How to prove which Firefox add-on is trying to access 128.127.110.10 ?

[IainB]

For some time now, my Malwarebytes has kept announcing that it has blocked an attempt to access 128.127.110.10 - which is in MWB's blacklist. I checked, and it seems to be an IP address in Denmark. The certainty of this location may be in some doubt, as, when I googled it, various diverse and misleading results popped up in the search.

The MWB announcement occurred every time I started up Firefox. I therefore concluded that a FF Add-on was probably making the outgoing call - i.e., rather than FF itself.
I was going to post a query in DCF today to ask for help but have luckily discovered, by a process of elimination, that it is the FF add-on Google Reverse Image Search that is apparently making the calls.

The call to that IP address occurs every time FF is started up, without fail.
Disabling/removing the add-on causes the calls to not occur when FF is started up (all other features of FF remaining the same).

I had previously searched for that IP address string inside the files in the directory for FF and for its add-ons, but did not come up with any hits.

I would be interested if anyone has any ideas as to how you could identify/prove the source of such an outgoing call from an add-on, other than the hit-or-miss process of elimination that I employed.

[Curt]

The various security related programs that I have, can merely tell it came from Firefox, not which add-on.

[Carol Haynes]

Simple - disable 50% of your addons and see if it goes away - and continue by salami tactics until you find the offending addon!

Should be able to get it in a few tries.

Don't know any other way to do it.

[4wd]

Probably the most efficient way to narrow it down is just using a good old fashioned binary chop search on your add-ons.  eg. For my 25 add-ons it would have taken a maximum of 5 Firefox restarts to find the offensive add-on.

Worst cases:
Disable 13
Disable 6
Disable 3
Disable 1 - at this point you've found it, or
Disable 1 - it's this one or the one still enabled.

Disable 13
Enable 7 + Disable other 12
Disable 3
Disable 2
Disable 1 - this one or the one still enabled.

EDIT: Carol beat me

[IainB]

Simple - disable 50% of your addons and see if it goes away

-Carol Haynes (July 06, 2012, 07:48 AM)

Yes, that's exactly what I did - that's what I mean by "a process of elimination".
I felt sure there could be a more techie approach though!

[IainB]

Presumably the outgoing call was up to no good - 128.127.110.10 is on the MWB blacklist, for example, and when you google it, it is not a good look.
If that is true, then it raises concerns about what sort of trojans etc. developers might be building into their add-ons.
Made me even more cautious anyway.

[IainB]

Maybe what we need is a security auditing add-on to audit the installed add-ons...   

[40hz]

Maybe what we need is a security auditing add-on to audit the installed add-ons...    

-IainB (July 06, 2012, 08:23 AM)

It would be too easy to get around. As it stands, the binary "salami chop" (love that!) method suggested by Carol and 4wd is still your best bet. Don't be surprised if it turns out not to be caused by an add-on however. I've seen some incredibly subtle and clever bugs that install in drive-by fashion if you so much as land on the wrong website. A few of them even got by fully updated antimalware products and weren't caught by them until much later. It's a jungle out there.

FWIW there used to be an old MacOS (not OSX) app called Conflict Catcher that diagnosed startup extension problems by doing the exact same thing Carol suggested, albeit in a semi-automated fashion. It would disable half your extensions and then reboot and ask if everything looked ok. It would then repeat the process in binary tree fashion until it found the culprit. It was an extremely useful and popular (i.e. widely bootlegged ) app. Almost every Mac I ever saw had a copy installed.

 

[Carol Haynes]

Not sure about MWB web blocking - I get constant pops whenever I use a torrent client and have to disable the scanner. Seems more a nuisance than a help - just ramps up the paranoia!

[Curt]

128.127.110.10 seems to be an IP address in Denmark.

-IainB (July 06, 2012, 05:19 AM)

Servers in Netherlands and United Kingdom (Isle Of Man), office in Sweden
- but not Denmark.

inetnum:         128.127.110.0 - 128.127.111.255
netname:         AS51430-NL
descr:           AltusHost Inc.
remarks:         AW-INFRA
country:         NL
admin-c:         AHN-RIPE
tech-c:          AHN-RIPE
status:          ASSIGNED PA
mnt-by:          ALTUSHOST-MNT
mnt-by:          ALTUSHOST-MNT
mnt-lower:       ALTUSHOST-MNT
mnt-routes:      ALTUSHOST-MNT
source:          RIPE # Filtered

role:            AltusHost - Contact Role
address:         ALTUSHOST INC.
address:         Artillerigatan 6
address:         SE-114 51 Stockholm
address:         Sweden
phone:           +46.852506060
fax-no:          +46.844680015
abuse-mailbox:   Search for this email address

[Curt]

@IainB - I don't know why your version didn't work properly, but GRIS was updated the day before yesterday and works perfectly. And it doesn't do anything out of order.

https://addons.mozil...everse-image-search/

 

Notice who the author is: Baris Derin (Readability, etcetera) http://barisderin.com

[J-Mac]

I'd say that you are infected. Take a look at  http://www.scumware.org/report/128.127.110.10

Might want to run a few online scans, like Eset's and Kaspersky's. It appears that a lot of malware sites are based at that same server/host.

