822 found [TrojanDownloader.Small.bhf]
ClamAV devel-20050725/20050822 found nothing
DrWeb 4.32b/20050822 found nothing
eTrust-Iris 7.1.194.0/20050823 found nothing
eTrust-Vet 11.9.1.0/20050822 found [Win32.SillyDl.TQ]
Fortinet 2.41.0.0/20050823 found [W32/Dloader.AB-dldr]
F-Prot 3.16c/20050822 found [could be infected with an unknown virus]
Ikarus 0.2.59.0/20050822 found nothing
Kaspersky 4.0.2.24/20050823 found
[Trojan-Downloader.Win32.Small.bhf]
McAfee 4564/20050822 found [Generic Downloader.ab]
NOD32v2 1.1199/20050822 found [Win32/TrojanDownloader.Small.NEU]
Norman 5.70.10/20050818 found [W32/Downloader]
Panda 8.02.00/20050822 found [Trj/Downloader.EGF]
Sophos 3.96.0/20050822 found nothing
Sybari 7.5.1314/20050823 found [Win32.SillyDl.TQ]
Symantec 8.0/20050821 found nothing
TheHacker 5.8.2.092/20050822 found nothing
VBA32 3.10.4/20050822 found [Trojan-Downloader.Win32.Small.bhf]

And here is the sequence from processguard:

(visit theonion.com - crashes firefox)

Mon 22 - 20:38:50 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [1432]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 1072 ]
Mon 22 - 20:38:51 [EXECUTION] "c:\windows\system32\drwtsn32.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [1432]
[EXECUTION] Commandline - [ drwtsn32 -p 1432 -e 3024 -g ]

(restart firefox)

Mon 22 - 20:38:54 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1932]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]

(visit theonion.com again - firefox tries to run asdf.exe dated 8:39pm)

Mon 22 - 20:40:21 [EXECUTION] "c:\asdf.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [5964]
[EXECUTION] Commandline - [ c:\asdf.exe ]

(I wig out and open a command line, and deny asdf.exe)

Mon 22 - 20:40:22 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1932]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" ]

(firefox crashes again because I denied asdf or because of theonion.com or both)

Mon 22 - 20:41:18 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [5964]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 536 ]
Mon 22 - 20:41:21 [EXECUTION] "c:\windows\system32\drwtsn32.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [5964]
[EXECUTION] Commandline - [ drwtsn32 -p 5964 -e 668 -g ]

(i re-open firefox to post here, and ping theonion.com to get an IP address)

Mon 22 - 20:41:25 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1932]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Mon 22 - 20:52:29 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [4712]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /s /d /c" dir " ]
Mon 22 - 20:53:35 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [4712]
[EXECUTION] Commandline - [ ping theonion.com ]

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:12:25 EDT

purelander : i went to theonion.com, i didnt get any redirect message, no crash or any exe file, the page loaded in 5 seconds.

i use FF 1.0PR, see the attached log for theonion.com.

onion.zip 3,124 bytes

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:11:32 EDT

SnowyOne : The addy has been hacked, no telling what's on the server at this point in time.

Re: asdf.exe / theonion.com

Mon, 22 Aug 2005 21:05:04 EDT

Cudni : did you confirm that asdf.exe is malware?

Cudni

asdf.exe / theonion.com

Mon, 22 Aug 2005 20:58:38 EDT

justin : update: to save reading this topic the executive summary: asdf.exe appears to be dropped onto c:\ by an exploit targetting firefox, at least old versions. The exploit will also attempt to run asdf.exe at which point asdf.exe tries to download more malware. The exploit appears to be delivered from one or more banner-ad companies of the type used by name-brand sites such as theonion.com. There is no firm evidence yet that it gets through firefox 1.0.6(en) although that is a possibility as nobody has offered an explanation of exactly how it gets through even older versions of firefox.

My original post continues:

most peculiar, perhaps someone can shed some light.

I use firefox, and processguard (great program).

I visited theonion.com and the home page, labelled as theonion, said "if you are not redirected click here". At that point firefox crashed and tried to run drwatson, and the other microsoft debugger (caught by processguard).

I restarted firefox (no problem) and went back to theonion.com. here is where it got weird:

processguard told me that firefox was trying to run c:\asdf.exe (a file 1550 bytes in size and dated 8:39pm). I denied it, and firefox crashed again via dr watson etc. This is the first time since installation of processguard months ago that it has caught some badware trying to execute.

My conclusion is the act of visiting theonion.com (the only site I visited at 8:39pm!) deposited this keylogger on c:\ The other possibility is that the act of closing some tabs at the crash point deposited the keylogger. But the tabs were benign sites: yahoo / dslr / theonion .. I have a short list of "sites visited today" and they are all legit big name sites.

Infected by theonion? by a big name site? Unlikely? seems very unlikely. But I can't think of any other explanation right now.

I'm also surprised there is a keylogger drop exploit floating around for firefox 1.0.3 .. anyone confirm that?

PS: ping theonion.com is 66.216.104.235 for me.