    Persistent malware in Edge

    IT Discussion
    42 Posts 4 Posters 4.1k Views
    • scottalanmillerS
      scottalanmiller
      last edited by

      It's hard to say in a generic situation which pieces of information will matter, but including more info rather than less is good. But in this situation, I was able to guess that the URL was the needed piece of the puzzle.

      We see this in WordPress infections regularly. Any given infection or attack will have a fingerprint - often it's behaviour. In this case, the behaviour was to go to a specific link (that probably generates revenue, that's the reason for the attack). By knowing who is making the money, you can tell how they likely did it.

      • bbigfordB
        bbigford @scottalanmiller
        last edited by

        @scottalanmiller said in Persistent malware in Edge:

        @BBigford said in Persistent malware in Edge:

        Can you expand on what you mean with specific URLs? Do you mean determining its intent, like if it is redirecting you to a "Microsoft Support" site, vs. just hijacking your search session, etc?

        Yes, in your original post you were looking for generic Edge hijacks and intentionally blocking including the URL information of where it was going. But it was always going to the same URL. That there was an issue with Windows, Edge, hijacking or anything else was trivial compared to the importance of the URL. Why did you mention the URL but never just copy and paste it completely?

        The reason that you didn't find the fix was that you were looking for very generic information about infections, rather than the one specific piece of info that you had - the URL. The URL was very unique to the infection. Knowing the URL took us straight to the answer.

        What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?

        • scottalanmillerS
          scottalanmiller @bbigford
          last edited by

          @BBigford said in Persistent malware in Edge:

          What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?

          It was a hint in one of your posts (maybe the OP): you included the word "spigot", which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure was a specific money-making link of some sort.

          • bbigfordB
            bbigford @scottalanmiller
            last edited by

            @scottalanmiller said in Persistent malware in Edge:

            @BBigford said in Persistent malware in Edge:

            What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?

            It was a hint in one of your posts (maybe the OP): you included the word "spigot", which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure was a specific money-making link of some sort.

            Ah, ok.

            • scottalanmillerS
              scottalanmiller
              last edited by

              In this case, it's a bit of business logic applied to the situation rather than technical. If my goal was to attack you and annoy you with sending you to a random site with cat pictures, I could hide that anywhere and could choose any of thousands of cat picture sites to send you to. It would be a funny, but useless attack. And yes, I knew someone that once made malware that only played turkey sounds at random intervals and did nothing else, it happens but... not in the "real" world.

              In the real world, any attack is out to make money. If the attack is visible, like by hijacking you, it has to do something to make money. If it is sending you to a website, chances are that site makes it money. To do that, either the attack has to be from the makers of the site itself (Yahoo is not doing that) or it has to be someone that has a deal to make money from the link itself (you can do this with nearly any major website). So assuming basic business guesses, we can assume the latter. So identify the URL, and you identify the attack.

              • bbigfordB
                bbigford
                last edited by bbigford

                Here's an interesting part of running from command line @scottalanmiller ... In previous versions of Edge, it was still run as "spartan.exe" since it was originally Spartan. Then with (I think) 1607, it changed. It's not found in Program Files, it's in SystemApps... drilling down you find MicrosoftEdge, and program type is exe. Doing a run command, you can't run anything like MicrosoftEdge, or adding .exe... You have to run microsoft-edge and add the protocol : // (no space... it created an emoji. :D) at the end, then it will launch. Very weird. Then I noticed you can't run the same command microsoft-edge:// and have the program open from CMD, or even try to launch Edge from any of its directories.... just weird.

                • DashrenderD
                  Dashrender @scottalanmiller
                  last edited by

                  @scottalanmiller said in Persistent malware in Edge:

                  @BBigford said in Persistent malware in Edge:

                  https://search.yahoo.com/?type=994519&fr=spigot_edge_hp

                  Look in the command line in the quicklaunch shortcut for Edge. Possible that it is hidden in there. Try launching Edge from the command line directly, I bet it works. It's the shortcut that is the issue.

                  as I was reading this thread, I was wondering if this was the case.

                  • DashrenderD
                    Dashrender @bbigford
                    last edited by

                    @BBigford said in Persistent malware in Edge:

                    Here's an interesting part of running from command line @scottalanmiller ... In previous versions of Edge, it was still run as "spartan.exe" since it was originally Spartan. Then with (I think) 1607, it changed. It's not found in Program Files, it's in SystemApps... drilling down you find MicrosoftEdge, and program type is exe. Doing a run command, you can't run anything like MicrosoftEdge, or adding .exe... You have to run microsoft-edge and add the protocol : // (no space... it created an emoji. :D) at the end, then it will launch. Very weird. Then I noticed you can't run the same command microsoft-edge:// and have the program open from CMD, or even try to launch Edge from any of its directories.... just weird.

                    this is probably because it's a UWP app now instead of a traditional x86 app.

                    • DashrenderD
                      Dashrender @scottalanmiller
                      last edited by

                      @scottalanmiller said in Persistent malware in Edge:

                      @BBigford said in Persistent malware in Edge:

                      What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?

                      It was a hint in one of your posts (maybe the OP): you included the word "spigot", which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure was a specific money-making link of some sort.

                      @scottalanmiller said in Persistent malware in Edge:

                      @BBigford said in Persistent malware in Edge:

                      What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?

                      It was a hint in one of your posts (maybe the OP): you included the word "spigot", which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure was a specific money-making link of some sort.

                      You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion? This could have just as easily been in the homepage field within the browser settings itself (can't recall if he said he checked that, but it would be one of the first places I would have checked). The shortcut would have been on a short list of places for me to look as well.

                      Another thing I would have checked was to make sure the shortcut for Edge was really going to edge and not going to another file that was acting like a MITM.

                      But the idea that the URL itself would somehow lead to the conclusion that it was in the shortcut and not buried somewhere deeper in the system, I just don't understand that.

                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in Persistent malware in Edge:

                        You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion?

                        Because that specific URL is indicative of that specific attack. It's not that it is "a URL", it was that it was "that URL."

                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said in Persistent malware in Edge:

                          @Dashrender said in Persistent malware in Edge:

                          You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion?

                          Because that specific URL is indicative of that specific attack. It's not that it is "a URL", it was that it was "that URL."

                          oh, I guess that means you've seen that attack before. OK that does make sense then.
                          Thanks.

                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said in Persistent malware in Edge:

                            @scottalanmiller said in Persistent malware in Edge:

                            @Dashrender said in Persistent malware in Edge:

                            You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion?

                            Because that specific URL is indicative of that specific attack. It's not that it is "a URL", it was that it was "that URL."

                            oh, I guess that means you've seen that attack before. OK that does make sense then.
                            Thanks.

                            Yes, it's a known attack. I wouldn't say popular, but known. That URL essentially only exists for the purposes of this one attack vector.

                            • bbigfordB
                              bbigford @Dashrender
                              last edited by

                              @Dashrender said in Persistent malware in Edge:

                              @scottalanmiller said in Persistent malware in Edge:

                              @BBigford said in Persistent malware in Edge:

                              What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?

                              It was a hint in one of your posts (maybe the OP): you included the word "spigot", which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure was a specific money-making link of some sort.

                              @scottalanmiller said in Persistent malware in Edge:

                              @BBigford said in Persistent malware in Edge:

                              What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?

                              It was a hint in one of your posts (maybe the OP): you included the word "spigot", which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure was a specific money-making link of some sort.

                              You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion? This could have just as easily been in the homepage field within the browser settings itself (can't recall if he said he checked that, but it would be one of the first places I would have checked). The shortcut would have been on a short list of places for me to look as well.

                              Another thing I would have checked was to make sure the shortcut for Edge was really going to edge and not going to another file that was acting like a MITM.

                              But the idea that the URL itself would somehow lead to the conclusion that it was in the shortcut and not buried somewhere deeper in the system, I just don't understand that.

                              I can't open the properties of a taskbar icon like you can a desktop shortcut. I'm sure there is some metadata somewhere in System32 or (more likely) SystemApps, but I just deleted the shortcut, quoted them for a reimage, and moved on.

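The checks Dashrender and bbigford describe above (look at the command line of the Edge shortcut, confirm the shortcut really points at the browser, and inspect pinned taskbar icons whose Properties dialog is not available) can be scripted. The following PowerShell is an added example and not code from this thread: it walks the user's pinned-taskbar, Start Menu and Desktop shortcut folders, reads each .lnk with the WScript.Shell COM object, and flags shortcuts whose arguments carry a URL or protocol, or whose target lives in a user-writable location. The folder paths and the URL regex are assumptions for illustration; the hijack in this thread used the URL from the original post, which a clean browser shortcut never carries in its arguments.

```powershell
# Added example (not from the thread): audit shortcuts for injected URLs or
# swapped targets. Assumes the WScript.Shell COM object is available and
# that pinned taskbar shortcuts live under the usual Quick Launch folder.

$shortcutDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'),
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
)

# A browser shortcut has no business carrying a URL or a protocol handler in
# its argument list; attackers also pad the arguments with spaces so the URL
# sits off-screen in the Properties dialog, which is why we trim nothing here.
$urlPattern = '(?i)(https?://|microsoft-edge:|[a-z0-9.-]+\.(com|net|org)/)'

# Targets under these locations are a common sign of a replaced target binary
# (the "file acting like a MITM" case): user-writable, not an install folder.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC)

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # exposes TargetPath and Arguments
            $reasons = @()
            if ($lnk.Arguments -match $urlPattern) { $reasons += 'URL in arguments' }
            foreach ($root in $userWritable) {
                if ($root -and $lnk.TargetPath -like "$root*") { $reasons += 'target in user-writable path' }
            }
            if ($lnk.TargetPath -and -not (Test-Path -LiteralPath $lnk.TargetPath)) {
                $reasons += 'target does not exist'
            }
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Reasons   = ($reasons -join '; ')
            }
        }
}

# Print only the shortcuts that tripped a heuristic; remove the filter to see all.
$findings | Where-Object { $_.Reasons } | Format-List
```

Run it in the affected user's session, since pinned taskbar shortcuts are per-user. A hit in the Reasons column is a reason to delete the shortcut and recreate it from the installed application, which is the remediation used in this thread.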
                              • bbigfordB
                                bbigford @scottalanmiller
                                last edited by

                                @scottalanmiller said in Persistent malware in Edge:

                                @Dashrender said in Persistent malware in Edge:

                                You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL everytime? What brings you to that conclusion?

                                Because that specific URL is indicative of that specific attack. It's not that it is "a URL", it was that it was "that URL."

                                I was wondering if you had deduced the kind of attack from seeing Spigot in the URL before. I haven't seen that specific one in some time. Didn't even occur to me until you mentioned the shortcut that "oh yeah... infected shortcut."

                                • bbigfordB
                                  bbigford @Dashrender
                                  last edited by bbigford

                                  @Dashrender said:

                                  @BBigford said in Persistent malware in Edge:

                                  Here's an interesting part of running from command line @scottalanmiller ... In previous versions of Edge, it was still run as "spartan.exe" since it was originally Spartan. Then with (I think) 1607, it changed. It's not found in Program Files, it's in SystemApps... drilling down you find MicrosoftEdge, and program type is exe. Doing a run command, you can't run anything like MicrosoftEdge, or adding .exe... You have to run microsoft-edge and add the protocol : // (no space... it created an emoji. :D) at the end, then it will launch. Very weird. Then I noticed you can't run the same command microsoft-edge:// and have the program open from CMD, or even try to launch Edge from any of its directories.... just weird.

                                  this is probably because it's a UWP app now instead of a traditional x86 app.

                                  Yup. That's exactly what it is. I found later something along the lines of "this is an Internet application, not a program in the traditional sense. So you have to put the protocol in the command." -MSDN. I wonder how you're supposed to realistically launch it from CMD/PowerShell, cause the commands I found were ridiculous. Unless Windows is just getting more pointy clicky than ever.

                                  Overall, not being able to easily launch a program/app from CMD or PS is dumb.

                                  Edit: CMD deprecation soon for PowerShell.

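bbigford's observation above that Edge has to be started through the microsoft-edge: protocol rather than by executable name follows from its packaging as a UWP app. The PowerShell below is an added example, not code from this thread or from Microsoft: it reads the command Windows has registered for that protocol, launches Edge through it with an explicit start page, and lists the installed Edge package. The registry path and the package name are assumptions based on Windows 10 builds that ship the legacy Edge; https://example.com is a constructed start page.

```powershell
# Added example (not from the thread): launch and inspect the UWP Edge.
# Assumes the protocol handler is registered under HKLM:\SOFTWARE\Classes
# and that the legacy Edge package is named Microsoft.MicrosoftEdge.

# 1. Which command does the shell run for microsoft-edge: URIs? A hijack
#    that rewrote this handler would show up here, so it is worth a look.
$handlerKey = 'HKLM:\SOFTWARE\Classes\microsoft-edge\shell\open\command'
if (Test-Path -LiteralPath $handlerKey) {
    "microsoft-edge: handler -> " + (Get-ItemProperty -LiteralPath $handlerKey).'(default)'
} else {
    "microsoft-edge: protocol is not registered on this machine"
}

# 2. Launch Edge via the protocol. Whatever follows the scheme is the start
#    page, which is exactly the slot a hijacked shortcut fills with its URL.
Start-Process 'microsoft-edge:https://example.com'
# The cmd.exe equivalent is:  start microsoft-edge:https://example.com

# 3. Being an AppX package is also why Edge is removed and reinstalled as a
#    unit rather than by deleting files under SystemApps.
Get-AppxPackage -Name Microsoft.MicrosoftEdge |
    Select-Object Name, Version, InstallLocation
```

Step 1 and step 3 need no elevation; they read per-machine data that standard users can see, which makes this a quick first check on a machine that keeps opening an unexpected page.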
                                  • DashrenderD
                                    Dashrender
                                    last edited by

                                    UWP apps are like Android apps or iPhone apps. You uninstall the whole thing, then reinstall it.

                                    • bbigfordB
                                      bbigford @Dashrender
                                      last edited by

                                      @Dashrender said in Persistent malware in Edge:

                                      UWP apps are like Android apps or iPhone apps. You uninstall the whole thing, then reinstall it.

                                      What about organizations that allow Edge, but not the Windows Store? You wouldn't be able to reinstall Edge in that case.

                                      • scottalanmillerS
                                        scottalanmiller @bbigford
                                        last edited by

                                        @BBigford said in Persistent malware in Edge:

                                        @Dashrender said in Persistent malware in Edge:

                                        UWP apps are like Android apps or iPhone apps. You uninstall the whole thing, then reinstall it.

                                        What about organizations that allow Edge, but not the Windows Store? You wouldn't be able to reinstall Edge in that case.

                                        Perfect

                                        • bbigfordB
                                          bbigford @scottalanmiller
                                          last edited by bbigford

                                          @scottalanmiller said in Persistent malware in Edge:

                                          @BBigford said in Persistent malware in Edge:

                                          @Dashrender said in Persistent malware in Edge:

                                          UWP apps are like Android apps or iPhone apps. You uninstall the whole thing, then reinstall it.

                                          What about organizations that allow Edge, but not the Windows Store? You wouldn't be able to reinstall Edge in that case.

                                          Perfect

                                          lmao, perfect trickery. Tell someone to uninstall, don't allow reinstall.

                                          • DashrenderD
                                            Dashrender
                                            last edited by

                                            Not sure a non admin can uninstall UWP apps. Store access should be available to admins.
