User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

This URL permits infection of a machine with what appears to be Trojan.ByteVerify (http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html). I have archived a copy of what I believe to be the entire malware site at http://www.alexburke.ca/Trojan.ByteVerify.rar -- unpack with WinRAR (www.rarlab.com), using caution to not execute anything which is unpacked.

Reproducible: Always

Steps to Reproduce:
1. Visit http://www.i47324876348731647835473645237463254734823746823467.biz
2. Watch machine get 0wned unless you have recently-updated antivirus software installed (like I do, natch).

Actual Results:
Symantec AntiVirus 9.0.310, definitions dated 06/29/2005 rev 8:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.ByteVerify
File: C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-55e32b5a-358c003b.class
Location: C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
Computer: FREEDOM
User: Alex
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Monday, July 4, 2005 3:56:09 AM

Expected Results:
Not get infected, I suppose.
Created attachment 188179
Contents of malware site, retrieved using wget (unpack with WinRAR; www.rarlab.com)

Also available at http://www.alexburke.ca/Trojan.ByteVerify.rar
Isn't this just another dupe of the "old java versions are remotely exploitable" bugs going around? Are you using an older Java VM?
I am using Sun JRE 1.5.0_02, which is anything but old (the latest version is 1.5.0_04).
Summary: Mozilla and Java allow infection of machine with Trojan.ByteVerify at this URL → Mozilla and recent Java allow infection of machine with Trojan.ByteVerify at this URL
On the site my scanner detected:
  Exploit-MhtRedir.gen
  BackDoor-CCT
  Exploit-ByteVerify

All three are IE-only, attempting to exploit people who have not installed Microsoft security patches.

Define "infection" -- it looks to me like the file gets downloaded so Java can load it, and the virus checker detects its local presence. But just having the file locally doesn't tell you whether it was able to run or not, just that it was found on the web site.

I guess I can run this in a VMWare box when I get to work tomorrow and see if there's any actual infection, but I think you don't have anything to worry about.
Anything that's capable of downloading and executing "exploit.exe" (yes, it's in the RAR) on a machine is a critical threat. This appeared capable of doing so, without any help from IE, patched or otherwise. Hence the filing of this bug.
(In reply to comment #5)
> Anything that's capable of downloading and executing "exploit.exe"
> on a machine is a critical threat.

We absolutely agree on that point. But I'm not seeing this page do that (AV scan comes up clean, no "exploit.exe" in my filesystem) and the exploits that my AV does detect in the .rar are patched IE-only ones.

I do have the slightly newer JRE than you do, but your 1.5.0_02 isn't vulnerable to the reported attacks either. The alert your AV gave you shows the exploit class in the Java cache, which only means it's being processed, not that it would infect you even if you did let it run.

Do you have evidence beyond the alert you posted in the original comment that this site is infectious to Firefox?
(In reply to comment #6)
> Do you have evidence beyond the alert you posted in the original comment that
> this site is infectious to Firefox?

No. I don't have the cojones to disable Symantec AV's AutoProtect then load the URL.

Was there any luck with the VMWare test?
> Was there any luck with the VMWare test?

Just what I reported. I could see the "BlackBox" applet being loaded in the status bar, but nothing bad was deposited on the virtual box.
WFM:
* It sounds like Symantec might have just been complaining because Firefox copied an infected file, not because Firefox was about to run an infected file. I wish antivirus software wouldn't do that.
* Dan tested with VMWare and wasn't infected.
* The reporter doesn't want to test without an antivirus program active.
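The distinction drawn in comments 4, 6 and 7 (an AV hit on a class file in the Java deployment cache shows the applet was fetched for loading, not that it ran) is the kind of triage a responder has to make from the alert text alone. The script below is an added example written for this page, not code from the bug, from Mozilla or from Symantec: it parses the one-line Auto-Protect event quoted in comment 0 into fields, splits the "Action taken" chain, and labels the hit as downloaded-only when the path sits under the Sun Java deployment cache. The sample event is reconstructed from comment 0; the cache-path test, the verdict labels and the field list are the editor's assumptions.

```python
"""Triage a Symantec Auto-Protect "Threat Found!" event (added example)."""
import re
from dataclasses import dataclass

# Sample event reconstructed from comment 0 of the bug (fields run together
# on one line, as they appear in the report).
SAMPLE_EVENT = (
    "Scan type: Auto-Protect Scan Event: Threat Found! Threat: Trojan.ByteVerify "
    "File: C:\\Documents and Settings\\Alex\\Application Data\\Sun\\Java\\Deployment"
    "\\cache\\javapi\\v1.0\\file\\VerifierBug.class-55e32b5a-358c003b.class "
    "Location: C:\\Documents and Settings\\Alex\\Application Data\\Sun\\Java\\Deployment"
    "\\cache\\javapi\\v1.0\\file Computer: FREEDOM User: Alex "
    "Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied "
    "Date found: Monday, July 4, 2005 3:56:09 AM"
)

# Field labels as they appear in the quoted event (assumed complete for this format).
FIELD_NAMES = ["Scan type", "Event", "Threat", "File", "Location", "Computer",
               "User", "Action taken", "Date found"]

# Assumed marker for the Sun JRE 1.5 applet cache (matches the path in the report).
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_event(text):
    """Split a one-line event into {label: value}.

    Each value runs from its label up to the next known label (or end of
    string), so paths containing spaces and colons survive intact.
    """
    labels = "|".join(re.escape(n) for n in FIELD_NAMES)
    pattern = re.compile(r"(%s): (.*?)(?= (?:%s): |$)" % (labels, labels))
    return {m.group(1): m.group(2).strip() for m in pattern.finditer(text)}


def parse_actions(action_field):
    """'Clean failed : Quarantine failed : Delete succeeded : Access denied'
    -> ['Clean failed', 'Quarantine failed', 'Delete succeeded', 'Access denied']"""
    return [part.strip() for part in action_field.split(" : ") if part.strip()]


@dataclass
class Triage:
    threat: str
    path: str
    in_java_cache: bool
    removed: bool
    verdict: str


def triage(event):
    """Decide what the alert proves.

    A hit under the Java deployment cache means the applet class was fetched
    so the JVM could load it; it does not show the exploit ran. Evidence of
    execution would be a dropped payload outside the cache, which this alert
    does not report. Verdict labels are the editor's own.
    """
    path = event.get("File", "")
    in_cache = JAVA_CACHE_MARKER in path.lower()
    actions = parse_actions(event.get("Action taken", ""))
    removed = any(a.startswith(("Delete", "Quarantine")) and a.endswith("succeeded")
                  for a in actions)
    verdict = "downloaded-only" if in_cache else "on-disk-outside-cache"
    return Triage(event.get("Threat", ""), path, in_cache, removed, verdict)


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    for name in FIELD_NAMES:
        print("%-13s %s" % (name + ":", ev.get(name, "")))
    print(triage(ev))
```

Run with no arguments to parse the embedded sample; to use it on a real log, feed each "Threat Found!" line to `parse_event` and look at the verdict. A "downloaded-only" result is the situation in this bug: the file was scanned and deleted on its way into the cache, which says nothing about whether the JVM would have let it run.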
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME