Closed Bug 550951 Opened 14 years ago Closed 14 years ago

Security hole(s) allow websites to infect pc with HTML/Rce.Gen Trojan

Categories: Firefox :: Security, defect
Hardware/OS: x86, Windows 7
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
People: Reporter benjamin-schwarz; Unassigned
References: Blocks 1 open bug

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a3pre) Gecko/20100307 BetterPrivacy-1.47 Minefield/3.7a3pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a3pre) Gecko/20100307 BetterPrivacy-1.47 Minefield/3.7a3pre

Every time I visit http://mjavaboy.latinowebs.com/ I get a file stored under
C:\Users\User Name\AppData\Local\Mozilla\Firefox\Profiles\cc1d2gek.default\Cache\09712902d01 (where "User Name" is the name of my Windows user account),
which is recognized as HTML/Rce.Gen (AntiVir) / JS/Dccrypt.B.gen (F-Prot) / Heuristic.Script.Rce (McAfee-GW-Edition).

Reproducible: Always

Steps to Reproduce:
1. Visit http://mjavaboy.latinowebs.com/
Actual Results:
The computer gets infected by the script virus variant HTML/Rce.Gen

Expected Results:
Firefox should prevent websites from infecting the computer.

That file is in your Firefox cache directory, so it has not been installed or executed. This cache directory temporarily keeps a copy of files & content you come across on the web for performance reasons. In this case it's simply matching some HTML/JavaScript that it believes is malware on a webpage you are visiting.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID

Ah, it's ok then...
The description on the Avira website says that it was installed through a security hole in my browser, so I reported it.
Thank you for your quick response!

mjavaboy.latinowebs.com definitely has suspicious-looking content -- I've reported it to the Safe Browsing service. At the very top is an escaped string that turns into a Decode() function, and then later are two calls to this function with cryptic strings. These translate to add the following script tags to the page:

<script language="javascript" type="text/javascript" src="/cgi-bin/validate_banner?enc=uwj2uwjd%3D7862utxyd%3E57%3E5"></script>
<script language="javascript" type="text/javascript" src="/cgi-bin/validate_banner?enc=qptu.1"></script>

Those links give me a 200 status code ("ok") with the content "page not accessible" -- a little odd, usually you'd expect a "403 Forbidden" status if the server didn't want to give it to me. Tried faking referers but no dice.

According to various antivirus databases the warnings you saw seem to map to heuristics unhappy with the obfuscation technique rather than any specific malware (and I agree it's very very suspicious). The cache file "09712902d01" maps to the main page, not any included script files (we use a deterministic naming algorithm -- I get the same file name). It's possible you got the same innocuous "page not accessible" content I'm seeing now, or that if you got malicious content it was specific to Internet Explorer users and wouldn't affect you.

If you had gotten infected the Anti-Virus would have started warning about the payload being installed somewhere outside the cache directory.
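The comment above describes how the page hides its injected script tags: an escaped string becomes a Decode() helper, and two further escaped strings expand into the two `<script src="/cgi-bin/validate_banner?...">` tags. A safe way to confirm that for yourself is to never render the cached page at all and instead treat it as text, percent-decode its escaped string literals the way JavaScript's unescape() would, and list any script tags that only exist after decoding. The script below is an added example, not code from this bug or from Mozilla; SAMPLE_PAGE is constructed to mirror the description (the real site's Decode() function was not published here and is assumed to be a plain unescape() wrapper), and the two src values are the ones quoted in the comment.

```python
"""Static triage of a saved HTML page / Firefox cache entry that hides
<script> tags inside percent-escaped JavaScript strings. The page is
only ever handled as text; nothing is evaluated or rendered."""
import re
from urllib.parse import unquote

# Constructed sample, NOT the real mjavaboy.latinowebs.com content. It mimics
# what the bug comment describes: an escaped blob that defines Decode(), then
# two Decode() calls whose arguments expand into script tags. The decoder is
# assumed to be equivalent to JavaScript's unescape() (one percent-decoding
# layer); the real site's Decode() was not published in this bug.
SAMPLE_PAGE = r'''
<html><head><title>welcome</title>
<script>eval(unescape("%66%75%6E%63%74%69%6F%6E%20%44%65%63%6F%64%65%28%73%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%73%29%29%7D"));</script>
</head><body>
<p>normal page text</p>
<script>Decode("%3Cscript%20language%3D%22javascript%22%20type%3D%22text%2Fjavascript%22%20src%3D%22%2Fcgi-bin%2Fvalidate_banner%3Fenc%3Duwj2uwjd%253D7862utxyd%253E57%253E5%22%3E%3C%2Fscript%3E");</script>
<script>Decode("%3Cscript%20language%3D%22javascript%22%20type%3D%22text%2Fjavascript%22%20src%3D%22%2Fcgi-bin%2Fvalidate_banner%3Fenc%3Dqptu.1%22%3E%3C%2Fscript%3E");</script>
</body></html>
'''

# Double-quoted JS string literals with no quotes or backslashes inside, which
# is the shape these obfuscators emit; only literals carrying at least
# MIN_ESCAPES %xx sequences are treated as encoded payloads.
STRING_LITERAL = re.compile(r'"([^"\\]*)"')
PCT_ESCAPE = re.compile(r'%[0-9A-Fa-f]{2}')
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
MARKERS = ("eval(", "unescape(", "document.write(")
MIN_ESCAPES = 3


def decode_escaped_strings(html: str) -> list[str]:
    """Return every heavily percent-escaped string literal in the page,
    decoded one layer (what JavaScript's unescape() would produce).
    Nested encodings need this re-run on its own output; a single pass
    is deliberate so escapes that belong to the decoded URL survive."""
    decoded = []
    for literal in STRING_LITERAL.findall(html):
        if len(PCT_ESCAPE.findall(literal)) >= MIN_ESCAPES:
            decoded.append(unquote(literal))
    return decoded


def hidden_script_sources(html: str) -> list[str]:
    """src attributes of <script> tags that only appear after decoding."""
    srcs = []
    for text in decode_escaped_strings(html):
        srcs.extend(SCRIPT_SRC.findall(text))
    return srcs


def marker_counts(html: str) -> dict[str, int]:
    """Occurrences of common obfuscation primitives, counted over the raw
    page plus its decoded strings so markers hidden inside escapes count."""
    corpus = html + "\n".join(decode_escaped_strings(html))
    return {m: corpus.count(m) for m in MARKERS}


if __name__ == "__main__":
    for s in decode_escaped_strings(SAMPLE_PAGE):
        print("decoded:", s)
    print("hidden script srcs:", hidden_script_sources(SAMPLE_PAGE))
    print("markers:", marker_counts(SAMPLE_PAGE))
```

Run against a real cache entry, read the file with errors="replace" and pass its text to hidden_script_sources(); an empty result together with zero markers is a reasonable sign the heuristic AV hit was on the page's own markup rather than on a second-stage payload, while any decoded src is the URL to hand to the Safe Browsing report rather than to fetch in a browser.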