Closed Bug 533399 Opened 15 years ago Closed 15 years ago

Malware / Javascript exploit

Categories: Firefox :: Security, defect
Platform: x86, Windows Vista
Priority: Not set
Severity: critical
Status: RESOLVED INVALID
Reporter: alan.cocox (Unassigned)
Attachments: 4 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

Downloads and executes malicious code.

Reproducible: Always

Steps to Reproduce:
1. Log on to website.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a1pre) Gecko/20091207 Minefield/3.7a1pre

I get a blank page.
Component: General → Security
QA Contact: general → firefox
I get a PDF download dialog (which will start a download in the background) or if you have a PDF plugin installed it should display the PDF using your installed PDF viewer.
Reporter:
How do you know that it executes malicious code?
With JS disabled I only had a list of links. Then I temporarily enabled JS via NoScript, and immediately got a warning from my virus scanner that there is a suspicious file on my hard disk. I didn't see the path, so I assume it's in the browser's cache.

No, it's not in the cache, but plugin-example.pdf wants to be stored in c:/documents&settings/[user]/local settings/temp/plugtmp-61, and Avira blocks it as it is recognized as EXP/Piedief.AZ.50

The path is German, so I tried to translate it....
Attachment 416721 [details] is HTML script virus HTML/crypt.gen
This file, sdfg.txt, is a zip file containing the malware
Both were found in the directory index_data_002 after downloading the URL using 'Save as Web Page, complete'.
Using 7zip, sdfg.txt extracts to a directory named myf containing the files AppletX.class and LoaderX.class
Attached file AppletX.class
Antivir recognizes common.js as

Name: HTML/Crypted.Gen
Detected on: 18/07/2007
Type: Trojan

HTML/Crypted.Gen

Description:
[...] of HTML malware browser functionality such as Java and VisualBasic Script. The scripts written with these are small and often very simple encryption routines that hide the malicious parts of the script. This encrypted malware is detected as HTML/Crypted.Gen.

Antivir doesn't recognize sdfg.txt, LoaderX.class, AppletX.class
Attached file LoaderX.class
LoaderX.class
Comment on attachment 416726 [details]
AppletX.class

changed MIME Type from application/octet-stream to text/plain, as I don't want to infect somebody
Attachment #416726 - Attachment mime type: application/octet-stream → text/plain
Attachment #416721 - Attachment description: eval() → common.js is recognized as HTML/Crypt.Gen. and contains huge eval()
Attachment #416721 - Attachment mime type: text/x-js → text/plain
confirming website as malicious, but that's not a browser problem?
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is not a browser exploit, which makes this report invalid.
This page tries to exploit some plugins.
The class files are Java files, and the page also tries to exploit Adobe Acrobat with a PDF.

Whether you can get infected or not depends on whether you have the latest plugin version installed, or whether the page tries to exploit unfixed security holes in the plugins.

That you get a warning from AV software doesn't mean that it executes remote code, and a browser always downloads every piece of code that a website wants (into the cache or as a temp file for plugin/helper applications).

Use http://www.mozilla.com/en-US/plugincheck/ to be sure that you have the latest plugins installed, and I suggest using http://secunia.com/vulnerability_scanning/personal/ to be sure that you always have the latest versions installed.

The virus scan results for the 2 PDFs from the website are here:
http://www.virustotal.com/analisis/44e493ebe16fa6f5e5b174479f08ac1bdcd1e91e01bdcbd87af6d5765d4068eb-1260369730
http://www.virustotal.com/analisis/db16ba4b3029244b4d900648e443a3f0c71bef835987c44476d1f3817a1c629d-1260227954

You should probably contact the plugin vendors, but I'm sure Adobe already knows about these security holes because the files are detected by antivirus software.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
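The artifacts described in this thread (a common.js whose body is one huge eval(), a sdfg.txt that is really a zip archive of Java .class files, and PDFs handed to the Acrobat plugin) are the usual shape of a drive-by kit aimed at plugins rather than at the browser itself. The following Python script is an added example, not part of the bug report and not Firefox or Mozilla code; it triages the files of a 'Save as Web Page, complete' directory offline by checking magic bytes against the declared extension, listing the contents of any disguised zip, measuring the size of eval() arguments, and looking for a /JavaScript action in PDFs. The sample file contents are constructed here to mimic the names the reporter mentioned; the 200-character eval threshold and the /JavaScript string check are assumptions, not something the report states.

```python
"""Offline triage of a saved web page directory for drive-by artifacts (added example)."""
import io
import os
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a zip/jar
PDF_MAGIC = b"%PDF"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # Java class file
EVAL_THRESHOLD = 200               # assumption: eval() arguments longer than this are "huge"

# extension -> container type we expect from the magic bytes
DECLARED = {".zip": "zip", ".jar": "zip", ".pdf": "pdf", ".class": "java-class"}


def sniff_type(data):
    """Classify a file by its leading bytes, ignoring the file name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(CLASS_MAGIC):
        return "java-class"
    return "other"


def extension_mismatch(name, data):
    """True when a recognised container hides behind an unrelated extension (e.g. a zip named .txt)."""
    ext = os.path.splitext(name.lower())[1]
    actual = sniff_type(data)
    return actual != "other" and actual != DECLARED.get(ext, "other")


def zip_entries(data):
    """List the member names of an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def eval_argument_lengths(js):
    """Length of every eval(...) argument; parentheses inside string literals are skipped."""
    lengths = []
    for m in re.finditer(r"\beval\s*\(", js):
        i = m.end()
        start, depth, quote = i, 1, None
        while i < len(js) and depth:
            c = js[i]
            if quote:
                if c == "\\":
                    i += 1          # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in "'\"":
                quote = c
            elif c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            i += 1
        # i is one past the closing ')' (or end of input if unterminated)
        lengths.append(i - 1 - start if depth == 0 else len(js) - start)
    return lengths


def triage(files):
    """Return (name, finding, detail) tuples for a {name: bytes} map of saved files."""
    findings = []
    for name, data in sorted(files.items()):
        kind = sniff_type(data)
        if extension_mismatch(name, data):
            detail = kind
            if kind == "zip":
                detail += " containing " + ", ".join(zip_entries(data))
            findings.append((name, "extension-mismatch", detail))
        if name.lower().endswith((".js", ".html", ".htm")):
            big = [n for n in eval_argument_lengths(data.decode("latin-1")) if n > EVAL_THRESHOLD]
            if big:
                findings.append((name, "large-eval", "argument lengths %s" % big))
        if kind == "pdf" and b"/JavaScript" in data:
            findings.append((name, "pdf-javascript", "embedded /JavaScript action"))
    return findings


def build_samples():
    """Constructed sample files (not the real malware) named after the report's artifacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myf/AppletX.class", CLASS_MAGIC + b"\x00\x00\x00\x31")
        zf.writestr("myf/LoaderX.class", CLASS_MAGIC + b"\x00\x00\x00\x31")
    return {
        "common.js": ('eval("' + "\\x41" * 100 + '");').encode(),   # 400-char escaped payload
        "index.html": b"<html><body><a href='a'>link</a></body></html>",
        "plugin-example.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>",
        "sdfg.txt": buf.getvalue(),
    }


if __name__ == "__main__":
    for name, finding, detail in triage(build_samples()):
        print("%-20s %-20s %s" % (name, finding, detail))
```

Run against a real saved directory by building the dict from `os.walk` and reading each file in binary mode; the script never executes or decodes the payloads, it only measures and labels them.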