Closed Bug 449878 Opened 16 years ago Closed 13 years ago

Malicious site exploits offline mode to force users to download fake antivirus tool

Categories

(Firefox :: Security, defect)

3.0 Branch
x86
Windows XP
defect
Not set
normal

VERIFIED INVALID

People

(Reporter: carlp-mozilla, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

Firefox offline mode should not be adjustable by JavaScript on a web page.

Right now lots of people are downloading from 
MALICIOUS SITE 
http://scan.powerantivirus2009.com/?aff=1539

described at 

http://www.2-spyware.com/remove-powerantivirus2009.html

and the reason they think they "need" to download the bogus software is that their browser "stops working" because it is in Offline mode.  

Very sneaky, and the browser should not have allowed itself to be put in offline mode.  

Reproducible: Always

Steps to Reproduce:
1. Go to malicious site above.
2. Verify that browser is in offline mode.

Actual Results:  
offline mode 

Expected Results:  
Message
"do you really want to go to offline mode"  
or 
"malicious website detected."
It doesn't switch my Firefox 3.01 into Offline mode.
If you are in the offline mode, how would you be able to download software?
I see only a JavaScript alert with "your system is slower than usual....."
Component: Phishing Protection → Security
QA Contact: phishing.protection → firefox
I sent a note to Google about this page. I hope they will include it in their safebrowsing/phishing database, and Firefox, as a user of this database, will block it.
Clarification: The browser went into "Offline Mode" just after the trojan payload file download had been completed and Firefox was asking (in my case) where to save it.

Clearly it would not make much sense to make the browser offline BEFORE downloading the trojan.

The browser also disappointed me by naming the file incorrectly IMO. In the form I directed that it be named "whatever.exe.off" instead of "whatever.exe" to guard against accidental execution. But the browser redid the hazardous choice, saving the file as "whatever.exe.off.exe".
We must be very careful not to save files as executables when the user doesn't expect it! Dropping executables in the wrong directory can get them to be run automatically, soon or at reboot. Never add an executable suffix without the user's knowledge! I assume the MIME type was used to add the "correct" suffix, contradicting the suffix I chose.
carlp, can you file a separate bug report about ".exe" being added at an inappropriate time?  You should be able to use https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.0/win32/en-US/ as a testcase.
(In reply to comment #1)
> It doesn't switch my Firefox 3.01 into Offline mode.
> If you are in the offline mode, how would you be able to download software?
> I see only a JavaScript alert with "your system is slower than usual....."

So this is INVALID?
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
Version: unspecified → 3.0 Branch