Closed Bug 536392 Opened 10 years ago Closed 8 years ago
search links hijacked and redirected to newserversearch.com - possibly after installation of fastopenz.dll Propsys3.dll & TR2468.DLL
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5

I believe there is a security problem: links are being redirected to the site newserversearch.com/?q= . Many other users are being affected by this, which leads me to believe this may be a malware or virus issue. Here is one thread on this topic in the support forum: http://support.mozilla.com/nl/forum/1/521721

Reproducible: Always

Steps to Reproduce:
1. Perform a Google Search
2. Click a Search Result Link
3. Opens a not found page containing the said address

Filed a security report
You rightly assume this is caused by malware. There are several threads on support.mozilla.com that deal with this issue, some with feedback from users who were apparently able to remove the malware, e.g.: https://support.mozilla.com/en-US/forum/1/521721?forumId=1&comments_threshold=0&comments_parentId=521721&comments_offset=20&comments_per_page=20&thread_style=commentStyle_plain#threadId531167 The only reason this bug would need to stay open is if Firefox was the cause of your system's infection. Did you experience a crash or any other strange behavior in Firefox immediately preceding the newserversearch.com behavior?
Right now I am assuming Firefox was the cause of our system's infection. Reason being one of the links I submitted above with many Firefox users with the same malware. Perform a search and you will see that is not the only link with Firefox users complaining of this same exact malware infection. I did not experience a crash after clicking a link and redirecting to a not found page with the malware link.
Followed up with user on the security mailing list. You cannot conclude that the infection is caused by Firefox because other Firefox users have experienced the same infection. Feel free to reopen the bug if you have evidence that Firefox is the cause of your problem.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
You could be getting the virus from a multitude of places. Filesharing (Limewire, BitTorrent), Facebook even. I would just suggest you clean the computer or have a professional do it.
Status: RESOLVED → VERIFIED
"incomplete" rather than "invalid" just because there's a lack of evidence to prove it was or wasn't Firefox. I don't think it was, though; IE users end up with the exact same malware, and the known infection vectors according to the anti-virus databases have used recent Flash or PDF vulnerabilities.
Resolution: INVALID → INCOMPLETE
What I am saying is I can not conclude that it is from Firefox and you can not conclude that it isn't from Firefox. Once your team checks it out, then I would like the correct response. The first reply here stated that it wasn't from Firefox without notification of the answer being confirmed.
Resolution: INCOMPLETE → FIXED
Daniel, thanks, that is exactly what I am talking about. I do not appreciate a response from their team that automatically is protecting Firefox without investigation of this problem.
Status: VERIFIED → UNCONFIRMED
Resolution: FIXED → ---
Can you prove that this is caused by Firefox?
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → INCOMPLETE
Tyler, please read the posts carefully here. If you are asking me you would know my answer to this from comment 6. Thanks
Resolution: INCOMPLETE → FIXED
Why are you marking this FIXED? There is no patch checked into the tree. We did check this out, and there is no conclusive evidence that this is Firefox's fault.
Resolution: FIXED → INCOMPLETE
Tyler, who marked this fixed? Please send me the information on what was checked to verify this is not coming from Firefox. I will also give this information to everyone that is being affected by it. Thanks
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
Hi Anthony,

In most cases like this, the examination of how your system got infected needs to happen on your system. Virus scanners need to be run to determine the exact malware that has been installed. Your browsing history, versions of plugins you have installed, and other components of the browser need to be examined to possibly help understand how the infection occurred. As Dan mentioned, these examinations have to date pointed at possible infection via exploiting known problems in older versions of plugins. To date we haven't found any infections occurring by directly attacking a vulnerability in Firefox. We certainly would want to know if that was occurring, but the investigation needs to happen on your end. If you have other thoughts about what we could investigate, please make suggestions.

If you can, post any information in this bug about these areas that might help us to understand what is happening:
- what malware was found on your system from anti-virus scans
- versions of plugins installed (about:plugins)
- versions and names of addons that are installed (tools | addons)
- the URLs of sites that your browser is being redirected to when you try to use the browser
- list of suspect sites that you visited just before you began noticing the infection

If your browser has crashed recently (you can find this by typing 'about:crashes' in the location bar), please include links to the crash reports in this bug as well. That might help us to understand what malware might be running on your system.
Hi, thanks for the great replies. Here is the most recent crash report which was on 12-6 http://crash-stats.mozilla.com/report/index/bp-3cd3cafe-eaeb-4dda-9454-4c9022091206 I am going to get all of the information requested from you and post it here.
Signature: NPSWF32.dll@0xa8654
UUID: 3cd3cafe-eaeb-4dda-9454-4c9022091206
Time: 2009-12-06 07:48:56.916594
Uptime: 197
Last Crash: 199 seconds before submission
Product: Firefox
Version: 3.6b4
Build ID: 20091124213835
Branch: 1.9.2
OS: Windows NT
OS Version: 6.1.7600
CPU: x86
CPU Info: GenuineIntel family 15 model 2 stepping 7
Crash Reason: EXCEPTION_PRIV_INSTRUCTION
Crash Address: 0x9dd9001
User Comments:
Processor Notes:

Crashing Thread
Frame  Module        Signature                        Source
0                    @0x9dd9001
1      NPSWF32.dll   NPSWF32.dll@0xa8654
2      NPSWF32.dll   NPSWF32.dll@0xab0ab
3      NPSWF32.dll   NPSWF32.dll@0xed421
4      NPSWF32.dll   NPSWF32.dll@0x1392a6
5      NPSWF32.dll   NPSWF32.dll@0x139836
6      xul.dll       nsNPAPIPluginInstance::Stop      modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1178
7      xul.dll       DoStopPlugin                     layout/generic/nsObjectFrame.cpp:2246
8      xul.dll       nsStopPluginRunnable::Run        layout/generic/nsObjectFrame.cpp:2296
9      xul.dll       nsThread::ProcessNextEvent       xpcom/threads/nsThread.cpp:527
10     xul.dll       nsBaseAppShell::Run              widget/src/xpwidgets/nsBaseAppShell.cpp:170
11     xul.dll       nsAppStartup::Run                toolkit/components/startup/src/nsAppStartup.cpp:182
12     nspr4.dll     PR_GetEnv
13     firefox.exe   wmain                            toolkit/xre/nsWindowsWMain.cpp:120
14     firefox.exe   __tmainCRTStartup                obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
15     kernel32.dll  BaseThreadInitThunk
16     ntdll.dll     __RtlUserThreadStart
17     ntdll.dll     _RtlUserThreadStart

Module: NPSWF32.dll 10.0.32.18 C569605C15E5448BBFD9E1FE262649B61 NPSWF32.pdb

You aren't running the latest version of Flash.
Let's keep going to see if you can identify the names of the malware packages that are on your system, so we can see if they line up to vulnerabilities of Flash or other known exploits running in the wild.
timeless, thanks for letting me know! I just looked and it shows I have Shockwave 10.0.32.18 10.0 r32, and the site says this is the newest one and I am up to date. So was this upgraded since my report above?
Ok, the Mozilla plugin check located at https://www.mozilla.com/en-US/plugincheck/ is not recognizing the newer Flash 10.0 r42. It's showing up to date with r32. So I went to the site and updated it. Thanks
Here is the infected file:

Taskname: Ihkdqy
File: C:\Windows\system32\fastopenz.dll
C:\Windows\system32\fastopenz.dll -RHS- 132096 bytes
Created: 12/11/2009 12:19 PM
Modified: 12/11/2009 12:19 PM
Company: [no info]
Parameters: "C:\Windows\system32\fastopenz.dll",gqecb
Schedule: On system startup
Next Run Time:
Status: Running
Status:
Anthony Comments:
C:\Windows\system32\fastopenz.dll - access denied
C:\Windows\system32\fastopenz.dll - Ownership checked
Ihkdqy - this Scheduled Task has been deleted
C:\Windows\system32\fastopenz.dll - READ-ONLY, HIDDEN and SYSTEM file attributes removed
C:\Windows\system32\fastopenz.dll - file renamed to: C:\Windows\system32\fastopenz.dll.vir
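A defender-side triage check for the persistence pattern this log shows (a startup scheduled task that invokes a DLL export, where the DLL is hidden+system with no publisher info), added here as an example; it is not part of Anthony's post or of any Mozilla or Trojan Remover tooling. The task and file records are constructed to mirror the log, the "ExampleUpdater" task and path are hypothetical, and the vowel-ratio test for random-looking names is a crude heuristic.

```python
import re

# Constructed sample data modelled on the Trojan Remover log quoted in this bug,
# plus one ordinary-looking task (hypothetical vendor and path) for contrast.
SAMPLE_TASKS = [
    {"name": "Ihkdqy", "schedule": "On system startup",
     "parameters": '"C:\\Windows\\system32\\fastopenz.dll",gqecb'},
    {"name": "ExampleUpdater", "schedule": "Daily",
     "parameters": '"C:\\Program Files\\Example\\updater.exe" /check'},
]
SAMPLE_FILES = {  # what a file listing reports for each task target
    "C:\\Windows\\system32\\fastopenz.dll": {"attributes": "RHS", "company": None},
    "C:\\Program Files\\Example\\updater.exe": {"attributes": "A", "company": "Example Corp"},
}

# rundll32-style target: "<path>.dll",<export>  (the form seen in the quoted log)
DLL_EXPORT_RE = re.compile(r'^"?(?P<path>[^"]+\.dll)"?\s*,\s*(?P<export>\w+)$', re.I)
VOWELS = set("aeiou")

def looks_random(name):
    """Crude heuristic: 5+ letters with fewer than one vowel in four (e.g. 'Ihkdqy')."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and sum(c in VOWELS for c in letters) / len(letters) < 0.25

def triage_task(task, files):
    """Return the indicators that fire for one scheduled task (empty list = nothing odd)."""
    flags = []
    m = DLL_EXPORT_RE.match(task["parameters"].strip())
    if m:
        flags.append("dll_entrypoint")            # a DLL export, not a program, is the target
        info = files.get(m.group("path"), {})
        attrs = info.get("attributes", "").upper()
        if "H" in attrs and "S" in attrs:
            flags.append("hidden_system_file")    # RHS attributes, as on fastopenz.dll
        if not info.get("company"):
            flags.append("no_company")            # "Company: [no info]" in the log
        if looks_random(m.group("export")):
            flags.append("random_export_name")
    if task.get("schedule", "").lower() == "on system startup":
        flags.append("startup")                   # common for legitimate tasks too; weak alone
    if looks_random(task["name"]):
        flags.append("random_task_name")
    return flags

def triage(tasks, files):
    """Map each task name to its indicators; review tasks with several flags first."""
    return {t["name"]: triage_task(t, files) for t in tasks}
```

On a live system the records would come from an export of the Task Scheduler and a directory listing that includes hidden and system files; a rootkit of the kind discussed later in this bug can hide the file from that listing, so an empty file record for a DLL task is itself worth a look.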
I've been doing Google searches for fastopenz.dll for the past few days, and none of the major anti-virus programs seem to have picked this .dll up and reported it as a problem. Anthony, which anti-virus program were you using when you made the scan in comment 19? There is one SUMO forum thread now showing up in search results: http://support.mozilla.com/no/forum/1/521721?forumId=1&comments_threshold=0&comments_parentId=521721&comments_offset=40&comments_per_page=20&thread_style=commentStyle_plain

As another area of investigation, here is something else to look at: we are tracking a possible zero day attack against Adobe Acrobat that could be affecting Firefox users just a few days before this bug was filed. If you are a user of MySpace, BitTorrent download sites, or some other possibilities, are running the latest version of Acrobat (18.104.22.168), and/or have seen crashes like those shown in bug 536974, you might have been exposed to exploit attempts via Acrobat.
Trojan Remover from Simply Super Software. The only site I use with constant Flash requirements are the games on Facebook. I submitted this to the bounty department for Firefox and before they even investigated this, they said it had nothing to do with Firefox.
Hi Anthony,

You have helped gather some interesting data that helps to understand some aspects of malware that is attacking Firefox, and we want to thank you for that. But we still aren't much closer to figuring out the exact set of steps or proof of concept that shows how that malware got installed, and if Firefox was used as the vector for that installation. That is what we would need for you to be eligible for a security bug bounty. See: http://www.mozilla.org/security/bug-bounty.html

Until then we definitely want to continue to study this to understand what steps might lead to the installation and any other common characteristics of the systems affected by this problem. It's interesting that Trojan Remover from Simply Super Software seems to be the only anti-virus package that is able to detect and remove this malware so far. That is pretty unusual. Simply Super Software doesn't post any details on its site about the viruses it detects, .dll's removed, or details of the effects of the malware it finds, so not much to be learned there even if they have figured out how the malware is actually being installed.

I found some more info that indicates a couple of rootkit .dlls are used to keep the malware on the system once it is installed. http://answers.yahoo.com/question/index?qid=20091216165323AAMZ1Sv

> Download PrevX. Do a PrevX scan to identify malware files; in my case they were:
> Propsys3.dll
> TR2468.DLL
> This infection is using rootkit techniques to hide from Anti-Malware programs; the files are hidden and inaccessible. See source reference.
Summary: Links are redirected to another site → search links hijacked and redirected to newserversearch.com - possibly after installation of fastopenz.dll Propsys3.dll & TR2468.DLL
Ok, I will make sure I get all the information to you for the bounty. I am getting closer to my whereabouts during the time when I was infected. Here goes:

The infection occurred on 12/11/2009 at 12:19 PM.

At 11:47 AM I performed a search for "firefox right click menu save images", which resulted in me visiting mozilla.org at this link: http://www.google.com/history/url?url=https://addons.mozilla.org/en-US/firefox/addon/3404&ei=rz4-S6CNIJPgxQXD-YypAQ&sig2=Hluo2cFpCTaiB1YEKxqzuA&ct=w

At 12:00 PM I performed a search for "firefox right click save image automatically", which resulted in me visiting clipmarks.com at this link: http://www.google.com/history/url?url=http://clipmarks.com/clipmark/DAAF5C7B-2FB8-4ADF-A6D5-ECFC3BA1D027/&ei=rz4-S6CNIJPgxQXD-YypAQ&sig2=G7Q6DIoot66r8k-CC_OgSA&ct=w

At 12:03 PM I performed a search for "firefox right click save image quick". I then visited 1 result from the search at lifehacker.com at this link: http://www.google.com/history/url?url=http://lifehacker.com/129658/geek-to-live-fifteen-firefox-quick-searches&ei=rz4-S6CNIJPgxQXD-YypAQ&sig2=PP0O2bGkIftgzK4XOYzJQQ&ct=w

I will be back with more info.
I am searching the crash reports and there are some from Facebook with the game Restaurant City. I visit this every day to play. On the thread I submitted, is there a way I can ask the users with the same problem for information on their crash reports? I would like to research this information. If not, I would like to work with a Mozilla employee that is able to
Your searches about trying to save images are a possible area to examine. In general, saving images or any other kind of files to your hard drive can be risky if the source of the files is a dangerous site. Are there files that you downloaded or saved, or programs that you installed, preceding when you started to see the effects of the malware?
I looked in the restore area and my installation log for restore points did not go back far enough. I also did a search on my computer for "created" on that day and only the infected file came up. Anyone know of any good freeware programs that will allow me to trace what I did on my computer?
This is over two years old at this point and Firefox's role was never confirmed. Without additional data and evidence that points to this being a problem in the current version of Firefox (version 10), I am resolving this as incomplete. Please re-open if you have actionable data that you can add to this, Anthony.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago → 8 years ago
Resolution: --- → INCOMPLETE