Late Night Computer Security: Half asleep at the keyboard
I was up until 3:30am this morning researching something on the Internet and then all of a sudden, my desktop firewall pops up a message asking me if I want to allow an unfamiliar “.exe” file to access the Internet. My firewall is set up so that anytime an executable that I haven’t marked as safe wants to access the Internet, it prompts me if I want to let it out. “Oh great,” I thought to myself, “I must have been hit by some type of zero-day exploit.” I click the disallow button and right after I click the button I think, “Wait. What was the name of that executable again?” Doh!
So then I’m sitting there thinking to myself, half-awake, that it really doesn’t matter if I go back to that Website, because at this point, I’m just going to save this VMware image for analysis. I go back to the Website, click on the link and sure enough, I get the firewall prompt again. The file is named plugin-container.exe. “What the heck is this?” I think. A quick Google check and yes, you probably already know this – it’s a Firefox process that runs your plug-ins under a separate process.
I recall reading headlines over the past week that Firefox has a new crash protection feature, but I didn’t realize this was it. The crash feature is mentioned in the release notes and on Mozilla’s blog, but there is no mention that this feature spawns a new process named plugin-container.exe. Lame.
I hate when stuff like this happens, but I guess it’s to be expected when I’m half asleep at the keyboard.

I actually had a similar thing happen to me late one night. I was analyzing a fresh packet capture in Netwitness Investigator and several warning messages came up: suspicious .EXE and suspicious communication type alarms.
I thought I somehow got infected. It was great though, because Netwitness captured everything. As I analyzed the data, I realized that I wasn’t infected; I had just captured my Anti-Virus doing a product update. Lol….
That’s funny! Thanks for sharing your story.