
Over the weekend the roomie notifies me that not only did Trend Micro catch a few Trojan viruses, there appeared to be some malcode in his Firefox folder!
First, the Trend Micro results prompted the roomie to do a full Malwarebytes scan. That turned up the interesting results shown below.

Trend Micro had by this time quarantined or deleted some of the other files. All were the same Trojan with variant extensions.
Notice in the image above that the worm and Trojan agent are found in what is usually the “typical” installation of Firefox. If you install Firefox on a Windows computer, it will put a Mozilla Firefox folder in Program Files. But notice I also said a “typical” installation of Firefox!
My roomie is aware of the dangers of the web. He’s no stranger to this stuff. (Wonder why?) So, he NEVER installed his Firefox browser on his computer. Instead, he uses the Portable Apps version that is on his Flash Drive or USB stick.
It never was a typical installation – which may have been what saved his computer from a whole lot of damage!
The files that were found beneath this folder give me an indication that this was a theme or persona he tried out when the new Firefox was released. The install.rdf resembles – somewhat – the typical install.rdf in a theme with some minor alterations to the file. (Please note: I’ve saved the original files as TEXT so you can see what I see.)
There were a few other files that I will need to open in another program to read as they are not text readable. Not sure exactly what kind of code it is yet and frankly, it doesn’t look like it’s even English programming code. But if anyone from Mozilla would like the files, I’ll be happy to turn them over to someone in that community or to any security researcher.
There was another strange piece of code inside a folder which was structured like this: C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul. As far as I can remember, I have never seen a timer anything in Firefox files.
So, I opened that up in my text editor to find this:
This code led to a site that does not have a home page if you back out the extraneous stuff after the .com. So, full security enabled, I went to the full link to be displayed a blank page. However, I right clicked on that page and saw that there was code beneath the blank white page.
This:
PLEASE DO NOT ACCESS THESE SITES ON YOUR OWN! I have a high level of security on my test machine and do not put my own private PC at risk.
I won’t get into the details of what the code does but suffice it to say that it’s really redirecting you to the site specified in the code. And guess what Trend Micro says about that site?
Interesting that if you do a search on this website, it’s listed as everything from web search hijacker to a virus!
And it’s run by some shady characters. Just look here – it’s safe – http://www.robtex.com/dns/mysearchcorp.com.html.
Okay, so we tracked down the bad guys. The point is how did this get into my roomie’s computer?
He was downloading and trying on different Themes and Personas. The fact that all the code points to a directory on his computer that should never have been created because he uses Firefox on his flash drive, AND the fact that it created an install.rdf and a few other files synonymous with a theme, plus the fact that the timer.xul has references to an “overlay” and a blacked-out background, all make me suspicious.
When my roomie went back to Trend because we couldn’t see the network shared folder so he could pass on these files to me, it was discovered that all his Network Protocol entries under his firewall settings had been damaged or deleted. He had to uninstall and reinstall Trend Micro once again. In all my years of working with Trend Micro, I’ve never seen anything take out the protocols under the firewall before! Very scary!
Lastly, he tells me that around this time, he may – or may not – have had his Trend Micro RUBotted trigger when he was visiting sites. Bad sign!
Since many of the files were damaged or deleted in the scans, I can’t say with 100% certainty that this was a theme or persona. But I am saying BE CAREFUL in case it is a new attack vector. We’ve seen some Firefox add-ons removed due to their containing malware in the past. Did the jerks move to personas and themes next?
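As an added example (not code from the post or from Mozilla), here is a small defender-side scanner for the pattern described above: an extension dropped under the Firefox extensions folder whose chrome XUL overlay carries a timer and a redirect to an outside site. The extension tree, the GUID and the URL in it are constructed placeholders, not the files from the roomie’s machine.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructed sample files: a theme-style install.rdf (em:type 4 = theme) and an
# overlay XUL that, after a delay, sends the browser to an external host.
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{00000000-0000-0000-0000-000000000000}</em:id>
    <em:type>4</em:type>
  </Description>
</RDF>
"""
SAMPLE_TIMER_XUL = """<?xml version="1.0"?>
<overlay id="timer-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/x-javascript">
    window.setTimeout(function(){ window.location = "http://example.invalid/redirect?x=1"; }, 3000);
  </script>
</overlay>
"""

# Hosts that legitimately show up as XML namespaces inside chrome files; never flag these.
BENIGN_HOSTS = {"www.mozilla.org", "www.w3.org"}
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
SUSPICIOUS_HINTS = ("<overlay", "setTimeout", "window.location")

def scan_extension_dir(root):
    """Walk an extensions folder; report chrome/manifest files that combine an
    overlay/timer/redirect hint with a URL pointing at a non-Mozilla host."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".xul", ".js", ".rdf")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            external = sorted({u for u in URL_RE.findall(text)
                               if urlparse(u).hostname not in BENIGN_HOSTS})
            hints = [h for h in SUSPICIOUS_HINTS if h in text]
            if external and hints:
                findings.append({"file": os.path.relpath(path, root),
                                 "urls": external, "hints": hints})
    return findings

def build_sample_tree():
    """Create the constructed extension layout in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="ffext_")
    ext = os.path.join(root, "{00000000-0000-0000-0000-000000000000}")
    os.makedirs(os.path.join(ext, "chrome", "content"))
    with open(os.path.join(ext, "install.rdf"), "w") as fh:
        fh.write(SAMPLE_INSTALL_RDF)
    with open(os.path.join(ext, "chrome", "content", "timer.xul"), "w") as fh:
        fh.write(SAMPLE_TIMER_XUL)
    return root

if __name__ == "__main__":
    for finding in scan_extension_dir(build_sample_tree()):
        print(finding)  # only timer.xul is reported; install.rdf has no external host
```

Point it at a real profile’s extensions folder instead of build_sample_tree() to triage an add-on before passing it on to a researcher.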

Some disturbing news hit the wires yesterday late in the afternoon that I really need to make you aware of.
As we’ve discussed in our recent radio show broadcast on Technical Tidbits in the Social Media Remorse episode, many of us are using smart phones to engage and keep up-to-date. Besides being a quick way to respond (and not always thinking before we do, as that episode points out), there’s yet another danger that has been brought to light by a Free Mobile Security provider for Smartphones – Lookout.
The AP reported that Lookout has found that many of the apps you use on your iPhone and Android-enabled smart phone are sending back some of your personally sensitive data and forwarding it to third parties without your consent or knowledge.
The AP article, What your phone doesn’t say: It’s watching, Reporter, Jordan Robertson states:
Lookout Inc., a mobile-phone security firm, scanned nearly 300,000 free applications for Apple Inc.’s iPhone and phones built around Google Inc.’s Android software. It found that many of them secretly pull sensitive data off users’ phones and ship them off to third parties without notification.
The article points out:
The data can include full details about users’ contacts, their pictures, text messages and Internet and search histories. The third parties can include advertisers and companies that analyze data on users.
The information is used by companies to target ads and learn more about their users. The danger, though, is that the data become vulnerable to hacking and use in identity theft if the third party isn’t careful about securing the information.
This is a disturbing piece of information for all smart phone users! And it’s not just the new evil-doers of wifi data collection Google! Apple’s apps are guilty too!
Well, Microsoft, move over! You’ve got company on the “evil” sofa of software developers in the hall of shame!
And shame on the app developers and the third parties collecting this data! You’re all GUILTY in this one!
A special thank you to Lookout, Inc. for discovering this! I’m glad someone is watching! (And no! The links are not affiliate links! The software is free!)
Read the full article: What your phone doesn’t say: It’s watching

I have to admire what Google has done to try to stay on top of security issues. Kudos to Google for recording my IP address and alerting me when I sign in that another IP address has accessed my account. Thank you Google.
But! I about had a heart attack this morning!
I use my gmail account for a ton of reasons – mainly, I am too involved on the web to open my Thunderbird – which I now hate since upgrading to the 3.0 version. But that’s another story for another blog post.
Anyway, I log in this morning to check out the last minute details about the radio show this morning (which was AWESOME I might add!), and they notify me that my account has been accessed by another IP address. YIKES!
Did I get compromised by corresponding with a certain individual who has had his network taken over by the hacking underground? Did I tick off someone with an article, a blog post? WTF?
What is important to note in this post is that I remembered what I did the day before which helped me track down the culprit. And this is what I want you to learn from this. Don’t panic!
Gmail advised me to change my password. I’m using 344 bit encryption in my password. It’s over 30 characters long! How could anyone have hacked that?
So I copied the IP address that they said was the one that accessed my email account. The culprit came from 209.18.68.125. Ok, good! I have an IP address of the lousy hacker.
I do a search on WhatIsMyIp.com and find this:
That still tells me nothing! As far as I know, I haven’t ticked off any hackers in New Jersey! But it’s also a corporate network, which adds to my suspicion that this isn’t a hack at all. Hackers wouldn’t use a corporate network! At least not REAL hackers!
Okay, so then whom might that be?
That’s when my thoughts raced back to what I did yesterday. I did allow a new website to access my Gmail contacts so I could tell them that I was now on a new social networking site. What the heck was the name of it? Oh yes! IMfaceplate.com! (If you want to see my profile, it’s here: DebbieMahler)
So, now I do a “Whois” lookup for IMfaceplate.com! And in the image below you’ll see where I put a red box around the Name Servers for the website:
Now, look between the first graphic of my WhatIsMyIp lookup of the IP address and the second graphic of the Whois lookup. See how easy that was!
So, when I allowed the site access to my Gmail account so I could grab my contacts list, it actually logged into my account and Gmail recorded the IP address! Pretty cool security feature, I must say! But also a huge panic attack on my part this morning!
The take-away from this post is, don’t panic if you get the notice from Gmail that you’ve been hacked. Do a simple look up like I have and see if it jogs your memory about what you were doing the day of or before the alleged hack attack.
If you still can’t find the culprit, change your password. I’m not going to preach about passwords in this post because I’ve written articles about how to create a secure password until I’m blue in the face! But if you must have a refresher course, here’s an easy read!
That being said, I was not hacked but I did change my 30+ password anyway!
Now, I would be remiss in commenting about this IMFaceplate.com while I’m on the subject. I don’t know if it’s going to catch on. It’s simple enough to sign up for an account but do we really need another social networking site? I mean really?
That aside, I met the owner on my twitter account. I kind of got spammed – so to speak – but that’s another post too! Suffice it to say that after getting off to a rather shaky start, he’s really a good guy trying to promote his business. Luke Risley, (@BIGtime222) is really a nice person and a great new twitter friend.
Now, whether I need a new social network or not, I’m supporting him in his endeavor and signed up! Ya never know, it might be the next big thing! You just can’t tell these days!