Malware / Javascript exploit

RESOLVED INVALID

Status

Firefox
Security
--
critical
RESOLVED INVALID
9 years ago
9 years ago

People

(Reporter: Alan, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(4 attachments)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

Downloads and executes malicious code.

Reproducible: Always

Steps to Reproduce:
1. Log on to website.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a1pre) Gecko/20091207 Minefield/3.7a1pre

I get a blank page.
Component: General → Security
QA Contact: general → firefox
I get a PDF download dialog (which will start a download in the background) or if you have a PDF plugin installed it should display the PDF using your installed PDF viewer.
Reporter:
How do you know that it executes malicious code?

Comment 3

9 years ago
With JS disabled I only had a list of links. Then I temporarily enabled JS via NoScript, and immediately got a warning from my virus scanner that there is a suspicious file on my hard disk. I didn't see the path, so I assume it's in the browser's cache.

No, it's not in the cache, but plugin-example.pdf wants to be stored in c:/documents&settings/[user]/local settings/temp/plugtmp-61, and Avira blocks it as it is recognized as EXP/Piedief.AZ.50

The path is German, so I tried to translate it...

Comment 4

9 years ago
Created attachment 416721 [details]
common.js is recognized as HTML/Crypt.Gen. and contains huge eval()

function to unpack trojan

Comment 5

9 years ago
Created attachment 416725 [details]
zip-file sdfg.txt containing AppletX.class, LoaderX.class

Attachment 416721 [details] is the HTML script virus HTML/crypt.gen.
This file, sdfg.txt, is a zip file containing the malware.
Both were found in the directory index_data_002 after downloading the URL using 'Save as Web Page, complete'.
Using 7zip, sdfg.txt generates a directory named myf containing the files AppletX.class and LoaderX.class.

Comment 6

9 years ago
Created attachment 416726 [details]
AppletX.class

Antivir recognizes common.js as

Name: HTML/Crypted.Gen
Detected on: 18/07/2007
Type: Trojan

HTML/Crypted.Gen

Description:
of HTML malware browser functionality such as Java and VisualBasic Script. The scripts written with these are small and often very simple encryption routines that hide the malicious parts of the script. This encrypted malware is detected as HTML/Crypted.Gen.

Antivir doesn't recognize sdfg.txt, LoaderX.class, AppletX.class
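The Avira description above characterises HTML/Crypted.Gen as a small decoding routine that hides the real payload inside a large eval(), which is also what the reporter saw in common.js. The following is an added static triage heuristic, not code from this bug or from Avira: it measures eval() argument sizes, looks for the decoder helpers such loaders typically use, and flags long runs of %XX escapes. The thresholds and the sample scripts are constructed assumptions for illustration.

```python
import re

# Constructed thresholds: tune against your own corpus; they are not Avira's rules.
EVAL_ARG_THRESHOLD = 200      # characters inside eval(...) before it counts as "huge"
DECODER_PATTERNS = ("unescape(", "String.fromCharCode(", "charCodeAt(", ".replace(/")


def eval_argument_lengths(js_source):
    """Return the length of every eval(...) argument in js_source.

    Parentheses are balanced so that nested calls inside the argument,
    e.g. eval(unescape(x)), are measured as one argument."""
    lengths = []
    for m in re.finditer(r"\beval\s*\(", js_source):
        depth, start = 1, m.end()
        i = start
        while i < len(js_source) and depth:
            if js_source[i] == "(":
                depth += 1
            elif js_source[i] == ")":
                depth -= 1
            i += 1
        # Unterminated eval(: count everything up to end of input.
        lengths.append(i - 1 - start if depth == 0 else len(js_source) - start)
    return lengths


def classify(js_source):
    """Return the reasons a script looks like a packed/crypted loader.

    An empty list means none of the heuristics fired; this is triage
    support, not a verdict."""
    reasons = []
    lengths = eval_argument_lengths(js_source)
    big = [n for n in lengths if n >= EVAL_ARG_THRESHOLD]
    if big:
        reasons.append("eval() with %d-char argument" % max(big))
    decoders = [p for p in DECODER_PATTERNS if p in js_source]
    if decoders and lengths:
        reasons.append("decoder routine feeding eval: " + ", ".join(decoders))
    # Encrypted blobs are often stored as long %XX escape sequences for unescape().
    if re.search(r"(%[0-9a-fA-F]{2}){40,}", js_source):
        reasons.append("long run of %XX escapes")
    return reasons


# Constructed samples: the "packed" one only decodes to a harmless run of "A".
PACKED_SAMPLE = 'var s="' + "%41" * 120 + '";eval(unescape(s.replace(/x/g,"")));'
BENIGN_SAMPLE = 'function add(a,b){return a+b;}eval("add(1,2)");'
```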

Comment 7

9 years ago
Created attachment 416727 [details]
LoaderX.class

LoaderX.class

Comment 8

9 years ago
Comment on attachment 416726 [details]
AppletX.class

Changed the MIME type from application/octet-stream to text/plain, as I don't want to infect somebody.
Attachment #416726 - Attachment mime type: application/octet-stream → text/plain

Updated

9 years ago
Attachment #416721 - Attachment description: eval() → common.js is recognized as HTML/Crypt.Gen. and contains huge eval()
Attachment #416721 - Attachment mime type: text/x-js → text/plain

Comment 9

9 years ago
Confirming the website as malicious, but that's not a browser problem?
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is not a browser exploit, which makes this report invalid.
This page tries to exploit some plugins.
The class files are Java files, and the page also tries to exploit Adobe Acrobat with a PDF.

Whether you get infected or not depends on whether you have the latest plugin version installed, or on whether the page tries to exploit unfixed security holes in the plugins.

That you get a warning from AV software doesn't mean that it executes remote code, and a browser always downloads every piece of code that a website wants (into the cache or as a temp file for plugin/helper applications).

Use http://www.mozilla.com/en-US/plugincheck/ to be sure that you have the latest plugins installed, and I suggest using http://secunia.com/vulnerability_scanning/personal/ to be sure that you always have the latest versions installed.

The virus scan results for the 2 PDFs from the website are here:
http://www.virustotal.com/analisis/44e493ebe16fa6f5e5b174479f08ac1bdcd1e91e01bdcbd87af6d5765d4068eb-1260369730
http://www.virustotal.com/analisis/db16ba4b3029244b4d900648e443a3f0c71bef835987c44476d1f3817a1c629d-1260227954

You should probably contact the plugin vendors, but I'm sure Adobe already knows about these security holes because the files are detected by antivirus software.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID