DNS Locker adware resides only in Firefox but is not detected, possibly installed by Maintenance Service

RESOLVED INCOMPLETE

Status

Firefox
Untriaged
--
critical
RESOLVED INCOMPLETE
2 years ago
2 years ago

People

(Reporter: sakhtosaz.link@gmail.com, Unassigned)

Tracking

({hang, helpwanted, highrisk})

41 Branch
x86_64
Windows 10
hang, helpwanted, highrisk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko

Steps to reproduce:

During the last 2 days, orange Firefox and Firefox for Developers were infected by DNS Locker adware. Other browsers, including Edge, IE11 and Chrome, are completely intact and clean.

The PC uses ESET NOD and is fully protected. There was no risky web surfing, no infected emails, no new applications installed.

Checking the system according to guides, there were no suspicious applications in Programs and Features and no unknown add-ons or extensions in the browser(s). Also, all suggested registry keys are clean and valid.

The most recent install in Programs and Features is Mozilla Maintenance Service, only two days before the malware started to show up. Also, the "Block reported attack sites" section of Options only contains two default Firefox-related domains as exceptions, add-ons and marketplace.

The above increases the possibility that this malware has been installed by Firefox updates and is limited to it, maybe as a hidden add-on.

Actual results:

After reviewing many guides and how-tos and performing many checks, I uninstalled Firefox, deleted all related folders and cleaned the registry, then installed a fresh copy. On the second run DNS Locker showed up!

The only thing I could do was blocking related ad links via NOD.

This prevents ads from activating, but Firefox CPU usage is too high.


Expected results:

If there is an add-on it must be visible in the Add-ons Manager, at least in safe mode. So what is this?
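One defender-side way to test the hidden-add-on hypothesis raised in the description above, as an added example that is not part of the bug report or any Mozilla tooling: it parses a Firefox profile's extensions.json and flags active entries that are hidden from the Add-ons Manager or were installed from outside the profile (field names such as location, hidden, active and defaultLocale.name are assumed from the file format as the author knows it; the sample JSON is constructed).

```python
import json

# Locations Firefox itself writes into: add-ons the user installed through
# the Add-ons Manager ("app-profile") and Mozilla's bundled system add-ons
# ("app-system-defaults"). Anything else was dropped in from outside the
# profile, e.g. via the HKLM/HKCU ...\Mozilla\Firefox\Extensions registry keys.
# Location names are assumed from the extensions.json format.
EXPECTED_LOCATIONS = {"app-profile", "app-system-defaults"}

def audit_extensions(extensions_json_text):
    """Return [(id, name, reason)] for active add-ons that are either hidden
    from the Add-ons Manager or were not installed from inside the profile."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if not addon.get("active", False):
            continue  # disabled entries cannot be injecting anything
        loc = addon.get("location", "")
        name = addon.get("defaultLocale", {}).get("name", "<unnamed>")
        reasons = []
        if loc not in EXPECTED_LOCATIONS:
            reasons.append("sideloaded from location '%s'" % loc)
        if addon.get("hidden") and loc != "app-system-defaults":
            reasons.append("hidden from the Add-ons Manager")
        if reasons:
            findings.append((addon.get("id", "?"), name, "; ".join(reasons)))
    return findings

# Constructed sample (not a real profile): one normal add-on, one Mozilla
# system add-on, and one sideloaded entry marked hidden.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 16,
    "addons": [
        {"id": "good-addon@example.org", "location": "app-profile",
         "active": True, "hidden": False,
         "defaultLocale": {"name": "Normal add-on"}},
        {"id": "system-addon@mozilla.org", "location": "app-system-defaults",
         "active": True, "hidden": True,
         "defaultLocale": {"name": "Bundled system add-on"}},
        {"id": "{11111111-2222-3333-4444-555555555555}",
         "location": "winreg-app-global", "active": True, "hidden": True,
         "defaultLocale": {"name": "Unlisted helper"}},
    ],
})

if __name__ == "__main__":
    # On a real machine, read <profile>/extensions.json instead of the sample.
    for addon_id, name, reason in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print("%s (%s): %s" % (addon_id, name, reason))
```

Entries it flags are candidates for review, not proof of infection; a legitimately sideloaded enterprise add-on will show up the same way.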
(Reporter)

Updated

2 years ago
Severity: normal → critical
Keywords: hang, helpwanted, highrisk
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64

Comment 1

2 years ago
Hi,
Thank you for reporting this. First of all, I want to tell you that releases from Mozilla go through virus scanning before being put on public sites, and all updates are sent to users over secure connections to avoid any malware from intercepting them and doing bad things.
What I can suggest about the malware removal tool is to use something like Malwarebytes and to ensure that your Flash plugin is up to date.
Flags: needinfo?(sakhtosaz.link)

Comment 2

2 years ago
Marking this as Resolved: Incomplete due to the lack of response from the reporter.
If anyone can still reproduce it on latest versions, feel free to reopen the issue and provide more information.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(sakhtosaz.link)

Comment 3

2 years ago
Given the addresses mentioned, it's almost certainly related to the "malvertising" campaign that was discovered late last year (2015). It's not a Firefox-specific issue and it's certainly not bug-related.

More information: https://blog.malwarebytes.org/malvertising-2/2015/09/large-malvertising-campaign-goes-almost-undetected/