Closed Bug 281867 Opened 20 years ago Closed 20 years ago

allows malicious spyware to download to windows temp folder and install, which dials out and gets more spyware on host computer. note: NO WAY TO STOP THIS FROM DOWNLOADING EXCEPT BY THIRD PARTY SOFTWARE (that I know of)

Categories

(Firefox :: General, defect)

1.0 Branch
x86
Windows XP
defect
Not set
minor

RESOLVED INVALID

People

(Reporter: 012255662111, Assigned: bugs)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

visiting site allows malicious spyware to download to windows temp folder and
install, which dials out and gets more spyware on host computer.  note: NO WAY TO
STOP THIS FROM DOWNLOADING EXCEPT BY THIRD PARTY SOFTWARE (that I know of).  The
spyware is called IST Bar, or Integrated Search Technologies.  It immediately
installs a program "iinstal.xxx" where xxx is a constantly changing couple of
numbers.  It may also add registry keys, but I'm not sure about this.  It may
also be related to install.xxxtoolbar.com. Somehow, this even breaks through
firefox's protections.

Reproducible: Always

Steps to Reproduce:
1. NOTE THIS WILL POSSIBLY INFECT YOUR WINDOWS COMPUTER EVEN IF IT'S NOT RUNNING
WINDOWS XP.  ONLY TRY THIS IF YOU HAVE A LEGITIMATE ANTISPY PROGRAM (OR THREE)
2. Visit www.seriall.com
3. Click on any link.

Actual Results:  
The program(s?) downloaded, immediately ran without prompting me first, and
attempted to dial out, after which my firewall caught them.  They also attempted
to modify my registry (blocked by Lavasoft Ad-Watch Pro)

Expected Results:  
It should never have been downloaded, much less run.  All content from
"Integrated Search Technologies" should be banned, with some type of download
lockdown in firefox to prevent the infection in the first place.

Default theme, custom built Windows XP, running SP2 and _all_ microsoft
security patches, Zonelabs pro firewall, Spybot search+destroy, webroot,
microsoft antispy, lavasoft antispy, and Norton Corporate Antivirus 9 (all updated)

That site does nothing special and certainly doesn't install any spyware for me.
Are you sure that this is caused by Firefox?

Component: OS Integration → General

This could be related to bug 69938 if you have no prompt downloading enabled I
suppose.

(In reply to comment #2)
> This could be related to bug 69938 if you have no prompt downloading enabled I
> suppose.

i don't have it enabled for anything, much less .exe files, so i am somewhat
certain that isn't the cause...

(In reply to comment #1)
> That site does nothing special and certainly doesn't install any spyware for me.
> Are you sure that this is caused by Firefox?
as i'm new to this whole bug filing thingy, perhaps i misclassified it, but i
don't think this is caused by firefox, it is some sort of exploit.  some flaw in
firefox (i think) caused the ISTBar to download on my machine.  Does it really
not do anything on yours?  if so, may i ask what your internet explorer
security settings are.  if they are on the highest setting, firefox always
crashes when it loads this site (on mine), but if it's lower, firefox says it
blocked the site from installing software, although some still can sneak past.
there's some sort of internet explorer integration with the temp folder issue,
or somesuch insanity.  this is a bit over my head, but I know my computer has
been repeatedly infected with ISTBar from www.seriall.com while surfing with
firefox 1.0. thanks for any info/help you all can offer

Internet Explorer settings have nothing to do with Firefox and have no effect on
the way it deals with websites. Odds are you got the virus using IE or through
some other means. Do you have any solid evidence that Firefox is actually at fault?

(In reply to comment #4)
> Internet Explorer settings have nothing to do with Firefox and have no effect on
> the way it deals with websites. Odds are you got the virus using IE or through
> some other means. Do you have any solid evidence that Firefox is actually at
> fault?

well, i sure as heck wasn't using ie, i never do that.  i was surfing, perfectly
contently, in firefox 1.0 and yet somehow this thingy installed itself.  if you
want to close this thread, that's fine.  perhaps this is just some bizarrity due
to my machine's config.  i just thought i'd mention it, as more attention has
been drawn recently to upcoming spyware for firefox.

Severity: critical → minor

THIS BUG HAS BEEN REPORTED BY THE NEWS-CHECK OUT THE PICTURES OF THE PROMPT FOR
INTEGRATED SEARCH TECHNOLOGIES.
http://www.theregister.co.uk/2005/03/11/alternative_slimeware/
http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html

Version: unspecified → 1.0 Branch

(In reply to comment #6)
> THIS BUG HAS BEEN REPORTED BY THE NEWS-CHECK OUT THE PICTURES OF THE PROMPT
> FOR INTEGRATED SEARCH TECHNOLOGIES.

You didn't mention a prompt before. Yes, if you grant Java permission to step
outside the safe "sandbox" then it can do *anything*. It is at that point as
powerful as any installed software you could run from the command-line or by
double-clicking on the desktop.

We already have bugs on making this clearer for users, and possibly even
blocking it except for whitelisted sites. But this one ought to be closed if you
gave something permission to install.

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID