Closed
Bug 533399
Opened 15 years ago
Closed 15 years ago
Malware / Javascript exploit
Categories
(Firefox :: Security, defect)
Tracking
RESOLVED
INVALID
People
(Reporter: alan.cocox, Unassigned)
References
Details
Attachments
(4 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

Downloads and executes malicious code.

Reproducible: Always

Steps to Reproduce:
1. Log on to website.
Comment 1•15 years ago
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a1pre) Gecko/20091207 Minefield/3.7a1pre

I get a blank page.
Component: General → Security
QA Contact: general → firefox
Comment 2•15 years ago
I get a PDF download dialog (which will start a download in the background), or if you have a PDF plugin installed it should display the PDF using your installed PDF viewer.

Reporter: How do you know that it executes malicious code?
Comment 3•15 years ago
With JS disabled I only had a list of links. Then I temporarily enabled JS via NoScript, and immediately got a warning from my virus scanner that there is a suspicious file on my hard disk. I didn't see the path, so I assume it's in the browser's cache.

No, it's not in the cache, but plugin-example.pdf wants to be stored in c:/documents&settings/[user]/local settings/temp/plugtmp-61, and Avira blocks it as it is recognized as EXP/Piedief.AZ.50. The path is German, so I tried to translate it...
Comment 4•15 years ago
function to unpack trojan
Comment 5•15 years ago
Attachment 416721 [details] is HTML script virus HTML/crypt.gen
This file, sdfg.txt, is a zip file containing the malware
Both were found in the directory index_data_002 after downloading the URL using 'Save as Web Page, complete'.
Using 7zip, sdfg.txt generates a directory named myf containing the files AppletX.class and LoaderX.class
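The triage in the comment above (a file named sdfg.txt that is really a zip holding Java class files) is a content-versus-extension mismatch that can be checked mechanically: look at the bytes, not the name. The script below is an added example and not part of the bug thread or any attachment; the archive it inspects is constructed in memory to mirror the entry names reported above (myf/AppletX.class, myf/LoaderX.class), with stub bodies that carry only the class-file magic and version header. Nothing here runs or decompiles the classes; it only identifies them.

```python
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"        # local file header signature of a zip archive
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # magic number of a Java class file


def sniff_zip(data: bytes) -> bool:
    """True if the bytes start with a zip local-file-header, whatever the file is named."""
    return data[:4] == ZIP_MAGIC


def triage_archive(data: bytes) -> dict:
    """Summarise an in-memory archive: is it a zip, what entries does it hold, and which
    entries are Java class files (decided by their CAFEBABE magic, not by extension).
    For each class file the class-format version is recorded, which tells a responder
    the minimum JRE the payload targets."""
    result = {"is_zip": sniff_zip(data), "entries": [], "class_files": []}
    if not result["is_zip"]:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                result["entries"].append(info.filename)
                with zf.open(info) as fh:
                    head = fh.read(8)  # magic (4) + minor_version (2) + major_version (2)
                if head[:4] == CLASS_MAGIC:
                    minor, major = struct.unpack(">HH", head[4:8])
                    result["class_files"].append(
                        {"name": info.filename, "major": major, "minor": minor}
                    )
    except zipfile.BadZipFile:
        # Signature present but the structure is damaged or truncated: treat as not a zip.
        result["is_zip"] = False
    return result


def build_sample() -> bytes:
    """Constructed stand-in for sdfg.txt: a zip whose class entries contain only a header.
    Major version 50 is the class-file format used by Java 6 (constructed value)."""
    buf = io.BytesIO()
    header = CLASS_MAGIC + struct.pack(">HH", 0, 50)
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("myf/AppletX.class", header + b"\x00" * 16)
        zf.writestr("myf/LoaderX.class", header + b"\x00" * 16)
        zf.writestr("myf/readme.txt", b"not a class file")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample())
    print("is zip:", report["is_zip"])
    for name in report["entries"]:
        print("entry:", name)
    for cls in report["class_files"]:
        print(f"class file: {cls['name']} (format {cls['major']}.{cls['minor']})")
```

On a real sample you would read the suspect file's bytes and pass them to `triage_archive`; the point of sniffing magic numbers is that a downloader can name the archive anything it likes, and an extension-based filter would never see it.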
Comment 6•15 years ago
Antivir recognizes common.js as:

Name: HTML/Crypted.Gen
Detected on: 18/07/2007
Type: Trojan HTML/Crypted.Gen
Description: HTML malware uses browser functionality such as Java and VisualBasic Script. The scripts written with these are small and often very simple encryption routines that hide the malicious parts of the script. This encrypted malware is detected as HTML/Crypted.Gen.

Antivir doesn't recognize sdfg.txt, LoaderX.class, AppletX.class.
Comment 7•15 years ago
LoaderX.class
Comment 8•15 years ago
Comment on attachment 416726 [details]
AppletX.class
Changed MIME type from application/octet-stream to text/plain, as I don't want to infect somebody.
Attachment #416726 - Attachment mime type: application/octet-stream → text/plain
Updated•15 years ago
Attachment #416721 - Attachment description: eval() → common.js is recognized as HTML/Crypt.Gen. and contains huge eval()
Attachment #416721 - Attachment mime type: text/x-js → text/plain
Comment 9•15 years ago
Confirming the website as malicious, but that's not a browser problem?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 10•15 years ago
This is not a browser exploit, and that makes this report invalid. This page tries to exploit some plugins. The class files are Java files, and the page also tries to exploit Adobe Acrobat with a PDF. Whether you can get infected or not depends on whether you have the latest plugin version installed, or on whether the page tries to exploit unfixed security holes in the plugins. That you get a warning from AV software doesn't mean that it executes remote code; a browser always downloads all code that a website wants (into the cache or as a temp file for plugin/helper applications).

Use http://www.mozilla.com/en-US/plugincheck/ to be sure that you have the latest plugins installed, and I suggest using http://secunia.com/vulnerability_scanning/personal/ to be sure that you always have the latest versions installed.

The virus scan results for the 2 PDFs from the website are here:
http://www.virustotal.com/analisis/44e493ebe16fa6f5e5b174479f08ac1bdcd1e91e01bdcbd87af6d5765d4068eb-1260369730
http://www.virustotal.com/analisis/db16ba4b3029244b4d900648e443a3f0c71bef835987c44476d1f3817a1c629d-1260227954

You should probably contact the plugin vendors, but I'm sure Adobe already knows about these security holes because the files are detected by antivirus software.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID