24Dec'09 Trojan in Java (JRE) Loc Firefox 3.5.6




9 years ago
9 years ago


(Reporter: MikeSBerens, Unassigned)


Firefox Tracking Flags

(Not tracked)




9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)

Can't determine if a) this is/not of interest and b) whether it is already in KB.

Detected by McAfee Virus Scan 24Dec'09 23:51

Exploit-ByteVerify (Trojan), Exploit-ByteVerify (Trojan),Exploit-ByteVerify (Trojan)

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\38\1faa9526-156da9d5

This was overlooked by boithe LavaSoft's Ad-Aware and MBAM.

Reproducible: Always

Steps to Reproduce:
1. N/A
2. (I don't want to see this again)
3. Also, what does Firefox do to avoid Rogue "security" shyster sites and cross scripting????????

Expected Results:  
Avoid Trojan sites.  Also, avoid Rogue and cross-scripted sites.

You all need a tailored input for security reports that may affect you.

Life's tough and hackers/malware-makers don't help.

Comment 1

9 years ago
I will also report to OOo security and the Sun security techies.
Exploit-ByteVerify is a several years old Java flaw that isn't a worry if you have updated your Java any time in the last couple of years -- and hopefully you're more up to date than that because there are other more recently discovered vulnerabilities you could be at risk from.

This is in your Java cache because you visited a site that contained code that tried to use this malicious trick. The applet was downloaded in order to run it, but if your copy of Java (you appear to have Java 6.0, also confusingly known as 1.6) is not vulnerable then you've got nothing to worry about.

Exploit-ByteVerify was the trick used to get around restrictions in the Java engine in order to install malware, the actual payload would be something else and varies by who's attacking you. Had you been vulnerable your anti-virus would have picked up the malware running.

The exploit itself is neither adware nor malware so I'm not surprised your other two checkers found nothing. The payload might not have even been present in the applet for them to find, often it's downloaded if the initial exploit works. They probably would have detected the results if the attempt hadn't been stopped by your java engine and anti-virus.

In any case this was never a Firefox vulnerability, it was a flaw in Sun's Java which they have patched. Improvements are going into upcoming versions of Firefox to help people keep their plugins up to date and protected against old known attacks.
Last Resolved: 9 years ago
Resolution: --- → INVALID
Group: core-security

Comment 3

9 years ago
Earlier Response was helpful (2 days);  followup was 60 days; I had forgotten the incident.
Additional steps taken in late Dec'09:  
1) Downloaded fresh copies of a) JRE; b) OOo; C) Firefox.
2) Installed them in that order
3) Updated and scanned system folders with a) McAfee SecCtr; b) Ad-Aware; c) MalwareBytes AntiMalware (MBAM); d) WinCleanOneClick

Recently updated to Firefox 3.6, and Adobe's add-in play-scripter.

Note MBAM v1.44 is buggy (locksup); MB QA is working their problem.  Skip v1.44, and I would wait to read their forum issues for v1.45 when they get there.
MBAM is usually the most aggressive updater based on new malware reports. LavaSoft is pretty reliable but I've had two instances where Ad-Aware said no problems, but MBAM found them.
You need to log in before you can comment on or make changes to this bug.