Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on February 02, 2015, 09:29:22 PM

Title: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 02, 2015, 09:29:22 PM
Greetings Avast Community,

I was browsing the internet with my fav browser when an alert popped up.

(I had just been browsing cloud storage.) An alert popped up.

URL:Mal

URL: 54.69.95.67:443/v2/links/view (Looks like an Amazon EC2 Address)

Process: Browser

Any new extensions? Not a single new extension or add-on is active.

Tried running MBAM? Running now.

Visited the IP in question on a secure self destructing remote virtual computer. Seems like the ec2 instance is running a python app (flask based).

VirusTotal scan is negative: https://www.virustotal.com/en/url/598c2a2d23236b5e3b6ef9b181846e77cebe940261bf004a1d3a533f9b7cbd3a/analysis/1422909804/
URL Query is also negative: https://urlquery.net/report.php?id=1422911042861
scumware has a positive: MD5 0A9C56E5140477008E2EDAC883AD4149 Threat Type: Win32/SoftPulse.W potentially unwanted application; however, the attack vector IP has moved since the original diagnosis.

Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: Pondus on February 02, 2015, 09:31:49 PM
Logs to assist in cleaning malware  https://forum.avast.com/index.php?topic=53253.0

Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: polonus on February 02, 2015, 10:26:38 PM
The downloads and installers from there are infested: http://urlquery.net/report.php?id=1422662377129
We find "ET POLICY Executable   served from Amazon S3" IDS alert,
read about that here: https://lists.emergingthreats.net/pipermail/emerging-sigs/201-January/017028.html  (so that abuse has been with us since at least 2012)
More here: http://comments.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/14206
It is all about "cybercriminals-using-amazon-web-services-aws-to-host-malware".

So attach the demanded cleansing logs and wait for a qualified remover with a cleansing script to get it off of your machine.
Follow his instructions to the dot.

polonus
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 02, 2015, 10:31:26 PM
The downloads and installers from there are infested: http://urlquery.net/report.php?id=1422662377129
We find "ET POLICY Executable   served from Amazon S3" IDS alert,
read about that here: https://lists.emergingthreats.net/pipermail/emerging-sigs/201-January/017028.html  (so that abuse has been with us since at least 2012)
More here: http://comments.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/14206
It is all about "cybercriminals-using-amazon-web-services-aws-to-host-malware".

So attach the demanded cleansing logs and wait for a qualified remover with a cleansing script to get it off of your machine.
Follow his instructions to the dot.

polonus

Roger that,

Waiting for MBAM to finish scanning, then I will move on to the rest of the scans.

Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 02, 2015, 10:45:18 PM
MBAM scan came back clean.
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 02, 2015, 10:52:42 PM
Farbar Scan Results
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 02, 2015, 11:05:08 PM
Seems like someone else has also had the exact same problem. He has traced the IP to the Mozilla Tiles service. This service is used to serve up sponsored advertisements as well as most-used web sites in a tile formation.

From what I can see the IP address may have been reassigned to Mozilla; unknown to them, it seems they picked up a bad IP address which had been used in drive-by download PUPs recently.

I shall await the FarBar results.
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: essexboy on February 02, 2015, 11:07:12 PM
Quote
He has traced the IP to the Mozilla Tiles service. This service is used to serve up sponsored advertisements as well as most-used web sites in a tile formation.
No fair I was just about to post that

I came across this a few months back and this appears to work  https://support.mozilla.org/en-US/questions/1030849
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 02, 2015, 11:10:16 PM
Quote
He has traced the IP to the Mozilla Tiles service. This service is used to serve up sponsored advertisements as well as most-used web sites in a tile formation.
No fair I was just about to post that

I came across this a few months back and this appears to work  https://support.mozilla.org/en-US/questions/1030849

Awesome, glad we traced the origin. :D If everything is looking good on the scan results then I can move onto uninstalling Farbar.

How do I remove Farbar again? From what I can recall there was a tool I could download to remove it completely.

Thanks again.
Oliver

Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: essexboy on February 02, 2015, 11:11:33 PM
Yup Delfix

Download and run Delfix (http://www.bleepingcomputer.com/download/delfix/)

(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: polonus on February 02, 2015, 11:45:20 PM
Hi OliPicard and essexboy,

Good that you could so quickly agree on where that sponsored ad launch came from.
Feeding ads becomes more and more of a problem, good it was not a malicious action by design.
A decent adblocker is something one cannot do without these days.

polonus
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 02, 2015, 11:48:38 PM
Hi OliPicard and essexboy,

Good that you could so quickly agree on where that sponsored ad launch came from.
Feeding ads becomes more and more of a problem, good it was not a malicious action by design.
A decent adblocker is something one cannot do without these days.

polonus

Unfortunately it's hard coded into the browser's design. Even the classic mode is showing signs of having the sponsored ads. No browser based ad block can currently block this type of attack.
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: polonus on February 02, 2015, 11:55:28 PM
Hi OliPicard,

At least you know, or are at least aware of, what is going on. This seems to demonstrate again that marketing is ruling software everywhere and the routes to cheap money are even part of the browser design. I use Sleipnir but I wonder if it is not the same tracking and ad-launching machine as Google Chrome is. Can you comment here, because I think you have relevant knowledge there for us  ;),

Damian
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 03, 2015, 12:12:02 AM
Hi OliPicard,

At least you know, or are at least aware of, what is going on. This seems to demonstrate again that marketing is ruling software everywhere and the routes to cheap money are even part of the browser design. I use Sleipnir but I wonder if it is not the same tracking and ad-launching machine as Google Chrome is. Can you comment here, because I think you have relevant knowledge there for us  ;),

Damian


Sure would be happy to elaborate!

Mozilla as a company is focused on making open source free software. They have had a long-running 10 year deal with Google. Unfortunately the deal is coming to an end, and as such Mozilla is looking at finding additional revenue streams to fund development of their software. Some of the funding comes from donations from the community, some comes from referral links inside Google's default search option (this will soon be Yahoo however) and some from the Enhanced Tiles service.

Firefox introduced tiles in the classic form. Originally the tiles served a Quick Dial purpose (you could see a site you previously visited and click on it). The service would load in images of previous sites as well. In November 2014 Mozilla introduced "Enhanced Tiles". These new tiles allow Mozilla to make additional revenue on blank/newly installed Firefox installations by showing sponsored content. Normally ads from companies for booking websites and password generators would show up, but now it seems the ad system is being opened up to other sponsors, although Mozilla is keen to make everyone aware that the ads in question are being closely filtered. Mozilla's current platform is using Amazon Web Services to host the ad platform. It seems that the IP address in question was rolled out without the developers' knowledge of its bad past (just had a chat with the tiles team at Mozilla).

Soon Mozilla is rolling out Yahoo as the default search for new users (just wanted to make you all aware of this), as their long-term relationship with Google is coming to an end. You can select Google as your default search engine, and if you're already using Google as your default search engine you won't have to change the search provider.


If you use a firewall/Router

You can block the tiles in-bound requests from a firewall by using the following ruleset.

HTTP/HTTPS blocking rules

https://tiles.services.mozilla.com/v2/links/*
https://tiles.services.mozilla.com/v2/links/view

If you want to modify your firefox installation you can use the following steps

Go to about:config
(agree to the disclosure if you dare.)

locate and edit browser.newtabpage.directory.source to the following empty string
browser.newtabpage.directory.source= <empty>
Visit about:cache, locate the location of the cache and go one step up. Locate and find directoryLinks.json   
delete directoryLinks.json


I hope this helps
Oliver
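
A scripted version of the about:config and cache steps above, plus a matcher for the two firewall rules, as an added example that is not from the post or from Mozilla. It assumes you know your Firefox profile directory and that directoryLinks.json sits in that directory; the pref is pinned via user.js, which Firefox re-applies at every start.

```python
import tempfile
from pathlib import Path

# Pref named in the post; the empty string switches the tiles source off.
TILES_PREF = "browser.newtabpage.directory.source"
USER_JS_LINE = 'user_pref("%s", "");' % TILES_PREF
# File named in the post. Assumption: it lives in the profile directory.
TILES_CACHE_FILE = "directoryLinks.json"
# Host and path prefix shared by the two firewall rules in the post.
TILES_URL_PREFIX = "https://tiles.services.mozilla.com/v2/links/"

def is_tiles_request(url):
    """True if url falls under the post's block rules (.../v2/links/*)."""
    return url.startswith(TILES_URL_PREFIX)

def disable_enhanced_tiles(profile_dir):
    """Pin the pref in user.js and delete the cached tiles file.

    user.js is re-applied at every start, so the setting survives even
    when Firefox rewrites prefs.js. Returns (replaced_lines, cache_removed).
    """
    profile = Path(profile_dir)
    user_js = profile / "user.js"
    lines = user_js.read_text().splitlines() if user_js.exists() else []
    # Drop any earlier setting of the same pref so ours is the only one.
    kept = [ln for ln in lines if TILES_PREF not in ln]
    replaced = len(lines) - len(kept)
    kept.append(USER_JS_LINE)
    user_js.write_text("\n".join(kept) + "\n")
    cache = profile / TILES_CACHE_FILE
    cache_removed = cache.exists()
    if cache_removed:
        cache.unlink()
    return replaced, cache_removed

def demo():
    """Run the helper against a constructed throw-away profile directory."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        # Constructed sample: pref pointed at a placeholder source, plus
        # a stale directoryLinks.json.
        (profile / "user.js").write_text(
            'user_pref("browser.startup.page", 1);\n'
            'user_pref("%s", "https://example.invalid/links");\n' % TILES_PREF)
        (profile / TILES_CACHE_FILE).write_text("{}")
        replaced, removed = disable_enhanced_tiles(profile)
        text = (profile / "user.js").read_text()
        return replaced, removed, USER_JS_LINE in text, "example.invalid" in text
```

To apply it to a real profile, call disable_enhanced_tiles() with the profile path while Firefox is closed; demo() only touches a temporary directory.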

Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: polonus on February 03, 2015, 12:30:25 AM
Hi Oliver,

Thank you for filling us in with this information.  ;D
I know all interested forum users will highly appreciate to hear your informed views.
Glad to have you here.

kind regards,

Damian
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: REDACTED on February 03, 2015, 07:25:39 AM
Hi guys,

I would just like to give thanks for this information. I've received this alert twice this morning and I was worried. Now I'm relieved.  :)

I wonder if it's affecting a lot of users around the world or just a handful. I also wonder if users with other browsers are getting the same alert.

Anyway, I'm just glad to know I'm not the only one with this issue.  ;)

Regards,

Eyalin
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: HonzaZ on February 03, 2015, 11:37:40 AM
Hi guys,
the URL 54.69.95.67 had been used for malicious purposes until ~7 days ago (domains such as 00dvla.t2gdssvyy.com, 00hot7kwwgk.xtdq3k9.com, 00lcpudbamm.uvxdiu5i.com pointed here). 7 days ago, virtually all the traffic stopped, and then traffic rose yesterday 16:00 CET. This is commonly caused by somebody buying the IP.
I just now unblocked the IP, so there should be no more popups for you:-)!
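The reasoning HonzaZ applies (sightings stop for about a week, then traffic resumes under different names) can be checked automatically before an old block is kept or lifted. The following is an added example, not Avast's own logic, run over constructed sightings that reuse the hostnames named above; the hit counts are made up.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sightings for 54.69.95.67 as (day, hostname, hits). The
# hostnames are the ones named in the thread; the counts are made up.
SIGHTINGS = [
    (date(2015, 1, 20), "00dvla.t2gdssvyy.com", 40),
    (date(2015, 1, 21), "00hot7kwwgk.xtdq3k9.com", 35),
    (date(2015, 1, 22), "00lcpudbamm.uvxdiu5i.com", 38),
    (date(2015, 1, 23), "00dvla.t2gdssvyy.com", 30),
    (date(2015, 1, 24), "00hot7kwwgk.xtdq3k9.com", 31),
    (date(2015, 1, 25), "00dvla.t2gdssvyy.com", 1),  # tail-off
    # 26 Jan to 1 Feb: nothing seen at all
    (date(2015, 2, 2), "tiles.services.mozilla.com", 900),
    (date(2015, 2, 3), "tiles.services.mozilla.com", 1200),
]

def reassignment_signal(sightings, quiet_days=7, quiet_max=2):
    """Look for 'quiet gap, then traffic under new names' on one IP.

    Returns None if no run of at least quiet_days low-volume days is
    followed by traffic; otherwise a dict with the gap bounds and whether
    every host seen after the gap is new (the strongest hint the IP changed
    hands, which argues for re-checking the block before acting on it).
    """
    per_day, hosts_by_day = defaultdict(int), defaultdict(set)
    for day, host, hits in sightings:
        per_day[day] += hits
        hosts_by_day[day].add(host)
    day, last = min(per_day), max(per_day)
    quiet_run, gap_start = 0, None
    while day <= last:
        if per_day.get(day, 0) <= quiet_max:
            quiet_run += 1
            gap_start = gap_start or day
        else:
            if quiet_run >= quiet_days:
                before = {h for d, hs in hosts_by_day.items()
                          if d < gap_start for h in hs}
                after = {h for d, hs in hosts_by_day.items()
                         if d >= day for h in hs}
                return {"gap_start": gap_start, "resumed_on": day,
                        "gap_days": quiet_run,
                        "new_hosts_only": before.isdisjoint(after)}
            quiet_run, gap_start = 0, None
        day += timedelta(days=1)
    return None
```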
Title: Re: URL:Mal 54.69.95.67:443/v2/links/view
Post by: polonus on February 03, 2015, 12:23:47 PM
Hi HonzaZ,

It is to be hoped the buyer is a sinkholer, so the malicious activity will be mitigated.
It is a pity it is only a certain class of domains that qualify for sinkholing;
otherwise you have no other option than to block.

polonus