I believe I've turned up a new method of attack.
Short Story -
A piece of malware used the "use automatic configuration script" setting to insert an infected URL into a Windows system. One can navigate to this by going to
Control Panel / Internet Properties / Connections / LAN Settings
The malware inserted a URL in the "use automatic configuration script" field.
Long Story -
A customer brought me an infected computer. The system was running Kaspersky. I hooked it up at the office, but kept it offline. It seemed to work fine. As soon as it went online a fake BSOD screen appeared. While I could use Ctrl-Alt-Delete and Alt-Tab, I couldn't get back to a clean desktop. I took the system offline and restarted. I downloaded Malwarebytes and the Microsoft Safety tool to another system and moved these to the infected system via USB. Malwarebytes removed about 300 items. Microsoft removed about a dozen things. Kaspersky removed about a dozen items. I uninstalled some questionable programs. I brought the system back online and again got a fake BSOD. Disconnect and restart. Ran Kaspersky full scan, Malwarebytes and Microsoft again. This time all clean. Bring online and fake BSOD. Disconnect and restart again. Set up Kaspersky to update. Brought online and fake BSOD. I was able to watch Kaspersky get updates. Disconnect and restart again. Ran full scans. Nothing found. Connect and get fake BSOD. Disconnect and restart. This time I started looking at a number of settings. I found a URL in the "use automatic configuration script" field. I cut the URL and pasted it to Notepad. Brought the system online. This time everything worked fine. I took the URL and contacted Kaspersky and Malwarebytes, since neither of them picked up on this method. Kaspersky brushed me off. The folks at Malwarebytes were interested. I did not try inserting this into my Norton-protected system, though I did contact Norton support. I did a few searches and didn't find anyone reporting this method. So, I decided to start here and let others know. The URL I found is:
[Removed]
If anyone has any questions, I'm happy to answer what I can.
[Admin Edit: Removing link to a potentially malicious website to conform with the Participation Guidelines and Terms of Service]
Malwarebytes is much more invested in detecting Potentially Unwanted Modifications (PUMs) than is Norton. Malwarebytes checks many Windows settings and will alert to anything that has been changed from the Windows default setting. While this may detect the actions of malware, it also causes false positives when a user or a legitimate installed program intentionally changes something, which happens frequently. While an entry in the automatic configuration script field might be able to be detected, there would be no way of knowing if it was malicious or user-created. While Malwarebytes might be willing to endure the FPs associated with PUMs, the same might not be true for Symantec. I don't know if Malwarebytes specifically looks at the automatic configuration setting.
Well, silly me, I searched for "automatic configuration script", not the abbreviation "Auto-Config".
Still, I would expect a full scan to detect the presence of a URL in the "Auto-config". At least give someone a heads up that it needs to be checked.
Microsoft published an article on malicious Proxy Auto-Config files in February, 2014:
Malicious Proxy Auto-Config redirection
There wasn't an infected file on the computer.
Rather, the URL in the "use automatic configuration script" pointed to a malicious site. I did submit the URL to Symantec. They reported that the URL does not point to a file. That's one convenient thing about using a URL. One minute it could be fine, the next minute it might be changed to a malicious script.
My concern isn't that any particular web site might host malicious code. I have 2 concerns. First - It's the way the URL is embedded in the Windows computer. I did some searches and did not find any other reports of malicious code using this particular method. Second and most important - That three companies' scanning functions all failed to detect the presence of a URL in the "automatic configuration script".
I hope someone from Symantec looks this over and decides to scan the "use automatic configuration script" field in the future. So far, the engineers at Malwarebytes are the only ones that I'm sure are working on this. It's been all quiet from Symantec.
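The check the poster is asking the vendors for, written here as an added example (it is not from this thread and not a tool from any vendor named in it): PowerShell that reads the registry value behind the "use automatic configuration script" field, the AutoConfigURL value under Internet Settings, for the current user, the machine, and every other loaded user hive, and reports any URL so it can be reviewed. The function name and the S-1-5-21 SID filter are this example's own choices.

```powershell
# Added example for this thread (not a vendor tool): report any Proxy
# Auto-Config URL stored behind the "use automatic configuration script"
# field. WinINET keeps it in the AutoConfigURL registry value under
# Internet Settings, per user (HKCU / HKEY_USERS\<SID>) and, when set
# machine-wide, under HKLM.
$relPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-AutoConfigUrlEntries {
    $hives = @(
        [pscustomobject]@{ Scope = 'HKCU'; Path = "HKCU:\$relPath" },
        [pscustomobject]@{ Scope = 'HKLM'; Path = "HKLM:\$relPath" }
    )
    # Other loaded profiles live under HKEY_USERS\<SID>; map a drive to it
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($key in Get-ChildItem 'HKU:' -ErrorAction SilentlyContinue) {
        $sid = $key.PSChildName
        # Only real user SIDs; skip the merged *_Classes hives
        if ($sid -like 'S-1-5-21-*' -and $sid -notlike '*_Classes') {
            $hives += [pscustomobject]@{ Scope = "HKU\$sid"; Path = "HKU:\$sid\$relPath" }
        }
    }

    foreach ($h in $hives) {
        $url = (Get-ItemProperty -Path $h.Path -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
        if ([string]::IsNullOrWhiteSpace($url)) { continue }
        [pscustomobject]@{
            Scope  = $h.Scope
            Url    = $url
            # A script fetched from a remote host can change at any time,
            # which is the point the thread makes about URLs versus local files.
            Remote = [bool]($url -match '^https?://')
        }
    }
}

$findings = @(Get-AutoConfigUrlEntries)
if ($findings.Count -eq 0) {
    Write-Output 'No automatic configuration script URL is set.'
} else {
    Write-Warning 'Automatic configuration script URL found; confirm it is expected before keeping it:'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated session so the other loaded user hives under HKEY_USERS are readable; a URL that nobody on the system set deliberately is worth treating the way the poster treated his.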
Hello Mark
You can submit files to Symantec using this link so that they can analyze them and add them to their database.
Please use this link if you think that a file is a false positive:
https://submit.symantec.com/dispute/
If there is a possibility that the file might be infected, please submit it to Symantec using this link:
https://submit.symantec.com/websubmit/retail.cgi?OpenDocument&src=submit
Another alternative, which is fast: you can use VirusTotal
http://www.virustotal.com/index.html
Thanks.