Closed
Bug 299608
Opened 19 years ago
Closed 19 years ago
Mozilla and recent Java allow infection of machine with Trojan.ByteVerify at this URL
Categories
(Firefox :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: alex, Unassigned)
Details
(Whiteboard: [sg:needinfo])
Attachments (1 file): 36.09 KB, application/octet-stream
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

This URL permits infection of a machine with what appears to be Trojan.ByteVerify (http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html). I have archived a copy of what I believe to be the entire malware site at http://www.alexburke.ca/Trojan.ByteVerify.rar -- unpack with WinRAR (www.rarlab.com), using caution to not execute anything which is unpacked.

Reproducible: Always

Steps to Reproduce:
1. Visit http://www.i47324876348731647835473645237463254734823746823467.biz
2. Watch machine get 0wned unless you have recently-updated antivirus software installed (like I do, natch).

Actual Results:
Symantec AntiVirus 9.0.310, definitions dated 06/29/2005 rev 8:
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.ByteVerify
File: C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-55e32b5a-358c003b.class
Location: C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
Computer: FREEDOM
User: Alex
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Monday, July 4, 2005 3:56:09 AM

Expected Results:
Not get infected, I suppose.
Comment 2•19 years ago
Isn't this just another dupe of the "old java versions are remotely exploitable" bugs going around? Are you using an older Java VM?
Comment 3•19 years ago
I am using Sun JRE 1.5.0_02, which is anything but old (the latest version is 1.5.0_04).
Updated•19 years ago
Summary: Mozilla and Java allow infection of machine with Trojan.ByteVerify at this URL → Mozilla and recent Java allow infection of machine with Trojan.ByteVerify at this URL
Comment 4•19 years ago
On the site my scanner detected Exploit-MhtRedir.gen, BackDoor-CCT and Exploit-ByteVerify; all three are IE-only, attempting to exploit people who have not installed Microsoft security patches. Define "infection" -- it looks to me like the file gets downloaded so Java can load it, and the virus checker detects its local presence. But just having the file locally doesn't tell you whether it was able to run or not, just that it was found on the web site. I guess I can run this in a VMWare box when I get to work tomorrow and see if there's any actual infection, but I think you don't have anything to worry about.
Comment 5•19 years ago
Anything that's capable of downloading and executing "exploit.exe" (yes, it's in the RAR) on a machine is a critical threat. This appeared capable of doing so, without any help from IE, patched or otherwise. Hence the filing of this bug.
Comment 6•19 years ago
(In reply to comment #5)
> Anything that's capable of downloading and executing "exploit.exe"
> on a machine is a critical threat.

We absolutely agree on that point. But I'm not seeing this page do that (av scan comes up clean, no "exploit.exe" in my filesystem) and the exploits that my AV does detect in the .rar are patched IE-only ones. I do have the slightly newer JRE than you do, but your 1.5.0_02 isn't vulnerable to the reported attacks either. The alert your AV gave you shows the exploit class in the Java cache which only means it's being processed, not that it would infect you even if you did let it run. Do you have evidence beyond the alert you posted in the original comment that this site is infectious to Firefox?
Group: security
Whiteboard: [sg:needinfo]
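The distinction drawn in the comments above (an AV hit on a class file in the Java plug-in cache shows the file was downloaded and scanned, not that it ran) can be applied mechanically when triaging alerts. The following is an added example, not code from the bug or from Mozilla: it parses a Symantec Auto-Protect alert shaped like the one in the report and labels a cache-resident hit that the AV removed as "cached-only". The second cache marker and the `needs-investigation` label are assumptions for the example.

```python
# Added example, not part of the bug report: parse a Symantec Auto-Protect
# alert and decide whether it shows execution or only a cached download.

# Constructed sample, re-typed from the alert quoted in the report, one
# "Key: value" record per line.
SAMPLE_ALERT = """\
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.ByteVerify
File: C:\\Documents and Settings\\Alex\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\file\\VerifierBug.class-55e32b5a-358c003b.class
Location: C:\\Documents and Settings\\Alex\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\file
Computer: FREEDOM
User: Alex
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Monday, July 4, 2005 3:56:09 AM
"""

# Directories that only hold content fetched from the network before any
# load/execute decision: a hit here means "downloaded and scanned", not "ran".
# The Java plug-in cache is the path from the report; the other is assumed.
CACHE_MARKERS = (
    "\\sun\\java\\deployment\\cache\\",
    "\\temporary internet files\\",
)

def parse_alert(text):
    """Turn 'Key: value' lines into a dict; 'Action taken' becomes a list."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            rec[key.strip()] = value.strip()
    if "Action taken" in rec:
        rec["Action taken"] = [a.strip() for a in rec["Action taken"].split(" : ")]
    return rec

def triage(rec):
    """'cached-only' when the file sat in a download cache and the AV removed or
    quarantined it; anything else needs a real look (persistence, processes)."""
    path = rec.get("File", "").lower()
    in_cache = any(marker in path for marker in CACHE_MARKERS)
    actions = rec.get("Action taken", [])
    removed = "Delete succeeded" in actions or "Quarantine succeeded" in actions
    return "cached-only" if in_cache and removed else "needs-investigation"

if __name__ == "__main__":
    rec = parse_alert(SAMPLE_ALERT)
    print(rec["Threat"], rec["File"], "->", triage(rec))
```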
Comment 7•19 years ago
(In reply to comment #6)
> Do you have evidence beyond the alert you posted in the original comment that
> this site is infectious to Firefox?

No. I don't have the cojones to disable Symantec AV's AutoProtect then load the URL. Was there any luck with the VMWare test?
Comment 8•19 years ago
> Was there any luck with the VMWare test?
Just what I reported. I could see the "BlackBox" applet being loaded in the
status bar, but nothing bad was deposited on the virtual box.
Comment 9•19 years ago
WFM:
* It sounds like Symantec might have just been complaining because Firefox copied an infected file, not because Firefox was about to run an infected file. I wish antivirus software wouldn't do that.
* Dan tested with VMWare and wasn't infected.
* The reporter doesn't want to test without an antivirus program active.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME