Topic: URL:Mal 54.69.95.67:443/v2/links/view

REDACTED

  • Guest
URL:Mal 54.69.95.67:443/v2/links/view
« on: February 02, 2015, 09:29:22 PM »
Greetings Avast Community,

I was browsing the internet with my fav browser when an alert popped up.

(I had just been browsing cloud storage.) An alert popped up.

URL:Mal

URL: 54.69.95.67:443/v2/links/view (Looks like an Amazon EC2 Address)

Process: Browser

Any new extensions? Not a single new extension or add-on is active.

Tried running MBAM? Running now.

Visited the IP in question on a secure self destructing remote virtual computer. Seems like the ec2 instance is running a python app (flask based).

VirusTotal Scan is a negative: https://www.virustotal.com/en/url/598c2a2d23236b5e3b6ef9b181846e77cebe940261bf004a1d3a533f9b7cbd3a/analysis/1422909804/
URL Query is also negative : https://urlquery.net/report.php?id=1422911042861
scumware has a positive: MD5 0A9C56E5140477008E2EDAC883AD4149 Threat Type: Win32/SoftPulse.W potentially unwanted application; however the attack vector IP has moved since the original diagnosis.

« Last Edit: February 02, 2015, 10:33:19 PM by OliPicard »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #1 on: February 02, 2015, 09:31:49 PM »
Logs to assist in cleaning malware  https://forum.avast.com/index.php?topic=53253.0


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #2 on: February 02, 2015, 10:26:38 PM »
The downloads and installers from there are infested: http://urlquery.net/report.php?id=1422662377129
We find "ET POLICY Executable served from Amazon S3" IDS alert,
read about that here: https://lists.emergingthreats.net/pipermail/emerging-sigs/201-January/017028.html  (so that abuse has been with us since at least 2012)
More here: http://comments.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/14206
It is all about "cybercriminals-using-amazon-web-services-aws-to-host-malware".

So attach the demanded cleansing logs and wait for a qualified remover with a cleansing script to get it off of your machine.
Follow his instructions to the dot.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #3 on: February 02, 2015, 10:31:26 PM »
Quote
The downloads and installers from there are infested: http://urlquery.net/report.php?id=1422662377129
We find "ET POLICY Executable served from Amazon S3" IDS alert,
read about that here: https://lists.emergingthreats.net/pipermail/emerging-sigs/201-January/017028.html  (so that abuse has been with us since at least 2012)
More here: http://comments.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/14206
It is all about "cybercriminals-using-amazon-web-services-aws-to-host-malware".

So attach the demanded cleansing logs and wait for a qualified remover with a cleansing script to get it off of your machine.
Follow his instructions to the dot.

polonus

Roger that,

Awaiting for MBAM to finish scanning then will move onto the rest of the scans.


REDACTED

  • Guest
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #4 on: February 02, 2015, 10:45:18 PM »
MBAM scan came back clean.
« Last Edit: February 02, 2015, 11:12:47 PM by OliPicard »

REDACTED

  • Guest
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #5 on: February 02, 2015, 10:52:42 PM »
Farbar Scan Results
« Last Edit: February 02, 2015, 11:12:34 PM by OliPicard »

REDACTED

  • Guest
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #6 on: February 02, 2015, 11:05:08 PM »
Seems like someone else has also had the exact same problem. He has traced the IP to the Mozilla Tiles service. This service is used to serve up sponsored advertisements as well as most used web sites in a tile formation.

From what I can see the IP address may have been reassigned to Mozilla; unknown to them, it seems they picked up a bad IP address which had been used in drive-by download PUPs recently.

I shall await for the FarBar results.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #7 on: February 02, 2015, 11:07:12 PM »
Quote
He has traced the IP to the Mozilla Tiles service. This service is used to serve up sponsored advertisements as well as most used web sites in a tile formation.
No fair I was just about to post that

I came across this a few months back and this appears to work  https://support.mozilla.org/en-US/questions/1030849

REDACTED

  • Guest
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #8 on: February 02, 2015, 11:10:16 PM »
Quote
He has traced the IP to the Mozilla Tiles service. This service is used to serve up sponsored advertisements as well as most used web sites in a tile formation.
No fair I was just about to post that

I came across this a few months back and this appears to work  https://support.mozilla.org/en-US/questions/1030849

Awesome, glad we traced the origin. :D If everything is looking good on the scan results then I can move onto uninstalling Farbar.

How do I remove Farbar again? From what I can recall there was a tool I could download to remove it completely.

Thanks again.
Oliver


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #9 on: February 02, 2015, 11:11:33 PM »
Yup Delfix

Download and run Delfix



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #10 on: February 02, 2015, 11:45:20 PM »
Hi OliPicard and essexboy,

Good you so quickly could agree on from where that sponsored ad-launch came.
Feeding ads becomes more and more of a problem, good it was not a malicious action by design.
A decent adblocker is something one cannot do without these days.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #11 on: February 02, 2015, 11:48:38 PM »
Quote
Hi OliPicard and essexboy,

Good you so quickly could agree on from where that sponsored ad-launch came.
Feeding ads becomes more and more of a problem, good it was not a malicious action by design.
A decent adblocker is something one cannot do without these days.

polonus

Unfortunately it's hard coded into the browser's design. Even the classic mode is showing signs of having the sponsored ads. No browser based ad block can currently block this type of attack.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #12 on: February 02, 2015, 11:55:28 PM »
Hi OliPicard,

At least you know or are aware at least what is going on. This seems to demonstrate again that marketing is ruling software everywhere and the routes to cheap money are even part of the browser design. I use sleipnir but I wonder if it is not the same tracking and ad-launching machine as Google Chrome is. Can you comment here, because I think you have relevant knowledge there for us  ;),

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #13 on: February 03, 2015, 12:12:02 AM »
Quote
Hi OliPicard,

At least you know or are aware at least what is going on. This seems to demonstrate again that marketing is ruling software everywhere and the routes to cheap money are even part of the browser design. I use sleipnir but I wonder if it is not the same tracking and ad-launching machine as Google Chrome is. Can you comment here, because I think you have relevant knowledge there for us  ;),

Damian


Sure would be happy to elaborate!

Mozilla as a company is focused on making open source free software. They have had a long running 10 year deal with Google. Unfortunately the deal is coming to an end and as such Mozilla is looking at finding additional revenue streams to fund development of their software. Some of the funding comes from donations from the community, some comes from referral links inside Google's default search option (this will soon be Yahoo however) and some from the Enhanced Tiles service.

Firefox introduced tiles in the classic form. Originally the tiles served a Quick Dial purpose (you could see a site you previously visited and click on it). The service would load in images of previous sites as well. In November 2014 Mozilla introduced "Enhanced Tiles". These new tiles allow Mozilla to make additional revenue on blank/newly installed Firefox installations by showing sponsored content. Normally ads from companies for booking websites and password generators would show up, but now it seems the ad system is being opened up to other sponsors, although Mozilla is keen to make everyone aware that the ads in question are being closely filtered. Mozilla's current platform is using Amazon Web Services to host the ad platform. It seems that the IP address in question was rolled out without the developers' knowledge of its bad past (just had a chat with the tiles team at Mozilla).

Soon Mozilla is rolling out Yahoo as the default search for new users (just wanted to make you all aware of this), as their long term search relationship with Google is coming to an end. You can select your default search engine as Google, and if you're already using Google as your default search engine you won't have to change the search provider.


If you use a firewall/Router

You can block the tiles in-bound requests from a firewall by using the following ruleset.

HTTP/HTTPS blocking rules

https://tiles.services.mozilla.com/v2/links/*
https://tiles.services.mozilla.com/v2/links/view

If you want to modify your firefox installation you can use the following steps

Go to about:config
(agree to the disclosure if you dare.)

locate and edit browser.newtabpage.directory.source to the following empty string
browser.newtabpage.directory.source= <empty>
Visit about:cache, locate the location of the cache and go one step up. Locate and find directoryLinks.json
delete directoryLinks.json


I hope this helps
Oliver
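As an added example (not part of the thread, and not Mozilla's own tooling), the script below checks a Firefox prefs.js/user.js fragment for the browser.newtabpage.directory.source pref from the steps above, tests whether its value falls under the two tiles.services.mozilla.com block patterns listed in the post, and emits a hardened copy with the pref set to an empty string. The sample pref text is constructed; the pref browser.newtabpage.enabled and the fetch URL in it are illustrative values, not taken from the thread.

```python
import re
from fnmatch import fnmatchcase

PREF_NAME = "browser.newtabpage.directory.source"   # pref named in the post
BLOCK_PATTERNS = [                                   # firewall rules from the post
    "https://tiles.services.mozilla.com/v2/links/*",
    "https://tiles.services.mozilla.com/v2/links/view",
]
# Matches one Firefox pref line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

def parse_prefs(text):
    """Return {name: raw_value} for every user_pref(...) line in the text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def tiles_source(prefs):
    """Return the unquoted directory.source URL, or "" when unset or empty."""
    return prefs.get(PREF_NAME, '""').strip('"')

def is_blocked(url):
    """True if the URL would be caught by one of the post's block patterns."""
    return any(fnmatchcase(url, p) for p in BLOCK_PATTERNS)

def hardened_prefs(text):
    """Return the prefs text with the tiles source pref forced to an empty
    string (the about:config step), appending the line if it was absent."""
    new_line = f'user_pref("{PREF_NAME}", "");'
    lines, found = text.splitlines(), False
    for i, line in enumerate(lines):
        m = PREF_RE.match(line)
        if m and m.group(1) == PREF_NAME:
            lines[i], found = new_line, True
    if not found:
        lines.append(new_line)
    return "\n".join(lines) + "\n"

# Constructed sample prefs.js fragment (not copied from any real profile).
SAMPLE_PREFS = (
    'user_pref("browser.newtabpage.enabled", true);\n'
    'user_pref("browser.newtabpage.directory.source", '
    '"https://tiles.services.mozilla.com/v2/links/fetch/en-US/release");\n'
)

if __name__ == "__main__":
    src = tiles_source(parse_prefs(SAMPLE_PREFS))
    print(f"tiles source: {src!r}  blocked by firewall rules: {is_blocked(src)}")
    print(hardened_prefs(SAMPLE_PREFS))
```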


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Mal 54.69.95.67:443/v2/links/view
« Reply #14 on: February 03, 2015, 12:30:25 AM »
Hi Oliver,

Thank you for filling us in with this information.  ;D
I know all interested forum users will highly appreciate to hear your informed views.
Glad to have you here.

kind regards,

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!