CpaText aka NetSecurity Web Virus Discovery

I discovered this virus behaviour when I was just testing a simple local HTML file in Firefox. But the same behaviour was repeating on all sites/pages I was surfing. That is why it was so f*cking sloooow.

And when I refreshed the page, in my NET tab I saw XHR requests (GET and POST):

[screenshot cpatext1: the XHR GET and POST requests in the Net tab]

In fact, the requests were going to https : // api . cpatext . ru / cpatext . js, a file which parses the POST and GET data and does something with it. When I opened https : // cpatext . ru I saw this:

[screenshot cpatext2_site: the cpatext . ru front page]

which means that this is a site collecting advertisement results, fetched from the different sites on which the specific JavaScript calls are being made.

I googled it and found that it is a kind of virus/malware, and that there is a treatment like this: remove the files

C:\Users\123\AppData\Local\Google\Chrome\User Data\Default\preferences
C:\Users\123\AppData\Roaming\Mozilla\Firefox\Profiles\xn05scp5.default\prefs.js

But it's very cruel to drop all preferences. So I just ran CCleaner first.

Nevertheless, the real treatment is disabling the add-on “NetSecurity”.

I went to my Firefox Add-ons \ Extensions list and started disabling them one by one, restarting Firefox each time. And I found out that NetSecurity was the cause.

[screenshot cpatext_netsecurity: the NetSecurity add-on in the Extensions list]

So I disabled/enabled/disabled/enabled it, and I could reproduce that this vulnerability still becomes active again.

Crap … but now it's fine.
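A quicker way to tie the GET/POST pairs in the Net tab to the add-on than disabling extensions one at a time is to hook XMLHttpRequest.prototype.open from the browser console and record, for every request that leaves the page's own host, the JavaScript stack of the caller. In Firefox an add-on's content script shows up in that stack as a moz-extension:// URL (chrome-extension:// in Chrome), so the offending extension names itself. The snippet below is an added example, not code from the original post or from the NetSecurity add-on; the host api.cpatext.ru and the GET/POST pair come from the post, while the StubXHR class, the localhost page origin and the request paths are assumptions so that it also runs offline under Node.

```javascript
// Added example (not from the original post): record every XHR that leaves the
// page's own host together with the caller's stack, then group it by host.
// Assumed: StubXHR stands in for the browser's XMLHttpRequest, the page lives at
// http://localhost/test.html, and the request paths are constructed sample traffic.

// Stand-in for XMLHttpRequest so the example runs offline (assumed, not a browser API).
class StubXHR {
  open(method, url) { this.method = method; this.url = url; }
  send() {}
}

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch (e) { return "(unparseable)"; }
}

// Replace XhrClass.prototype.open with a recording wrapper and return a function
// that restores the original. In a real page, run it from the console as
//   installXhrMonitor(XMLHttpRequest, location.href, window.__xhrLog = [])
function installXhrMonitor(XhrClass, pageUrl, log) {
  const firstParty = hostOf(pageUrl, pageUrl);
  const origOpen = XhrClass.prototype.open;
  XhrClass.prototype.open = function (method, url, ...rest) {
    const host = hostOf(String(url), pageUrl);
    if (host !== firstParty) {
      log.push({
        method: String(method).toUpperCase(),
        host,
        url: String(url),
        stack: new Error().stack || "",   // which script called open(): page or add-on?
      });
    }
    return origOpen.call(this, method, url, ...rest);
  };
  return () => { XhrClass.prototype.open = origOpen; };
}

// Group captured requests by host, count GET/POST, and flag hosts whose callers
// include an extension URL in the stack.
function summarize(log) {
  const byHost = {};
  for (const entry of log) {
    const h = byHost[entry.host] ||
      (byHost[entry.host] = { GET: 0, POST: 0, other: 0, fromExtension: false });
    const key = entry.method === "GET" || entry.method === "POST" ? entry.method : "other";
    h[key] += 1;
    if (/\b(moz|chrome)-extension:\/\//.test(entry.stack)) h.fromExtension = true;
  }
  return byHost;
}

// Constructed traffic mirroring what the post saw in the Net tab after a refresh.
function demo() {
  const log = [];
  const uninstall = installXhrMonitor(StubXHR, "http://localhost/test.html", log);
  const xhr = new StubXHR();
  xhr.open("GET", "/test.html");                                       // first party: ignored
  xhr.open("GET", "https://api.cpatext.ru/cpatext.js?ref=localhost");  // third party: recorded
  xhr.open("POST", "https://api.cpatext.ru/cpatext.js");               // third party: recorded
  uninstall();
  xhr.open("POST", "https://api.cpatext.ru/cpatext.js");               // hook removed: not recorded
  return summarize(log);
}

console.log(JSON.stringify(demo(), null, 2));
```

In the browser the interesting field is `stack`: print `window.__xhrLog.map(e => e.stack)` after a page load and look for a moz-extension:// frame above the page's own scripts. Recent Firefox versions also show the same information without any hooking, in the Stack Trace tab of a request's details in the Network panel.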


PS. So where did I catch this virus? I remember I was downloading DownloadApp.exe to install Adobe Audition 1.5. As a result, Opera, webget and possibly something else got installed for me. Then I removed all this shit, but I did not take into account that Firefox had been updated with this crappy NetSecurity add-on.

PS2. Considering that these are RU and UA domains, I would say: F*CK YOU hackers from UA and RU, WTF? Why don't I have such issues with US/GB sites? Are there smarter people? Are they more confident than these UA/RU ppl?
