Anyone know what this is?

Viruses and worms
1

Attached find .jpeg of browser window at Symantec blog site: hxxp://www.symantec.com/connect/blogs/downloaderponik-seeks-long-term-relationship

Blog is unreadable at the moment. Never seen before, so suggest not visiting unless operating in a virtual environment.

2

To me it just looks like screwed up page coding and the format is screwed up and also displaying the page source. Most likely a missing tag so the formatting is lost and the page source displayed as text.

3

@ DavidR,

Well, there may be more to be seen than meets the eye. I note that there is a second address bar in the .jpeg attached for the browser window. Seems strange that it is there. Not only that, the WebReb and WOT icons are clickable as well.

4

Hi mchain,

PM-ed you about the code overlay you had in that image you gave us or what I could grasp of it. According to me this is compromising MS webserver core webdav exploit code. Not new, actually dating from 2003, but coming in various variants - typical is the repeated “U300E %u300e% u74da” pattern in the working attack…

Damian

5

Could be the hole ridden WordPress blog engine?

6

Just in case anyone who had a look at the first .jpeg could not/did not see the second address bar where there should not be one, see the attached Greenshot capture attached below. Is this something peculiar to the forum protocols here? Or other?

7

There are many sites that have a search function within the site, usually it is something like a customised google search, but restricted to the site.

8

True, but this additional ‘search’ function is not present in the original screen capture. It is not present on the Symantec website either.

As the original question remains, what is this?

Do other attached browser window images posted here in other topics show this modification for you, or is it just on my system? Yes, I know the original question was posed for a different reason altogether, but perhaps stumbled on this issue after visiting the infected Symantec site?

I have Polonus’s informed information stating that the corruption of the browser window screenshot is due to a Windows 2000 server exploit dating to 2003, that it was the server that was infected, so…

9

Now I’m confused, I really don’t know what it is that you refer to as I see a site search in both images you posted, extract from the first that I’m talking about.

10

Hi mchain,

I have to agree with DavidR that this search bar should be there. At first, I myself couldn’t understand what you meant by ‘second address bar’. You would only imagine an address bar would be built-in the browser; not part of the website itself.

By Symantec website I assume you’re referring to http://www.symantec.com/. Did you notice how their blog is designed different from their main site? The main site itself also has a search feature, just not as UX/UI orientated. Thus, more users would notice and use the search future on their blog as opposed to the main site.

If you want further proof, have a look at the following code parsed through their server:

[code=HTML - Beautified]





Symantec Connect


        <form action="/connect/search/apachesolr_search?filters=tid%3A2261%20type%3Ablog" method="post" id="custom-search">
            <div id="search-input-wrapper" class="clearfix">
                <a href="/connect/search-tips" class="search-tip">Search Tips</a>
                <input id="search-header-terms" name="keys" class="form-text" value="Enter keywords to search..."/>
            </div>
            <div id="search-button">
                <input id="search-submit" type="submit" name="op" value="Search" />
            </div>
        </form>
    </div>
</div>
```

Do note that this is not dynamically generated with JavaScript whilst most online malware is.

Hi Polonus and others,

Compare This: http://browsershots.org/screenshots/7f70112d4b40c7a6f154cfb8149ee453
To This: http://browsershots.org/screenshots/4f7123b75e13f76b5e4776816b357dbd

Notice how the navigation (located below the logo) is not featured in the first image. If you look closely enough, JSON data was returned to the client but was not parsed. Also notice how the JSON data included “navigation” as the first key in the object. To find the source of this data, I searched “navigation” in the server response. The following code induces this data:

[code=JavaScript - Beautified]




So in summary, a misunderstanding.
~!Donovan
11

It is apparent that no one can see what I see when I open any of the posted captures here. I note that the capture by DavidR is not showing this anomaly, so the difference may be on my system.

One more try attached below:

12

Hi mchain,

While viewing an image, there should be an address bar. The second address bar you mention is that of the image?

Edit: See attached.

~!Donovan

13

Oh my god, now it is growing, now there’s three ;D

14

Exactly!!

Now you can see why I wonder what is going on. :o Could this have to do with the forum itself or is it just me?

BTW, the file intercepted by OA is Sti_Trace.log as suspicious as in WINDOWS/Sti_Trace.log when Greenshot is operated in screen capture. For some reason, there is a keylogger for Greenshot posted in the Anti-Keylogger section. Do not know why that is there.

15

It is the avast forums, just that you don’t realise when avast opens an attachment that is to large to open in-line (e.g. within the post itself) it opens a new window for the attachment.

That new window would normally be the same window format if you had opened a new window yourself albeit some of the elements aren’t displayed…

16

This behavior is standard. When a new window is opened, naturally an address bar will also be shown.
More Information: http://www.w3schools.com/jsref/met_win_open.asp

~!Donovan

17

Well folks, let us view it in a more unconventional way then: https://docs.google.com/viewer?url=www.symantec.com/connect/blogs/downloaderponik-seeks-long-term-relationship

polonus