Closed
Bug 306606
Opened 19 years ago
Closed 19 years ago
Fx apparently downloads and executes trojan asdf.exe
Categories
(Firefox :: Security, defect)
RESOLVED
INVALID
People
(Reporter: VanillaMozilla, Unassigned)
Details
(Whiteboard: [sg:needinfo])
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Various builds, including 1.0.6 Windows and Linux

There are several reports (e.g., http://www.dslreports.com/forum/remark,14196120~mode=flat ) of users visiting a Web site, and immediately or shortly thereafter, either ProcessGuard or ZoneAlarm alerts the user to an attempt by file asdf.exe to access the Internet. The reports appear to be credible. Because the users are alerted immediately, some were able to check the time stamp on the file and determine what site they were visiting, and determine that no other Internet program except Fx was running. The file is a downloader, which attempts to retrieve 66.159.17.156/rm/w.exe (according to http://www.dslreports.com/forum/remark,14196120~days=9999~start=60 , message posted 8-28-2005 at 07:19).

There is one report of Fx 1.0.6 on a currently patched Win XP system ( http://forums.mozillazine.org/viewtopic.php?t=310439 , see messages of 8-28-2005, 20:58 and 21:40), and another report of Fx 1.0.6 on SuSE Linux ( http://www.dslreports.com/forum/remark,14196120~days=9999~start=20 8-25-2004 at 16:33, 8-26 at 14:46, and 8-28 at 16:28 and 17:44). On version 1.0.6, Win XP, "Allow websites to install software" was reportedly not checked. Other users confirm that installation of software was not enabled. Other, mostly fragmentary reports can be found by Googling firefox asdf.exe .

Reproducible: Didn't try

Steps to Reproduce:
File is thought to have come from an ad on theonion.com and other sites. Users report that they did not click on the other ad or take any other action to initiate the download.

Actual Results:
File asdf.exe downloaded to C:\, and executed if on Windows. File attempts to download one or two other files, "w.exe" and possibly "1.exe", from the Internet. File asdf.exe has also been reported in file 77dwr6zp.zip, but the method of download was undetermined.

Expected Results:
No download or execution of file.
This is a stub for downloading malware.
Comment 1•19 years ago
My first thought is "Is Java installed and enabled, and if so what version is it?" We've seen trojans attack down-rev java in the past.
Comment 2•19 years ago
That was my first thought too. From http://www.dslreports.com/forum/remark,14196120~mode=flat: "I am fairly sure java did not start. I can usually tell when that starts up due to the long pause. But it is 1.4.1_01, anyway."
Comment 3•19 years ago
Also, he was using Firefox 1.0.3, which has publicly known security holes (http://www.mozilla.org/projects/security/known-vulnerabilities.html).
Comment 4•19 years ago
Since the exploit is in the wild and people are discussing this in public, I'm making this bug public too.
Group: security
Whiteboard: [sg:needinfo]
Reporter
Comment 5•19 years ago
As a matter of fact, the two reports for version 1.0.6 both report having Java enabled.
Comment 6•19 years ago
Java is enabled by default, so that isn't surprising. Do you know what versions of Java they were using, or can you ask them?
Comment 7•19 years ago
OK, tried it first on an old but fully patched XP system. Downloaded the latest branch build, enabled Java (newest version) and Javascript, put some Flash in it and went to www.theonion.com. Reloaded 10 times, but nothing happened. My Kerio firewall did not ask me for permissions for new connections and I didn't see any traffic from suspected processes. I also did a full online scan at housecall.trendmicro.com (asdf.exe seems to be a process of Trojan.Downloader.Small, which is in their definitions) but nope. I tried the same on my daily computer, also XP SP2: no virus or trojan found.
Reporter
Comment 8•19 years ago
(In reply to comment #6)
> Java is enabled by default, so that isn't surprising. Do you know what versions
> of Java they were using, or can you ask them?

There's no word for the Linux system. The Windows user reports Java 2 Runtime Environment, Standard Edition 1.3.1; Default virtual Machine Version 1.3.1.b24; Java Plug-In 1.3.1_02. There is a Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1 .
Reporter
Comment 9•19 years ago
(In reply to comment #7)
> OK, tried it first on an old but fulled patched XP system. ...Reloaded 10 times, but nothing happened.

The exploit is thought to have come from an ad that is no longer on the site.
Reporter
Comment 10•19 years ago
The Linux user reports having used Java 1.4.2.04. Since a known Java flaw could have been responsible for every incident, there is no evidence against Fx. Assuming I am able to, I'm happily marking this bug INVALID. There is one thing to be concerned about, however. By default Fx will run whatever version of Java is installed. That means that Firefox will run an insecure program without any warning. Firefox users do not receive any warning, and it's rare for users to be aware of the problem.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Comment 11•19 years ago
See bug 271559, "Countermeasures for Java/plugin/extension vulnerabilities (disable, warn)".