Closed Bug 658901 - Opened 13 years ago, Closed 13 years ago
Malicious webpage loads malware when loaded
Categories: Firefox :: Security, defect
Status: RESOLVED WORKSFORME
People: Reporter: frank.drebin68, Unassigned
References: Blocks 1 open bug
Details
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

A malicious webpage can install malware when visited. I retrieved the malicious webpage and it's a large javascript script. It may be loading vulnerabilities in addons/extensions/plugins, but I cannot decipher the code. When I encountered the malicious website, it installed the malware "MS-Removal Tool." It makes applications unbootable and gives numerous warnings about infections and directs the user to upgrade "MS-Removal Tool" in order to remove the infection (itself).

The malicious code was contained in the URL abcabriotras.THIS_WEBSITE_MAY_LOAD_MALWARE.co.cc/1940a2b0030fa05f/sa1/2 (remove warning to get real URL).

Reproducible: Always

Steps to Reproduce:
1. Visit website with malicious code.
Comment 1•13 years ago
The page is currently blank. It appears (http://blogs.msdn.com/b/securitytipstalk/archive/2011/05/06/fraud-alert-ms-removal-tool.aspx) that this is a scam that convinces users to download and run the executable which then infects the pc. Did you download and run anything in response to an alert about a virus scan?
Reporter
Comment 2•13 years ago
I promise that this was a successful malware infection from only visiting a webpage (okay, I also clicked a popup that appeared, but it was not the browser's run/save prompt). I was infected because I went to google images, typed in "desert eagle 357 magnum" (no quotes), went to the 17th image, which is of a desert eagle on its side with bullets scattered near it, and linked to timmersgems.com. Once clicking the link I got a "you may be infected" type webpage, which included a scan progress type graphic and various warnings about viruses. I immediately recognized the scam and attempted to close the page and got a modal popup that said something about being sure I wanted to leave (I had to click OK/cancel to leave, but I did not save/run/execute any executables). I was then infected and my computer was mostly useless until I did a system restore. I went back to the website with javascript disabled and found the malicious javascript I linked to in my bug post. I can include it, but it's a monster 200KB and apparently dangerous, so I linked it instead of including it. One of the difficulties of this malware is the company previously made a big push, and various anti-malware apps caught its definitions. However, based upon the dates of those definitions, and the fact that those programs could not clean the infection, I suspect the "company" has come out with a new push, but people seem to think it's the old issue.
Reporter
Comment 3•13 years ago
Okay, I may owe an apology. I checked my flash plugin and I was running 10.2.152.32, which I upgraded to 10.3.181.14. Now, the same page loads the same "you may be infected" type page, but instead of the modal popup and subsequent infection, I get the browser's download prompt for the executable. I suspect when I clicked "ok/cancel" on the popup, it might have been malicious/exploitable flash. So, I don't know if Firefox tries to block these types of attacks, but if not, then I imagine this bug can be closed.
Comment 4•13 years ago
Good that you updated Flash. I was just about to ask. Please visit http://www.mozilla.com/en-US/plugincheck/ and make sure that everything is up to date. Java in particular should be at Java 6 update 25 in order to be safe. Please let us know if any of your other plugins are marked out of date. If you don't mind, go to Help, then Troubleshooting information, click the copy to clipboard button, then paste the results here. Thanks.
Updated•13 years ago
Blocks: malware-attacks
Reporter
Comment 5•13 years ago
I updated Java as well, but I did not catch the previous version. However, I checked System Restore and see that I updated Java on April 22nd, and update 25 was released on the 21st. However, Java apparently updated when I clicked update, so I must have still been running 24. The only other plugin I use is Silverlight, which I installed the other day. I don't use any toolbars or anything like that.

Application Basics
  Name: Firefox
  Version: 4.0.1
  User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
  Profile Directory: Open Containing Folder
  Enabled Plugins: about:plugins
  Build Configuration: about:buildconfig

Extensions (Name / Version / Enabled / ID)
  XJZ Survey Remover / 2.0.2 / false / survey-remover@gmx.com
  Java Console / 6.0.22 / true / {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
  Java Console / 6.0.25 / true / {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

Modified Preferences (Name / Value)
  accessibility.typeaheadfind.flashBar / 0
  browser.history_expire_days.mirror / 180
  browser.places.importBookmarksHTML / false
  browser.places.smartBookmarksVersion / 2
  browser.startup.homepage_override.buildID / 20110413222027
  browser.startup.homepage_override.mstone / rv:2.0.1
  browser.tabs.warnOnClose / false
  extensions.lastAppVersion / 4.0.1
  network.cookie.prefsMigrated / true
  places.database.lastMaintenance / 1306093488
  places.history.expiration.transient_current_max_pages / 48270
  places.last_vacuum / 1302966361
  privacy.sanitize.migrateFx3Prefs / true
  security.warn_viewing_mixed / false

Graphics
  Adapter Description: NVIDIA GeForce 9800 GT (Microsoft Corporation - WDDM v1.1)
  Vendor ID: 10de
  Device ID: 0605
  Adapter RAM: 1024
  Adapter Drivers: nvd3dumx,nvd3dum nvwgf2umx, nvwgf2um
  Driver Version: 8.15.11.8593
  Driver Date: 5-14-2009
  Direct2D Enabled: Blocked on your graphics driver. Try updating your graphics driver to version 257.21 or newer.
  DirectWrite Enabled: false (6.1.7600.16763, font cache n/a)
  WebGL Renderer: (WebGL unavailable)
  GPU Accelerated Windows: 0/5
Comment 6•13 years ago
Ok. Using a fully patched machine I did the image search and restricted it to timmersgems.com, then clicked on an image. I got the scam security alert followed by the fake scan and a dialog to download freessytemscan.exe. Opening up and marking works for me.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME