Closed Bug 273513 Opened 20 years ago Closed 20 years ago

German build corrupted?

Categories

(mozilla.org :: FTP: Mirrors, task)

x86
Windows XP
task
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: axel, Assigned: kveton)

Details

(Whiteboard: [sg:needinfo])

I got a report of an infected build on this link:

http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0/win32/de-DE/Firefox%20Setup%201.0.exe

The reporter mentions a "LSSASS or something" in the unpack directory of the 
installer. This was followed by sudden activity on the machine and no install of
1.0. AntiVir and Fsecure detected a problem with TAKSMGR.EXE, but were unable to
repair it.

Google found quite a bit of unfortunate description when searching for LSSASS, 
I'm afraid that the name is right.

The machine has since been klined sadly, so it's hard to get further information.

I will ask if they happen to have the download still, but I'm afraid not.

As a later download was fine, I can't rule out a problem with a particular 
mirror. Someone with a complete list of mirrors should go for a hunt.
I got a second report, still trying to get more input on the infected downloads.
Checking the security box, just to get a copy of this mailed to the security
list.  Security flag can probably be removed once we have their attention :)
Group: security
FYI the MD5 checksum of the de-DE "Firefox Setup 1.0.exe" file on
stage.mozilla.org is 003aff23bba976f415e60117a1dc14e9.  I scanned this file
locally with a virus checker and didn't turn anything up.
Do we have a full list of mirrors? I'd like to download each and every German
version we know about and compare to the checksum.
http://www.mozilla.org/mirrors.html

The ones in the orange boxes at the top are the ones on the ftp.mozilla.org round-robin.
Or, more accurately, here's the list taken right out of the zone file

ftp             60 IN A         131.188.3.71    ; ftp.uni-erlangen.de
ftp             60 IN A         216.165.129.134 ; mozilla.mirrors.tds.net
ftp             60 IN A         207.200.85.49   ; ftpmoz.newaol.com #1
ftp             60 IN A         64.12.168.243   ; ftpmoz.newaol.com #2
ftp             60 IN A         64.12.168.21    ; ftpmoz.newaol.com #3
ftp             60 IN A         204.152.184.113 ; mozilla.isc.org
ftp             60 IN A         130.207.108.135 ; trillian.cc.gatech.edu
ftp             60 IN A         156.56.247.196  ; mozilla.ussg.indiana.edu
ftp             60 IN A         130.206.1.5     ; zeppo.rediris.es
ftp             60 IN A         155.98.64.83    ; mozilla.cs.utah.edu
ftp             60 IN A         193.74.22.160   ; ftp.scarlet.be

I'm grabbing it off of each one now
md5sums:

003aff23bba976f415e60117a1dc14e9  ./130.206.1.5/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./130.207.108.135/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./131.188.3.71/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./155.98.64.83/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./156.56.247.196/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./193.74.22.160/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./204.152.184.113/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./207.200.85.49/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./216.165.129.134/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./64.12.168.243/Firefox%20Setup%201.0.exe

AOL #3 appears to be down at the moment.  They're probably the least likely to
have a problem though.
Of the manual mirrors plusline.de appears to be different. A virus scan on the
unpacked install files didn't pick up anything, but I'm scared to actually
install it so something might be compressed or hidden.

Are we sure it wasn't ftp.eu.mozilla.org instead of ftp.mozilla.org? What
mirrors does that hit? Would plusline.de be in that group?

What can we do about the bad plusline copy?

003aff23bba976f415e60117a1dc14e9 *artfiles.org.Firefox Setup 1.0.exe
003aff23bba976f415e60117a1dc14e9 *eu.mozilla.org.Firefox Setup 1.0.exe
003aff23bba976f415e60117a1dc14e9 *fh-wolfenbuettel.de.Firefox Setup 1.0.exe
003aff23bba976f415e60117a1dc14e9 *mirrorspace.org.Firefox Setup 1.0.exe
f497ea6ae2c9dc5e516d146b09d6a021 *plusline.de.Firefox Setup 1.0.exe
003aff23bba976f415e60117a1dc14e9 *sunsite.rediris.es.Firefox Setup 1.0.exe
003aff23bba976f415e60117a1dc14e9 *uni-bayreuth.de.Firefox Setup 1.0.exe
003aff23bba976f415e60117a1dc14e9 *uni-erlangen.de.Firefox Setup 1.0.exe
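The two checksum lists above were produced by hand: fetch the installer from every mirror, run md5sum, and eyeball which line differs. The following is an added example (not code from the bug or from mozilla.org) that automates that comparison: it parses md5sum output in both the text-mode ("hash␣␣path") and binary-mode ("hash␣*path") layouts seen in the thread, reports copies whose digest differs from the trusted stage.mozilla.org checksum quoted earlier, and, for the case where no trusted reference is at hand, groups the copies by digest so the odd one out can be spotted by comparing mirrors against each other. The sample input is constructed from the lines in this bug; the function names are my own.

```python
"""Mirror-integrity check over md5sum output (added example, not from the bug)."""
import hashlib
import re
from collections import defaultdict

# Reference checksum of the de-DE "Firefox Setup 1.0.exe" on stage.mozilla.org,
# as quoted in the bug. The function names and sample layout below are assumptions.
REFERENCE_MD5 = "003aff23bba976f415e60117a1dc14e9"

# One md5sum line: 32 hex digits, one space, then ' ' (text mode) or '*' (binary
# mode), then the path. Both forms appear in the checksum lists pasted in the bug.
_MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

# Constructed from the bug's two lists (per-IP directory layout and hostname-prefix layout).
SAMPLE_MD5SUM_OUTPUT = """\
003aff23bba976f415e60117a1dc14e9  ./130.206.1.5/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9  ./131.188.3.71/Firefox%20Setup%201.0.exe
003aff23bba976f415e60117a1dc14e9 *eu.mozilla.org.Firefox Setup 1.0.exe
f497ea6ae2c9dc5e516d146b09d6a021 *plusline.de.Firefox Setup 1.0.exe
003aff23bba976f415e60117a1dc14e9 *uni-erlangen.de.Firefox Setup 1.0.exe
"""


def parse_md5sum_output(text):
    """Map each listed path to its lowercase digest; reject malformed or duplicate lines."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        m = _MD5SUM_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not md5sum output: {line!r}")
        digest, path = m.group(1).lower(), m.group(2)
        if path in sums:
            raise ValueError(f"line {lineno}: duplicate entry for {path!r}")
        sums[path] = digest
    return sums


def find_divergent_copies(text, reference):
    """Paths whose digest differs from the trusted reference checksum, sorted."""
    ref = reference.lower()
    return sorted(p for p, d in parse_md5sum_output(text).items() if d != ref)


def group_by_digest(text):
    """Group paths by digest, for the case where no trusted reference is available
    and the outlier has to be found by comparing the mirrors against each other."""
    groups = defaultdict(list)
    for path, digest in parse_md5sum_output(text).items():
        groups[digest].append(path)
    return {d: sorted(ps) for d, ps in groups.items()}


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory blob (used for small inputs and tests)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a downloaded installer through MD5 without loading it whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for path in find_divergent_copies(SAMPLE_MD5SUM_OUTPUT, REFERENCE_MD5):
        print("MISMATCH:", path)
    for digest, paths in group_by_digest(SAMPLE_MD5SUM_OUTPUT).items():
        print(digest, len(paths), "copies")
```

Run as-is it flags only the plusline.de copy, which matches what the thread found by hand. Two caveats a practitioner would keep in mind: a mismatch tells you only that a mirror's copy differs from the reference, not why, so a stale mirror (which is what plusline.de turned out to be) looks exactly like a tampered one until the odd file is examined; and MD5 is no longer collision-resistant, so agreement with the reference is evidence that a copy is the published file, not proof against a deliberately crafted substitute. Publishing a stronger digest alongside a signature over it is the usual way to close that gap.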
plusline.de has the first spin with the bad eBay search file. I just compared
that md5sum (and file date) with what chase just sent me from the version off
the CD.

Worth figuring out why the mirror didn't update, but not the source of any virus.
Unless someone can get more details of where the bad builds came from this will
have to be WFM.
Whiteboard: [sg:needinfo]
At some point could we please declassify this?
Never found the source of the bogus build, all the mirrors seemed to check out.
Bouncer 2.0 should prevent this sort of thing in the future, at least for the
mirrors we know about and refer to.
Group: security
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME