Closed Bug 475510 Opened 11 years ago Closed 11 years ago

MALWARE attack on Firefox from http://creditoslibres.piczo.com/ -> blocked by forgery alert

Categories

(Firefox :: Security, defect, critical)

3.0 Branch
x86
Windows Vista
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: alan.cocox, Unassigned)

References

(Blocks 1 open bug, )

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

Ok, this time i haven't reported the websites, so they should still be active for you all to see (assuming someone else doesn't report it to the web-host).

These websites exploit the latest version of FireFox and install malware that is disguised as a Shockwave update. It causes some MAC users to have system failure. Windows VISTA users are IMMUNE if they click "CANCEL" on the dialogue box.

Reproducible: Always

Steps to Reproduce:
1. Log on to http://creditoslibres.piczo.com/register?cr=3
2. Log on to http://retro-extremo-.piczo.com/?g=34878834&cr=3
3. 
Actual Results:  
Installs malware / system crash / infection.
Can you please provide some more accurate steps to reproduce, I just visited both sites and saw no particular problem.
Component: General → Security
QA Contact: general → firefox
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090125 Minefield/3.2a1pre

The first site is not displayed here: This web site at creditoslibres.piczo.com has been reported as a web forgery and has been blocked based on your security preferences.
I visited both sites with a sandboxed Firefox3.0.5 and can not see changed files in the sandbox. Is visting the sites enough or do i must do anything else there ?
Which Flash Player/Acrobat/quicktime plugin version are you using ?
I'm able to see both urls on XP and Linux, vms and hardware, and the first url
on my Mac using 3.0.7pre.

In none of these did I notice the browser become slow, nor did it freeze, and I couldn't see anything other than annoying pop-ups.

It could be that both of these urls were very recently flagged as malware/phishing sites, and this information has not been propagated yet to the stored safebrowsing data in these machines.

I'll check later again, and see if the urls trigger the warning pages.
Version: unspecified → 3.0 Branch
I'm now getting a web forgery alert for creditoslibres.piczo.com. The code I can see on it looks pretty normal. There's a lot of script so I may have missed something subtle, but it looks like they just copied everything from the site they're trying to mimic (lots of Yahoo UI library boilerplate).

There is a suspicious looking hidden iframe though. When I try to load it directly I get 200 response with 0-length content. When loaded as intended there's a small payload I haven't captured yet, my NoScript is interfering and I end up with a different 404 page).

The original name of the resource:
http://lh-ec2.dyndns.org/lt/lt2.php?new_hit=1&type=1&pid=c0e11bb596a28ac3ab06770195eb6cb6

But then I end up trying to load 
http://lh-ec2.dyndns.org/lt/MSXML2.XMLHTTP.3.0

which sounds like an exploit based on the recent IE thing, if names can be believed.
Summary: FireFox MALWARE exploit → MALWARE attack on Firefox from http://creditoslibres.piczo.com/ -> blocked by forgery alert
I'd call this one fixed by malware blocking.  reopen if you disagree.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.