Closed Bug 282148 Opened 20 years ago Closed 20 years ago

Firefox downloads and installs a trojan!

Categories: Firefox :: General, defect

Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME

People: Reporter: Thorsten_Reichelt, Assigned: dveditz

Whiteboard: [sg:needinfo]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0

There must be something on this site that causes Firefox to download and install
a trojan without any possibility to prevent this.

Reproducible: Sometimes

Steps to Reproduce:
1. Visit http://www.flashworker.de/tutorial/41/001.html (DANGER! COULD RESULT IN
TROJAN INFECTION!!)


Actual Results:  
Look on c:\. There should be a bla.exe file. This is a trojan downloader
(Trojan-Downloader.Win32.Small.aaq). bla.exe accesses tools.binfinity.com to
download something. There is an advertisement banner on top of the site
(Iframe?). This seems to be the cause of the security hole.

Expected Results:
The trojan downloader should not be downloaded and installed by Firefox.

I don't get infected when I visit that page; is there any more information you
could give?

The only suspect things on that page are the ad block at the top and the flash
example. The site looks legit so I don't really suspect the flash, but what
version of flash do you have? The site specifies version 5.0, which is quite old
and has known security holes, but it's probably just an old tutorial. Running
the example with flash 7.0.19 doesn't infect me.

Do you have Java 1.4.2_05 or lower by chance? We've been seeing
Java.ByteVerifier infections attacking an announced hole in older JVMs. That's
not the infection you report, however, and I don't see any Java on the page.

It's possible the ad server was hacked--it's happened before, they are
attractive targets--and has since been fixed. Is there a chance you have the
page in your cache? Without a copy of the exploit it's nearly impossible to know
what needs fixing.
Assignee: firefox → dveditz
Whiteboard: [sg:needinfo]

(In reply to comment #1)
> I don't get infected when I visit that page, is there any more information you
> could give?

I am sorry but I cannot give you more information. Only that two times I visited
this site bla.exe was installed. I told two friends and they tried it on their
computers. They got the bla.exe, too.
But today I tried again (reloading the page at least 20 times, clearing all
cookies/cache before each reload), but I did not get the bla.exe. :-(

> and has known security holes, but it's probably just an old tutorial. Running
> the example with flash 7.0.19 doesn't infect me.

I'm running Flash 7.0.19.0.

> Do you have Java 1.4.2_05 or lower by chance? We've been seeing

Mmmm, I have Java 1.4.2_04-b05 installed. 

> Is there a chance you have the page in your cache? 
> Without a copy of the exploit it's nearly impossible to know
> what needs fixing.

Oh, damn. I cleaned the cache so as not to get the bla.exe any more from cached
code. :-( But I will ask my two friends. Maybe they didn't clean the cache.

  Thorsten

Unfortunately there's no information here to be able to fix anything. Please
let us know if this happens again, and if possible capture the page contents
locally. The page looks legit; it's possible someone hacked the ad server and
adforce.de has detected and removed the hack.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
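A triage helper for the request above, added here as an example and not code from the bug or from Mozilla: given a locally saved copy of a page, it lists the embedded resources and flags the third-party ones (such as an ad iframe) and the plugin-invoking ones (Flash or Java object/embed/applet), which are the pieces worth preserving for analysis. The saved page, its URL and all hostnames in it are constructed.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample of a saved page copy; hostnames are placeholders, not real sites.
PAGE_URL = "http://www.example-tutorial.test/tutorial/41/001.html"
SAVED_PAGE = """<html><body>
<iframe src="http://ads.example-adserver.test/banner.html" width="468" height="60"></iframe>
<script src="/js/menu.js"></script>
<script>var x = 1;</script>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
  <param name="movie" value="tutorial.swf">
  <embed src="tutorial.swf" type="application/x-shockwave-flash"></embed>
</object>
<img src="logo.gif">
</body></html>"""

# Opening tags that pull in external content or hand control to a plugin.
TAG_RE = re.compile(r"<(iframe|frame|script|object|embed|applet)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
SRC_ATTRS = ("src", "data", "code")   # attributes that carry the resource address
PLUGIN_TAGS = {"object", "embed", "applet"}

def parse_attrs(raw):
    """Attribute string of one tag -> dict of lowercased name to value."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}

def triage_page(html, page_url):
    """One record per embedded resource in the saved page (inline scripts skipped)."""
    origin = urlparse(page_url).hostname
    records = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
        src = next((attrs[a] for a in SRC_ATTRS if attrs.get(a)), "")
        if not src and tag == "script":
            continue  # inline script: no external address to report
        host = urlparse(urljoin(page_url, src)).hostname if src else None
        records.append({
            "tag": tag, "src": src, "host": host,
            # Content from another host (ad network iframe, remote script) is the
            # first thing to save, since the page author does not control it.
            "third_party": bool(host) and host != origin,
            # object/embed/applet invoke a plugin such as Flash or Java.
            "plugin": tag in PLUGIN_TAGS,
        })
    return records

def suspects(records):
    """Resources worth preserving: third-party or plugin-invoking."""
    return [r for r in records if r["third_party"] or r["plugin"]]
```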