Posts posted by itman
I am also wondering if we are looking at exploitation of a new IPv6 DoH DNS rebind vulnerability similar to the IPv4 one noted here;
Quote
Vulnerability Details: CVE-2020-26961
When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.
Now my ISP uses 6rd tunneling on its network. This is the reverse of the above in that all IPv6 traffic is tunneled through an IPv4 connection via use of a tunnel broker ISP.
Let's again review what happens when a connection is made to https://crackingpatching.com/2017/03/avast-pro-antivirus-internet-security-premier-17-2-3419-0-keys.html with DoH enabled in Firefox;
Eset Filtered Web Site log shows it blocked access;
Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:27 AM;https://crackingpatching.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;104.21.43.46;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB
Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:28 AM;https://accounts.google.com/o/oauth2/postmessageRelay?parent=https://crackingpatching.com&jsh=m;/_/scs/abc-static/_/js/k=gapi.lb.en.8uXxGUoumbY.O/d=1/rs=AHpOoo96qx3mL4tzGUOa-0q0udyPRqEAoA/m=__features__;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;2607:f8b0:4023:140d::54;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB
Notice that two connections are made, the first in IPv4 to the TLD. Eset doesn't alert or block the connection in this instance.
However, with DoH disabled in Firefox, only one connection is being made/logged. It is to the TLD. Most importantly, it is via IPv6. Eset alerts and blocks this connection;
Time;URL;Status;Detection;Application;User;IP address;Hash
3/11/2024 11:25:41 AM;https://crackingpatching.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3034::6815:2b2e;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB
Also significant is that the URL shown on the Eset block alert is the sub-domain; https://crackingpatching.com/2017/03/avast-pro-antivirus-internet-security-premier-17-2-3419-0-keys.html
I have seen enough that I am keeping DoH permanently disabled.
-
Quote
Are there public decryption tools for CryptoWall 2.0 and 3.0 and CryptoWall 4.0?
There are no public decryption tools available for CryptoWall 2.0, 3.0, or 4.0 at this time.
https://www.salvagedata.com/cryptowall-ransomware-data-recovery/
-
3 hours ago, SeriousHoax said:
Same here. But on Chrome and Edge it's not behaving correctly even in default settings. So, it's a far more serious issue as more people use Chrome and Edge.
My guess is Chrome and Edge are reloading the web page from their cache versus from its source as Firefox does.
-
-
Based on this forum posting: https://forum.eset.com/topic/25526-expired-license-how-to-disable-popup/ and others like it, there is no way to stop the license expiration popup alert other than by uninstalling Eset.
-
25 minutes ago, SeriousHoax said:
The above issue I showed in the GIF above is happening even when DoH is disabled in Edge. So, the problem is probably worse than we thought.
No problem in Firefox in this regard w/DoH disabled. When I select the reload icon, the site is blocked again.
-
1 hour ago, SeriousHoax said:
Have a look at this weird behavior on Edge:
I would say DoH should be disabled on all browsers till Eset fixes the problem.
-
Another observation.
With DoH disabled in Firefox, attempted access to https://crackingpatching.com/2017/03/avast-pro-antivirus-internet-security-premier-17-2-3419-0-keys.html results in blocking at the TLD as should be;
Time;URL;Status;Detection;Application;User;IP address;Hash
3/10/2024 10:09:53 AM;https://crackingpatching.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3034::6815:2b2e;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB
-
Your posted screen shots show the Eset firewall blocking incoming DNS traffic from your router.
At first glance, I would say your router is not properly configured, malfunctioning, or has been hacked.
-
Did more testing with the TLD https://crackingpatching.com/
The problem is with DoH enabled in Firefox.
With DoH disabled, Eset will alert and block access every time. When any of the DoH settings are enabled, Eset might block it once after the setting change but not thereafter. It doesn't matter which DoH option or DoH provider is selected.
I am keeping DoH disabled until this is resolved. Glad you found this problem.
-
Found the problem, I believe.
Eset Filtered Web Site log shows it blocked access;
Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:27 AM;https://crackingpatching.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;104.21.43.46;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB
Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:28 AM;https://accounts.google.com/o/oauth2/postmessageRelay?parent=https://crackingpatching.com&jsh=m;/_/scs/abc-static/_/js/k=gapi.lb.en.8uXxGUoumbY.O/d=1/rs=AHpOoo96qx3mL4tzGUOa-0q0udyPRqEAoA/m=__features__;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;2607:f8b0:4023:140d::54;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB
But web site access is not blocked.
Notice the redirect to Google. Looks like someone has figured out how to bypass Eset Web Filtering on Firefox.
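Added example (written for this page; it is not code from itman's posts or from ESET): a small Python parser for the Filtered Websites records quoted in this post and in the later post that compares the DoH-enabled and DoH-disabled cases, plus an address check of the kind the CVE-2020-26961 description calls for (unwrap an IPv4-mapped IPv6 address before testing it against private ranges). The parser copes with the two defects visible in the pasted records: a following header or sentence fused straight onto the hash, and a URL field that itself contains a `;`, so a plain split on `;` would misalign every column. The sample records are the ones quoted in the posts (the "xxxxx" user fields included); the function names, the `Record` class and the regular expression are mine and are not an ESET log format specification.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the three records quoted in the posts, pasted the way the
# forum rendered them. Record 1 has the next export's header fused onto its hash,
# record 2 has a URL containing ';', record 3 has the poster's prose fused on.
SAMPLE = "\n".join([
    r"Time;URL;Status;Detection;Application;User;IP address;Hash",
    r"3/9/2024 11:43:27 AM;https://crackingpatching.com;Blocked;Internal blacklist;"
    r"C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;104.21.43.46;"
    r"F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB"
    r"Time;URL;Status;Detection;Application;User;IP address;Hash",
    r"3/9/2024 11:43:28 AM;https://accounts.google.com/o/oauth2/postmessageRelay"
    r"?parent=https://crackingpatching.com&jsh=m;/_/scs/abc-static/_/js/"
    r"k=gapi.lb.en.8uXxGUoumbY.O/d=1/rs=AHpOoo96qx3mL4tzGUOa-0q0udyPRqEAoA/m=__features__;"
    r"Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;"
    r"2607:f8b0:4023:140d::54;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB",
    r"3/11/2024 11:25:41 AM;https://crackingpatching.com;Blocked;Internal blacklist;"
    r"C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3034::6815:2b2e;"
    r"F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB"
    r"Also significant is that the URL shown on the Eset block alert is the sub-domain",
])

# A record starts with the export's timestamp (M/D/YYYY h:mm:ss AM|PM).
TIMESTAMP = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"

# The URL is matched non-greedily and grows only until the six trailing
# fields (status .. 40-hex hash) line up, so a ';' inside the URL is kept.
# The hash is exactly 40 hex digits, so fused text after it is ignored.
RECORD = re.compile(
    rf"(?P<time>{TIMESTAMP});"
    r"(?P<url>.*?);"
    r"(?P<status>[^;\n]*);(?P<detection>[^;\n]*);(?P<application>[^;\n]*);"
    r"(?P<user>[^;\n]*);(?P<ip>[0-9A-Fa-f.:]+);(?P<hash>[0-9A-Fa-f]{40})"
)


@dataclass
class Record:
    time: str
    url: str
    status: str
    detection: str
    application: str
    user: str
    ip: str
    hash: str


def parse_filtered_sites(text: str) -> list[Record]:
    """Recover records from a pasted export even when they are run together."""
    records = []
    for m in RECORD.finditer(text):
        try:
            ipaddress.ip_address(m.group("ip"))  # reject a misaligned parse
        except ValueError:
            continue
        records.append(Record(**m.groupdict()))
    return records


def rebind_check(ip_text: str) -> dict:
    """Classify an address the way a DoH client should after CVE-2020-26961:
    unwrap an IPv4-mapped IPv6 address first, then test the real address
    against private ranges rather than trusting the IPv6 wrapper."""
    addr = ipaddress.ip_address(ip_text)
    mapped = addr.ipv4_mapped if addr.version == 6 else None
    effective = mapped if mapped is not None else addr
    return {
        "family": addr.version,
        "ipv4_mapped": mapped is not None,
        "filter": effective.is_private,  # what a rebinding filter should drop
    }


def summarize(text: str) -> list[tuple[str, int, bool]]:
    """(url, address family, should-filter) for every record in the paste."""
    out = []
    for rec in parse_filtered_sites(text):
        check = rebind_check(rec.ip)
        out.append((rec.url, check["family"], check["filter"]))
    return out


if __name__ == "__main__":
    for url, family, flagged in summarize(SAMPLE):
        print(f"IPv{family}  filter={flagged}  {url[:60]}")
    print(rebind_check("::ffff:192.168.1.1"))
```

Run stand-alone it prints one line per recovered record, showing the IPv4 then IPv6 pattern from the DoH-enabled capture and the IPv6-only block from the DoH-disabled one; the last line shows a mapped private address being flagged even though, as a raw IPv6 string, it does not fall in any RFC1918 block.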
-
4 hours ago, SeriousHoax said:
For example, here's a VT link of a fake crack program website already in ESET's blacklist: https://www.virustotal.com/gui/url/5583ee6d3fa820c9c851f37746d9b5a896da37bc7ce93329d6dcc02e4b7d9daa/detection
But with above DNS settings, it is not blocked:
I have Firefox DNS over HTTPS set to Default level w/CloudFlare as DNS provider. I am also using CloudFlare as my Win 10 DNS provider.
When I try to access the malicious URL in question, I can access the web site and even download the malicious crack.
Quote
When I set Firefox's DNS over HTTPS settings to Off, ESET blocks it.
Same here.
I am wondering if this is a Firefox problem since Eset blocks the URL on Chrome?
-EDIT-
I set Firefox DNS over HTTPS to Increased Protection using CloudFlare as DNS provider, Eset alert now displayed on attempted web page access. However, w/ DNS over HTTPS set to Maximum protection, no web site blocking occurs. Also when setting back to Increased Protection, no Eset alert. Clearing all browser cache settings, restarting Firefox, setting to Default protection, Eset now alerts. Repeat test at Default protection, Eset still alerts.
I would say this is indeed a Firefox bug.
-
Quote
Canary file
A canary file is a fake computer document placed amongst actual documents to aid in the early detection of unauthorized data access, copying or modification.
https://help.eset.com/glossary/en-US/canary_file.html
Assumed here is that these are "bait" files, which are commonly used in anti-ransomware apps to detect ransomware encryption activities.
-
17 minutes ago, Marcos said:
What do you mean by "Node JS"?
He's referring to Node.js based malware; example here: https://any.run/cybersecurity-blog/lu0bot-analysis/ .
-
I will also add that Eset doesn't perform SSL/TLS scanning on every HTTPS web site. Select trusted sites known to Eset are excluded.
-
You can no longer rename or modify any network connection Eset creates other than change its profile type.
You can however create a new network connection which Eset now calls a Profile.
-
22 minutes ago, SeriousHoax said:
The help link you gave above has the link to the extension in Chrome store:
https://chromewebstore.google.com/detail/eset-browser-privacy-secu/oombnmpbbhbakfpfgdflaajkhicgfaam
True. But this extension will not show when searching Chrome Store Extensions under "Eset" criteria.
You can try it in Brave and see if it installs. If it does install, my guess is it won't work.
-
2 hours ago, SeriousHoax said:
Not even if I manually install it?
Not possible.
Brave uses extensions from the Chrome Store. The only Eset extension available there is for Eset Password Manager.
-
As far as Eset previous detections of this malware, refer to this thread: https://forum.eset.com/topic/36848-jsspybankerkn/ .
-
-
15 minutes ago, SeriousHoax said:
Also, I'm curious to know if "ESET Browser Privacy & Security" extension with Secure Search works in Brave. Do you know
It does not support Brave;
Quote
Browser Privacy & Security
You can enable the Browser Privacy & Security feature through a custom extension available on supported browsers (Google Chrome, Mozilla Firefox and Microsoft Edge only).
https://help.eset.com/essp/17/en-US/banking_and_payment_protection.html?idh_config_bps.html
-
2 hours ago, Purpleroses said:
I looked in my Eset, and it says it was cleaned by deleting. Does that mean I don't have a virus on my computer?
Yes.
However, you are using Brave browser. Brave is not a Secured Browser protection supported browser. This leaves you vulnerable to browser memory based code injection attacks, keyloggers, etc.
-
There's an older thread in the forum on a similar PowerShell malware. In this case, a rogue sub-directory was created in C:\Windows\System32: https://forum.eset.com/topic/32653-annoying-powershellagentaew-on-each-start-need-assitence/#elControls_152733_menu .
In any case, diagnosis will be a bit involved.
ESET Web Protection doesn't block websites on Firefox
in ESET Internet Security & ESET Smart Security Premium
Confirmed. DoH does not prevent a DNS rebind attack;
https://research.nccgroup.com/2020/03/30/impact-of-dns-over-https-doh-on-dns-rebinding-attacks/