Closed Bug 593791 Opened 10 years ago Closed 10 years ago

Possible Firefox 0day?

Categories

(Firefox :: Security, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: imipak, Unassigned)

References

(Blocks 1 open bug, )

Details

User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100904 Firefox/4.0b6pre
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100904 Firefox/4.0b6pre

A work colleague who uses Firefox on Windows XP was compromised via a drive-by download from the (deactivated) URL given above. The malware seems to have:
- dropped a basic root kit (blocked Task Mgr)
- deactivated the local AV (Symantc Endpoint Protection)
- installed a password sniffer / keylogger
- installed fake AV
- the usual. It /might/ be a new variant of Bredolab (Disclosure: my employer is an AV company. We are investigating internally.) 

Looking in the Event Viewer after booting into Safe Mode shows a bunch of "Application faulting: Firefox" crashes. So it makes sense that the malware's using an unpatched 

Reproducible: Always

Steps to Reproduce:
1. browse to url
2. get pwned
3. make sad face
Actual Results:  
pwned

Expected Results:  
Not pwned
What version of Firefox was your colleague using?

Did any of the Firefox crashes result in the crash-reporter sending a report to us? If so please enter the URL about:crashes in the location bar and paste the recent crash ids here in the bug. Crash IDs that start with "bp-" will auto-link to the crash-stats site, you don't need to past the links just the IDs. If you have any that do NOT start with bp- please click on those first. The lack of the bp- prefix indicates they were not submitted and are only stored locally, but clicking on the links will then submit them (at which point they will be replaced with a bp- style ID).
It was v3.6.8 , on windows. Talkback didn't fire and I'm afraid the machine's been blatted and rebuilt now. All I have is this, from the Event Logs, if it's any use(?)

Event Type:     Error
Event Source:   Application Error
Event Category: (100)
Event ID:       1000
Date:           06/09/2010
Time:           11:36:12
User:           N/A
Computer:       [hostname]
Description:
Faulting application firefox.exe, version 1.9.2.3855, faulting module unknown, version 0.0.0.0, fault address 0x5a7d30e2.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 66 69 72   ure  fir
0018: 65 66 6f 78 2e 65 78 65   efox.exe
0020: 20 31 2e 39 2e 32 2e 33    1.9.2.3
0028: 38 35 35 20 69 6e 20 75   855 in u
0030: 6e 6b 6e 6f 77 6e 20 30   nknown 0
0038: 2e 30 2e 30 2e 30 20 61   .0.0.0 a
0040: 74 20 6f 66 66 73 65 74   t offset
0048: 20 35 61 37 64 33 30 65    5a7d30e
0050: 32                        2
How up to date was the machine? Was it a personal machine where the plugins are likely to be up-to-date (or maybe not), or was it a newly imaged test machine that might have a lot of old stuff on it? This /could/ be a new Firefox 0-day, but with what we see in the wild the odds are much higher it actually was a plugin attack (flash, pdf, IE HCP attack via WMP, etc.).

The information in comment 2 isn't all that useful, the process is already off executing in neverland. A stack that shows what it was doing before that point might have been a partial clue but it sounds like we're not going to get it.

The page was relatively uninteresting as well. There were two ads from a 3rd party provider (ad.yieldads.com) that changed on every load. If there was a malicious ad in rotation at the time we'd never know (unless yieldads discovered it and would admit it).
The OS install was a fairly new, about three months old, and up-to-date with all Microsoft patches; likewise Flash would have been upgraded to v10.1.82.76 in early September. Acrobat should also have been updated for http://www.adobe.com/support/security/bulletins/apsb10-17.html in late August. That said, yes a plugin exploit would seem more statistically likely. 

It seems that whatever it was has got away this time; I don't think there's any other forensic info I could lay my hands on. Shall I close this bug?
Unfortunately I don't think we have much choice but to close this.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.