Closed Bug 263461 Opened 21 years ago Closed 21 years ago

spyware programs installed via java

Categories: Firefox :: General, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED INVALID
People: Reporter: d6miller, Assigned: bugzilla

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1

I was browsing some dark backward part of the net and suddenly everything slowed down and the hard disk became quite active, which usually means the Java VM has started up. After a bit, I got some cryptic error that I can't recall, and closed the window. I continued on with my business for a bit until I needed to browse My Computer. When I opened it, however, it immediately closed down and I realized that somehow I had been infected with some evil browser-hijacker. AdAware confirmed this (some CasinoPalazzo thing, log included). I suppose I could have been duped by some fake error message working through Java that allowed me to install this. Is this a Java bug? Should I update my VM? Either way, Java ought to be disabled by default (if it isn't already) and some warning included in the options panel.

Reproducible: Didn't try

Steps to Reproduce:
I've included AdAware logs. I bet they could provide you with the exact files if needed.

Actual Results:
Symptoms associated with use of IE.

Expected Results:
FireFox should do better than this.

CasinoPalazzo Object recognized!
    Type          : RegKey
    Data          :
    Category      : Misc
    Comment       : c:\windows\system32\mtc.dll
    Rootkey       : HKEY_CLASSES_ROOT
    Object        : CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}

CasinoPalazzo Object recognized!
    Type          : File
    Data          : mtc.dll
    Category      : Misc
    Comment       :
    Object        : c:\windows\system32\
    FileSize      : 64 KB
    Created on    : 10/8/2004 7:47:43 AM
    Last accessed : 10/8/2004 9:31:36 AM
    Last modified : 10/8/2004 7:47:55 AM

CasinoPalazzo Object recognized!
    Type          : RegKey
    Data          : c:\windows\system32\mtc.dll
    Category      : Misc
    Comment       :
    Rootkey       : HKEY_CLASSES_ROOT
    Object        : TYPELIB\{9EAC0102-5E61-2312-BC2B-4D54434D5443}

CasinoPalazzo Object recognized!
    Type          : RegKey
    Data          :
    Category      : Misc
    Comment       : ({9EAC0102-5E61-2312-BC2D-4D54434D5443})
    Rootkey       : HKEY_CLASSES_ROOT
    Object        : Tubby.ToolBandObj

CasinoPalazzo Object recognized!
    Type          : RegKey
    Data          :
    Category      : Misc
    Comment       : ({9EAC0102-5E61-2312-BC2D-4D54434D5443})
    Rootkey       : HKEY_CLASSES_ROOT
    Object        : Tubby.ToolBandObj.1

CasinoPalazzo Object recognized!
    Type          : RegValue
    Data          :
    Category      : Misc
    Comment       : ({9EAC0102-5E61-2312-BC2D-4D54434D5443})
    Rootkey       : HKEY_LOCAL_MACHINE
    Object        : SOFTWARE\Microsoft\Internet Explorer\Toolbar
    Value         : {9EAC0102-5E61-2312-BC2D-4D54434D5443}

CasinoPalazzo Object recognized!
    Type          : RegKey
    Data          :
    Category      : Misc
    Comment       : c:\windows\system32\mtc.dll
    Rootkey       : HKEY_LOCAL_MACHINE
    Object        : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9EAC0102-5E61-2312-BC2D-4D54434D5443}

-------------------------------------------------------------------------
JAVA info:
J2RE: 1.4.1_01
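Added example, not part of the original report and not Ad-Aware's own code: a small parser for the flattened Ad-Aware entries in the report above. It classifies each entry by the registry extension point it touches and ties the hooks back to one GUID and one DLL. The field list and the `HOOKS` table are assumptions drawn from the entries shown in this report, not a specification of the Ad-Aware log format.

```python
import re

# Four entries copied from the Ad-Aware log in the report, flattened as posted.
SAMPLE_LOG = r"""
CasinoPalazzo Object recognized! Type : RegKey Data : Category : Misc Comment : c:\windows\system32\mtc.dll Rootkey : HKEY_CLASSES_ROOT Object : CLSID\{9EAC0102-5E61-2312-BC2D-4D54434D5443}
CasinoPalazzo Object recognized! Type : File Data : mtc.dll Category : Misc Comment : Object : c:\windows\system32\ FileSize : 64 KB
CasinoPalazzo Object recognized! Type : RegValue Data : Category : Misc Comment : ({9EAC0102-5E61-2312-BC2D-4D54434D5443}) Rootkey : HKEY_LOCAL_MACHINE Object : SOFTWARE\Microsoft\Internet Explorer\Toolbar Value : {9EAC0102-5E61-2312-BC2D-4D54434D5443}
CasinoPalazzo Object recognized! Type : RegKey Data : Category : Misc Comment : c:\windows\system32\mtc.dll Rootkey : HKEY_LOCAL_MACHINE Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9EAC0102-5E61-2312-BC2D-4D54434D5443}
"""

FIELDS = ("Type", "Data", "Category", "Comment", "Rootkey", "Object", "Value",
          "FileSize", "Created on", "Last accessed", "Last modified")
FIELD_RE = re.compile(r"\b(%s)\s*:" % "|".join(FIELDS))
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Assumed mapping: lower-cased registry path fragment -> extension point name.
HOOKS = (("\\browser helper objects\\", "browser helper object"),
         ("\\internet explorer\\toolbar", "IE toolbar"),
         ("clsid\\", "COM class"))

def parse_log(text):
    """Return one dict per 'Object recognized!' entry, keyed by field name."""
    entries = []
    for body in re.split(r"\w+ Object recognized!", text)[1:]:
        kv = FIELD_RE.split(body)          # [junk, key, value, key, value, ...]
        entry = dict.fromkeys(FIELDS, "")  # absent fields read as empty
        entry.update(zip(kv[1::2], (v.strip() for v in kv[2::2])))
        entries.append(entry)
    return entries

def classify(entry):
    """Name what an entry is: a file, a known hook, or 'other'."""
    if entry["Type"] == "File":
        return "file on disk"
    obj = entry["Object"].lower()
    return next((kind for frag, kind in HOOKS if frag in obj), "other")

def summarize(text):
    """Return (kind, guid, dll_path) per entry so every hook maps to a file."""
    rows = []
    for e in parse_log(text):
        guid = GUID_RE.search(" ".join((e["Object"], e["Value"], e["Comment"])))
        path = e["Object"] + e["Data"] if e["Type"] == "File" else e["Comment"]
        path = path if path.lower().endswith(".dll") else ""
        rows.append((classify(e), guid.group(0) if guid else "", path))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%-22s %-40s %s" % row)
```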
Nothing in your report tells us *how* you got infected, apart from that it has 'something to do with Java'. Obviously, we need to know that to do anything. INVALID until we get further information.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
BTW: Even if you are right, it's most likely a Java bug, not a Mozilla bug, i.e. to be reported to Sun, not mozilla.org.
(In reply to comment #2)
> BTW: Even if you are right, it's most likely a Java bug, not a Mozilla bug, i.e.
> to be reported to Sun, not mozilla.org.

You're not addressing the issue here. Spyware was installed on my computer while using FireFox. If Java viruses can be downloaded and run unhindered as long as Java is enabled, then perhaps you ought to put some more thought into having Java enabled by default and warning users of this obvious vulnerability. Relying on Sun to fix these issues promptly - and relying on your users to make sure they have the most up to date version of Java - seems incredibly presumptuous.

I searched the forums and found a similar thread about the Java ByteVerify virus. I am clearly not the only person experiencing these problems. In there, somebody suggested turning off the Java cache as a means of preventing these things. Could this be done from within FireFox somehow?
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
> JAVA info:
> J2RE: 1.4.1_01

Oh lordy, that one has tons of known vulnerabilities. Added bug 265835 for a new feature that would help.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED