u.asx as it appeared in the firefox disk cache (including http headers) and hcp.html downloaded 2010.07.20
2.24 KB, application/x-zip-compressed
5.13 KB, text/plain
18.45 KB, application/zip
What version of Windows Media Player and IE were on your computer? I'm curious whether out-of-date components were involved. If you use a new Firefox profile, does Firefox prompt before opening WMP? Firefox is supposed to prompt unless you check "don't ask me again" or "always this action for this question" for a given file type or external protocol.
I managed to restore the machine this happened on, so here is additional version information.

Firefox: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/20100504 Firefox/3.5.10 (.NET CLR 3.5.30729)

Media Player: possibly 9. I temporarily disabled the player; the file that still resides in the folder (wmplayer.exe) reports 9.00.00.4503. I didn't care about Media Player since I started using third-party media players, which can possibly be the case for a general user. At least a default install of Windows XP SP2 -> SP3 -> security updates will not change the default version of the player; it would just apply some previously known security updates.

Windows: XP SP3, security-sensitive updates included. I always confirm them manually; if something was related to Media Player, I didn't bypass it.

Firefox didn't ask for anything. I remember it since I'm always very sensitive about such things: the smallest doubt and I refuse. Moreover, when I did research on another machine (Windows 7) using my backup data, this page opened this file (u.asx) silently there as well, but I cannot confirm this exploit since Winamp was installed there and it only showed it accessing some stream. The Firefox on that machine is up to date (3.6.?) and I never confirmed any default "don't ask" for asx files, just because I never use them.

I also attached the files involved (u.asx and hcp.html). They were zipped in order to be safe for others.
(In reply to comment #1)
> If you use a new Firefox profile, does Firefox prompt before opening WMP?
> Firefox is supposed to prompt unless you check "don't ask me again" or "always
> this action for this question" for a given file type or external protocol.

WMP installs a plugin which is loaded by Content-Type -- no prompt. The prompt only applies to external schemes or when there's an external helper app. We could maybe blocklist the plugin (even though WMP doesn't actually suffer from the bug) but then the content-type will trigger an attempt to launch WMP as a helper app, at which point many users will have checked the "do this every time" box.

How many other apps out there call IE explicitly rather than the default browser? As long as there is one, attackers can always create innocuous-looking content that users may open up, creating a chain from content in Firefox to content in IE with more or fewer required clicks from users. The real problem here is the unfixed HCP Windows bug.

The onlyumpc site was probably hacked. The first line of http://onlyumpc.com/wp-content/themes/onlyumpc-v2/js/k2functions.js contains obfuscated script unrelated to the rest of the file that turns into a <script> tag of /data/mootools.js on one of 124 hosts randomly selected (31 subdomains times four domains). SafeBrowsing blocks one of the domains completely (gaindirectory.org), and many other hosts return error pages, but some are still active. Currently I can reach obfuscated attack code at http://lime.ideacoreportal.com/data/mootools.js
Created attachment 458956 [details] one variant of mootools.js Here's an example of what I got from lime.ideacoreportal.com/data/mootools.js -- seemed encoded differently each time I loaded it but structurally the same so probably just obfuscation differences. Haven't decoded it further yet.
I confirm the plugin Daniel mentioned is listed as
== Windows Media Player Plug-in Dynamic Link Library 184.108.40.2069 == npdsplay.dll
on the previously infected computer.
I don't know whether it will help or not, but while trying to figure things out with onlyumpc.com the next day (17.07.2010) on another computer, a new item from flywintech appeared in the ff cache (http://flywintech.com/px/index.php). Currently it seems it is not available on the site (I have a copy from that day). It was detected as HTML:Downloader-S on VirusTotal by 3 AV products, and Avast listed it as added 14.7.2010.

The file starts with <body><applet code='dev.s.AdgredY' archive='tmp/des.jar'

Possibly some automatically downloaded HTML intended directly for IE users and having no effect in ff.
I have some thoughts about how it could be fixed. Confirmations are a compromise that we at least have currently. For example, the shortest unbreakable chain is exe activation: there will be a confirmation box, and if no AV is installed, the user will be infected. The question is: is it technically possible to develop and silently install (when ff is not running) a plugin that will bypass exe confirmation? If it's not possible, ok.. vbs activation? The list of dangerous file formats isn't short. So maybe a blacklist should exist, with types from it that no plug-in can override for auto-activation. And from version to version, if a vulnerability is found for a new type, it can be extended with it. Even if we ended up with a bad user experience, asking for confirmation for every possible file format so far, maybe a next step would be to introduce a setting to disable it for those who know what they're doing.
plugins can be dropped into firefox folders at any time w/o any confirmation from firefox. user state is owned by the user, so if a bad application wants to update the user's firefox plugin cache while firefox isn't running so that firefox thinks it already approved a given plugin, that application running as that user can do so.

the general assumption is that plugins are installed by users for themselves, and asking users to confirm something which they presumably intentionally did will just cause them to:
1. get annoyed
2. blindly click a confirm button
3. ignore the message in the future
It's interesting that there's no such file as npdsplay.dll in any of the ff subfolders. Searching led to the following (CMIIW):

- According to http://kb.mozillazine.org/Windows_Media_Player the plug-in is installed through plug-in scanning in external folders. I was not aware of such a thing.

- This plug-in has existed for ages (actually since Netscape time). According to http://technet.microsoft.com/en-us/library/bb676136.aspx "As Netscape Navigator cannot communicate directly with Microsoft ActiveX controls, Microsoft Windows Media Player includes a plug-in (Npdsplay.dll) to allow users of Netscape Navigator to watch ASF content." Earliest mention on microsoft.com: http://support.microsoft.com/kb/243505
Contents of the Mplayer2.cab (IE 4.01 Service Pack 2)...
...
Npdsplay dll 347,648 06-25-98 8:55A Npdsplay.dll

Just wondering, can this system of external scanning be a potential security threat? I am personally almost ready to disable external scanning completely in my ff.
security is generally defined as keeping bad things out of a closed system. once bad stuff is in your closed system, it's too late. the ability for someone to run code which installs a plugin on your system means they can first and foremost: RUN CODE ON YOUR SYSTEM. IOW: "No".
Using a combination of technical and social methods, we could prevent honest software vendors from silently installing stuff into Firefox. See bug 565565 comment 1. Whether it's worth the ux-interruption, or would actually improve security in cases like this one, is another question.
Jess, I agree, there's something we can do. Also, I have some new information.

- On the second computer I mentioned, I didn't find any Media Player plugin, but I have a saved profile (a cache profile) that triggers asx opening. I repeated it a dozen times.

- With this working profile I tried disabling different plug-ins and restarting; the plugin that triggers asx opening is Adobe Reader, nppdf32.dll, file version 220.127.116.119022700, MD5: 28D2C5CE5944E1B027CF5C8004CF89A1. So it looks like the path is a little bit longer.

- I switched on the LiveHeaders extension (allows monitoring HTTP headers and responses) and once I managed to catch the full F5 download leading to asx opening. I'll attach it, and I'll also attach a pdf mentioned there and the vbs mentioned in the pdf (both downloaded today using the links that appeared in the file). The strange thing is that the order of files in LiveHeaders is u.asx -> pdf, so if the pdf triggers something, u.asx is already loaded (if LiveHeaders works sequentially).

I looked at the version of Adobe Reader as a program here; it's 9.2.0. I know it's not the latest, and I haven't upgraded it yet in order to keep the current state for testing purposes. I still cannot figure out the exact trigger code allowing this chain. Any suggestions? I also wanted to compare LiveHeaders results with Adobe Reader disabled, but unfortunately F5 for this infected page doesn't always work.
Created attachment 459530 [details]
Live Headers (HTTP Requests/Response) of a full reload operation

LiveHeaders - the contents of the Live Headers extension window after a successful reload (F5) operation leading to automatic asx opening
pdfopen.pdf.txt - the contents of the http://flywintech.com/px/tmp/pdfopen.pdf file (mentioned in the headers)
m.vbs.txt - the contents of the m.vbs file mentioned in http://flywintech.com/px/tmp/pdfopen.pdf

The vbs and pdf files use StrReverse extensively to hide the names of the Windows objects used (Scripting.FileSystemObject, WScript.Shell, MSXML2.XMLHTML, ADODB.Stream).
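The StrReverse trick described in the attachment note is cheap to undo during triage: every object name is passed as a reversed string literal, so a text search for StrReverse("...") and a string reversal recovers the ProgIDs without executing anything. The following is an added example written for this thread, not code from the attachments or from Mozilla; the VBScript sample inside it is constructed to mimic the described pattern (it is not m.vbs), and the capability labels attached to each ProgID are the author's own analyst heuristics. The real ProgID for the XMLHTTP object is MSXML2.XMLHTTP.

```python
import re

# Constructed sample in the style of the obfuscated m.vbs described in this bug
# (NOT the actual attachment): object names are hidden by passing reversed
# literals to StrReverse().
SAMPLE_VBS = '''
Set fso = CreateObject(StrReverse("tcejbOmetsySeliF.gnitpircS"))
Set sh  = CreateObject(StrReverse("llehS.tpircSW"))
Set x   = CreateObject(StrReverse("PTTHLMX.2LMXSM"))
Set st  = CreateObject(StrReverse("maertS.BDODA"))
'''

# Matches StrReverse("literal") with arbitrary whitespace; VBScript is
# case-insensitive, so the function name is matched case-insensitively too.
STRREVERSE_RE = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)

# Analyst heuristic (assumption, not from the bug): these ProgIDs together
# form the classic download-write-execute chain of a script dropper.
SUSPICIOUS_PROGIDS = {
    "Scripting.FileSystemObject": "file system write",
    "WScript.Shell": "process execution",
    "MSXML2.XMLHTTP": "HTTP download",
    "ADODB.Stream": "binary stream write",
}


def recover_strreverse_literals(script):
    """Return (obfuscated, recovered) pairs for every StrReverse("...") call."""
    return [(m.group(1), m.group(1)[::-1]) for m in STRREVERSE_RE.finditer(script)]


def deobfuscate(script):
    """Rewrite the script with each StrReverse("...") replaced by the plain literal,
    so the result can be read (and grepped) like ordinary VBScript."""
    return STRREVERSE_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', script)


def triage(script):
    """Map each recovered ProgID that is on the watch list to the capability
    it indicates; an empty dict means no known dropper objects were hidden."""
    found = {}
    for _, plain in recover_strreverse_literals(script):
        if plain in SUSPICIOUS_PROGIDS:
            found[plain] = SUSPICIOUS_PROGIDS[plain]
    return found


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
    for progid, capability in triage(SAMPLE_VBS).items():
        print(f"{progid:28s} -> {capability}")
```

Run it against a saved copy of a suspicious script (read the file into a string in place of SAMPLE_VBS); because it never evaluates the script, it is safe to use on untrusted samples. It only handles single-literal StrReverse calls, so a sample that also splits strings with & concatenation or Chr() calls would need an extra pass.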
Upgrading to the latest version (nppdf32.dll: 18.104.22.168) stopped the automatic asx downloading, at least for the saved profile I mentioned. It seems that this was fully Adobe Reader related. But some things still puzzle me. It looks like the u.asx download (which was actually listed in the download list) was a kind of Mozilla download, but on behalf of some scripting request from a plugin. Also, the full path of actions is still hidden behind complex logic.

Another thing. As long as the "You should upgrade your flash..." warning was at least once used for the Your Browser Updated page, is it possible to do the same for the Adobe Reader plugin from time to time?