Caveat- Microsoft Press web site

Discussion in 'other software & services' started by Howard Kaikow, Sep 19, 2009.

Thread Status:
Not open for further replies.
  1. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I should have said "load", but that is effectively an install for a DLL.

    No, but they can register/unregister DLLs programmatically.

    The difference is the AV software.

    All I was saying is that IE 6 may cause some AV to flag attempts to "load new or modified module".

    It's good to see such messages, as they sometimes indicate serious malware issues.

    I did not assume that it applies to everyone. It clearly depends on the AV used.
     
  2. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    With IE6 it has a horrible time rendering PNG images and transparencies and pages can look totally "munged" if you don't apply various coding fixes/stylesheets especially for IE6.

    That's what PNGFILT.DLL is all about. Considering MS has a lot of shiny stuff on that page, I'd say they are loading that dll to see if you're capable of rendering the page right before showing you the "munged" version if you can't.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is very interesting.

    1) Since I don't have an AV that does this, shouldn't I show a new or modified DLL on my system?

    2) For a new or modified DLL to load, it first has to cache as the web page is loading. I see no PNGFILT.DLL in the cache after the page loads.

    3) Where is the code on the page that performs this task? The HTML source is the file, "book". I don't find anything there, but I'm not a programmer so I might have missed something. You might double-check this.

    4) Doing a search for code to load a DLL in all of the other cached files, the only reference is in the "dap[1].js" file:

    Code:
    GetSAd=','http://a.rad.msn.com/ADSAdClient31.dll?GetSAd=', 'http://b.rad.msn.com/ADSAdClient31.dll?
    As I noted in a previous post, this is not an executable file, rather, a text file for their Advertising Delivery Service (ADS)

    For a new or modified DLL to get into the system, there has to be a script to do the work, don't you agree?


    5) This is your AV message you posted:

    Is it possible that this is just a generic alert that the existing (not necessarily new or modified) module is being loaded into Process?

    Otherwise, there should be evidence on your system of a new or modified PNGFILT.DLL file.

    ----
    rich
     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, it is possible. And most likely it's also exactly what happened. There wasn't any new DLL installed or created in the system. An old, existing DLL was loaded by IE to do something it had not needed to do before, and the AV picked up on that.
     
  5. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Yes and no, it's very easy to set the Created, Modified or Accessed time and date stamps on a file to anything using a SetFileTime Win32 API call so that's unreliable.

    IE was just loading PNGFILT.DLL in attempt to either display the shiny .png images with transparencies or fall back to an IE6 safe rendering of the page.

    I ran the page through http debugger, there's nothing untoward going on besides sloppy coding. :)
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I realize that, but wouldn't that necessitate a script somewhere in the page code, or one of the .js files? And why would Microsoft fool with such a ploy on an information web site? All of this speculation is just plain silly.

    I wouldn't have paid any attention to this thread except for these rather alarming statements in the first post:

    So unless Howard can show otherwise, it seems to be a misinterpretation of the AV alert.

    ----
    rich
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    :) :)

    Code:
    http://www.microsoft.com/learning/en/us/Book.aspx?ID=13487&locale=en-us
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
    
    [image: w3c.gif]


    ----
    rich
     
  8. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Yes, I agree; the notion of them pulling something untoward in this fashion is plain silly. They would just do it with Windows Update and label it as "Critical". :argh:

    As for needing some sort of script, yes, but as for that script mentioning PNGFILT.DLL directly, no, I don't think so. Just like landing on a page with .swf will cause NPSWF32.dll access, but you won't find a reference to that .dll in the page source. Also regarding the source, they have js files that call other js files which call other js files, and some are location specific.

    http://i37.tinypic.com/2z6xgrn.png

    That's why searching the cache and checking modified times on the .dll won't show much. I believe this js file is the cause, namely AlphaImageLoader. A quick Google shows info like this mentioning IE6, AlphaImageLoader and pngfilt.dll.

    Anyhow, it's what I thought when I first read the thread: a horribly coded page using a horrible method to render png transparencies on IE6 to "try" and make their page look shiny.

    They might be guilty of some things, but dumping a payload on their book page isn't one of them.

    Only 258 W3C errors? You must have had it set to forgiving mode. :D
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for the explanations! This is not the type of analysis I do, so it's very interesting to read.

    Again, the reason I was looking for a DLL was because of the first statements by the OP, so I was expecting to see a new DLL somewhere!

    The funny thing about the coding is that Microsoft many times has pages that don't render well in other browsers. I remember this in the early years of Opera, and I recall something from years ago where Microsoft was forced to change things so that other browsers could access some sites. I wish I could remember the specific incident...

    ----
    rich
     
  10. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    No problems, I'm the opposite: I don't do much malware analysis, but frequently I have to deal with/fix horribly coded pages like this one. I didn't look through all their scripts in depth (it's a nightmare), but I know PNGFILT.DLL handles .png image alpha transparencies, and IE6 doesn't have native support for this and needs page "hacks". So I just pulled up IE6-specific files such as the ie6css.js.

    I'm surprised their site supports "any" browsers today, the way it's mangled together; it's a wonder Lynx and screen readers don't crash trying to render it :argh:

    Yes, I remember something about them being pressured to support alternate browsers better a long time ago; from the quick look, that's where a lot of their problems are today. Lots of old legacy hacks and quick fixes being built on over the years instead of scrapping it all and starting fresh. They need to get rid of the bloat and standardize their web properties' look (like Google), not to mention fix the navigational nightmare.

    Anyhow, I guess the MS Bookstore payload conspiracy is debunked; what else can we pull apart? :D
     
  11. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Yes, but PNGFILT.DLL is already on the system.

    They are trying to load a new/modified version, that's what KAV is detecting.

    I have removed the BLOCK from KAV.
    When I get a chance, I'll try again, allowing the module to be loaded
     
  12. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    The question is, how has this been confirmed? It's not nearly enough to say that "KAV says so." Is KAV reporting that the checksum of the PNGFILT.DLL file has changed? If so, is it reporting that it only changed just now, as the MS press site was loaded? Or does it not report when this change occurred? Because things like IE security updates can change such files. I'd bet money that the MS press site is not trying to change any DLLs on your system or replace them with new or different versions. What's happening is that KAV is just noticing the DLL is being loaded by IE for PNG image rendering, and since it was not loaded by IE before, KAV alerts about that. If KAV claims the checksum has been changed since last load, that's 99,9 % likely explained by IE security updates. There is no security issue here. And this is a good example of how HIPS alerts can confuse people.
     
  13. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
     
  14. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I believe that.

    I hardly ever use IE 6 for browsing.
    I did this time because Firefox would not process the site.
     
  15. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    As I stated in another post, many/most web sites hide their code in PHP or javascript modules. You are not going to see the code just by looking at the target web page.

    I just explained in another post in this thread what Kaspersky is doing.
     
  16. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    As I recall, the validation service does not verify what happens when the code is executed.
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    On the other hand, it's extremely difficult and in many cases practically impossible to create a different version of some file that still has exactly the same cryptographic hash as the original file, as long as you're using a decently secure hash algorithm. You obviously don't have to and should not rely on file dates and sizes alone to determine if the file has been modified.

    This is of course entirely wrong. You can, for example, just limit privileges so that everyone can't modify system files. For example, in the account I'm using now to write this post, I simply cannot modify or delete or do anything except read and execute to PNGFILT.DLL, even if I want to, and neither can any software running in this account (without privilege escalation exploits - good luck finding and exploiting one, and then only using it to modify some dll file when you could totally own a system). Another approach is to just keep a list of checksums of the important files and review it when you desire. Any changed checksum would be a certain sign of a modified file. AVs are not needed for any of this stuff.

    If you believe that, then what is the problem here? The only thing that happened was that IE loaded an old, already installed dll to render PNG images. That's completely harmless and working as designed. The only reason KAV warned about it is that the dll wasn't loaded before, since it wasn't needed before. So there really is no caveat or something to beware of in this case. Well, except one thing: beware of misleading HIPS alerts that may make you think something malicious is happening when everything is perfectly normal.
     
  18. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The reason I started using Firefox was that IE 6 did not render pages at MSFT web sites correctly, especially if you wanted to save/print the pages.

    IE 8 is better than IE 6, but I gave up on IE 8 a few weeks ago when I found a document that it could not render, but Firefox could. See Getting PHP Manual as a PDF file.
     
  19. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Kaspersky keeps track of ALL files and marks those that have been previously scanned. Unless you ask it to do so, Kaspersky will not normally rescan a file, unless it detects certain things. For example, a few days ago, Kaspersky decided to do a scan of ALL files, I guess because I had changed so many in recent months.

    So somewhere, KAV keeps info that allows it to detect when there is an attempt to modify a file.

    In the case of DLLs, Kaspersky goes one step further and detects that an attempt is made to load or change a module. AFAIK, Kaspersky is not the only AV that does this.
     
  20. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The problem is that KAV was warning about a change, and I had no idea what the module did. I will not allow a new/changed module unless I have an idea what it is for.

    The danger is that even if the file itself cannot be changed, a new/modified version could be loaded, and then malware could have a field day.
     
  21. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That does not answer the question: how has it been confirmed that the MS press web site changed the pngfilt.dll? Of course, it's rather hard to confirm that since it didn't happen, but that's kind of my point. ;)

    What KAV is doing to check for loading DLLs is typical HIPS software behavior. The good side is that it can detect some malicious actions. The bad side is that it can make people think normal, legitimate actions are somehow malicious, and give them an entirely wrong idea of what's happening. The latter seems to be the case here.

    In other words, it could be said the problem is that KAV is asking users questions that the users aren't qualified to answer - the users don't know what some DLL does, why it's being loaded, and so on. If there wasn't a default whitelist of MS signed executables, and every user followed the "will not approve anything I don't know" philosophy, most users would be unable to even get their browser running because they'd block many necessary DLLs from being loaded simply because they don't know what they are. That's the problem with HIPS.

    As for the supposed danger, not even IE allows any website to just silently create DLLs on the system and then load them without any user interaction, assuming IE's security settings aren't "allow absolutely everything, no prompts, I like to live dangerously."
     
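The thread turns on three points that a small defender-side tool can make concrete: Windchild's suggestion (post 17) of keeping a checksum list of important files, 1boss1's note (post 5) that file timestamps are writable and therefore unreliable, and the distinction in post 21 between a DLL that has actually been modified and an old, unchanged DLL that is merely being loaded by a process for the first time. The example below is added here and is not KAV's code or anything from the thread; it is a constructed, hypothetical module-load classifier that keeps a SHA-256 baseline alongside the set of (process, module) pairs it has already seen. The module names, file contents and event stream are all constructed; "PNGFILT.DLL" is used only as a label, and `os.utime` stands in for the Win32 SetFileTime call mentioned in the thread so the script runs on any platform.

```python
"""Hash-baselined module-load classifier (constructed example, not any
vendor's code).  Each load event is classified as:

  known      - (process, module) pair seen before, content hash unchanged
  first-load - unchanged file, but this process never loaded it before
               (the thread's PNGFILT.DLL case: old file, new loader)
  modified   - content hash differs from the baseline
  unknown    - no baseline entry for this module at all
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256. With a sound hash, a changed digest
    means changed content; an unchanged digest means the file is intact."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class LoadMonitor:
    """Keeps the two facts a single HIPS-style alert tends to conflate:
    whether the file changed, and whether this loader has used it before."""

    def __init__(self):
        self.baseline_hash = {}    # module path -> sha256 at baseline time
        self.baseline_mtime = {}   # module path -> mtime (ns) at baseline time
        self.seen = set()          # (process, module) pairs already observed

    def baseline(self, paths):
        for p in paths:
            self.baseline_hash[p] = sha256_file(p)
            self.baseline_mtime[p] = os.stat(p).st_mtime_ns

    def mtime_unchanged(self, module):
        """Timestamp-only check, shown here to demonstrate why it is weak:
        mtime is freely writable, so it can be forged back to the baseline."""
        return os.stat(module).st_mtime_ns == self.baseline_mtime[module]

    def classify(self, process, module):
        if module not in self.baseline_hash:
            return "unknown"          # nothing to compare against: investigate
        if sha256_file(module) != self.baseline_hash[module]:
            return "modified"         # content really changed, whatever mtime says
        key = (process, module)
        if key in self.seen:
            return "known"
        self.seen.add(key)
        return "first-load"           # benign "never loaded by this process before"


def demo():
    """Constructed scenario: two fake modules, a short event stream, and a
    forged timestamp. Returns the classifications so they can be checked."""
    with tempfile.TemporaryDirectory() as d:
        pngfilt = os.path.join(d, "PNGFILT.DLL")   # label only, constructed bytes
        other = os.path.join(d, "OTHER.DLL")       # constructed second module
        for path, body in ((pngfilt, b"constructed pngfilt bytes"),
                           (other, b"constructed other bytes")):
            with open(path, "wb") as f:
                f.write(body)

        mon = LoadMonitor()
        mon.baseline([pngfilt, other])
        original_mtime_ns = os.stat(pngfilt).st_mtime_ns

        out = {}
        out["other_1"] = mon.classify("iexplore.exe", other)      # first-load
        out["other_2"] = mon.classify("iexplore.exe", other)      # known
        # The thread's situation: an unchanged file loaded for the first time.
        out["pngfilt_1"] = mon.classify("iexplore.exe", pngfilt)  # first-load

        # Now actually replace the content and forge the mtime back to baseline
        # (stand-in for SetFileTime); the timestamp check is fooled, the hash is not.
        with open(pngfilt, "wb") as f:
            f.write(b"different bytes entirely")
        os.utime(pngfilt, ns=(original_mtime_ns, original_mtime_ns))
        out["mtime_says_unchanged"] = mon.mtime_unchanged(pngfilt)  # True
        out["pngfilt_2"] = mon.classify("iexplore.exe", pngfilt)    # modified
        return out


if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{event}: {verdict}")
```

The ordering in `classify` is deliberate: the content hash is compared before the seen-set is consulted, so a genuinely modified file is always reported as "modified" even for a process that has loaded it many times before, while a first load of an intact file gets the lower-severity "first-load" label rather than an alarming "new or modified module" wording.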
  22. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Which is why this feature doesn't exist in the last two versions of the product (in this form) :p
     