Author Topic: Avast and jumpingcrab.com  (Read 5497 times)


Offline brotherboard

  • Newbie
  • *
  • Posts: 3
Avast and jumpingcrab.com
« on: February 23, 2013, 03:27:02 PM »
Hi. Please, has anyone any answers to the following?

Netstat run from a command prompt tells me Avast is connecting to jumpingcrab.com. I have this domain blocked by redirecting the request to my local host. What is jumpingcrab.com and why would Avast want to communicate with it?
Thanks.

 TCP    127.0.0.1:12080        sendmsg.jumpingcrab.com:50474  ESTABLISHED
 [AvastSvc.exe]

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36722
Re: Avast and jumpingcrab.com
« Reply #1 on: February 23, 2013, 05:05:55 PM »
Quote
Welcome!

jumpingcrab.com is being shared via Free DNS, a dynamic DNS domain sharing project where members can set up and administer their DNS entries on their own remote internet-connected systems in real time.

To create a free subdomain from any shared domain, you can visit the shared domain list.
For any DNS-related inquiries, questions, support, comments, or misuse contact dnsadmin@afraid.org for a quick response.
Free DNS is serving 90,000+ domains, 3.7 million subdomains, and processing 2,000+ DNS queries per second.


Offline brotherboard

  • Newbie
  • *
  • Posts: 3
Re: Avast and jumpingcrab.com
« Reply #2 on: February 23, 2013, 05:58:58 PM »
Pondus

Thanks for the welcome and the reply.

Is Avast legitimately using this web address? If so, for what purpose? Do I need to be concerned and keep directing it back to my localhost?
Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Avast and jumpingcrab.com
« Reply #3 on: February 23, 2013, 06:06:10 PM »
No, it is not Avast going there; it is something on your system trying to reach that address.

Remember, all internet requests are routed through Avast.

Offline brotherboard

  • Newbie
  • *
  • Posts: 3
Re: Avast and jumpingcrab.com
« Reply #4 on: February 23, 2013, 07:00:31 PM »
Thank you very much for the reply, essexboy.

I hadn't thought of it like that.

I also get the following message from Netstat

 TCP    127.0.0.1:49738        sendmsg.jumpingcrab.com:12080  ESTABLISHED
 [firefox.exe]
Must be something to do with that.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Avast and jumpingcrab.com
« Reply #5 on: February 23, 2013, 07:16:29 PM »
You may well have a bad Firefox extension.

Download AdwCleaner from here to your desktop.
Run AdwCleaner and select Delete.

Once done it will ask to reboot; allow this.
On reboot a log will be produced; please attach that.

Offline Xircal

  • Jr. Member
  • **
  • Posts: 29
Re: Avast and jumpingcrab.com
« Reply #6 on: February 24, 2013, 05:19:42 PM »
Oh, oh, oh. What a mess! I've never seen such a bad example of an analysis. You guys need to read what's been written by the OP and not make assumptions about what it might be.

The domain in the message is sendmsg.jumpingcrab.com, which is located in China with IP 60.10.1.118. Nothing to do with jumpingcrab.com, which has IP 70.39.97.226. Even a cursory Google search would have revealed that. But nobody appears to have bothered doing that.

The OP didn't have a 'bad firefox extension' (shame on you for suggesting such a thing Essexboy), but a very sophisticated trojan installed which AVAST hasn't yet been able to detect. It's called Trojan.Upclicker and it hides its routines by linking them to a left mouse click. Since AV in general doesn't monitor the mouse, its activities are likely to remain undetected.

I suggest everyone who contributed to this thread read this FireEye article which I hope will serve to open your eyes a bit and not apply your "one-size-fits-all" attempt to try and solve every problem which appears on the horizon. http://blog.fireeye.com/research/2012/12/dont-click-the-left-mouse-button-trojan-upclicker.html

Bye-bye again for another year. ;)


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36722
Re: Avast and jumpingcrab.com
« Reply #7 on: February 24, 2013, 05:31:48 PM »
Ah... thanks, we would be completely lost without you :P

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Avast and jumpingcrab.com
« Reply #8 on: February 24, 2013, 05:33:16 PM »
Quote
 TCP    127.0.0.1:49738

Note the proxy set in Firefox.

sendmsg.jumpingcrab.com is a subdomain of jumpingcrab.com.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32605
  • malware fighter
Re: Avast and jumpingcrab.com
« Reply #9 on: February 24, 2013, 10:29:17 PM »
Here is the definitive write-up about this malware: http://blog.fireeye.com/research/2012/12/dont-click-the-left-mouse-button-trojan-upclicker.html
(blog article post authors are FireEye researchers Abhishek Singh and Yasir Khalid)
Network activity: UDP communications...<MACHINE_DNS_SERVER>:53 with a malevolent interaction route via destination ports 443 and 80.
TDS alert: Detected a Dynamic DNS URL
See: http://host.robtex.com/sendmsg.jumpingcrab.com.html
See: https://www.virustotal.com/en/file/65fdb5d460b079279a4afcb45671b4ec4d7a2d734dcf5f45232dcbdb6d08275b/analysis/
More info from here: http://www.threatexpert.com/report.aspx?md5=a1942d1cc7552387393b91a14c9a3d7
First it goes to request an IP from f.root-servers dot net (Redwood City, CA).
see: http://volatility-labs.blogspot.nl/2012/12/what-do-upclicker-poison-ivy-cuckoo-and.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
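The two points the replies above turn on, that traffic shown under AvastSvc.exe is really the local web-shield proxy relaying for another application, and that the peer name sits under a shared dynamic-DNS zone, can both be checked mechanically from `netstat -b` output. The script below is an added example written for this thread; it is not code from the forum, from Avast or from any of the posters. It assumes the constructed sample output (the thread's two excerpts merged with one ordinary HTTPS connection to a documentation address), a constructed hosts-file mapping that mirrors the OP's redirect of the domain to 127.0.0.1 (the assumption being that this mapping is why netstat prints the name next to a loopback socket), and a one-entry zone list containing the afraid.org shared domain named by Pondus. Loopback port 12080 is treated as the proxy in front of Firefox because that is the port the replies point at; the script does not hard-code it but infers it from which loopback port other processes connect to.

```python
"""Triage `netstat -b` output: attribute loopback-proxy traffic to the client
process and flag peers under shared dynamic-DNS zones (added example)."""
import re
from ipaddress import ip_address

# Constructed sample: the thread's two excerpts plus one plain outbound
# connection (203.0.113.10 is a reserved documentation address).
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:12080        sendmsg.jumpingcrab.com:50474  ESTABLISHED
 [AvastSvc.exe]
  TCP    127.0.0.1:49738        sendmsg.jumpingcrab.com:12080  ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.5:49801      203.0.113.10:443               ESTABLISHED
 [firefox.exe]
"""

# Constructed hosts-file entries, mirroring the OP's redirect to localhost.
HOSTS = {"sendmsg.jumpingcrab.com": "127.0.0.1"}

# Shared dynamic-DNS zones to flag; jumpingcrab.com is the one named in the thread.
DYNAMIC_DNS_ZONES = {"jumpingcrab.com"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def split_endpoint(ep):
    """'host:port' -> (host, port); handles '[::1]:80' and the '*:*' wildcard."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Pair each connection line with the [process] line netstat -b prints after it."""
    conns, current = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            lh, lp = split_endpoint(local)
            rh, rp = split_endpoint(remote)
            current = {"proto": proto, "local_host": lh, "local_port": lp,
                       "remote_host": rh, "remote_port": rp,
                       "state": state, "process": None}
            conns.append(current)
            continue
        p = PROC_RE.match(line)
        if p and current is not None:
            current["process"] = p.group(1)
            current = None
    return conns


def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:        # a hostname, not an address
        return False


def zone_match(host, zones):
    """Return the dynamic-DNS zone that `host` falls under, or None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def triage(text, hosts, zones):
    """Return (kind, process, detail) findings for the given netstat output."""
    conns = parse_netstat(text)
    for c in conns:
        # A hosts-file override makes netstat display the name for 127.0.0.1.
        c["local_ip"] = hosts.get(c["local_host"].lower(), c["local_host"])
        c["remote_ip"] = hosts.get(c["remote_host"].lower(), c["remote_host"])
    # A loopback port that some process connects to is the listening side of a
    # local proxy; the process holding it as its local port owns the proxy.
    targeted = {c["remote_port"] for c in conns if is_loopback(c["remote_ip"])}
    proxies = {c["local_port"]: c["process"] for c in conns
               if is_loopback(c["local_ip"]) and is_loopback(c["remote_ip"])
               and c["local_port"] in targeted}
    findings = []
    for c in conns:
        proc, name, ip = c["process"], c["remote_host"], c["remote_ip"]
        if name != ip and is_loopback(ip):
            findings.append(("hosts_redirect", proc, name))
        if is_loopback(ip) and proxies.get(c["remote_port"]) not in (None, proc):
            findings.append(("via_local_proxy", proc, proxies[c["remote_port"]]))
        zone = zone_match(name, zones)
        if zone:
            findings.append(("dynamic_dns", proc, zone))
    return findings


if __name__ == "__main__":
    for kind, proc, detail in triage(SAMPLE_NETSTAT, HOSTS, DYNAMIC_DNS_ZONES):
        print(f"{kind:16} {proc:14} {detail}")
```

On the sample, the firefox.exe line is reported as going through the proxy owned by AvastSvc.exe, both lines are reported as hosts-file artefacts (the displayed name resolves to 127.0.0.1, so neither is evidence of a live remote session), and both carry the dynamic-DNS flag for jumpingcrab.com. The practical reading is the one essexboy gives: follow the `via_local_proxy` finding back to the client process and investigate there, not in the AV service that merely relayed the request.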

Offline Xircal

  • Jr. Member
  • **
  • Posts: 29
Re: Avast and jumpingcrab.com
« Reply #10 on: February 25, 2013, 11:18:12 AM »
Quote
You may well have a bad firefox extension

Download AdwCleaner from........
Even in the highly unlikely event that this was the case, you don't need a third-party tool to remove a Firefox extension. It has its own tools for doing that.

You guys are supposed to be the experts and users rely on you to get it right.

I tell you, if you came to my company looking for a job, I wouldn't even let you loose in the kitchen with a mop!

Offline Xircal

  • Jr. Member
  • **
  • Posts: 29
Re: Avast and jumpingcrab.com
« Reply #11 on: February 25, 2013, 11:41:44 AM »
Quote
sendmsg.jumpingcrab.com is a subdomain of jumpingcrab.com
Nope. Here's the Whois for jumpingcrab.com: http://whois.net/whois/jumpingcrab.com

And here's the one for sendmsg.jumpingcrab.com

Yes, of course it's disguised, but malware writers aren't going to make it easy for you, and the "sendmsg" aspect makes it look like it's jumpingcrab sending a message using Firefox. That's why I said that you can't apply the one-size-fits-all solution and have to treat every incident as a unique case.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Avast and jumpingcrab.com
« Reply #12 on: February 25, 2013, 03:20:21 PM »
Trust me, I know there is not a universal panacea for this; the malware, if it is not an extension, will then be hiding in the system either under a BHO or a run key.
And how does the OP uninstall a hidden Firefox extension?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Avast and jumpingcrab.com
« Reply #13 on: February 25, 2013, 04:57:51 PM »
Quote
I tell you, if you came to my company looking for a job, I wouldn't even let you loose in the kitchen with a mop
Not a problem as I was always rubbish with a mop