Closed Bug 593791 Opened 10 years ago Closed 10 years ago
Possible Firefox 0day?
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100904 Firefox/4.0b6pre
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100904 Firefox/4.0b6pre

A work colleague who uses Firefox on Windows XP was compromised via a drive-by download from the (deactivated) URL given above. The malware seems to have:
- dropped a basic root kit (blocked Task Mgr)
- deactivated the local AV (Symantec Endpoint Protection)
- installed a password sniffer / keylogger
- installed fake AV
- the usual.
It /might/ be a new variant of Bredolab (Disclosure: my employer is an AV company. We are investigating internally.)

Looking in the Event Viewer after booting into Safe Mode shows a bunch of "Application faulting: Firefox" crashes. So it makes sense that the malware's using an unpatched

Reproducible: Always

Steps to Reproduce:
1. browse to url
2. get pwned
3. make sad face

Actual Results:
pwned

Expected Results:
Not pwned
What version of Firefox was your colleague using? Did any of the Firefox crashes result in the crash-reporter sending a report to us? If so please enter the URL about:crashes in the location bar and paste the recent crash ids here in the bug. Crash IDs that start with "bp-" will auto-link to the crash-stats site, you don't need to paste the links, just the IDs. If you have any that do NOT start with bp- please click on those first. The lack of the bp- prefix indicates they were not submitted and are only stored locally, but clicking on the links will then submit them (at which point they will be replaced with a bp- style ID).
It was v3.6.8, on Windows. Talkback didn't fire and I'm afraid the machine's been blatted and rebuilt now. All I have is this, from the Event Logs, if it's any use(?)

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 06/09/2010
Time: 11:36:12
User: N/A
Computer: [hostname]
Description:
Faulting application firefox.exe, version 1.9.2.3855, faulting module unknown, version 0.0.0.0, fault address 0x5a7d30e2.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 66 69 72   ure  fir
0018: 65 66 6f 78 2e 65 78 65   efox.exe
0020: 20 31 2e 39 2e 32 2e 33    1.9.2.3
0028: 38 35 35 20 69 6e 20 75   855 in u
0030: 6e 6b 6e 6f 77 6e 20 30   nknown 0
0038: 2e 30 2e 30 2e 30 20 61   .0.0.0 a
0040: 74 20 6f 66 66 73 65 74   t offset
0048: 20 35 61 37 64 33 30 65    5a7d30e
0050: 32 2
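The record pasted above is the only forensic artifact left in this bug, so it is worth knowing exactly what it does and does not say. The following is an added example, not code from the bug or from Mozilla: a small parser for a Windows XP Application Error (Event ID 1000) record that pulls the faulting application, version, module and fault address out of the Description line, decodes the hex-dump Data block back to ASCII, and cross-checks the two (the Data block repeats the description in a fixed "app version in module version at offset addr" form, which is how the version string can be confirmed if the text copy is mangled). The sample record is the one from comment 2 with its line structure restored; the hostname placeholder is the reporter's, and the last Data row is the truncated one as it appears in the bug. The triage notes the code emits are this example's own reading of the record.

```python
import re

# Constructed sample: the Event ID 1000 record quoted in comment 2 of this bug,
# with line breaks restored. "[hostname]" is the reporter's own placeholder.
SAMPLE_EVENT = """\
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 06/09/2010
Time: 11:36:12
User: N/A
Computer: [hostname]
Description:
Faulting application firefox.exe, version 1.9.2.3855, faulting module unknown, version 0.0.0.0, fault address 0x5a7d30e2.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 66 69 72   ure  fir
0018: 65 66 6f 78 2e 65 78 65   efox.exe
0020: 20 31 2e 39 2e 32 2e 33    1.9.2.3
0028: 38 35 35 20 69 6e 20 75   855 in u
0030: 6e 6b 6e 6f 77 6e 20 30   nknown 0
0038: 2e 30 2e 30 2e 30 20 61   .0.0.0 a
0040: 74 20 6f 66 66 73 65 74   t offset
0048: 20 35 61 37 64 33 30 65    5a7d30e
0050: 32                        2
"""

# "Key: value" header lines of the Event Viewer text export.
HEADER_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer): *(.*)$", re.M)
# The fixed wording of the Application Error description on Windows XP.
DESC_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_version>[^,]+), "
    r"faulting module (?P<module>\S+), version (?P<module_version>[^,]+), "
    r"fault address 0x(?P<fault_address>[0-9a-fA-F]+)")
# One hex-dump row: 4-digit offset, colon, up to 8 byte values; the ASCII column is ignored.
DATA_ROW_RE = re.compile(r"^[0-9a-fA-F]{4}:((?: [0-9a-fA-F]{2}){1,8})", re.M)


def parse_event_1000(text):
    """Parse a Windows XP Application Error (Event ID 1000) record into a dict."""
    record = {key: value.strip() for key, value in HEADER_RE.findall(text)}
    m = DESC_RE.search(text)
    if m is None:
        raise ValueError("no Application Error description found")
    record.update(m.groupdict())
    record["fault_address"] = record["fault_address"].lower()
    # bytes.fromhex ignores ASCII whitespace, so each captured row decodes directly.
    raw = b"".join(bytes.fromhex(row) for row in DATA_ROW_RE.findall(text))
    record["data_ascii"] = raw.decode("ascii", errors="replace")
    return record


def data_matches_description(record):
    """True when the decoded Data block repeats the description's app/version/module/offset."""
    expected = "{app} {app_version} in {module} {module_version} at offset {fault_address}".format(**record)
    return expected in record["data_ascii"]


def triage_notes(record):
    """Defender-side reading of the record: what it can and cannot tell us."""
    notes = []
    if record["module"].lower() == "unknown":
        # The fault address lies outside every loaded module, so the log alone cannot
        # say which component was executing; only a crash-reporter stack could.
        notes.append("fault address %s is outside every loaded module; the event log "
                     "cannot attribute the crash, a crash-reporter stack is needed"
                     % record["fault_address"])
    if record["app"] == "firefox.exe":
        notes.append("browser process crashed; check plugin versions before assuming a browser bug")
    return notes


if __name__ == "__main__":
    rec = parse_event_1000(SAMPLE_EVENT)
    print(rec["app"], rec["app_version"], rec["module"], rec["fault_address"])
    print("decoded Data block:", rec["data_ascii"])
    print("data block agrees with description:", data_matches_description(rec))
    for note in triage_notes(rec):
        print("-", note)
```

Run as a script it prints the parsed fields, the decoded Data block ("Application Failure  firefox.exe 1.9.2.3855 in unknown 0.0.0.0 at offset 5a7d30e2") and the two triage notes. The "unknown" module is the key point for this bug: the process was already executing outside any mapped module when it faulted, which is exactly why the next comment calls the record not very useful and why submitted crash-reporter IDs would have mattered.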
How up to date was the machine? Was it a personal machine where the plugins are likely to be up-to-date (or maybe not), or was it a newly imaged test machine that might have a lot of old stuff on it? This /could/ be a new Firefox 0-day, but with what we see in the wild the odds are much higher it actually was a plugin attack (flash, pdf, IE HCP attack via WMP, etc.). The information in comment 2 isn't all that useful, the process is already off executing in neverland. A stack that shows what it was doing before that point might have been a partial clue but it sounds like we're not going to get it. The page was relatively uninteresting as well. There were two ads from a 3rd party provider (ad.yieldads.com) that changed on every load. If there was a malicious ad in rotation at the time we'd never know (unless yieldads discovered it and would admit it).
The OS install was fairly new, about three months old, and up-to-date with all Microsoft patches; likewise Flash would have been upgraded to v10.1.82.76 in early September. Acrobat should also have been updated for http://www.adobe.com/support/security/bulletins/apsb10-17.html in late August. That said, yes, a plugin exploit would seem more statistically likely. It seems that whatever it was has got away this time; I don't think there's any other forensic info I could lay my hands on. Shall I close this bug?
Unfortunately I don't think we have much choice but to close this.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME