justin
Australian
join:1999-05-28
Brooklyn, NY

asdf.exe / theonion.com

Update: to save reading this topic, the executive summary: asdf.exe appears to be dropped onto c:\ by an exploit targeting firefox, at least old versions. The exploit will also attempt to run asdf.exe, at which point asdf.exe tries to download more malware. The exploit appears to be delivered from one or more banner-ad companies of the type used by name-brand sites such as theonion.com. There is no firm evidence yet that it gets through firefox 1.0.6(en), although that is a possibility, as nobody has offered an explanation of exactly how it gets through even older versions of firefox.

My original post continues:

most peculiar, perhaps someone can shed some light.

I use firefox, and processguard (great program).

I visited theonion.com and the home page, labelled as theonion, said "if you are not redirected click here". At that point firefox crashed and tried to run drwatson, and the other microsoft debugger (caught by processguard).

I restarted firefox (no problem) and went back to theonion.com. here is where it got weird:

processguard told me that firefox was trying to run c:\asdf.exe (a file 1550 bytes in size and dated 8:39pm). I denied it, and firefox crashed again via dr watson etc. This is the first time since installation of processguard months ago that it has caught some badware trying to execute.

My conclusion is the act of visiting theonion.com (the only site I visited at 8:39pm!) deposited this keylogger on c:\. The other possibility is that the act of closing some tabs at the crash point deposited the keylogger. But the tabs were benign sites: yahoo / dslr / theonion .. I have a short list of "sites visited today" and they are all legit big name sites.

Infected by theonion? By a big name site? Unlikely? Seems very unlikely. But I can't think of any other explanation right now.

I'm also surprised there is a keylogger drop exploit floating around for firefox 1.0.3 .. anyone confirm that?

PS: ping theonion.com is 66.216.104.235 for me.


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
did you confirm that asdf.exe is malware?

Cudni


SnowyOne
Premium
join:2003-04-05
Kailua, HI
reply to justin
The addy has been hacked, no telling what's on the server at this point in time.


purelander
Premium
join:2003-07-11


reply to justin
(attachment: onion.zip, 3,124 bytes)
I went to theonion.com, I didn't get any redirect message, no crash or any exe file; the page loaded in 5 seconds.

I use FF 1.0PR, see the attached log for theonion.com.


justin
Australian
join:1999-05-28
Brooklyn, NY

reply to Cudni
yep

AntiVir 6.31.1.0/20050822 found [TR/Dldr.Small.bhf]
Avast 4.6.695.0/20050822 found nothing
AVG 718/20050822 found nothing
Avira 6.31.1.0/20050822 found [TR/Dldr.Small.bhf]
BitDefender 7.0/20050822 found [Trojan.Downloader.Small.GJ]
CAT-QuickHeal 8.00/20050822 found [TrojanDownloader.Small.bhf]
ClamAV devel-20050725/20050822 found nothing
DrWeb 4.32b/20050822 found nothing
eTrust-Iris 7.1.194.0/20050823 found nothing
eTrust-Vet 11.9.1.0/20050822 found [Win32.SillyDl.TQ]
Fortinet 2.41.0.0/20050823 found [W32/Dloader.AB-dldr]
F-Prot 3.16c/20050822 found [could be infected with an unknown virus]
Ikarus 0.2.59.0/20050822 found nothing
Kaspersky 4.0.2.24/20050823 found [Trojan-Downloader.Win32.Small.bhf]
McAfee 4564/20050822 found [Generic Downloader.ab]
NOD32v2 1.1199/20050822 found [Win32/TrojanDownloader.Small.NEU]
Norman 5.70.10/20050818 found [W32/Downloader]
Panda 8.02.00/20050822 found [Trj/Downloader.EGF]
Sophos 3.96.0/20050822 found nothing
Sybari 7.5.1314/20050823 found [Win32.SillyDl.TQ]
Symantec 8.0/20050821 found nothing
TheHacker 5.8.2.092/20050822 found nothing
VBA32 3.10.4/20050822 found [Trojan-Downloader.Win32.Small.bhf]

And here is the sequence from processguard:

(visit theonion.com - crashes firefox)

Mon 22 - 20:38:50 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [1432]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 1072 ]
Mon 22 - 20:38:51 [EXECUTION] "c:\windows\system32\drwtsn32.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [1432]
[EXECUTION] Commandline - [ drwtsn32 -p 1432 -e 3024 -g ]

(restart firefox)

Mon 22 - 20:38:54 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1932]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]

(visit theonion.com again - firefox tries to run asdf.exe dated 8:39pm)

Mon 22 - 20:40:21 [EXECUTION] "c:\asdf.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [5964]
[EXECUTION] Commandline - [ c:\asdf.exe ]

(I wig out and open a command line, and deny asdf.exe)

Mon 22 - 20:40:22 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1932]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" ]

(firefox crashes again because I denied asdf or because of theonion.com or both)

Mon 22 - 20:41:18 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [5964]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 536 ]
Mon 22 - 20:41:21 [EXECUTION] "c:\windows\system32\drwtsn32.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [5964]
[EXECUTION] Commandline - [ drwtsn32 -p 5964 -e 668 -g ]

(I re-open firefox to post here, and ping theonion.com to get an IP address)

Mon 22 - 20:41:25 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1932]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Mon 22 - 20:52:29 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [4712]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /s /d /c" dir " ]
Mon 22 - 20:53:35 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [4712]
[EXECUTION] Commandline - [ ping theonion.com ]
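Added example, not code from the thread or from ProcessGuard: one way to run a check over log lines in the format quoted above, grouping each three-line EXECUTION record and flagging browser-spawned crash handlers (the crash that preceded the drop) and browser children outside the usual install directories (a file sitting in c:\). The sample lines are constructed to match the excerpt, and the browser, crash-handler and trusted-directory lists are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines in the ProcessGuard format quoted above (not the poster's full log)
SAMPLE_LOG = r"""
Mon 22 - 20:38:50 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [1432]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 1072 ]
Mon 22 - 20:40:21 [EXECUTION] "c:\asdf.exe" was blocked from running
[EXECUTION] Started by "c:\program files\mozilla firefox\firefox.exe" [5964]
[EXECUTION] Commandline - [ c:\asdf.exe ]
Mon 22 - 20:53:35 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [4712]
[EXECUTION] Commandline - [ ping theonion.com ]
"""

HEADER = re.compile(r'^(?P<ts>\w{3} \d+ - \d\d:\d\d:\d\d) \[EXECUTION\] '
                    r'"(?P<image>[^"]+)" was (?P<verdict>blocked from running|allowed to run)$')
PARENT = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMDLINE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')
Event = namedtuple("Event", "ts image verdict parent pid cmd")

def parse_events(text):
    """Group each three-line record (header, parent, command line) into an Event; stray lines are skipped."""
    lines = [l for l in text.splitlines() if l.strip()]
    events, i = [], 0
    while i < len(lines):
        h = HEADER.match(lines[i])
        p = PARENT.match(lines[i + 1]) if h and i + 1 < len(lines) else None
        c = CMDLINE.match(lines[i + 2]) if p and i + 2 < len(lines) else None
        if c:
            events.append(Event(h["ts"], h["image"].lower(), h["verdict"],
                                p["parent"].lower(), int(p["pid"]), c["cmd"]))
        i += 3 if c else 1
    return events

BROWSERS = ("firefox.exe", "iexplore.exe", "opera.exe")          # assumed browser images
CRASH_HANDLERS = ("dwwin.exe", "drwtsn32.exe")                  # Dr. Watson: the browser just crashed
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")         # assumed normal install locations
def suspicious(events):
    """Flag browser-spawned executions: a crash handler, or a child image outside TRUSTED_DIRS."""
    hits = []
    for e in events:
        if not e.parent.endswith(BROWSERS):
            continue  # only children of a browser process matter for this check
        if e.image.endswith(CRASH_HANDLERS):
            hits.append((e.ts, "browser crash", e.image))
        elif not e.image.startswith(TRUSTED_DIRS):
            hits.append((e.ts, "browser spawned untrusted path", e.image))
    return hits
```

On the sample above this yields two hits, the dwwin.exe crash at 20:38:50 and the c:\asdf.exe launch at 20:40:21, while the ping run from cmd.exe is ignored.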


KingWaffle
Premium
join:2004-06-12
reply to justin
Page opened just fine over here in Firefox. I got the redirect thing, and let it sit, and it took me to the page just fine.


justin
Australian
join:1999-05-28
Brooklyn, NY

reply to justin
For what it is worth - I updated firefox to 1.0.6 and then went back to theonion.com

I got the "premercial" page that says "if you are not automatically redirected" and then the home page.

I think the "premercial" page is *supposed* to be an advertising page.

I posit that someone has managed to convince theonion.com to show firefox 1.0.3 or earlier (or IE probably) killing malware as adverts!


KingWaffle
Premium
join:2004-06-12
I loaded the page in IE, and it loaded the premercial page, but no ad. It rendered the page with errors however.


justin
Australian
join:1999-05-28
Brooklyn, NY

said by KingWaffle:

I loaded the page in IE, and it loaded the premercial page, but no ad. It rendered the page with errors however.

The premercial page probably rotates advertisers via cookies and whatnot. I think it is like a loaded gun with one bullet you may get, or may not.

I emailed the onion about it, maybe they can look into it.

If it happened to me (luckily caught by processguard) it must be infecting many many PCs per minute. I think many firefox users are not aware there are actual malware delivery vectors out there that target older versions of the browser.

sheiny

join:2005-03-13
Turlock, CA

reply to justin
said by justin:

I'm also surprised there is a keylogger drop exploit floating around for firefox 1.0.3 .. anyone confirm that?

PS: ping theonion.com is 66.216.104.235 for me.

There was the cross site scripting vulnerability in Firefox 1.0.3 and earlier.
secunia.com/advisories/15292


justin
Australian
join:1999-05-28
Brooklyn, NY

yeah but that notification says "Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org")."

maybe there is a better exploit out now. One that is silent and deadly.


Ryan F
Take Back The Web
Premium
join:2002-10-18
Alexandria, VA
reply to justin
Could you post your Java version and the contents of your Firefox install.log file (C:\Program Files\Mozilla Firefox\install.log)?


justin
Australian
join:1999-05-28
Brooklyn, NY

(attachment: install.zip, 7,032 bytes - install.log)
I am fairly sure java did not start. I can usually tell when that starts up due to the long pause. But it is 1.4.1_01, anyway.

install log is attached.

IE is renamed and I don't even remember what I renamed it to; it could not run, and nothing else did, otherwise I'd have a processguard alert.


Ryan F
Take Back The Web
Premium
join:2002-10-18
Alexandria, VA


2 edits
Install log looks clean, so asdf.exe wasn't dropped through the XPI install or .jar unpacking processes.

MFSA 2005-43 combined with MFSA 2005-37 (both fixed in 1.0.4) allows for the delivery and execution of arbitrary code. I bet that's what happened here, and that would make this the first example I've seen of those in the wild.

It can't be all bad though, I see that the move to 1.0.6 also got you to upgrade to the latest version of my extension.

Edit: I'm guessing that this new feature is a result of your near-exploit experience?


howardfine

join:2002-08-09
Saint Charles, MO
reply to justin
You run IE. Windows Explorer is IE based as are most windows you run. Most browsers use ActiveX to some degree. You just don't realize you're running IE.

B
Premium,MVM
join:2000-10-28

reply to Ryan F
Three thoughts.

1. I'm glad I upgraded to Moz 1.7.8 a while ago.

2. ASDF.exe is not a typical random name; someone chose it (it's of course the keys under QWERTY). Therefore we'll either see a lot more of it as this infection gains ground in the wild, or this attack was somehow targeted at justin.

There seems to be another recent infection over at forums.spywareinfo.com/lofiversi···765.html

Sounds like a match -- and it put itself in Windows/Prefetch.

3. I gotta take another look at ProcessGuard!

Good luck, Justin. What punishment gets wreaked on the first person to send you to the "I think my computer is infected or hijacked. What should I do?" thread in Security?

-- B
--
In a realm outside causality and function


Worfus
The cake is a lie

join:2001-01-23
Richfield, WI
reply to justin
I had the same program dropped in my root directory last night at 11:37. ZA stopped it from running. I clicked DENY because I didn't expect anything new to be connecting. I was in a hurry, looking up info on an infection in a relative's computer (ironic, huh?) so I went on about my business and later forgot about it.

This evening I get home to see that NAV found the file and was at a dialog box asking what to do with it. So, sorry to say I'm glad you got it first Justin but at least I could confirm that it wasn't a FP and out it went.

Another example of "Thanks to Justin and the members of this community for this fine site."

At the time the file arrived, I was at startup.iamnotageek.com and there must have been an ad or popup that went to media.fastclick.net as it was also displayed at that time.

I'll assume that an email to the media.fastclick people wouldn't do any good since I don't have any "real" evidence outside of corresponding times.

Edit: Forgot to mention I'm using IE not FF.
Yes, go ahead, everybody can tell me I had it coming then.
--
"Confusion" will be my epitaph.

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to justin
I use Process Guard and Fx 1.0PR on my host box (1.0.6 on my virtual box). I also use Proxo on both boxes. If this is coming from ads...well, I don't see ads. I'm not convinced I need to upgrade Fx and I used RIP to permanently zap the ad here telling me I need to upgrade Fx.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake. Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning, Wm. Straus


Ryan F
Take Back The Web
Premium
join:2002-10-18
Alexandria, VA

reply to Worfus
said by Worfus:

Edit: Forgot to mention I'm using IE not FF.
Have you ever had Firefox installed? If so, what version and when?


Ryan F
Take Back The Web
Premium
join:2002-10-18
Alexandria, VA

reply to Mele20
said by Mele20:

Fx 1.0PR
There's really no point in running a version that out of date. There are over 25 critical exploits in 1.0PR - it's only a matter of time until one affects you.
Saturday, 04-Jul 04:36:36 | © 1999-2009 dslreports.com.