Closed
Bug 481949
Opened 15 years ago
Closed 15 years ago
for daniel veditz @ security@mozilla.org
Categories
(Firefox :: Security, defect)
Tracking
RESOLVED
INCOMPLETE
People
(Reporter: duane, Unassigned)
Details
(Whiteboard: [sg:investigate])
Attachments
(1 file)
28.56 KB, application/x-zip
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

for daniel veditz @ security@mozilla.org

Reproducible: Always

Steps to Reproduce:
for daniel veditz @ security@mozilla.org

Actual Results:
for daniel veditz @ security@mozilla.org

Expected Results:
for daniel veditz @ security@mozilla.org

for daniel veditz @ security@mozilla.org
Updated•15 years ago
Attachment #366011 - Attachment mime type: application/octet-stream → application/x-zip
Comment 2•15 years ago
The 30+ products used at www.virustotal.com didn't find anything wrong so I don't know why this keeps getting bounced. I've got the spam to prove it's not some inherent distaste for zip attachments. The Anti-Virus products don't always identify "adware" though (not serious enough?) which gave rise to the separate "anti-spyware/anti-adware" class of products.

Anyway, of the extensions you've got {972ce4c6-... is the placeholder for the default theme and {CAFEEFAC-... is the legit Java Console (there are complaints Sun installs the Addon without asking, but it's a legit part of Java). The {F182886B-... thing you identified is the malware.

It does not appear to be particularly malicious, not at all like the nasty Trojan.Vundo thing your scanner caught elsewhere on the machine. It's an adware parasite that surreptitiously rewrites search results. Basically it watches for page loads, and if it finds you've opened a page with a URI that looks like a search query it loads a script from http://v1.adwarefeed.com, passing the engine and search terms in the URL. For example

http://v1.adwarefeed.com/ffjs.php?u=1890194948-328088019-1884981375-199093677&a=998&s=3&v=icv20020901ff&e=google&q=Toyota

I get different results with different engines and terms, and even different results if I reload the same query. All in the same form though. The k= line is the deobfuscator, and seems to be always the same code with varying numbers of space characters ('32') inserted to foil signature matching. The 's' string is the payload to be deobfuscated. It's mostly the same each time, with a huge "container" variable that contains different links (in part containing your search terms). Then it goes through and re-writes links in the search results to point at the URLs in the container array. Doesn't matter what the search result link actually is, the first container.length clicks (3 in the variants I saw) will go to the adware links. If you open more results than that from one page then you start getting the real links.

Kind of ironic that this fraudulent adware is using links to http://clickfraudmanager.com
Whiteboard: [sg:investigate]
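A whitespace-insensitive check for the two behaviours comment 2 describes (the space-padded deobfuscator and the beacon URL that carries the engine and search terms), as an added example that is not part of the bug or of Mozilla's code. The deobfuscator body is a constructed stand-in, since the real k= code is not on this page; the beacon host and URL are the ones quoted above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the "k=" deobfuscator; the real code is not on this page.
CLEAN_DEOBFUSCATOR = (
    "function k(s){var o='';for(var i=0;i<s.length;i++)"
    "{o+=String.fromCharCode(s.charCodeAt(i)^7);}return o;}"
)
BEACON_HOST = "v1.adwarefeed.com"  # host quoted in comment 2
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def normalize_js(js: str) -> str:
    """Drop every whitespace character so variants padded with spaces compare equal."""
    return re.sub(r"\s+", "", js)


def contains_deobfuscator(js: str) -> bool:
    """True if the known deobfuscator appears in js, however many spaces were inserted."""
    return normalize_js(CLEAN_DEOBFUSCATOR) in normalize_js(js)


def find_beacons(js: str) -> list:
    """Return (engine, query) for each URL in js that reports to the adware host."""
    hits = []
    for url in URL_RE.findall(js):
        parts = urlsplit(url)
        if parts.hostname != BEACON_HOST:
            continue
        params = parse_qs(parts.query)
        hits.append((params.get("e", [""])[0], params.get("q", [""])[0]))
    return hits


def scan_script(js: str) -> dict:
    """What a defender wants from one extension script: known code and leaked search data."""
    return {"known_deobfuscator": contains_deobfuscator(js), "beacons": find_beacons(js)}


# Constructed sample: the stand-in deobfuscator with extra spaces inserted, plus the
# beacon URL quoted in comment 2.
SAMPLE_VARIANT = (
    "function   k(s){var  o='';for(var i=0;i<s.length;i++)"
    "{o+=String.fromCharCode(s.charCodeAt(i)^7);}return    o;}\n"
    "var u='http://v1.adwarefeed.com/ffjs.php?u=1890194948-328088019-1884981375-199093677"
    "&a=998&s=3&v=icv20020901ff&e=google&q=Toyota';\n"
)

if __name__ == "__main__":
    print(scan_script(SAMPLE_VARIANT))
```

Because the comparison runs on the whitespace-stripped text, the same signature covers every variant that differs only in the number of inserted spaces.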
Comment 3•15 years ago
Not sure where to go with this. It's definitely an unwanted adware/malware addon, but there's no evidence it was installed through a Firefox flaw. It may have been, but since we've not gotten other reports it's more likely piggybacked along with something else since that's very common. The "something else" might have been a funding source bundled with something you installed on purpose, or since your scanner found other malware it may have come through when that was installed. Possibly by a plugin exploit? There's a PDF exploit active now, and Flash, Java and QuickTime are perennial favorites with exploit writers because they're so ubiquitous. Please check that you have the latest of all of those, especially Adobe Acrobat. If you need help check with http://support.mozilla.com
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE