"John Corliss" <r9j...@yahoo.com> wrote:
There's no reason to assume malware, and it seems to
be going to the cloudfront URL used for heartbeat. You
might be able to tell something by what's being transferred.
(Though heartbeat and malware might very well transfer
a similar record of your online activities. :)
nss3.dll is just an encryption library. An OSS alternative
to OpenSSL for cryptographic functionality.
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Overview
From your link:
"It [the malware] hooks NSS3.DLL and NSPR4.DLL to monitor
Mozilla Firefox; WS2_32.DLL, CHROME.DLL to monitor Google
Chrome; and WININET.DLL to monitor Internet Explorer."
Ws2_32.dll is a Windows sockets DLL. It's used for
various functions to call servers, ask for files,
etc. It's basically the Internet connection library.
Wininet.dll is the IE wrapper library. It's part of the
IE install and contains higher level functions, like
UrlDownloadToFile, which calls to a server without
needing to manage winsock oneself.
Hooking, as you may know, means setting up
as a kind of man-in-the-middle at OS level. In
other words, the malware is monitoring what gets
passed in and out. The fact that nss3.dll is involved
means no more than the fact that Windows sockets
may be involved. Presumably the malware is monitoring
the input into nss3, in order to get it before it's
encrypted.
What you're proposing is not farfetched in theory,
but it would imply that Cloudfront is the malware
home base. Wouldn't it be likely that malware
would be calling to E. Europe or China, rather than
to an Amazon server in Seattle?
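As an added illustration of the hooking described above (this is example code, not from the post or from any named product): an inline hook on an nss3.dll export typically overwrites the function's first bytes with a jump into the injector's code, so a defender can compare the prologue on disk with the prologue in the loaded module and check where the jump lands. The export name PR_Write, the byte patterns and the addresses are all constructed assumptions for the demo.

```python
import struct

# Constructed sample values: first 8 bytes of an nss3.dll export as stored
# on disk (a typical x86 prologue) and the same bytes read from the loaded
# module after an inline hook replaced them with a 5-byte JMP rel32.
DISK_PROLOGUE = bytes.fromhex("8bff558bec83ec10")
HOOKED_PROLOGUE = bytes.fromhex("e9bbec3ef0") + DISK_PROLOGUE[5:]
MODULE_BASE, MODULE_SIZE, FUNC_RVA = 0x10000000, 0x00200000, 0x12340

def decode_stub(mem, addr):
    """Recognise common hook stubs at a function entry; return (kind, target)."""
    if len(mem) >= 5 and mem[0] == 0xE9:                      # JMP rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[:2] == b"\xff\x25":              # JMP [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", mem, 2)[0]
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:   # PUSH imm32; RET
        return "push/ret", struct.unpack_from("<I", mem, 1)[0]
    return None

def check_export(name, disk, mem, base, size, rva):
    """Compare on-disk and in-memory prologues. None means unmodified;
    otherwise describe the patch and whether control leaves the module,
    which is the usual sign of a third-party hook rather than a self-patch."""
    if disk == mem:
        return None
    stub = decode_stub(mem, base + rva)
    if stub is None:
        return {"export": name, "kind": "patched, unknown stub",
                "target": None, "leaves_module": None}
    kind, target = stub
    return {"export": name, "kind": kind, "target": target,
            "leaves_module": not (base <= target < base + size)}

if __name__ == "__main__":
    # "PR_Write" is an assumed export name; the post does not say which
    # nss3.dll function the malware hooks.
    for label, mem in (("clean", DISK_PROLOGUE), ("hooked", HOOKED_PROLOGUE)):
        print(label, check_export("PR_Write", DISK_PROLOGUE, mem,
                                  MODULE_BASE, MODULE_SIZE, FUNC_RVA))
```

In practice the disk bytes come from parsing the PE export table and the memory bytes from reading the live process, which this demo replaces with constructed samples.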