Mozilla and recent Java allow infection of machine with Trojan.ByteVerify at this URL

RESOLVED WORKSFORME

Product: Firefox
Component: Security
Severity: critical
Reported: 13 years ago

Reporter: Alexander Burke (Unassigned)
Whiteboard: [sg:needinfo]
Attachments: 1

Description (Reporter, 13 years ago)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

This URL permits infection of a machine with what appears to be
Trojan.ByteVerify
(http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html).
I have archived a copy of what I believe to be the entire malware site at
http://www.alexburke.ca/Trojan.ByteVerify.rar -- unpack with WinRAR
(www.rarlab.com), using caution to not execute anything which is unpacked.

Reproducible: Always

Steps to Reproduce:
1. Visit http://www.i47324876348731647835473645237463254734823746823467.biz
2. Watch machine get 0wned unless you have recently-updated antivirus software
installed (like I do, natch).
Actual Results:  
Symantec AntiVirus 9.0.310, definitions dated 06/29/2005 rev 8:

Scan type:  Auto-Protect Scan
Event:  Threat Found!
Threat: Trojan.ByteVerify
File:  C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-55e32b5a-358c003b.class
Location:  C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
Computer:  FREEDOM
User:  Alex
Action taken:  Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Monday, July 4, 2005  3:56:09 AM

Expected Results:  
Not get infected, I suppose.

Comment 1 (Reporter, 13 years ago)

Created attachment 188179
Contents of malware site, retrieved using wget (unpack with WinRAR; www.rarlab.com)

Also available at http://www.alexburke.ca/Trojan.ByteVerify.rar

Comment 2

Isn't this just another dupe of the "old java versions are remotely exploitable" bugs going around? Are you using an older Java VM?

Comment 3 (Reporter, 13 years ago)

I am using Sun JRE 1.5.0_02, which is anything but old (the latest version is
1.5.0_04).

Updated (Reporter, 13 years ago)

Summary: Mozilla and Java allow infection of machine with Trojan.ByteVerify at this URL → Mozilla and recent Java allow infection of machine with Trojan.ByteVerify at this URL

Comment 4

On the site my scanner detected:
* Exploit-MhtRedir.gen
* BackDoor-CCT
* Exploit-ByteVerify

all three are IE-only, attempting to exploit people who have not installed
Microsoft security patches.

Define "infection" -- it looks to me like the file gets downloaded so Java can
load it, and the virus checker detects its local presence. But just having the
file locally doesn't tell you whether it was able to run or not, just that it
was found on the web site.

I guess I can run this in a VMWare box when I get to work tomorrow and see if
there's any actual infection, but I think you don't have anything to worry about.

Comment 5 (Reporter, 13 years ago)

Anything that's capable of downloading and executing "exploit.exe" (yes, it's in
the RAR) on a machine is a critical threat. This appeared capable of doing so,
without any help from IE, patched or otherwise. Hence the filing of this bug.

Comment 6

(In reply to comment #5)
> Anything that's capable of downloading and executing "exploit.exe"
> on a machine is a critical threat.

We absolutely agree on that point. But I'm not seeing this page do that (av scan
comes up clean, no "exploit.exe" in my filesystem) and the exploits that my AV
does detect in the .rar are patched IE-only ones.

I do have the slightly newer JRE than you do, but your 1.5.0_02 isn't vulnerable
to the reported attacks either.

The alert your AV gave you shows the exploit class in the Java cache which only
means it's being processed, not that it would infect you even if you did let it run.

Do you have evidence beyond the alert you posted in the original comment that
this site is infectious to Firefox?
Group: security
Whiteboard: [sg:needinfo]

Comment 7 (Reporter, 13 years ago)

(In reply to comment #6)
> Do you have evidence beyond the alert you posted in the original comment that
> this site is infectious to Firefox?

No. I don't have the cojones to disable Symantec AV's AutoProtect then load the URL.

Was there any luck with the VMWare test?

Comment 8

> Was there any luck with the VMWare test?

Just what I reported. I could see the "BlackBox" applet being loaded in the
status bar, but nothing bad was deposited on the virtual box.

Comment 9 (13 years ago)

WFM:
* It sounds like Symantec might have just been complaining because Firefox copied an infected file, not because Firefox was about to run an infected file. I wish antivirus software wouldn't do that.
* Dan tested with VMWare and wasn't infected.
* The reporter doesn't want to test without an antivirus program active.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME