
Thread: Name: SRLApplet Publisher: Husdawg LLC

  1. #1
    Junior Member
    Join Date
    Jul 2011
    Posts
    5

    Default Name: SRLApplet Publisher: Husdawg LLC

    I have found this application wants to run every time I launch Firefox, I have done some searches on Google for the keywords "Husdawg LLC SRLApplet" and the search results are totally manufactured. Please someone verify what I am seeing. There are fake sites that come up out of the search that claim it is safe, from places that look forged:
    http://www.twcenter.net/forums/showthread.php?t=287673
    http://www.swtor.com/community/showthread.php?t=114475
    Even when I try to search for "virus security srlapplet husdawg llc" I end up getting the same message that it is safe to run, but again, this looks bogus as they say in the second post how to turn off your protections.

    Question1: This appears to be a serious threat for a long time (2009 to now) and yet no Anti-virus/Spybot/etc will find it. Seems like this really did masquerade with a valid cert for a while (expired in Feb 2011).
    Question2: What kind of stuff has 'fake' search results like this? I looked through dozens of search results and I cannot find any conversation about this applet that's trying to run on my machine.
    Question3: Could I be personally targeted? How could there be no other mentions of this anywhere on the net?
    Question4: How do I find this SRLApplet and a) quarantine it so it stops trying to start up and crashes my browser b) how do I find the executable?
    I don't even know the name of the file that is causing the security alert for me (invalid cert). Please advise.

    -chris
    Last edited by tashi; 2011-07-17 at 05:24. Reason: Removed duplicate topics :-)

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    32,699

    Default

    Hello lankro,

    Which version of Firefox do you have and what is the operating system?

    Best regards.
    Microsoft MVP. Consumer Security 2006-2014


  3. #3
    Junior Member
    Join Date
    Jul 2011
    Posts
    5

    Default Version info

    Firefox is 5.0 and OS is Windows 7 Ultimate 64-bit OEM SP1
    Intel Xeon E5520@ 2.27GHz (2 CPU) w/12G RAM

    I also located a verification that this is indeed some kind of malicious known thing:

    http://packetstormsecurity.org/files/cve/CVE-2008-4385
    http://packetstormsecurity.org/files..._unsafe.rb.txt

    Now I just need to figure out how to capture and send it to you.
    Last edited by lankro; 2011-07-17 at 21:12.

  4. #4
    Junior Member
    Join Date
    Jul 2011
    Posts
    5

    Default More Info

    So I tracked down the source URL of this malicious Applet:
    http://www.nvidia.com/Download/Scan.aspx?lang=en-us

    Please verify?
    Last edited by tashi; 2011-07-18 at 05:53. Reason: Disabled link

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    32,699

    Default

    Hello lankro,

    I left a note bringing this thread to the attention of our detectives.

    Best regards.
    Microsoft MVP. Consumer Security 2006-2014


  6. #6
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,111

    Default

    This is no threat.
    The software in question is used by various vendors like NVidia to determine installed hardware on the computer. In case of NVidia it is used to determine the graphics card so the NVidia website can offer the corresponding driver update to make it easier for the user to find the correct driver update.

    However on some systems this software does not appear to be working correctly, in my tests I was not able to install or run the Husdawg software from the NVidia site with the Firefox, only with the Internet Explorer.

    You should be able to uninstall or disable the browser-addon within your browser if it causes trouble.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  7. #7
    Junior Member
    Join Date
    Jul 2011
    Posts
    5

    Default

    I understand what the application is claiming to do, but what efforts have been taken to really understand what this software does? Also, why is it listed as a known threat on a security website?

    I understand that the 'authorities' see this as not a threat, but what kind of technical evaluation of the applet has been done. Is there a way I could enable it in a safe mode that tracks all operations it takes so that I can personally audit its behavior? I'd be willing to buy software if it exists that could wrap around it to see what it's doing. Anything like that out there?

    Thank you for looking into this, I'm hoping to use this as an exercise to learn something new.

    -chris

  8. #8
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    32,699

    Default

    Hi lankro,
    Quote Originally Posted by lankro View Post
    I understand what the application is claiming to do, but what efforts have been taken to really understand what this software does?
    Quote Originally Posted by Yodama View Post
    The software in question is used by various vendors like NVidia to determine installed hardware on the computer. In case of NVidia it is used to determine the graphics card so the NVidia website can offer the corresponding driver update to make it easier for the user to find the correct driver update.
    Quote Originally Posted by lankro View Post
    Also, why is it listed as a known threat on a security website?
    Perhaps the website was noting a vulnerability, such happens. US-CERT: http://www.kb.cert.org/vuls/id/166651

    Quote Originally Posted by lankro View Post
    Seems like this really did masquerade with a valid cert for a while (expired in Feb 2011).
    It appears for whatever reason that HusDawgLlc is no longer a registered domain. However vendors may still be using the product to determine installed hardware on a computer.
    Quote Originally Posted by Yodama View Post
    You should be able to uninstall or disable the browser-addon within your browser if it causes trouble.
    Have you tried that?

    Best regards.
    Microsoft MVP. Consumer Security 2006-2014


  9. #9
    Junior Member
    Join Date
    Jul 2011
    Posts
    5

    Default Protection

    So I'm still a little confused that this applet is a known threat that is ignored by SpyBot (not to mention everyone else), with suspicious sites created just to encourage users to run it, yet it is insecure?

    Why wouldn't SpyBot automatically protect my system from this vulnerability based on the fact that it is a legitimate security concern as you have mentioned: http://www.kb.cert.org/vuls/id/166651

    I have applied the registry protection cited in the article above:

    Disable the System Requirements Lab ActiveX controls in Internet Explorer

    The vulnerable ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

    {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}
    {BE833F39-1E0C-468C-BA70-25AAEE55775E}
    {BE833F39-1E0C-468C-BA70-25AAEE55775F}

    More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BE833F39-1E0C-468C-BA70-25AAEE55775E}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BE833F39-1E0C-468C-BA70-25AAEE55775F}]
    "Compatibility Flags"=dword:00000400


    Is it unreasonable to ask that SpyBot simply do this automatically?

    I'm still struggling to understand the statement: "This is no threat," when clearly the Dept. of Homeland Security says: "The Husdawg, LLC. System Requirements Lab ActiveX control and Java applet allow an unauthenticated remote attacker to download and execute arbitrary code."

    Can you explain why this is not a threat please?
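
A read-only check for the kill bits quoted in the post above, as an added example that is not part of the original thread or the US-CERT note. It goes slightly beyond the quoted .REG text by also checking the Wow6432Node view, which 32-bit Internet Explorer reads on 64-bit Windows such as the poster's Windows 7 x64.

```powershell
# Added example: audit the IE kill bit for the CLSIDs quoted from VU#166651.
# Run from 64-bit PowerShell; a 32-bit host is redirected to Wow6432Node.
$clsids = @(
    '{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}',
    '{BE833F39-1E0C-468C-BA70-25AAEE55775E}',
    '{BE833F39-1E0C-468C-BA70-25AAEE55775F}'
)
$killBit = 0x400   # "Compatibility Flags" value from the .REG text above

# The native view serves 64-bit IE; Wow6432Node serves 32-bit IE on 64-bit Windows.
$views = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

$unprotected = 0
foreach ($view in $views) {
    # Wow6432Node does not exist on 32-bit Windows, so skip a missing view.
    if (-not (Test-Path -LiteralPath $view)) { continue }
    foreach ($clsid in $clsids) {
        $key  = "$view\$clsid"
        $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if (-not $item) {
            $state = 'key or value missing'
        } elseif (([int]$item.'Compatibility Flags') -band $killBit) {
            $state = 'kill bit set'
        } else {
            $state = 'kill bit NOT set'
        }
        if ($state -ne 'kill bit set') { $unprotected++ }
        '{0,-22} {1}' -f $state, $key
    }
}
"$unprotected key(s) without the kill bit"
```

The kill bit only stops Internet Explorer from instantiating the ActiveX controls; it has no effect on the Java applet that Firefox prompts about.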

  10. #10
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    32,699

    Default

    Hello lankro,

    Quote Originally Posted by lankro View Post
    Why wouldn't SpyBot automatically protect my system from this vulnerability based on the fact that it is a legitimate security concern as you have mentioned: http://www.kb.cert.org/vuls/id/166651
    To clarify,
    Quote Originally Posted by tashi View Post
    Perhaps the website was noting a vulnerability, such happens. US-CERT: http://www.kb.cert.org/vuls/id/166651
    "III. Solution
    Apply an update"

    The same for vulnerabilities found in browsers, Adobe products, Java, Windows, etc. Once a fix is provided we users can update.

    Useful news is provided by AplusWebMaster in one of our sub-forums: General Security Alerts

    Best regards.
    Microsoft MVP. Consumer Security 2006-2014

