Name: SRLApplet Publisher: Husdawg LLC



lankro
2011-07-17, 03:53
I have found this application wants to run every time I launch Firefox. I have done some searches on Google for the keywords "Husdawg LLC SRLApplet" and the search results are totally manufactured. Please someone verify what I am seeing. There are fake sites that come up out of the search that claim it is safe, from places that look forged:
http://www.twcenter.net/forums/showthread.php?t=287673
http://www.swtor.com/community/showthread.php?t=114475
Even when I try to search for "virus security srlapplet husdawg llc" I end up getting the same message that it is safe to run, but again, this looks bogus as they say in the second post how to turn off your protections.

Question1: This appears to be a serious threat for a long time (2009 to now) and yet no Anti-virus/Spybot/etc will find it. Seems like this really did masquerade with a valid cert for a while (expired in Feb 2011).
Question2: What kind of stuff has 'fake' search results like this? I looked through dozens of search results and I cannot find any conversation about this applet that's trying to run on my machine.
Question3: Could I be personally targeted? How could there be no other mentions of this anywhere on the net?
Question4: How do I find this SRLApplet and a) quarantine it so it stops trying to start up and crashes my browser b) how do I find the executable?
I don't even know the name of the file that is causing the security alert for me (invalid cert). Please advise.

-chris

tashi
2011-07-17, 05:28
Hello lankro,

Which version of Firefox do you have and what is the operating system?

Best regards.

lankro
2011-07-17, 21:08
Firefox is 5.0 and OS is Windows 7 Ultimate 64-bit OEM SP1
Intel Xeon E5520@ 2.27GHz (2 CPU) w/12G RAM

I also located a verification that this is indeed some kind of malicious known thing:

http://packetstormsecurity.org/files/cve/CVE-2008-4385
http://packetstormsecurity.org/files/view/83118/systemrequirementslab_unsafe.rb.txt

Now I just need to figure out how to capture and send it to you.

lankro
2011-07-18, 04:13
So I tracked down the source URL of this malicious Applet:
http://www.nvidia.com/Download/Scan.aspx?lang=en-us

Please verify?

tashi
2011-07-18, 05:57
Hello lankro,

I left a note bringing this thread to the attention of our detectives. :)

Best regards.

Yodama
2011-07-18, 08:19
This is no threat.
The software in question is used by various vendors like NVidia to determine installed hardware on the computer. In case of NVidia it is used to determine the graphics card so the NVidia website can offer the corresponding driver update to make it easier for the user to find the correct driver update.

However, on some systems this software does not appear to be working correctly; in my tests I was not able to install or run the Husdawg software from the NVidia site with Firefox, only with Internet Explorer.

You should be able to uninstall or disable the browser-addon within your browser if it causes trouble.

lankro
2011-07-19, 13:35
I understand what the application is claiming to do, but what efforts have been taken to really understand what this software does? Also, why is it listed as a known threat on a security website?

I understand that the 'authorities' see this as not a threat, but what kind of technical evaluation of the applet has been done? Is there a way I could enable it in a safe mode that tracks all operations it takes so that I can personally audit its behavior? I'd be willing to buy software if it exists that could wrap around it to see what it's doing. Anything like that out there?

Thank you for looking into this, I'm hoping to use this as an exercise to learn something new.

-chris

tashi
2011-07-19, 16:49
Hi lankro,

> I understand what the application is claiming to do, but what efforts have been taken to really understand what this software does?

> The software in question is used by various vendors like NVidia to determine installed hardware on the computer. In case of NVidia it is used to determine the graphics card so the NVidia website can offer the corresponding driver update to make it easier for the user to find the correct driver update.

> Also, why is it listed as a known threat on a security website?

Perhaps the website was noting a vulnerability, such happens. US-CERT: http://www.kb.cert.org/vuls/id/166651

> Seems like this really did masquerade with a valid cert for a while (expired in Feb 2011).

It appears for whatever reason that HusDawgLlc is no longer a registered domain. However vendors may still be using the product to determine installed hardware on a computer.

> You should be able to uninstall or disable the browser-addon within your browser if it causes trouble.

Have you tried that? :)

Best regards.

lankro
2011-07-20, 01:24
So I'm still a little confused that this applet is a known threat that is ignored by SpyBot (not to mention everyone else), with suspicious sites created just to encourage users to run it, yet it is insecure?

Why wouldn't SpyBot automatically protect my system from this vulnerability based on the fact that it is a legitimate security concern as you have mentioned: http://www.kb.cert.org/vuls/id/166651

I have applied the registry protection cited in the article above:

Disable the System Requirements Lab ActiveX controls in Internet Explorer

The vulnerable ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}
{BE833F39-1E0C-468C-BA70-25AAEE55775E}
{BE833F39-1E0C-468C-BA70-25AAEE55775F}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BE833F39-1E0C-468C-BA70-25AAEE55775E}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BE833F39-1E0C-468C-BA70-25AAEE55775F}]
"Compatibility Flags"=dword:00000400


Is it unreasonable to ask that SpyBot simply do this automatically?

I'm still struggling to understand the statement: "This is no threat," when clearly the Dept. of Homeland Security says: "The Husdawg, LLC. System Requirements Lab ActiveX control and Java applet allow an unauthenticated remote attacker to download and execute arbitrary code."

Can you explain why this is not a threat please?
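
A read-only check that the kill bits from the advisory text quoted in the post above are actually in place, as an added example that is not part of the original thread or the advisory. It assumes PowerShell 3.0 or later; `Get-KillBitStatus` is a hypothetical helper name, and the `Wow6432Node` view is included because 32-bit Internet Explorer on 64-bit Windows (the OS reported earlier in the thread) reads its ActiveX compatibility flags from there. It covers only the Internet Explorer ActiveX controls named in the advisory text.

```powershell
# Added example (not from the thread): report whether the kill bit is set
# for the three CLSIDs quoted from the advisory. Read-only; changes nothing.
# Run from 64-bit PowerShell so both registry views are visible separately.
$Clsids = @(
    '{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}',
    '{BE833F39-1E0C-468C-BA70-25AAEE55775E}',
    '{BE833F39-1E0C-468C-BA70-25AAEE55775F}'
)
$KillBit = 0x400   # value of "Compatibility Flags" in the .REG text above
$SubKey  = 'Microsoft\Internet Explorer\ActiveX Compatibility'

# Native view first; the Wow6432Node view exists only on 64-bit Windows.
$Roots = @("HKLM:\SOFTWARE\$SubKey")
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += "HKLM:\SOFTWARE\Wow6432Node\$SubKey"
}

# Hypothetical helper: read one CLSID's flags under one registry view.
function Get-KillBitStatus {
    param([string]$Root, [string]$Clsid)
    $flags = $null
    $key = "$Root\$Clsid"
    if (Test-Path -LiteralPath $key) {
        $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($item) { $flags = $item.'Compatibility Flags' }
    }
    [pscustomobject]@{
        View       = if ($Root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
        Clsid      = $Clsid
        Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(absent)' }
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    }
}

$report = foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) { Get-KillBitStatus -Root $root -Clsid $clsid }
}
$report | Format-Table -AutoSize

# Summarize any view/CLSID pair where the kill bit is missing.
$missing = @($report | Where-Object { -not $_.KillBitSet })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} entries lack the kill bit" -f $missing.Count, @($report).Count)
}
```

A row with `KillBitSet` False in the 32-bit view after importing the .REG text means the import only reached the native view.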

tashi
2011-07-20, 05:46
Hello lankro,


> Why wouldn't SpyBot automatically protect my system from this vulnerability based on the fact that it is a legitimate security concern as you have mentioned: http://www.kb.cert.org/vuls/id/166651

To clarify,

> Perhaps the website was noting a vulnerability, such happens. US-CERT: http://www.kb.cert.org/vuls/id/166651

"III. Solution
Apply an update"

The same for vulnerabilities found in browsers, Adobe products, Java, Windows, etc. Once a fix is provided we users can update. :)

Useful news is provided by AplusWebMaster in one of our sub-forums: General Security Alerts (http://forums.spybot.info/forumdisplay.php?f=28)

Best regards.

boteycur
2013-06-02, 21:04
I had to give permission to download/install SRLApplet in order for the Intel site (http://www.intel.com/p/en_US/support/detect?iid=dc_iduu) to do a driver scan of my machine to tell me which of their drivers need to be updated.

.........Curtis.........
