Bug 536392 (Closed) - Opened 10 years ago, Closed 8 years ago

search links hijacked and redirected to newserversearch.com - possibly after installation of fastopenz.dll Propsys3.dll & TR2468.DLL

Product/Component: Firefox :: Security
Type: defect
Severity: critical
Priority: Not set
Version: 3.6 Branch
Platform: x86 / Windows 7
Status: RESOLVED INCOMPLETE
Reporter: arocco222
Assignee: Unassigned
References: Blocks 1 open bug
Whiteboard: [sg:needinfo]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5

I believe there is a security problem: links are being redirected to the site newserversearch.com/?q= . Many other users are being affected by this, which leads me to believe this may be a malware or virus issue. Here is one thread on this topic in the support forum. http://support.mozilla.com/nl/forum/1/521721

Reproducible: Always

Steps to Reproduce:
1. Perform a Google Search
2. Click a Search Result Link
3. A "not found" page opens containing the said address



Filed A security report
You rightly assume this is caused by malware.  There are several threads on support.mozilla.com that deal with this issue, some with feedback from users who were apparently able to remove the malware, e.g.:
https://support.mozilla.com/en-US/forum/1/521721?forumId=1&comments_threshold=0&comments_parentId=521721&comments_offset=20&comments_per_page=20&thread_style=commentStyle_plain#threadId531167

The only reason this bug would need to stay open is if Firefox was the cause of your system's infection.  Did you experience a crash or any other strange behavior in Firefox immediately preceding the newserversearch.com behavior?
Whiteboard: [sg:needinfo]
Right now I am assuming Firefox was the cause of our system's infection. The reason being that one of the links I submitted above has many Firefox users with the same malware. Perform a search and you will see that is not the only link with Firefox users complaining of this same exact malware infection. I did not experience a crash after clicking a link and redirecting to a not found page with the malware link.
Followed up with user on the security mailing list.  You cannot conclude that the infection is caused by Firefox because other Firefox users have experienced the same infection.  Feel free to reopen the bug if you have evidence that Firefox is the cause of your problem.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
You could be getting the virus from a multitude of places. Filesharing (LimeWire, BitTorrent), Facebook even. I would just suggest you clean the computer or have a professional do it.
Status: RESOLVED → VERIFIED
"incomplete" rather than "invalid" just because there's a lack of evidence to prove it was or wasn't Firefox. I don't think it was though, IE users end up with the exact same malware and the known infection vectors according to the anti-virus databases have used recent flash or PDF vulnerabilities.
Resolution: INVALID → INCOMPLETE
What I am saying is I can not conclude that it is from Firefox and you can not conclude that it isn't from Firefox. Once your team checks it out, then I would like the correct response. The first reply here stated that it wasn't from Firefox without notification of the answer being confirmed.
Resolution: INCOMPLETE → FIXED
Daniel, thanks, that is exactly what I am talking about. I do not appreciate a response from their team that automatically is protecting firefox without investigation to this problem.
Status: VERIFIED → UNCONFIRMED
Resolution: FIXED → ---
Can you prove that this is caused by firefox?
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Tyler, please read the posts carefully here. If you are asking me you would know my answer to this from comment 6. Thanks
Resolution: INCOMPLETE → FIXED
Why are you marking this FIXED? There is no patch checked into the tree.
We did check this out, and there is no conclusive evidence that this is firefox's fault.
Resolution: FIXED → INCOMPLETE
Tyler, who marked this fixed? Please send me the information on what was checked to verify this is not coming from Firefox. I will also give this information to everyone that is being affected by it. Thanks
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
Version: unspecified → 3.6 Branch
Hi Anthony,
In most cases like this, the examination of how your system got infected needs to happen on your system.  Virus scanners need to be run to determine the exact malware that has been installed. Your browsing history, versions of plugins you have installed, and other components of the browser need to be examined to possibly help understand how the infection occurred.  As Dan mentioned, these examinations have to date pointed at possible infection via exploiting known problems in older versions of plugins.  To date we haven't found any infections occurring by directly attacking a vulnerability in Firefox.   We certainly would want to know if that was occurring, but the investigation needs to happen on your end.   If you have other thoughts about what we could investigate, please make suggestions.

If you can post any information in this bug about these areas that might help us to understand what is happening:

- what malware was found on your system from anti-virus scans
- versions of plugins installed  (about:plugins )
- versions and names of addons that are installed (tools | addons )
- the URLs of sites that your browser is being redirected to when you try to use the browser
- list of suspect sites that you visited just before you began noticing the infection
If your browser has crashed recently (you can find this by typing 'about:crashes' in the location bar), please include links to the crash reports in this bug as well.  That might help us to understand what malware might be running on your system.
Hi, thanks for the great replies. Here is the most recent crash report which was on 12-6
http://crash-stats.mozilla.com/report/index/bp-3cd3cafe-eaeb-4dda-9454-4c9022091206
I am going to get all of the information requested from you and post it here.
Signature	NPSWF32.dll@0xa8654
UUID	3cd3cafe-eaeb-4dda-9454-4c9022091206
Time 	2009-12-06 07:48:56.916594
Uptime	197
Last Crash	199 seconds before submission
Product	Firefox
Version	3.6b4
Build ID	20091124213835
Branch	1.9.2
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 7
Crash Reason	EXCEPTION_PRIV_INSTRUCTION
Crash Address	0x9dd9001
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 		@0x9dd9001 	
1 	NPSWF32.dll 	NPSWF32.dll@0xa8654 	
2 	NPSWF32.dll 	NPSWF32.dll@0xab0ab 	
3 	NPSWF32.dll 	NPSWF32.dll@0xed421 	
4 	NPSWF32.dll 	NPSWF32.dll@0x1392a6 	
5 	NPSWF32.dll 	NPSWF32.dll@0x139836 	
6 	xul.dll 	nsNPAPIPluginInstance::Stop 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1178
7 	xul.dll 	DoStopPlugin 	layout/generic/nsObjectFrame.cpp:2246
8 	xul.dll 	nsStopPluginRunnable::Run 	layout/generic/nsObjectFrame.cpp:2296
9 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
10 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
11 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:182
12 	nspr4.dll 	PR_GetEnv 	
13 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:120
14 	firefox.exe 	__tmainCRTStartup 	obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
15 	kernel32.dll 	BaseThreadInitThunk 	
16 	ntdll.dll 	__RtlUserThreadStart 	
17 	ntdll.dll 	_RtlUserThreadStart 	

NPSWF32.dll 	10.0.32.18 	C569605C15E5448BBFD9E1FE262649B61 	NPSWF32.pdb
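The crash report above carries the two things a plugin-exploit triage looks at first: frame 0 has no module (the instruction pointer 0x9dd9001 was not inside any loaded DLL when the EXCEPTION_PRIV_INSTRUCTION fired), and every frame below it is in NPSWF32.dll, the Flash plugin, at a version the following comments call out as not current. The Python script below is an added example, not code from this bug or from Mozilla's crash tooling: it parses a frame listing in the tab-separated layout pasted above and reports those indicators. The plugin-name table, the exception-reason set, and the version numbers passed in (10.0.32.18 installed, 10.0.42 as the Flash release the thread later refers to) are the example's own assumptions.

```python
"""Triage of a Socorro-style crash stack.

Added example, not code from the bug or from Mozilla.  It reads a frame listing
in the layout pasted in the bug (frame, module, signature, source; tab-separated)
and pulls out the indicators an analyst checks first when asking whether a
plugin crash could have been an exploit attempt:
  * the crashing instruction pointer lies outside every loaded module
    (frame 0 has no module name), and
  * the nearest module frames belong to a plugin that is older than the
    current release.
Both are indicators, not proof: JIT-generated code also lives outside any module.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the frame listing in the bug (first eight frames only).
SAMPLE_STACK = (
    "0\t\t@0x9dd9001\t\n"
    "1\tNPSWF32.dll\tNPSWF32.dll@0xa8654\t\n"
    "2\tNPSWF32.dll\tNPSWF32.dll@0xab0ab\t\n"
    "3\tNPSWF32.dll\tNPSWF32.dll@0xed421\t\n"
    "4\tNPSWF32.dll\tNPSWF32.dll@0x1392a6\t\n"
    "5\tNPSWF32.dll\tNPSWF32.dll@0x139836\t\n"
    "6\txul.dll\tnsNPAPIPluginInstance::Stop\tmodules/plugin/base/src/nsNPAPIPluginInstance.cpp:1178\n"
    "7\txul.dll\tDoStopPlugin\tlayout/generic/nsObjectFrame.cpp:2246\n"
)

# Plugin modules of interest (Flash and Adobe Reader NPAPI plugins).  Assumed table.
PLUGIN_MODULES = {"npswf32.dll": "Flash Player", "nppdf32.dll": "Adobe Reader"}

# Breakpad reasons that mean the CPU tried to execute something it should not have.
EXEC_STYLE_REASONS = {
    "EXCEPTION_PRIV_INSTRUCTION",
    "EXCEPTION_ILLEGAL_INSTRUCTION",
    "EXCEPTION_ACCESS_VIOLATION_EXEC",
}


def parse_stack(text: str) -> List[Dict[str, str]]:
    """One dict per frame; missing columns become empty strings."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (4 - len(cols))
        frames.append({"frame": cols[0].strip(), "module": cols[1].strip(),
                       "signature": cols[2].strip(), "source": cols[3].strip()})
    return frames


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.0.32.18' -> (10, 0, 32, 18); tuples compare numerically, field by field."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def triage_crash(stack_text: str, crash_reason: str,
                 installed: Dict[str, str], latest: Dict[str, str]) -> Dict[str, object]:
    """Return the indicators found plus a one-line verdict."""
    frames = parse_stack(stack_text)
    findings: List[str] = []
    if frames and frames[0]["module"] == "":
        findings.append("ip-outside-any-module")
    if crash_reason in EXEC_STYLE_REASONS:
        findings.append("exec-style-exception")
    # First frame that belongs to a module: whose code was running just before the fault.
    owner: Optional[str] = next((f["module"] for f in frames if f["module"]), None)
    if owner and owner.lower() in PLUGIN_MODULES:
        findings.append("nearest-code-is-plugin")
        have = {k.lower(): v for k, v in installed.items()}.get(owner.lower())
        want = {k.lower(): v for k, v in latest.items()}.get(owner.lower())
        if have and want and parse_version(have) < parse_version(want):
            findings.append("plugin-outdated")
    suspicious = {"ip-outside-any-module", "nearest-code-is-plugin"} <= set(findings)
    return {
        "nearest_module": owner,
        "findings": findings,
        "verdict": ("possible exploit attempt against the plugin; verify on the host"
                    if suspicious else "no exploit indicators in this stack"),
    }


if __name__ == "__main__":
    result = triage_crash(SAMPLE_STACK, "EXCEPTION_PRIV_INSTRUCTION",
                          installed={"NPSWF32.dll": "10.0.32.18"},
                          latest={"NPSWF32.dll": "10.0.42"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

An instruction pointer outside every module is also what a crash in JIT-generated code looks like, so the verdict is a triage cue to follow up on the host (hash the plugin DLL, confirm its version, look at what the page had loaded), not a conclusion on its own.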

You aren't running the latest version of flash.
Let's keep going to see if you can identify the names of the malware packages that are on your system so we can see if they line up to vulnerabilities in Flash or other known exploits running in the wild.
timeless, thanks for letting me know! I just looked and it shows I have Shockwave 10.0.32.18  10.0 r32, and the site says this is the newest one and I am up to date. So was this upgraded since my report above?
Ok, the Mozilla plugin check located at https://www.mozilla.com/en-US/plugincheck/ is not recognizing the newer Flash 10.0 r42. It's showing up to date with r32. So I went to the site and updated it. Thanks
Here is the infected file

Taskname:      Ihkdqy
File:          C:\Windows\system32\fastopenz.dll
C:\Windows\system32\fastopenz.dll
-RHS- 132096 bytes
Created:  12/11/2009 12:19 PM
Modified: 12/11/2009 12:19 PM
Company:  [no info]
Parameters:    "C:\Windows\system32\fastopenz.dll",gqecb
Schedule:      On system startup
Next Run Time: 
Status:        Running
Status:        Anthony
Comments:      
C:\Windows\system32\fastopenz.dll - access denied
C:\Windows\system32\fastopenz.dll - Ownership checked
Ihkdqy - this Scheduled Task has been deleted
C:\Windows\system32\fastopenz.dll - READ-ONLY, HIDDEN and SYSTEM file attributes removed
C:\Windows\system32\fastopenz.dll - file renamed to: C:\Windows\system32\fastopenz.dll.vir
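The Trojan Remover record above shows the persistence mechanism in full: a scheduled task with a generated name, set to run on system startup, whose action is a System32 DLL invoked through an export with an equally generated name (the `"...fastopenz.dll",gqecb` parameters are the DLL-path-then-export argument form that rundll32.exe takes; that the task's executable is rundll32 is an assumption of this example, since the record does not name it). As an added example that is not part of this bug or of Trojan Remover, the Python below reads a `schtasks /query /fo csv /v` export (the command Windows 7 provides for dumping all tasks) and scores every rundll32-launched task against that shape. The CSV is constructed for the example: its first row mirrors the task in the bug, the other rows stand in for ordinary tasks, and only a subset of the columns schtasks emits is included.

```python
"""Hunt for rundll32-based persistence in a schtasks export.

Added example, not code from the bug or from Trojan Remover.  The record in the
bug shows the shape of the persistence: a scheduled task with a throwaway name
(Ihkdqy) that runs at system startup and executes a DLL in System32 through an
export with a random-looking name ("...\\fastopenz.dll",gqecb).  On Windows 7,
`schtasks /query /fo csv /v` dumps every task including a "Task To Run" column;
this script reads such an export and scores each rundll32 task against that shape.
"""
import csv
import io
import re
from typing import Dict, List

# Constructed export: column names follow schtasks /v (subset); rows are made up for
# the example.  The first row mirrors the task in the bug, the rest stand in for
# ordinary tasks (including a benign rundll32 one that must not be flagged).
SAMPLE_EXPORT = r'''"HostName","TaskName","Status","Task To Run","Schedule Type","Run As User"
"WIN7-PC","\Ihkdqy","Running","rundll32.exe ""C:\Windows\system32\fastopenz.dll"",gqecb","At system start up","SYSTEM"
"WIN7-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c","Weekly","SYSTEM"
"WIN7-PC","\IdleMaintenance","Ready","rundll32.exe C:\Windows\system32\advapi32.dll,ProcessIdleTasks","Daily","SYSTEM"
"WIN7-PC","\GoogleUpdateTaskMachineCore","Ready","C:\Program Files\Google\Update\GoogleUpdate.exe /c","At logon time","SYSTEM"
'''

# rundll32[.exe] <dll path>,<export>; the path may or may not be quoted.
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>[^\s,]+)', re.I)


def looks_random(name: str) -> bool:
    """Heuristic: real task and export names are built from words and carry vowels;
    generated ones like 'Ihkdqy' or 'gqecb' are vowel-poor."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 4:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def hunt(export_csv: str, min_score: int = 3) -> List[Dict[str, object]]:
    """Return every rundll32-launched task that matches at least min_score traits."""
    hits: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        cmd = row.get("Task To Run", "")
        m = RUNDLL.search(cmd)
        if not m:
            continue  # only rundll32-launched DLLs are in scope here
        dll, entry = m.group("dll"), m.group("entry")
        task = row.get("TaskName", "").rsplit("\\", 1)[-1]
        sched = row.get("Schedule Type", "").lower()
        reasons = ["rundll32 launches a DLL from a scheduled task"]
        if re.search(r"\\system32\\", dll, re.I):
            reasons.append("DLL lives under System32 (check signature and creation time)")
        if looks_random(entry):
            reasons.append(f"export name {entry!r} looks generated")
        if looks_random(task):
            reasons.append(f"task name {task!r} looks generated")
        if "start" in sched or "logon" in sched:
            reasons.append("runs at startup/logon (persistence)")
        if len(reasons) >= min_score:
            hits.append({"task": task, "dll": dll, "entry": entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EXPORT):
        print(f"{hit['task']}: {hit['dll']} -> {hit['entry']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Each hit is only a cue. On the host, confirm with `attrib` that the file carries the read-only, hidden and system attributes the record shows (unusual for a DLL in System32), hash the file and keep a copy before renaming it, and compare its creation time with the browsing history, as the thread goes on to do.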
I've been doing Google searches for fastopenz.dll for the past few days, and none of the major anti-virus vendors seem to have picked this .dll up or are reporting it as a problem.  

Anthony,  which anti-virus program were you using when you made the scan in comment 19?

There is one SUMO forum thread now showing up in search results

http://support.mozilla.com/no/forum/1/521721?forumId=1&comments_threshold=0&comments_parentId=521721&comments_offset=40&comments_per_page=20&thread_style=commentStyle_plain

as another area of investigation here is something else to look at:

we are tracking a possible zero-day attack against Adobe Acrobat that could be affecting Firefox users, from just a few days before this bug was filed.  

If you are a user of myspace,  bittorrent download sites, or some other possibilities, are running the latest version of acrobat (9.2.0.124),  and/or have seen crashes like shown in bug 536974  you might have been exposed to exploit attempts via acrobat.
Trojan Remover from Simply Super Software.

The only site I use with constant Flash requirements is the games on Facebook. I submitted this to the bounty department for Firefox and before they even investigated this, they said it had nothing to do with Firefox.
Hi Anthony,

You have helped gather some interesting data that helps to understand some aspects of malware that is attacking Firefox, and we want to thank you for that.  But we still aren't much closer to figuring out the exact set of steps or proof of concept that shows how that malware got installed, and if firefox was used as the vector for that installation.  That is what we would need for you to be eligible for a security bug bounty. See: http://www.mozilla.org/security/bug-bounty.html   

Until then we definitely want to continue to study this to understand what steps might lead to the installation and any other common characteristics of the systems affected by this problem.

It's interesting that Trojan Remover from Simply Super Software seems to be the only anti-virus package that is able to detect and remove this malware so far. That is pretty unusual.  Simply Super Software doesn't post any details on its site about the viruses it detects, .dll's removed, or details of the effects of the malware it finds, so not much to be learned there even if they have figured out how the malware is actually being installed.

I found some more info that indicates a couple of rootkit .dlls are used to keep the malware on the system once it is installed.

http://answers.yahoo.com/question/index?qid=20091216165323AAMZ1Sv

  Download PrevX
  Do a PrevX scan to identify malware files, in my case they were:

  Propsys3.dll
  TR2468.DLL

  This infection is using rootkit techniques to hide from Anti-Malware programs, the files are hidden and inaccessible see source reference.
Summary: Links are redirected to another site → search links hijacked and redirected to newserversearch.com - possibly after installation of fastopenz.dll Propsys3.dll & TR2468.DLL
Ok, I will make sure I get all the information to you for the bounty. I am getting closer to my whereabouts during the time when I was infected.

 Here goes:

The infection occured on 12/11/2009 at 12:19 PM

At 11:47am I performed a search for "firefox right click menu save images" which resulted in me visiting mozilla.org at this link:

http://www.google.com/history/url?url=https://addons.mozilla.org/en-US/firefox/addon/3404&ei=rz4-S6CNIJPgxQXD-YypAQ&sig2=Hluo2cFpCTaiB1YEKxqzuA&ct=w

At 12:00 PM I performed a search for " firefox right click save image automatically"
Which resulted in me visiting clipmarks.com at this link:
http://www.google.com/history/url?url=http://clipmarks.com/clipmark/DAAF5C7B-2FB8-4ADF-A6D5-ECFC3BA1D027/&ei=rz4-S6CNIJPgxQXD-YypAQ&sig2=G7Q6DIoot66r8k-CC_OgSA&ct=w
	
At 12:03PM I performed a search for "firefox right click save image quick"

I then visited 1 result from the search at lifehacker.com
at this link
http://www.google.com/history/url?url=http://lifehacker.com/129658/geek-to-live-fifteen-firefox-quick-searches&ei=rz4-S6CNIJPgxQXD-YypAQ&sig2=PP0O2bGkIftgzK4XOYzJQQ&ct=w

I will be back with more info
I am searching the crash reports and there are some from facebook with the game restaurantcity. I visit this everyday to play. On the thread I submitted, is there a way I can ask the users with the same problem for information on their crash reports? I would like to research this information. If not I would like to work with a Mozilla employee that is able to
Your searches about trying to save images are a possible area to examine.  In general, saving images or any other kind of files to your hard drive can be risky if the source of the files is a dangerous site.

Are there files that you downloaded or saved, or programs that you installed, preceding when you started to see the effects of the malware?
I looked in the restore area and my installation log for restore points did not go back far enough. I also did a search on my computer for "created" on that day and only the infected file came up. Anyone know of any good freeware programs that will allow me to trace what I did on my computer?
This is over two years old at this point and Firefox's role was never confirmed.

Without additional data and evidence that points to this being a problem in the current version of Firefox (version 10), I am resolving this as incomplete.

Please re-open if you have actionable data that you can add to this, Anthony.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago → 8 years ago
Resolution: --- → INCOMPLETE