Fx apparently downloads and executes trojan asdf.exe

RESOLVED INVALID

Status

()

Firefox
Security
--
critical
RESOLVED INVALID
12 years ago
12 years ago

People

(Reporter: VanillaMozilla, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:needinfo])

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Various builds, including 1.0.6 Windows and Linux

There are several reports (e.g.,
http://www.dslreports.com/forum/remark,14196120~mode=flat ) of users visiting a
Web site, and immediately or shortly thereafter, either ProcessGuard or
ZoneAlarm alerts user to an attempt by file asdf.exe to access the Internet. 
The reports appear to be credible.  Because the users are alerted immediately,
some were able to check the time stamp on the file and determine what site they
were visiting, and determine that no other Internet program except Fx was running.

The file is a downloader, which attempts to retrive 66.159.17.156/rm/w.exe
(according to http://www.dslreports.com/forum/remark,14196120~days=9999~start=60
, message posted 8-28-2005 at 07:19).

There is one report of Fx 1.0.6 on a currently patched Win XP system (
http://forums.mozillazine.org/viewtopic.php?t=310439 , see messages of
8-28-2005, 20:58 and 21:40), and another report of Fx 1.0.6 on SuSE Linux (
http://www.dslreports.com/forum/remark,14196120~days=9999~start=20 8-25-2004 at
16:33, 8-26 at 14:46, and 8-28 at 16:28 and 17:44).  On version 1.0.6, Win XP,
"Allow websites to install software" was reportedly not checked.  Other users
confirm that installation of software was not enabled.

Other, mostly fragmentary reports can be found by Googling firefox asdf.exe .

Reproducible: Didn't try

Steps to Reproduce:
File is thought to have come from an ad in theonion.com and other sites.  Users
report that they did not click on the other ad or take any other action to
initiate download.

Actual Results:  
File asdf.exe downloaded to C:\, and executed if on Windows.  File attempts to
download one or two other files, "w.exe" and possible "1.exe" from Internet.

File asdf.exe has also been reported in file 77dwr6zp.zip, but method of
download was undetermined.

Expected Results:  
No download or execution of file.  This is a stub for downloading malware.
My first thought is "Is Java installed and enabled, and if so what version is
it?" We've seen trojans attack down-rev java in the past.

Comment 2

12 years ago
That was my first thought too.  From
http://www.dslreports.com/forum/remark,14196120~mode=flat:

"I am fairly sure java did not start. I can usually tell when that starts up due
to the long pause. But it is 1.4.1_01, anyway."

Comment 3

12 years ago
Also, he was using Firefox 1.0.3, which has publicly known security holes
(http://www.mozilla.org/projects/security/known-vulnerabilities.html).

Comment 4

12 years ago
Since the exploit is in the wild and people are discussing this in public, I'm
making this bug public too.
Group: security
Whiteboard: [sg:needinfo]
(Reporter)

Comment 5

12 years ago
As a matter of fact, the two reports for version 1.0.6 both report having Java
enabled.

Comment 6

12 years ago
Java is enabled by default, so that isn't surprising.  Do you know what versions
of Java they were using, or can you ask them?
OK, tried it first on an old but fulled patched XP system. Downloaded the latest
branch build, enabled Java (newest version) and Javascript, put some Flash in it
and went to www.theonion.com. Reloaded 10 times, but nothing happened. My Kerio
firewall did not ask me permissions for new connections and I didn't see any
traffic from suspected processes.
I did also a full online scan at housecall.trendmicro.com (asdf.exe seems to be
a process of Trojan.Downloader.Small which is in their definitions) but nope.

I tried the same on my daily computer, also XP SP2: no virus or trojan found.
(Reporter)

Comment 8

12 years ago
(In reply to comment #6)
> Java is enabled by default, so that isn't surprising.  Do you know what versions
> of Java they were using, or can you ask them?

There's no word for the Linux system.  The Windows user reports Java 2 Runtime
Environment, Standard Edition 1.3.1; Default virtual Machine Version 1.3.1.b24;
Java Plug-In 1.3.1_02.  There is a Sun advisory: 
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1 .
(Reporter)

Comment 9

12 years ago
(In reply to comment #7)
> OK, tried it first on an old but fulled patched XP system. ...Reloaded 10
times, but nothing happened.

The exploit is thought to have come from an ad that is no longer on the site.
(Reporter)

Comment 10

12 years ago
The Linux user reports having used Java 1.4.2.04.  Since a known Java flaw could
have been responsible for every incident, there is no evidence against Fx.

Assuming I am able to, I'm happily marking this bug INVALID.

There is one thing to be concerned about, however.  By default Fx will run
whatever version of Java is installed.  That means that Firefox will run an
insecure program without any warning.  Firefox users do not receive any warning,
and it's rare for users to be aware of the problem.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → INVALID

Comment 11

12 years ago
See bug 271559, "Countermeasures for Java/plugin/extension vulnerabilities
(disable, warn)".
You need to log in before you can comment on or make changes to this bug.