Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to Tuulilapsi

Re: asdf.exe / theonion.com

Most folks use Fx because they like it. Security isn't that important of a reason to use Fx. It is NOT the reason people use Fx. If I liked IE, I would use it. Simple as that. I don't like IE. I like Fx but not a great deal. It is better though than IE. Mozilla is the best browser but it lacks an essential extension. Opera costs too much. Which is the most secure? I don't know and don't care. Fx does itself harm by this campaign to claim it is superior security wise.

If I was as concerned as you appear to be, I would simply buy BoClean and be done with it. (Oh...and of course make sure I have either Process Guard or KIS 2006 which has a Process Guard).
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake. Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning, Wm. Strauss

Tuulilapsi
Kenosis

join:2002-07-29
Finland

said by Mele20:

Most folks use Fx because they like it. Security isn't that important of a reason to use Fx. It is NOT the reason people use Fx. If I liked IE, I would use it. Simple as that. I don't like IE. I like Fx but not a great deal. It is better though than IE. Mozilla is the best browser but it lacks an essential extension. Opera costs too much. Which is the most secure? I don't know and don't care. Fx does itself harm by this campaign to claim it is superior security wise.

If I was as concerned as you appear to be, I would simply buy BoClean and be done with it. (Oh...and of course make sure I have either Process Guard or KIS 2006 which has a Process Guard).
Riiiight. I suppose no one has changed from IE to Fx because Fx is, or was, less vulnerable to drive-by-downloads of badware of the day than IE. Fact is, many people do use Fx because they think it's more secure than IE. You have an annoying habit of trying to project your own, often quite eccentric, opinions on other people. Just because you don't use Fx for security reasons doesn't mean other people don't, either.

I'm not concerned for my own security, which I feel confident in, but I am concerned for the security of John and Jane User. BOClean is no computer security Jesus, protecting from all malware known to man. If there's a hole in Fx that can be fixed, it should be fixed as soon as possible to protect users. Simple as that. Since this would seem to be (one of) the first cases of drive-by-downloads in Fx, this is an important issue that deserves all the attention it can get.
--
And lead me not into temptation - for I can find my way there myself easily enough.


sybille
Not only "just visiting"
Premium
join:2004-04-06
France

1 edit

reply to Cudni
Interesting info, Cudni, thanks.

Looking at the list, it seems to me that although the advisory has been updated, it still does not concern releases of Firefox after 1.0.4. So the current release, 1.0.6, ought to be OK.

Another reason to keep things updated.....:)

Edit: but I guess this would not account for what DonoftheDead has reported?


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to Tuulilapsi
I may be "eccentric" but you are the patronizing one. I wouldn't want to be Jane or John Doe and know you.

As for BoClean and Process Guard, they come as close as possible to being "god" as any security device ever has. Have you ever heard of anyone running BoClean who got infected?
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake. Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning, Wm. Strauss


Tuulilapsi
Kenosis

join:2002-07-29
Finland

I don't think it's very patronizing to acknowledge the fact that most users don't know even the basics of computer security, nor that when software has flaws, software companies should fix them as soon as possible. The John and Jane Users that know me personally seem fairly grateful for my help, and after listening to me, they seldom need any help again.

DCS ProcessGuard is a very good tool in the right hands, and I own a license. However, for the average user that doesn't know that mssmgs.exe is malware instead of a legit application, ProcessGuard isn't nearly as useful. It's not a panacea. As for BOClean, yes, I have seen cases where people have gotten infected running BOClean. BOClean is a well-regarded anti-malware, but it's not perfect - nothing is.
--
And lead me not into temptation - for I can find my way there myself easily enough.


barky
Premium
join:2001-03-17
San Diego, CA

reply to Mele20
In my experience, most people switched to FF because it was generally considered to be a "secure" browser. In fact, I clearly remember the average DSLR FF advocate using security as the number one reason to switch from IE. I've set up plenty of non tech savvy people with FF, because I believed it to be fairly secure. With the number of advisories coming out on FF, and now this issue, I won't be recommending FF as an IE replacement anymore. I think the fox had its time, but popular use has caught up with it. I really like that FF is standards compliant, but it lacks mature development on the security side. I've had good luck with IE locked down (Avant is my primary), but still use FF for web development (and still will). Personally, I'm a little scared to browse the innerweb on the fox now.



justin
Australian
join:1999-05-28
New York, NY
kudos:7

It is funny how one problem with an older version of the browser (I don't buy that the problem is 1.0.6 yet) has someone declaring the poor state of Firefox security when new versions of the full default install of IE are hacked almost monthly.