Jim

[PhilB66]

1tvlive.in Server Details
 
IP address: 128.127.110.10
 
Server Location: Netherlands
 
ISP: Altushost

1tvlive.in  Whois

Registrar: Net4India (R7-AFIN)
 
Registrant: 
NET4INDIA NET4INDIA
D-25,Sec-3
Noida, Ut 201301
IN
Telephone: +91.1204323500
Fax: +91.120432350
Email: [email protected]

Administrative Contact:
NET4INDIA NET4INDIA
D-25,Sec-3
Noida, Ut 201301
IN
Telephone: +91.1204323500
Fax: +91.120432350
Email: [email protected]

Technical Contact:
NET4INDIA NET4INDIA
D-25,Sec-3
Noida, Ut 201301
IN
Telephone: +91.1204323500
Fax: +91.120432350
Email: [email protected]

Nameservers:
NS21.ALTUSHOST.COM
NS22.ALTUSHOST.COM

Scan result: clean
http://www.urlvoid.com/scan/1tvlive.in/

[PhilB66]

The site had issues before but seems clean now:

http://support.clean...p;sort=netname%20ASC

[tslim]

I would be interested if anyone has any ideas as to how you could identify/prove the source of such an outgoing call from an add-on, other than the hit-or-miss process of elimination that I employed.

-IainB (July 06, 2012, 05:19 AM)

Knowing exactly who is the sender and thus able to block outgoing traffic is supposed to be the job of a firewall -- a software firewall like Outpost Pro. This is the major reason I do not use a hardware firewall (generally speaking, one which is made available in a modem or networking switch) which is hopeless in filtering outgoing traffic.

If you use Outpost, just disable the Windows DNS Client Service and that will force every single outgoing traffic to use Outpost's service (for DNS request). You can then tells exactly "what program" is trying to call home... It is the "Should I allow" or "Should I block" game that I often play with Outpost firewall.

Try it and you will like it.

[IainB]

Many thanks to you for all the helpful suggestions above. What a "Brains trust"!
Situation so far:

• My Malwarebytes repeatedly announced, every time FF started up, that it had blocked an attempt to by FF (the Firefox process) to access 128.127.110.10 - which is in MWB's blacklist. This alert/block was logged by MWB.
• On googling, that IP address seems to come up with various mention as an undesirable source of malware.
• That IP address is apparently located (per whois, etc.) on a server in the Netherlands, and is registered to an India-based agent.
• Removing the FF Add-on GRIS (Google Reverse Image Search) caused the MWB alert to not repeat. (No other changes were made.)

Conclusions and implications at this stage:

• Therefore, by deduction, the GRIS (Google Reverse Image Search) add-on to Firefox was somehow making/enabling the call to access 128.127.110.10
• We have not identified a forensic IT method of otherwise proving whether this add-on was making the call, nor (by extension) how it might be doing so.
• The GRIS add-on either contained or enabled malware functionality.
• Firefox add-ons as a whole cannot be trusted/guaranteed to not contain either malware or malware-enabling functionality.
• MWB is successful at blocking running processes from accessing IP addresses in its blocklist database.
• MWB or similar provide a useful/necessary additional layer of security if the user wishes to overcome some of the potential lack of trust/insecurity of a FF process with malware or malware-enabling add-ons.
• Since the usefulness of FF is for many users dependent on its large library of add-ons, then it is safest to suppose that FF is always likely to be a potential security risk.

I find this quite surprising, really. Have I made a mistake somewhere?

[4wd]

I find this quite surprising, really. Have I made a mistake somewhere?

-IainB (July 07, 2012, 07:01 PM)

• You have failed to prove whether it is repeatable, (ie. you didn't re-install the add-on to verify or you haven't said), and;
• You haven't installed the add-on into a new installation of Firefox, (preferably on a base Windows install), to prove whether it happens in conjunction with something else or not.

Reason for the last point: the conditions that are present for the phenomenon to occur could still be present awaiting a specific confluence of events that will make it manifest itself again, (ie. maybe the addition of another add-on, another process running, etc).

That's just the technician in me coming out, the need to definitely pin it down.

BTW, I looked through the GRIS javascript, (and the other files), and couldn't see anything other than barisderin.com, (and Google naturally), as a destination point.
Are you running any other add-ons that might perform an IP redirection, (like the MAFIAAFire add-on does) ?

[IainB]

...

• You have failed to prove whether it is repeatable, (ie. you didn't re-install the add-on to verify or you haven't said), and;
• You haven't installed the add-on into a new installation of Firefox, (preferably on a base Windows install), to prove whether it happens in conjunction with something else or not.

...
BTW, I looked through the GRIS javascript, (and the other files), and couldn't see anything other than barisderin.com, (and Google naturally), as a destination point.
Are you running any other add-ons that might perform an IP redirection, (like the MAFIAAFire add-on does) ?

-4wd (July 07, 2012, 10:36 PM)

Yes, you are quite right, of course.
I did consider pinning it down as you say, but decided against it - as I didn't really want to invest any more of my cognitive surplus in the thing by proving repeatability on the current or a new platform. I had spent enough time fiddling about over it already. I was just glad to be shot of it actually. I'm not intending to be a ß-tester or virus-hunter on this.
I too looked through the javascript and the other files, and could not identify anything amiss (could have missed something though).

The thing that surprised me was the conclusion that FF could actually be a big risk - in a corporate environment, never mind as a personal browser.
I had a degree of trust in FF and that trust was rather shattered.

I am using MAFIAAFire redirection, yes, but there's no more calls happening to IP 128...

[4wd]

The thing that surprised me was the conclusion that FF could actually be a big risk - in a corporate environment, never mind as a personal browser.

-IainB (July 07, 2012, 11:21 PM)

It's always been the case - unless every add-on for a browser, (any browser), is subject to analysis before release then I guess it's going to be always that way.

And that's why we have so many anti-virus, anti-malware, anti-everything software