
Why would a .dll filepath(?) be in front of a url in the address bar online?


9 replies to this topic

#1 i.hate.open.cloud

i.hate.open.cloud

  • Members
  • 68 posts
  • Gender:Male
  • Local time:10:48 PM

Posted 11 February 2015 - 11:34 PM

Earlier I was online and had an e-mail from my phone carrier asking me to take a survey. Everything looked legit and they e-mail me from time to time so I went ahead and clicked the survey link within the message (copying the link location gives me a URL of http://t2.ktrmr.com/surveys.aspx?pid=72581187&i.project=D5FX3&s=GEN24&id=1&chk=967&rs=1). This opened a new tab and the address bar showed a string of characters that ended in .dll in front of the http://.... URL. Nothing was visibly loaded on the page (possibly due to Firefox forbidding a redirect or NoScript doing its thing), but I got scared and killed the tab as fast as I could and started running the virus scans. Sorry, I didn't get more of the filepath.

 

So, I'm a little out of my depth here. Is there any legitimate reason a .dll would be part of a URL? Nothing weird has occurred since then, nor did my protective programs ping anything, but this seems really odd to me. I've run a full scan with MalwareBytes and then with Microsoft Security Essentials (both came back clean), and plan to endure the 12-hour nightmare of HouseCall. Is there any other action I should take?

 

Vitals: Windows 7, Firefox 35.0.1 w/ NoScript.

 

Thank you for your time, and I appreciate any information or help you can give me.


Edited by i.hate.open.cloud, 12 February 2015 - 02:12 AM.



#2 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1
  • Local time:12:48 AM

Posted 12 February 2015 - 12:30 AM

Doesn't necessarily mean the site or URL was malicious in nature. Depends on how the site was designed; realistically, you could implement rewrite rules to display whatever extension you wanted to for the pages of your website, as well as not display an extension at all (as do these forums; take a look at the address bar). You don't think the topic title in the URL actually references a directory, do you? It's simply rewritten to look cleaner and mask the parameters passed to the server to retrieve the thread information and subsequent messages posted within the thread (generally a parameter that passes the thread ID to the server).

 

For example -- If you have an account on eBay, you will notice that many of their pages can be found to end with a .dll extension (e.g. the "My eBay" page).


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#3 i.hate.open.cloud

i.hate.open.cloud
  • Topic Starter


Posted 12 February 2015 - 01:31 AM

Good to know that it could be a legitimate, albeit nonstandard, URL display. I've never seen one with the .dll string before the http:// before, so I was afraid it was attempting to access or download something. Thanks.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,564 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:48 PM

Posted 12 February 2015 - 07:37 AM

There are a number of web sites where you can check suspicious sites or get second opinions using various URL Link Scanners:


-- Use several different vendors when performing queries to confirm the results of page content. Even doing this, you still need to be cautious of other links on the page itself which can redirect to a malicious page.
 


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,193 posts
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:11:48 PM

Posted 12 February 2015 - 08:39 AM

Well, I went ahead on that website and it's giving me a survey, like your email said. I checked the source of the page and there's quite a few <script> in it, most likely because it's a survey and it's being displayed via JavaScript so it's normal that it wouldn't work on your browser with NoScript active. I also scanned the URL on VirusTotal and it came back clean:

https://www.virustotal.com/fr/url/eeb1b263c75c2e331568490ed781211b6a1ceabe9e8df7eab86aedacbe4b6a6b/analysis/1423748223/

However, it's the first time that it was ever scanned, so I would re-scan it in 1-2 days to see if the results are still the same. Concerning the .dll, it's mrIWeb.dll, which looks to be often associated with webpages and websites having surveys hosted on them. Everything looks good on my side, but that's just my call.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 quietman7


Posted 12 February 2015 - 12:34 PM

I scanned the url too so it should indicate two scans at some point.

#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,620 posts
  • Gender:Male
  • Local time:05:48 AM

Posted 12 February 2015 - 05:00 PM

No, this looks normal.

 

Web servers that run Windows can have DLLs as programs. Like this http://www.example.com/web.dll

Often it will be with parameters: http://www.example.com/web.dll?id=1

This DLL runs on the web server, not on your machine.

But this can be confusing, because you can also have a website that offers a DLL for download. Like this: http://www.example.com/program.dll

It's the configuration of the webserver that defines if a DLL is executed on the webserver or if it is offered for download.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
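
Added example, not part of the original posts: one way to tell from the client side which of the two cases described in post #7 applies, by looking at the server's response rather than at the URL. The function names, the list of content types and the sample responses are assumptions constructed for illustration, and the result is a heuristic.

```python
from urllib.parse import urlsplit

# Response content types that mean "file to save", not "page to render".
DOWNLOAD_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}

def dll_in_path(url):
    """Return the first path segment ending in .dll, or None."""
    for segment in urlsplit(url).path.split("/"):
        if segment.lower().endswith(".dll"):
            return segment
    return None

def classify(url, headers, body_start=b""):
    """Say how the server treated a .dll URL, judging by its response.

    headers: response headers as a dict; body_start: first bytes of the body.
    """
    if dll_in_path(url) is None:
        return "no-dll-in-path"
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").strip().lower()
    # A Windows DLL is a PE file and starts with the bytes "MZ"; seeing them
    # means the file itself was sent, whatever Content-Type claims.
    if body_start[:2] == b"MZ":
        return "offered-for-download"
    if disposition.startswith("attachment") or ctype in DOWNLOAD_TYPES:
        return "offered-for-download"
    # Text output from a .dll URL means the server ran something to produce it.
    if ctype.startswith("text/"):
        return "executed-on-server"
    return "unclear"

# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("http://www.example.com/web.dll?id=1",
     {"Content-Type": "text/html; charset=utf-8"}, b"<!DOCTYPE html>"),
    ("http://www.example.com/program.dll",
     {"Content-Type": "application/octet-stream"}, b"MZ\x90\x00"),
    ("http://www.example.com/program.dll",
     {"Content-Type": "text/plain"}, b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for url, headers, body in SAMPLES:
        print(classify(url, headers, body), url)
```

The third sample shows why the body is checked first: a mislabelled Content-Type does not change the fact that a binary was delivered.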


#8 i.hate.open.cloud

i.hate.open.cloud
  • Topic Starter


Posted 13 February 2015 - 09:45 AM

Thanks for the updates guys. I learned something new.



#9 Aura


Posted 13 February 2015 - 09:46 AM

No problem, our pleasure :)



#10 Didier Stevens


Posted 13 February 2015 - 05:20 PM

You're welcome.