By the way, searches for asdf.exe hitting this topic are 50% MSIE (latest version) and 50% firefox. Of the 50% firefox, 50% are older versions doing the search. Many of the 1.0.6 visitors are curious visitors from topics at mozillazine, etc.



DonoftheDead
Premium
join:2004-07-12
USofA

reply to justin
Just an update. I upgraded Suse and FF during the installation. I didn't go on the Net until FF was v1.0.6. I never let FF d/l any plugins when it asks. I went to a Kaffeine d/l site and tried to d/l a plug-in. It didn't d/l the file I wanted, but it did drop asdf.exe on my box. Went back to the site today. No problem. D/l'ed the files I wanted without a hitch. Maybe it's over now, with the "bad server" taken down. Could it be the Linux ver. of FF1.0.6 is vulnerable, and the Windows ver. of FF1.0.6 isn't? Not an expert, just asking. Certainly a weird form of malware. Would like to know how it got on my Suse9.2 box. Not worried, just curious.:)


B
Premium,MVM
join:2000-10-28

reply to justin

It really bothers me that we're five pages into this and 3.6 gazillion page views and search hits, and we have almost no documentation or live samples, other than the "dead" issue reported by the kind BOClean folks (and thank you for that guys).

I would ask Kevin to return to the thread long enough to answer some of the seemingly valid questions his report raises, particularly regarding the infection vector and what version(s) of what browser(s) may still be vulnerable to this effect.

And to the contrary, if the vector is NOT a new one, then please simply let us know which one it was....

-- B
--
In a realm outside causality and function



gruntled2

@arlngt01.va.comcast.

approval from:
B
catseyenu

reply to justin
Apologies; I'm the guy who posted the report about 1.0.6 being vulnerable; I had to race out of town for a family emergency Friday and just now regained Internet access. Here are the details: My box is WinXP AMD Athlon with all critical patches installed. The system is running both anti-virus and a software firewall (behind a hardware firewall). I've been running Firefox 1.0.6 since it was released in July. On Wednesday, August 24, I went to www.fitwatch.com/caloriecounter.html to find out how many calories are in a large order of fries (long story). Other common vectors, such as mail or instant messaging, were not active. Moments after visiting the site, my software firewall reported that asdf.exe was trying to access the Internet. I denied access and began researching the issue. After concluding that I could safely delete the files, I did so.

-dave



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

Thanks for coming back. Did you have Java and/or JavaScript enabled on that day?

Cudni
--
What is now proved was once only imagined.
Help yourself so God can help you



gruntled2

@arlngt01.va.comcast.

While I keep javascript disabled in IE, I have enabled both Java and Javascript in Firefox.

-dave



gruntled2

@arlngt01.va.comcast.

reply to gruntled2
Should have also noted that the "Allow web sites to install software" option is not checked.


KyeU

join:2003-12-31
Canada

reply to gruntled2
Ads I see on that fitwatch site:

<!-- FASTCLICK.COM POP-UNDER CODE v1.7e for fitwatch.com -->
<script language="javascript"><!--
var doc=document; var url=escape(doc.location.href); var date_ob=new Date();
doc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(doc.cookie.indexOf('e=llo') <= 0 && doc.cookie.indexOf('2=o') > 0){
doc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
doc.write('/w/pop.cgi?sid=10991&m=2&v=1.7e&u='+url+'&c='+bust+'"></scr'+'ipt>');
date_ob.setTime(date_ob.getTime()+43200000);
doc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();} // -->
</script>
<!-- FASTCLICK.COM POP-UNDER CODE v1.7e for fitwatch.com -->

<!-- FASTCLICK.COM 120x600 and 160x600 SkyScraper CODE for fitwatch.com -->
<script language="javascript" src="http://media.fastclick.net/w/get.media?sid=10991&m=3&tp=7&d=j&t=n"></script>
<noscript><a href="http://media.fastclick.net/w/click.here?sid=10991&m=3&c=1" target="_blank">
<img src="http://media.fastclick.net/w/get.media?sid=10991&m=3&tp=7&d=s&c=1"
width=160 height=600 border=1></a></noscript>
<!-- FASTCLICK.COM 120x600 and 160x600 SkyScraper CODE for fitwatch.com -->

<!-- FASTCLICK.COM 468x60 v1.4 for fitwatch.com -->
<script language="Javascript"><!--
var i=j=p=t=u=x=z=dc='';var id=f=0;var f=Math.floor(Math.random()*7777);
id=10991; dc=document;u='ht'+'tp://media.fastclick.net/w'; x='/get.media?t=n';
z=' width=468 height=60 border=0 ';t=z+'marginheight=0 marginwidth=';
i=u+x+'&sid='+id+'&m=1&f=b&v=1.4&c='+f+'&r='+escape(dc.referrer);
u='<a hr'+'ef="'+u+'/click.here?sid='+id+'&m=1&c='+f+'" target="_blank">';
dc.writeln('<ifr'+'ame src="'+i+'&d=f"'+t+'0 hspace=0 vspace=0 frameborder=0 scrolling=no>');
if(navigator.appName.indexOf('Mic')<=0){dc.writeln(u+'<img src="'+i+'&d=n"'+z+'></a>');}
dc.writeln('</iframe>'); // --></script><noscript>
<a href="http://media.fastclick.net/w/click.here?sid=10991&m=1&c=1" target="_blank">
<img src="http://media.fastclick.net/w/get.media?sid=10991&m=1&d=s&c=1&f=b&v=1.4"
width=468 height=60 border=1></a></noscript>
<!-- FASTCLICK.COM 468x60 v1.4 for fitwatch.com -->

I will take a look at these ads, to see if there's any suspicious code.

RobertLudlum

join:2005-01-20
656456

reply to justin

Re: asdf.exe / theonion.com

Another data point.

Routine scanning of my temp folder found a file 77dwr6zp.zip which contained asdf.exe. It doesn't seem to have been executed though.


Gruntled2

@arlngt01.va.comcast.

reply to justin
I think this could be an issue with prefetch in Mozilla/Firefox. Prefetch is turned on by default in Mozilla/Firefox. Basically, anything marked with a prefetched tag is brought down, and anybody can mark anything with a prefetch tag. To turn prefetching off, go to the address bar and type "about:config" and then scroll down to "network.prefetch-next". Double click on it to change the setting to False.


jp10558
Premium
join:2005-06-24
Willseyville, NY

said by Gruntled2 :

I think this could be an issue with prefetch in Mozilla/Firefox. Prefetch is turned on by default in Mozilla/Firefox. Basically, anything marked with a prefetched tag is brought down, and anybody can mark anything with a prefetch tag. To turn prefetching off, go to the address bar and type "about:config" and then scroll down to "network.prefetch-next". Double click on it to change the setting to False.
But why would that cause the cached items to be able to attempt to make outgoing connections? Surely prefetch doesn't attempt to execute anything it downloads?
--
Opera 8.02(Build 7680); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 2.7;Proxomitron 4.5j Grypen 8/28/05(Opera mod),GPG ID:0x0A1C6EE3

Tuulilapsi
Kenosis

join:2002-07-29
Finland

You're correct. Prefetch also doesn't download anything to C root.



gruntled2

@arlngt01.va.comcast.

My point is not that prefetch places a download at root; my point is that prefetch could be used to download a bit of code that then places asdf.exe at C root, and then asdf.exe attempts to download the payload.

over 12.5 years online © 1999-2012 dslreports.com.