Closed Bug 481949 Opened 15 years ago Closed 15 years ago

for daniel veditz @ security@mozilla.org

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED INCOMPLETE

People

(Reporter: duane, Unassigned)

Details

(Whiteboard: [sg:investigate])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

for daniel veditz @ security@mozilla.org

Reproducible: Always

for daniel veditz @ security@mozilla.org
Internal password is "infected" - per Daniel's instructions.
Attachment #366011 - Attachment mime type: application/octet-stream → application/x-zip
The 30+ products used at www.virustotal.com didn't find anything wrong so I don't know why this keeps getting bounced. I've got the spam to prove it's not some inherent distaste for zip attachments. The Anti-Virus products don't always identify "adware" though (not serious enough?) which gave rise to the separate "anti-spyware/anti-adware" class of products.

Anyway, of the extensions you've got {972ce4c6-... is the placeholder for the default theme and {CAFEEFAC-... is the legit Java Console (there are complaints Sun installs the Addon without asking, but it's a legit part of Java). The {F182886B-... thing you identified is the malware.

It does not appear to be particularly malicious, not at all like the nasty Trojan.Vundo thing your scanner caught elsewhere on the machine. It's an adware parasite that surreptitiously rewrites search results. Basically it watches for page loads, and if it finds you've opened a page with a URI that looks like a search query it loads a script from http://v1.adwarefeed.com, passing the engine and search terms in the URL. For example

http://v1.adwarefeed.com/ffjs.php?u=1890194948-328088019-1884981375-199093677&a=998&s=3&v=icv20020901ff&e=google&q=Toyota

I get different results with different engines and terms, and even different results if I reload the same query. All in the same form though. The k= line is the deobfuscator, and seems to be always the same code with varying numbers of space characters ('32') inserted to foil signature matching. The 's' string is the payload to be deobfuscated. It's mostly the same each time, with a huge "container" variable that contains different links (in part containing your search terms). Then it goes through and re-writes links in the search results to point at the URLs in the container array. Doesn't matter what the search result link actually is, the first container.length clicks (3 in the variants I saw) will go to the adware links. If you open more results than that from one page then you start getting the real links.

Kind of ironic that this fraudulent adware is using links to http://clickfraudmanager.com
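The comment above describes two things a defender can key on: the beacon URL the add-on requests (engine and search terms leaked in the e= and q= parameters) and a deobfuscator that is the same code each time, padded with varying runs of space characters to defeat signature matching. The following is an added example, not code from the bug report or from Mozilla, showing both: a small log scanner that flags requests to the named host/path and pulls out what was leaked, and a whitespace normaliser so padded variants hash to one signature. The log lines and the two deobfuscator variants are constructed for the example (the u= value is copied from the URL quoted in the bug); the log format is an assumed "client method url" shape.

```python
# Added example (not from the bug report): detect the adware beacon described
# in the comment above in HTTP/proxy logs, and normalise the space-padded
# deobfuscator so all variants produce the same signature hash.
import hashlib
import re
from urllib.parse import parse_qs, urlparse

BEACON_HOST = "v1.adwarefeed.com"   # host named in the bug report
BEACON_PATH = "/ffjs.php"           # path from the URL quoted in the bug report

# Constructed sample log lines in an assumed "client method url" format.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com/search?q=Toyota
10.0.0.5 GET http://v1.adwarefeed.com/ffjs.php?u=1890194948-328088019-1884981375-199093677&a=998&s=3&v=icv20020901ff&e=google&q=Toyota
10.0.0.7 GET http://example.com/index.html
10.0.0.9 GET http://v1.adwarefeed.com/ffjs.php?u=0-0-0-0&a=998&s=3&v=icv20020901ff&e=yahoo&q=used%20cars
"""


def find_beacons(log_text):
    """Return (client, engine, query) for every request to the adware feed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        u = urlparse(url)
        if u.hostname != BEACON_HOST or u.path != BEACON_PATH:
            continue
        qs = parse_qs(u.query)
        # e= carries the search engine and q= the search terms, as the
        # comment above describes; parse_qs also undoes %20 encoding.
        hits.append((client, qs.get("e", [""])[0], qs.get("q", [""])[0]))
    return hits


def normalise_script(src):
    """Drop the padding spaces (char 32) the feed inserts between tokens.

    The bug report says only the number of spaces varies, so removing
    every space gives a stable form to hash. A production scanner would
    preserve spaces inside string literals; this example does not need to.
    """
    return re.sub(r" +", "", src)


def script_signature(src):
    """SHA-256 over the normalised script: identical for all padded variants."""
    return hashlib.sha256(normalise_script(src).encode()).hexdigest()


# Constructed stand-ins for the k= deobfuscator: same code, different padding.
VARIANT_A = "function k(s){var r='';for(var i=0;i<s.length;i++){r+=s.charAt(i);}return r;}"
VARIANT_B = "function   k(s){var r='' ;for(var i=0;  i<s.length;i++){r+=s.charAt(i); } return r;}"

if __name__ == "__main__":
    for client, engine, terms in find_beacons(SAMPLE_LOG):
        print(f"{client} leaked a {engine} search for {terms!r} to {BEACON_HOST}")
    print("variants share one signature:",
          script_signature(VARIANT_A) == script_signature(VARIANT_B))
```

Matching on host and path rather than on the full query string is deliberate: the u= identifier and the search terms change per victim and per query, so a full-URL indicator would miss almost every hit, while host plus path catches all of them and the parsed parameters show what was leaked.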
Whiteboard: [sg:investigate]
Not sure where to go with this. It's definitely an unwanted adware/malware addon, but there's no evidence it was installed through a Firefox flaw. It may have been, but since we've not gotten other reports it's more likely piggybacked along with something else since that's very common.

The "something else" might have been a funding source bundled with something you installed on purpose, or since your scanner found other malware it may have come through when that was installed. Possibly by a plugin exploit? There's a PDF exploit active now, and Flash, Java and QuickTime are perennial favorites with exploit writers because they're so ubiquitous. Please check that you have the latest of all of those, especially Adobe Acrobat. If you need help, check with http://support.mozilla.com
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
