Why is Vivaldi trying to connect to savepic.net



  • Hi, I run MalwareBytes anti-malware software on my Windows 10 laptop and I'm getting a hit on the following:

    Domain: savepic.su
    IP: 5.9.99.35
    Port: 59946
    Type: Outbound

    I've attached an image showing the detection. I've run a complete scan with BitDefender and found nothing; I also run MalwareBytes Anti-Exploit.

    Vivaldi 1.0.403.24 (Beta 3) (32-bit)
    Revision 0c0e1eb245235dfafc6a82065b23d3eaf464c8d1
    OS Windows
    Blink 537.36 (@0)
    JavaScript V8 4.8.271.19
    Flash 20.0.0.306
    User Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36 Vivaldi/1.0.403.24



  • If I were to run across anything on my system attempting to call out to savepic.su (5.9.99.35), I'd be immediately concerned about the possibility of a Dridex or similar banking-trojan infection. Usually, such a thing arrives via a fake e-mail with an infected Word document attachment containing a macro with malicious Visual Basic scripting. If executed, it then retrieves a downloader (like Chanitor) which immediately retrieves a malware installer (like Vawtrak) that infects the computer with the trojan payload. These are sophisticated pieces of malware and, especially in their variants' early stages, can be hard for AV programs to pick up.

    Infection-related traffic analysis of this sort of malware very frequently reveals HTTP traffic with savepic to pull images and route DNS traffic to/from that site. There's some question about what the role of the savepic images actually is: possibly they contain metadata or obfuscated code used by the infection programs, or perhaps they allow the authors to track number of accesses to the savepic images to determine how often the Word macro has been run, and thus may ascertain the effectiveness of a particular infection mechanism.

    Unless you have legitimate transactions with savepic, you may want to consider deeper scanning of your system for malware, including tools other than the ones you've already used.

    Otherwise, is Vivaldi your default browser? Do you have any extensions installed? Do you start Vivaldi with saved sessions or tabs?



  • Possibly something like Dridex Banking Trojan messing with the system and using Vivaldi? See: http://www.bleepingcomputer.com/forums/t/572650/another-look-at-the-dridex-banking-trojan/

    "Additionally, URLs were found that were used to download images, that I have not yet analyzed in-depth. But, if I were to guess, I would imagine that these images (unless simply used for tracking purposes) may be heavily obfuscated, and/or contain metadata that will be used for HTML injection once a user has become infected with the Dridex Trojan. The URLs accessed to pull these images are as follows:

    hXXp://savepic.su/5533663.png
    hXXp://savepic.su/5530591.png "
    (URLs obfuscated intentionally)

    Port 59946 is a bi-directional "dynamic and/or private" TCP/UDP port.

    1. Is Vivaldi set as your default browser?
    2. Does it have any extensions?
    3. Do you have Vivaldi set for any particular startup page or session tab that might be pulling down a legitimate image from that site?
    4. Have you knowingly downloaded a picture from savepic.su for some reason, or had other contact with the site?
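
    The two checks the replies above ask for (is the connection really Vivaldi's, and does the profile's startup session or an extension reference the site?) can be scripted. The following is an added triage example, not code from the thread or from Vivaldi: it joins `netstat -ano` output to a PID-to-image map (as `tasklist` would give you) to attribute connections to the reported IP, and it scans a Chromium-style profile `Preferences` JSON for startup URLs, homepage and extension manifests naming the suspect domain. The key names `session.startup_urls`, `homepage` and `extensions.settings` are those of Chromium's profile preferences as I know them; verify them against your own Vivaldi profile. The netstat output, tasklist map and preferences document below are constructed sample data.

```python
import json
from urllib.parse import urlparse

# Indicators taken from the thread: the domain and IP reported by Malwarebytes.
SUSPECT_DOMAINS = {"savepic.su", "savepic.net"}
SUSPECT_IPS = {"5.9.99.35"}


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def is_suspect_host(host):
    """True for a suspect domain or any subdomain of it (not for look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def scan_preferences(prefs):
    """Check the settings the thread asks about in a Chromium-style Preferences
    document (assumed key layout): startup URLs, homepage, extension manifests."""
    findings = []
    for url in prefs.get("session", {}).get("startup_urls", []):
        if is_suspect_host(host_of(url)):
            findings.append(("startup_url", url))
    homepage = prefs.get("homepage", "")
    if is_suspect_host(host_of(homepage)):
        findings.append(("homepage", homepage))
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest", {})
        blob = json.dumps(manifest).lower()  # crude but catches URLs in any manifest field
        hits = sorted(d for d in SUSPECT_DOMAINS if d in blob)
        if hits:
            name = manifest.get("name", "?")
            findings.append(("extension", f"{ext_id} ({name}) -> {', '.join(hits)}"))
    return findings


def parse_netstat(text):
    """Parse 'netstat -ano' rows into dicts. UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header / blank lines
        lhost, lport = parts[1].rsplit(":", 1)
        rhost, rport = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "local_ip": lhost, "local_port": int(lport),
            "remote_ip": rhost, "remote_port": rport,
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        })
    return rows


def is_ephemeral(port):
    """Windows (Vista and later) allocates client ports from 49152-65535, so a
    'Port: 59946' in an outbound alert is the local end of the socket, not the
    server's listening port."""
    return 49152 <= port <= 65535


def attribute_connections(netstat_text, tasklist):
    """Join connections to suspect IPs with the owning process (pid -> image)."""
    hits = []
    for row in parse_netstat(netstat_text):
        if row["remote_ip"] in SUSPECT_IPS:
            hits.append({
                "pid": row["pid"],
                "image": tasklist.get(row["pid"], "unknown"),
                "remote": f'{row["remote_ip"]}:{row["remote_port"]}',
                "local_port": row["local_port"],
                "ephemeral_local": is_ephemeral(row["local_port"]),
            })
    return hits


# Constructed sample data (not captured from a real system).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:59946     5.9.99.35:80           ESTABLISHED     4321
  TCP    192.168.1.10:49870     203.0.113.5:443        ESTABLISHED     4321
  UDP    0.0.0.0:500            *:*                                    1120
"""
SAMPLE_TASKLIST = {4321: "vivaldi.exe", 1120: "svchost.exe"}
SAMPLE_PREFS = {
    "homepage": "https://vivaldi.com/",
    "session": {"restore_on_startup": 4,
                "startup_urls": ["https://vivaldi.com/", "http://savepic.su/5533663.png"]},
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "manifest": {"name": "Example Extension", "homepage_url": "http://example.com/"}}}},
}

if __name__ == "__main__":
    for hit in attribute_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("connection:", hit)
    for kind, detail in scan_preferences(SAMPLE_PREFS):
        print(f"preferences: {kind}: {detail}")
```

    On a live machine, feed the script the real output of `netstat -ano`, a map built from `tasklist`, and the `Preferences` file from the Vivaldi profile directory. A hit attributed to vivaldi.exe with a startup URL or extension naming the domain points at a saved session or add-on; a hit owned by some other process, with nothing in the profile, is the case the other replies are worried about.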



  • NOTE: my two previous posts were both hung up in the forum spam-filter and my account blocked for each. After the first unblocking, I attempted to post some of the same material a second time by omitting URLs, but the spam-filter trapped that one too and re-blocked the account… hence the redundancy in the two posts. /NOTE

    Bottom line here: from everything I'm seeing in search responses, downloads and DNS pings involving the s*****c domain are often associated with the kind of trojan described earlier. A browser attempting to 'spontaneously' contact that domain is more than ample grounds for concern regarding either an infection or a partial infection of the computer.

