Closed Bug 647832 Opened 14 years ago Closed 14 years ago

Firefox 4 - Clicking on Images in Google Image Search Installs Virus

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

RESOLVED INVALID

People

(Reporter: b13445245, Unassigned)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0

After installing Firefox 4, I am now experiencing a security issue that I did not experience with Firefox 3. I search for images using Google Image Search and when I click on certain results, some sort of script attempts to install a malicious executable on my computer. The script managed to successfully install a malicious executable in my Temp folder and was able to launch the executable, which immediately attempted to access the Internet. Here is the executable that was installed: http://www.mediafire.com/?7vsp86rwl6b67bc

Reproducible: Always

Steps to Reproduce:
1. Go to this address: http://www.google.com/imgres?imgurl=http://3.bp.blogspot.com/_7BMB2tCkzO0/TF95ws0D20I/AAAAAAAABZE/tlxDl8om33g/s1600/invincible-youth-e38.jpg&imgrefurl=http://mileycyrusheaven.com/filmography/invincible-youth&usg=__zcttnGnX_R9_N1MWE-DAan-aIYA=&h=325&w=460&sz=51&hl=en&start=5&zoom=1&tbnid=lb4SDNUltdjmTM:&tbnh=90&tbnw=128&ei=GTObTdyXAYjGsAPGkJGXBA&prev=/search%3Fq%3Dinvincible%2Byouth%2Bmembers%26um%3D1%26hl%3Den%26safe%3Doff%26sa%3DN%26biw%3D1024%26bih%3D614%26tbm%3Disch0%2C909&um=1&itbs=1&biw=1024&bih=614

Actual Results:
A false security alert appeared and some sort of script installed a malicious executable on my computer and launched it.

Expected Results:
The false security alert should not have been able to appear. The script should not have been able to install a malicious executable on my computer.

I have the following Add-ons installed:
DownloadThemAll 2.0.1
DownloadHelper 4.8.6
Adblock Plus 1.3.5

This has occurred five times so far within the past few hours. I was not trying to view the same image each time it occurred; I was trying to view five different images listed amongst the results returned by 3 different Google searches. Each of the three searches was for images related to Korean music and television (if that's of any interest). Only one time was the script able to install a malicious executable; the other four times, I quickly shut down Firefox to interrupt the installation.

Don't bother asking me for additional info. I won't be checking up on this report.
Attaching the file uploaded to mediafire, in case it goes away.
Variant on a basic trojan file dropper; seems to evade many A-V products. According to VirusTotal, 10/42 products detect it today; the file was reported for the first time yesterday but only 4/42 detected it then.
http://www.virustotal.com/file-scan/report.html?id=8ca226cd897cb690f8ee7b5f7004bb5bd5d3bb10d0ab54d6db60b00810da9f4d-1302057779

Don't need to waste more time on that; that's a downloader installed by whatever the attack was and not the attack itself.

The image search result above loads
view-source:http://mileycyrusheaven.com/filmography/invincible-youth
which appears to be hacked, with just a <script> tag that loads
view-source:http://wxprharn.co.cc/in.cgi?2&seoref=http%3A%2F%2Fwww.google.com%2Fimgres%3Fimgurl%3Dhttp%3A%2F%2F3.bp.blogspot.com%2F_7BMB2tCkzO0%2FTF95ws0D20I%2FAAAAAAAABZE%2FtlxDl8om33g%2Fs1600%2Finvincible-youth-e38.jpg%26imgrefurl%3Dhttp%3A%2F%2Fmileycyrusheaven.com%2Ffilmography%2Finvincible-youth%26usg%3D__zcttnGnX_R9_N1MWE-DAan-aIYA%3D%26h%3D325%26w%3D460%26sz%3D51%26hl%3Den%26start%3D5%26zoom%3D1%26tbnid%3Dlb4SDNUltdjmTM%3A%26tbnh%3D90%26tbnw%3D128%26ei%3DGTObTdyXAYjGsAPGkJGXBA%26prev%3D%2Fsearch%253Fq%253Dinvincible%252Byouth%252Bmembers%2526um%253D1%2526hl%253Den%2526safe%253Doff%2526sa%253DN%2526biw%253D1024%2526bih%253D614%2526tbm%253Disch0%252C909%26um%3D1%26itbs%3D1%26biw%3D1024%26bih%3D614&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fmileycyrusheaven.com%2Ffilmography%2Finvincible-youth&default_keyword=default
which meta-refreshes to
view-source:http://www.offerssuperior.com/rl_cmprwm.php?ct=Nspm1
which 302 redirects to
view-source:http://www.directoffers4u.com/rl.php?ct=9vsEv&idr=4180&s1=102z94z1z0
which 302 redirects to
view-source:http://www.ac-tracking.com/evotrack.php?gct=4mK3SJ6oMstseVg6UgSnb15hn2.hYbvNsdRjrGz1sPI-
which 302 redirects to
view-source:http://www.planet49.us/cgi-bin/wingame.pl?partner_pk=108&wingame_pk=40&sub_id=8
... where there's some actual content.

Looks like a scam sweepstakes (spot the differences in two iPhones for a chance to win an iPhone) that's trying to gather personal info for marketing purposes. I didn't see any direct attacks. There were popunders to more ads; maybe the ads rotate? The ones I saw were tricky in that they tried to keep you in their system (redirecting to differently branded sites with identical code), but I didn't see any javascript exploit code nor any plugin content. Different, malicious, ads when you visited? Maybe I haven't sufficiently faked my referrer and the site is covering its tracks?

> Don't bother asking me for additional info.
> I won't be checking up on this report.

If that's true we're probably not going to get much further. I'll ask anyway though: what plugins do you have and what version are they? You can find this information by visiting https://www.mozilla.com/en-US/plugincheck/

> After installing Firefox 4, I am now experiencing a security issue that
> I did not experience with Firefox 3.

Is it possible that's coincidental? Have you visited those exact image search results in Firefox 3? Looks to me like the mileycyrusheaven site was hacked, and there's currently a wave of attacks against sites using a flaw in some common framework software they all use, so it might have affected other images you were looking at as well.

I should repeat this investigation using a VM that looks like your original system. Hard to believe an attacker would go to that trouble on the off chance a mileycyrus fan would fill in a fake survey instead of heading off in a huff when they didn't get the content they expected. I may have missed something, or maybe the sites detected things about the tools I was using to load the site that made them serve alternate content.
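The hop-by-hop tracing described in the comment above (a script include on the hacked page, a meta refresh, then chained 302s) as an added Python example that is not part of this bug or of Mozilla's tooling: it follows each kind of hop over constructed, offline responses with placeholder hostnames, passes the previous URL along as the Referer a real fetcher would send (the in.cgi redirector clearly keys on it), and stops at a dead end, a loop, or a hop limit. `fake_fetch`, `FAKE_RESPONSES` and `trace_chain` are names chosen here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed offline stand-in for live fetches: url -> (status, headers, body). Placeholder hosts only.
FAKE_RESPONSES = {
    "http://compromised.example/page": (200, {}, '<html><script src="http://tds.example/in.cgi?2"></script></html>'),
    "http://tds.example/in.cgi?2": (200, {}, '<meta http-equiv="refresh" content="0;URL=http://offers-a.example/rl.php">'),
    "http://offers-a.example/rl.php": (302, {"Location": "http://offers-b.example/rl.php?idr=1"}, ""),
    "http://offers-b.example/rl.php?idr=1": (302, {"Location": "/landing.html"}, ""),
    "http://offers-b.example/landing.html": (200, {}, "<html>Spot the difference and win!</html>"),
}

def fake_fetch(url, referer=None):
    """Stand-in for HTTP GET; a real fetcher should send `referer` as the Referer header, since redirectors key on it."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))

class _HopFinder(HTMLParser):
    """Collect the meta-refresh target and <script src> URLs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.refresh, self.scripts = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            self.refresh = m.group(1) if m else None
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

def trace_chain(start, fetch=fake_fetch, max_hops=10):
    """Follow 3xx Location headers, meta refreshes and the first off-site script load; return [(url, how_reached), ...]."""
    chain, seen, url, referer = [(start, "start")], {start}, start, None
    for _ in range(max_hops):
        status, headers, body = fetch(url, referer)
        if 300 <= status < 400 and headers.get("Location"):
            nxt, kind = urljoin(url, headers["Location"]), str(status)
        else:
            f = _HopFinder(); f.feed(body)
            offsite = [urljoin(url, s) for s in f.scripts if urlsplit(urljoin(url, s)).netloc != urlsplit(url).netloc]
            nxt, kind = ((urljoin(url, f.refresh), "meta-refresh") if f.refresh
                         else (offsite[0], "script") if offsite else (None, None))
        if nxt is None:
            break  # dead end: real content, or a fetch failure
        chain.append((nxt, "loop" if nxt in seen else kind))
        if nxt in seen:
            break  # redirector bouncing between its own hosts
        seen.add(nxt); referer, url = url, nxt
    return chain
```

Printing the returned chain reproduces the "X loads Y which meta-refreshes to Z which 302 redirects to ..." record above, with the hop type recorded at each step.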
Tomcat: is this one you can try in a Windows XP VM for me?
(In reply to comment #3)
> Tomcat: is this one you can try in a Windows XP VM for me?

Yeah, will do, Dan!
OK, here we go. The file that raised the virus alert is this here: http://jokerblog.info/1TF19jb

Loading this via the URL from comment 0, or this URL directly, triggers a virus alert in my scanner, identified as Win32/Kryptik.MOF Trojan Variant. Seems this tried to load C:\Program Files\Java\jre6\bin\java.exe

Virus alert via IE, Firefox 4 and Firefox 3.6 when I load http://jokerblog.info/1TF19jb

Please note that it is the HTML source of the site that triggers the virus alert, so be careful when running this as HTML.
There are two malicious-looking bits of that page. The Java applet is obvious and was caught by Tomcat's virus scanner. I am sure this is what infected Kim (the reporter).

There was also a chunk of obfuscated javascript. When expanded it tries to decrypt the contents of the "meego_dc#" <input> elements into a new script and presumably run that. However several of the required chunks are missing (meego_dc3, meego_dc4, meego_dc18, and meego_dc19). When it can't find the right element the script dies, so whatever it was trying to do can't hurt you.

To see if your Java is out of date please visit https://www.mozilla.com/en-US/plugincheck/ or www.java.com
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Group: core-security