Author Topic: 7.7.7.0 Browser Hijack Virus  (Read 9392 times)
Edvard
Coding Snacks Author
Charter Honorary Member
« on: January 14, 2009, 04:21:05 PM »

OK, apparently this started around the middle of last month, and it's still happening. It's happened twice to my co-worker and I wonder if there's a definite fix as the AV companies apparently haven't nailed it down yet.
Here's what's happening...

All Google and Yahoo searches through IE and Firefox are being redirected through the address 7.7.7.0
When using Firefox, you'll notice "7.7.7.0" instead of "connecting to Google" in the status bar.
The subsequent search terms show relevant results in the text and all, but the associated links are horribly wrong.
When this happens, you will also find a file named wdmaud.sys and/or sysaudio.sys in C:\windows\system32.
Also there will be an associated registry entry at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
It will be a key named "aux" with a value of "wdmaud.sys"
The general consensus of opinions is that the attack vector is a tainted PDF that gets payloaded from a banner ad or hidden iframe, and it may also be a rootkit.

Have you come across this?
If so, did you get rid of it?
How?
Where did you find the most helpful advice?

Temporary fixes include turning off javascript, redirecting 7.7.7.0 to Google via a HOSTS file, all kinds of things.
The reality is that this is a new threat that needs to be dealt with quickly.

Read up:
http://www.google.com/search?q=7.7.7.0+redirect


Edit: Changed title of topic so folks know this is about a virus, not just a personal annoyance.
« Last Edit: January 15, 2009, 11:18:05 AM by Edvard » Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #1 on: January 14, 2009, 05:27:07 PM »

Here's a tool that may help:
http://www.techish.net/20...-redirector-malware-tool/

In the meanwhile, to prevent infections, there are a few things you can do.
Firefox: Use the NoScript extension.
Internet Explorer: Crank down your javascript permissions or disable it altogether in the "Internet Options" dialog
Adobe Reader: Turn off Adobe Javascript.
To do that, open Adobe Reader, and hit Edit > Preferences.
Then go to the Javascript entry and untick the "Enable Acrobat Javascript" box.

Any other pointers?
Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
app103
That scary taskbar girl
Charter Honorary Member
« Reply #2 on: January 14, 2009, 05:29:36 PM »

Foxit Reader:

Go to Edit>Preferences>Javascript

uncheck the box
Logged

PhilB66
Supporting Member
« Reply #3 on: January 14, 2009, 05:33:44 PM »

Thanks Edvard for the heads up. There's a good discussion @ Browser Redirect to 7.7.7.0 - interesting - dslreports.com.
Logged
f0dder
Charter Honorary Member
« Reply #4 on: January 15, 2009, 12:26:50 AM »

This sounds nasty - good thing I don't have adobe pdf reader installed (I wonder if foxit et al are vulnerable, even with javascript support enabled).

NoScript + AdBlockPlus = Kiss
Logged

- carpe noctem
Josh
Charter Honorary Member
« Reply #5 on: January 15, 2009, 04:26:44 AM »

Or perhaps just admuncher + ......Nothing =  Kiss
Logged

STOP THE MADNESS! Microsoft should not have to advertise it's competitors. Opera is getting far out of hand.
f0dder
Charter Honorary Member
« Reply #6 on: January 15, 2009, 04:38:19 AM »

Whatever floats your boat - I'm personally not a fan of admuncher (probably works fine, but I only want adblocking in my browser, I don't like the idea of global winsock hooking). Besides, AM only blocks ads, right? You could get exploit-triggering outside of advertisement frames...
Logged

- carpe noctem
Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #7 on: January 15, 2009, 10:18:35 AM »

Apparently, javascript delivered via PDF is the prime suspect in this case. So that means if your pdf reader supports embedded js, it is a vulnerability.
App's post reveals that Foxit does indeed support javascript, so make sure you've got that turned off.

lol from a poster on WoW forums:
"Send it securely to every anti-virus company. The one that sends you a fix the fastest is your new anti-virus."
Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
f0dder
Charter Honorary Member
« Reply #8 on: January 15, 2009, 10:23:25 AM »

> Apparently, javascript delivered via PDF is the prime suspect in this case. So that means if your pdf reader supports embedded js, it is a vulnerability.
> App's post reveals that Foxit does indeed support javascript, so make sure you've got that turned off.
There's javascript and there's javascript - you don't necessarily need to expose filesystem writing capabilities to the scripting engine.

That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.
Logged

- carpe noctem
app103
That scary taskbar girl
Charter Honorary Member
« Reply #9 on: January 15, 2009, 10:24:53 AM »

> That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.

But why take a chance? Can you see any reason NOT to turn it off?
Logged

Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #10 on: January 15, 2009, 10:25:41 AM »

I have also seen a handful of reports that it interferes with anti-virus and anti-malware programs via the TDSSserv trojan.
See here: http://forums.cnet.com/52...ag=forums06;posts#2926532

@f0dder: That's beyond what I can tell you. I'd be all for writing the author(s) of Foxit and ask the question just for your own peace of mind.
« Last Edit: January 15, 2009, 10:27:53 AM by Edvard » Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
f0dder
Charter Honorary Member
« Reply #11 on: January 15, 2009, 10:31:28 AM »

> That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.
> But why take a chance? Can you see any reason NOT to turn it off?

Indeed - I don't have a use for JS in PDFs, so I might as well do that... except JS can't be turned off in Foxit. Mailing them might be a good idea.

I don't use in-browser PDF anyway, so the exploit would have to be able to download+launch an external file - and it would have to be able to do that in spite of noscript+adblockplus.
Logged

- carpe noctem
Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #12 on: January 15, 2009, 10:32:36 AM »

Also, read the responses on the DSLReports link: http://www.dslreports.com...7770-interesting~start=40

Some folks have tracked down individual sites that are either infected and spreading this, or are the culprits themselves.
Also finding out exactly how the infection happens. Interesting read.
Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
app103
That scary taskbar girl
Charter Honorary Member
« Reply #13 on: January 15, 2009, 10:35:34 AM »

> Indeed - I don't have a use for JS in PDFs, so I might as well do that... except JS can't be turned off in Foxit. Mailing them might be a good idea.
>
> I don't use in-browser PDF anyway, so the exploit would have to be able to download+launch an external file - and it would have to be able to do that in spite of noscript+adblockplus.

What do you mean it can't be turned off? I told you how:

Foxit Reader:

Go to Edit>Preferences>Javascript

uncheck the box

Logged

f0dder
Charter Honorary Member
« Reply #14 on: January 15, 2009, 10:37:55 AM »

It's not present in the 2.2 version I use - perhaps it's time to upgrade.
Logged

- carpe noctem
Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #15 on: January 15, 2009, 10:42:15 AM »

@f0dder: I just downloaded Foxit version 3 and confirmed app's fix.
If version 2.2 isn't bugging you and for all you know it doesn't do the javascript, you may be safe with it.
Also installed SumatraPDF to test for js capability and it has no way to set preferences, so who knows?
Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
app103
That scary taskbar girl
Charter Honorary Member
« Reply #16 on: January 15, 2009, 10:45:26 AM »

> Also installed SumatraPDF to test for js capability and it has no way to set preferences, so who knows?

Sumatra is pretty no-frills, so it's probably not likely that it even supports js.
Logged

Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #17 on: January 15, 2009, 10:46:05 AM »

If you do install Foxit 3, use the custom installation. In there, you can tell it whether to install the Firefox plugin.
If you use Firefox, it would probably be smart to say 'no' to that one...
Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
f0dder
Charter Honorary Member
« Reply #18 on: January 15, 2009, 10:49:29 AM »

Edvard: 2.2 has Javascript, but no option to turn it off. I like Sumatra because it doesn't have the insanely-slow-rendering-on-x64 that FoxIt (at least 2.2) has... but it's been too unstable for me, unfortunately. And yeah, definitely no browser plugins for me, I hate having various document types render in-browser.
Logged

- carpe noctem
app103
That scary taskbar girl
Charter Honorary Member
« Reply #19 on: January 15, 2009, 11:00:35 AM »

This might be a good idea for anyone, whether they have plugins in their browser to view PDF files in-browser or not. One of my favorite browser plugins.

PDF Download

Available for both IE & Firefox, whenever you come across a pdf file, it asks you what to do with it.

options are:
1. view in browser
2. convert and view as html (much better than google's view as html option)
3. download

(it also turns web pages into pdf files, if you want, preserving links quite well)
Logged

Nod5
Supporting Member
« Reply #20 on: January 15, 2009, 01:03:14 PM »

@app: I didn't know that Foxit had JS activated by default. Deactivated now. Thanks!

edit:
Edvard's first post states that a symptom of the problem is if sysaudio.sys or wdmaud.sys exists in C:\WINDOWS\system32\

It is then best to add that files with those names exist in C:\WINDOWS\system32\drivers\, at least on my (supposedly clean) Win XP Pro system. The files with the MD5 values below passed the test at http://virusscan.jotti.org/ a minute ago:

C:\WINDOWS\system32\drivers\sysaudio.sys
8b83f3ed0f1688b4958f77cd6d2bf290

C:\WINDOWS\system32\drivers\wdmaud.sys
6768acf64b18196494413695f0c3a00f

I also have a registry entry very similar to the one Edvard talks about at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
But the difference is that my (again supposedly clean) computer has an "aux" key with the value "wdmaud.drv" (NOT "wdmaud.sys").

I guess it is yet an example of the common practice for malware to have deceptively similar names and locations as legit Windows files. A good way to counter that is to post and check file hashes.
« Last Edit: January 15, 2009, 01:25:59 PM by Nod5 » Logged
Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #21 on: January 15, 2009, 01:39:08 PM »

The ones in C:\WINDOWS\system32\drivers\ are fine. It's always if they are found in the c:\WINDOWS or system32.
If your registry says wdmaud.drv it should be fine as well.
Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #22 on: January 15, 2009, 07:33:33 PM »

OK, some instructions for removing this thing have been posted at http://www.myantispyware....remove-trojan-dnschanger/

The best thing is to NOT get infected in the first place, but if you do, there's some sound advice.

I've also seen a lot of reports that it prevents Malwarebytes' Anti-Malware program from running. I'd say that's as good as an advertisement of MBAM's effectiveness in removing malware.
Apparently it is freeware as a scanning tool but a paid registration gives you "Realtime Protection".
Has anybody had any experience with this tool?

@Nod5: Here is the MD5 for the "bad" wdmaud.sys.
63453ec7d65a333a0a645cc50195990a

Also, the bad one is only about 17K, where the real one is 74K or 82K.
« Last Edit: January 15, 2009, 07:38:30 PM by Edvard » Logged

Want moar lightsabers? -> Moar Lightsabers PLZ!!

All children left unattended will be given a mocha and a puppy.
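The indicators collected across this thread (Edvard's opening post, Nod5's reply #20 and Edvard's replies #21 and #22) can be turned into a defender-side triage check. This is an added example, not code from the thread or from any tool it mentions; the 32K size cut-off and the "review" verdicts are my own assumptions, and the sample inventory is constructed.

```python
import hashlib
import ntpath

# Indicators as posted in the thread: the bad wdmaud.sys / sysaudio.sys sits directly in
# system32 (syswow64 on XP x64) and is ~17K; the real drivers live in system32\drivers (74K/82K).
BAD_WDMAUD_MD5 = "63453ec7d65a333a0a645cc50195990a"      # bad copy, Edvard's reply #22
KNOWN_GOOD_MD5 = {                                        # Nod5's clean XP Pro box, reply #20
    "sysaudio.sys": "8b83f3ed0f1688b4958f77cd6d2bf290",
    "wdmaud.sys": "6768acf64b18196494413695f0c3a00f",
}
SUSPECT_NAMES = {"wdmaud.sys", "sysaudio.sys"}
LEGIT_DIR = "\\system32\\drivers"
DROP_DIRS = ("\\system32", "\\syswow64", "\\windows")
SMALL_LIMIT = 32 * 1024   # assumption: anything below this is treated as the "about 17K" bad copy

def classify_file(path, data):
    """Return (verdict, reason) for one file, given its path and raw bytes."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    if name not in SUSPECT_NAMES:
        return "ignore", "name not associated with this hijacker"
    md5 = hashlib.md5(data).hexdigest()
    if md5 == BAD_WDMAUD_MD5:
        return "infected", "MD5 matches the bad wdmaud.sys posted in the thread"
    if parent.endswith(LEGIT_DIR):
        if KNOWN_GOOD_MD5.get(name) == md5:
            return "clean", "expected location and known-good MD5"
        # Nod5's hashes come from one XP build; other builds or hotfixes legitimately differ.
        return "review", "expected location, but MD5 differs from the posted clean one"
    if parent.endswith(DROP_DIRS):
        if len(data) < SMALL_LIMIT:
            return "infected", "suspect name in a drop location and small size"
        return "review", "suspect name outside system32\\drivers"
    return "review", "unexpected location for this file name"

def classify_aux_value(value):
    """drivers32 'aux' value: wdmaud.drv on a clean box, wdmaud.sys on an infected one."""
    v = value.strip().lower()
    if v == "wdmaud.drv":
        return "clean"
    if v == "wdmaud.sys":
        return "infected"
    return "review"

def triage(inventory, aux_value):
    """Run both checks over a list of (path, bytes) plus the registry value; return findings."""
    findings = [(path,) + classify_file(path, data) for path, data in inventory]
    findings.append(("drivers32 aux", classify_aux_value(aux_value), aux_value))
    return findings
```

Feed `triage` the files and the registry value read from the machine under review; every "review" verdict still needs a hash check against a trusted source, since the clean hashes above are from a single XP build.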
Stoic Joker
Honorary Member
« Reply #23 on: January 17, 2009, 02:11:29 PM »

Malwarebytes' Anti-Malware = Yes

When dealing with end user/client machines 90% of the time Spybot Search and Destroy works for me, the other 10% requires Malwarebytes.

...Okay, 5% of the time I just flatten the box... But Malwarebytes is an excellent utility which is also (highly) MS MVP recommended.
Logged
Zedar
Participant
« Reply #24 on: February 08, 2009, 10:24:13 AM »

Just a quick note I'll add to the discussion after dealing with this today. I run Win XP 64-bit edition, and the wdmaud.sys file can be found in the C:\windows\syswow64 folder.

After doing a search for the file, the infected version has a description of "Meikiemos Rules" in the tooltip description.
Logged