Virtualbox connecting to x.ss2.us?


4 replies to this topic

#1 blankiq

Posted 12 February 2017 - 09:43 AM

I'm running Windows 7 inside VirtualBox on my main machine. Avast has now twice warned me about VirtualBox connecting to x.ss2.us/x.cer. Inside the browser I was on SourceForge at the time, but that should be clean :/

Do you think a process is trying to inject itself into VirtualBox?





#2 hamluis (Moderator)

Posted 12 February 2017 - 09:58 AM

FWIW: https://www.threatminer.org/domain.php?q=x.ss2.us

Louis



#3 blankiq (Topic Starter)

Posted 12 February 2017 - 10:13 AM

Yeah, it looks pretty clean from what I've seen. Some extra info:

I'm using OpenDNS.

My main computer is running Avast and Windows 7. I don't think I have a virus: no extra processes, no extra CPU usage.

The virtual machine comes from Microsoft's developer page.

Avast detects the page as "URI:Malware".

I have a cracked program on here though; I scanned it and did some hybrid analysis and it came out clean.

Either it's a false positive or I might have a rootkit installed. I'm going to run TDSSKiller (rootkit detector).

Thanks

EDIT: no rootkits detected


Edited by blankiq, 12 February 2017 - 10:14 AM.


#4 newtothis2017

Posted 14 February 2017 - 01:29 AM

I got the same warning. Here is the log message below.

12/02/2017 9:58:58 AM http://x.ss2.us/x.cer [L] URL:Mal (0)

I was in Hotmail and I suddenly got the error message 2 days ago, like yourself.

I freshly installed Windows 7 from an image I'm familiar with 2 days ago on my Lenovo computer, and a few programs, so all the programs I installed I'm quite familiar with.

And I freshly installed Chrome and only went to known websites I regularly visit and then to Hotmail. That's when I got the message about http://x.ss2.us/x.cer, without clicking on any suspicious emails.

So I thought it was strange how this website can be linked or associated to anything I was doing at the time, though I suspect it is some sort of email security threat.

All I can guess about what program caused this is that I installed UltraVNC, which I have installed before, and it was maybe not from the official site.

So I'm wondering how this could be triggered on such a freshly installed Windows 7 and programs. Please let me know what you think happened.

Edited by newtothis2017, 14 February 2017 - 01:33 AM.


#5 blankiq (Topic Starter)

Posted 14 February 2017 - 09:57 AM

Same, freshly installed Windows a few weeks ago. There's not much info about it though. I think it may be some kind of backdoor in programs. I looked up x.cer and a "suspicious file" analysis popped up on Google.

54.230.45.225:80 (x.ss2.us)     GET     /x.cer     GET /x.cer HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: x.ss2.us

The fact that it is using CryptoAPI worries me, as I hope this is not ransomware. I'm doing a full system scan to see if anything comes up.


Edited by blankiq, 14 February 2017 - 10:00 AM.
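The request captured in the post above, run through a small triage script. This is an added example and is not part of the thread or of any product mentioned in it. It parses the raw HTTP request exactly as the post flattens it onto one line (and also the normal line-per-header form), parses the Avast URL-log line quoted in post #4, and classifies the request by User-Agent and requested path. The rule it applies is the example's own: a `Microsoft-CryptoAPI/...` User-Agent asking for a `.cer`/`.crl`-type path is the signature of Windows itself fetching certificate-chain material (intermediate certificates, CRLs) during certificate validation, which is what that User-Agent string belongs to. The script says nothing about whether this specific host is benign; it only separates "the operating system's certificate code made this request" from "a browser or other program made it", which is the first question an analyst wants answered. Sample inputs are constructed from the thread.

```python
"""Triage helper for Avast URL-log lines and captured HTTP requests.

Added example, not from the thread. It classifies a request so an analyst
can tell a Windows CryptoAPI certificate-chain fetch apart from traffic
generated by a browser or another application.
"""
import re
from dataclasses import dataclass, field

# File types CryptoAPI fetches while building/checking a certificate chain.
CERT_EXTENSIONS = (".cer", ".crt", ".crl", ".p7b", ".p7c")

# Constructed from the thread: post #5's capture (flattened onto one line)
# and post #4's Avast log line.
SAMPLE_REQUEST = ("GET /x.cer HTTP/1.1 Connection: Keep-Alive Accept: */* "
                  "User-Agent: Microsoft-CryptoAPI/6.1 Host: x.ss2.us")
SAMPLE_AVAST_LINE = "12/02/2017 9:58:58 AM http://x.ss2.us/x.cer [L] URL:Mal (0)"


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_http_request(raw: str) -> HttpRequest:
    """Parse a request line plus 'Name: value' headers.

    Accepts both the normal CRLF-separated form and the flattened form the
    forum post shows, where headers are separated only by spaces. The
    normalisation splits before any 'Name:' token, so a header value that
    itself contains 'word: ' would be split too; fine for triage input.
    """
    text = re.sub(r"\s+(?=[A-Za-z-]+:\s)", "\n", raw.strip())
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+(HTTP/\d\.\d)$", lines[0])
    if not m:
        raise ValueError(f"bad request line: {lines[0]!r}")
    req = HttpRequest(m.group(1), m.group(2), m.group(3))
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req


def parse_avast_url_log(line: str) -> dict:
    """Parse '<date> <time> <AM|PM> <url> [<flag>] <detection> (<n>)'.

    The field layout is taken from the single line quoted in the thread; it
    is an assumption that every Avast URL-log line follows it.
    """
    m = re.match(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(\S+)\s+"
                 r"\[(\w+)\]\s+(\S+)\s+\((\d+)\)\s*$", line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, url, flag, detection, code = m.groups()
    return {"timestamp": ts, "url": url, "flag": flag,
            "detection": detection, "code": int(code)}


def classify(req: HttpRequest) -> dict:
    """Label a request by who made it (CryptoAPI vs. other) and what it asked for."""
    ua = req.headers.get("user-agent", "")
    path = req.path.split("?", 1)[0].lower()
    is_cryptoapi = ua.startswith("Microsoft-CryptoAPI/")
    is_cert_artifact = path.endswith(CERT_EXTENSIONS)
    if is_cryptoapi and is_cert_artifact:
        verdict = "cert-chain-fetch"          # OS certificate validation
    elif is_cryptoapi:
        verdict = "cryptoapi-other"           # CryptoAPI UA, unexpected path
    elif is_cert_artifact:
        verdict = "cert-artifact-non-cryptoapi"  # some other program pulled a cert
    else:
        verdict = "other"
    return {"host": req.headers.get("host", ""), "path": req.path,
            "user_agent": ua, "is_cryptoapi": is_cryptoapi,
            "is_cert_artifact": is_cert_artifact, "verdict": verdict}


def triage(raw_request: str, avast_line: str) -> dict:
    """Join the two artefacts an analyst has in this thread into one record."""
    result = classify(parse_http_request(raw_request))
    result["avast"] = parse_avast_url_log(avast_line)
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUEST, SAMPLE_AVAST_LINE).items():
        print(f"{key}: {value}")
```

For the thread's capture the verdict comes out as `cert-chain-fetch`, because the User-Agent is CryptoAPI's and the path is a `.cer` file. That is the starting point, not the answer: the follow-up check is to find which certificate in the chain of the site being visited (or of a signed binary being run) names that URL in its Authority Information Access or CRL Distribution Points extension, which is where CryptoAPI takes such URLs from. A request with a browser User-Agent for the same path would be labelled differently and would deserve a different investigation.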
