Closed Bug 658901 Opened 13 years ago Closed 13 years ago

Malicious webpage loads malware when loaded

Categories: Firefox :: Security, defect
Platform: x86, Windows 7
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: frank.drebin68; Assignee: Unassigned
References: Blocks 1 open bug

Details

User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

A malicious webpage can install malware when visited. I retrieved the malicious webpage and it's a large JavaScript script. It may be loading vulnerabilities in add-ons/extensions/plugins, but I cannot decipher the code.

When I encountered the malicious website, it installed the malware "MS-Removal Tool." It makes applications unbootable and gives numerous warnings about infections and directs the user to upgrade "MS-Removal Tool" in order to remove the infection (itself). The malicious code was contained in the URL abcabriotras.THIS_WEBSITE_MAY_LOAD_MALWARE.co.cc/1940a2b0030fa05f/sa1/2 (remove warning to get real URL).

Reproducible: Always

Steps to Reproduce:
1. Visit website with malicious code.
The page is currently blank.

It appears (http://blogs.msdn.com/b/securitytipstalk/archive/2011/05/06/fraud-alert-ms-removal-tool.aspx) that this is a scam that convinces users to download and run the executable, which then infects the PC.

Did you download and run anything in response to an alert about a virus scan?
I promise that this was a successful malware infection from only visiting a webpage (okay, I also clicked a popup that appeared, but it was not the browser's run/save prompt).

I was infected because I went to Google Images, typed in "desert eagle 357 magnum" (no quotes), went to the 17th image, which is of a desert eagle on its side with bullets scattered near it, and linked to timmersgems.com. Once clicking the link I got a "you may be infected" type webpage, which included a scan progress type graphic and various warnings about viruses. I immediately recognized the scam and attempted to close the page and got a modal popup that said something about being sure I wanted to leave (I had to click OK/cancel to leave, but I did not save/run/execute any executables). I was then infected and my computer was mostly useless until I did a system restore.

I went back to the website with JavaScript disabled and found the malicious JavaScript I linked to in my bug post. I can include it, but it's a monster 200KB and apparently dangerous, so I linked it instead of including it.

One of the difficulties of this malware is that the company previously made a big push, and various anti-malware apps caught its definitions. However, based upon the dates of those definitions, and the fact that those programs could not clean the infection, I suspect the "company" has come out with a new push, but people seem to think it's the old issue.

Okay, I may owe an apology. I checked my Flash plugin and I was running 10.2.152.32, which I upgraded to 10.3.181.14. Now, the same page loads the same "you may be infected" type page, but instead of the modal popup and subsequent infection, I get the browser's download prompt for the executable. I suspect when I clicked "OK/cancel" on the popup, it might have been malicious/exploitable Flash. So, I don't know if Firefox tries to block these types of attacks, but if not, then I imagine this bug can be closed.
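As an added example (not code from this bug, from Mozilla, or from the malicious page itself), the script below scores a page's source on the scareware indicators the reporter describes above: an infection warning, a fake scan widget, an onbeforeunload "are you sure you want to leave" trap, and a quoted .exe download target. The two sample pages, the indicator names and the weights are constructed for illustration; a real 200KB obfuscated script would need deobfuscation before a scan like this yields much.

```javascript
'use strict';

// Added example, not from the bug report or the malicious page: a heuristic
// scanner for the fake-AV / scareware page pattern described in this bug.
// Indicator names and weights are constructed for illustration.
const INDICATORS = [
  // A leave-trap that shows the browser's modal "are you sure?" dialog.
  { name: 'beforeunload_trap', weight: 3,
    re: /onbeforeunload|addEventListener\(\s*['"]beforeunload['"]/i },
  // "Your computer may be infected" style warnings.
  { name: 'infection_warning', weight: 2,
    re: /(your\s+(computer|pc|system)\s+(may\s+be|is)\s+infected|viruses?\s+(found|detected))/i },
  // A fake scan-progress widget.
  { name: 'fake_scan_ui', weight: 2,
    re: /(scan(ning)?\s+(progress|in\s+progress|complete)|progress[-_ ]?bar)/i },
  // A quoted .exe target (download link, redirect or window.open).
  { name: 'exe_download', weight: 3,
    re: /['"][^'"\s]*\.exe['"]/i },
  // Common obfuscation primitives seen in such payloads.
  { name: 'heavy_obfuscation', weight: 1,
    re: /(unescape\(|String\.fromCharCode\(|eval\()/i },
];

// Returns the matched indicators, a weighted score and a verdict.
// The threshold of 5 is an assumed value, not a calibrated one.
function scanPage(html) {
  const matched = INDICATORS.filter(ind => ind.re.test(html));
  const hits = matched.map(ind => ind.name);
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, hits, verdict: score >= 5 ? 'likely-scareware' : 'clean' };
}

// Constructed sample: a scareware landing page of the kind reported above.
const SAMPLE_SCAREWARE = `
<html><body onbeforeunload="return 'Are you sure you want to leave? Your PC may be infected!';">
<h1>Warning! Your computer may be infected!</h1>
<div id="progressbar">Scanning in progress...</div>
<script>
  setTimeout(function () { window.location.href = "http://example.invalid/freesystemscan.exe"; }, 3000);
</script></body></html>`;

// Constructed sample: an ordinary shop page with a harmless download link.
const SAMPLE_BENIGN = `
<html><body><h1>Gem catalogue</h1><p>Desert jasper, agate, and more.</p>
<a href="/catalogue.pdf">Download our catalogue (PDF)</a></body></html>`;

for (const [label, html] of [['scareware', SAMPLE_SCAREWARE], ['benign', SAMPLE_BENIGN]]) {
  const r = scanPage(html);
  console.log(`${label}: ${r.verdict} (score ${r.score}; hits: ${r.hits.join(', ') || 'none'})`);
}
```

Run it with Node on a saved copy of a suspect page's HTML (read the file into a string and pass it to scanPage). The indicators are deliberately coarse: the point is to separate the social-engineering page, which can only nag and offer a download, from a page that would need a plugin exploit to run anything without the browser's own save/run prompt.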
Good that you updated Flash. I was just about to ask. Please visit http://www.mozilla.com/en-US/plugincheck/ and make sure that everything is up to date. Java in particular should be at Java 6 update 25 in order to be safe. Please let us know if any of your other plugins are marked out of date. 

If you don't mind, go to Help, then Troubleshooting information, click the copy to clipboard button, then paste the results here.

Thanks.
I updated Java as well, but I did not catch the previous version. However, I checked System Restore and see that I updated Java on April 22nd, and update 25 was released on the 21st. However, Java apparently updated when I clicked update, so I must have still been running 24.

The only other plugin I use is Silverlight, which I installed the other day. I don't use any toolbars or anything like that.

  Application Basics

        Name: Firefox
        Version: 4.0.1
        User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
        Profile Directory:
        Enabled Plugins: about:plugins
        Build Configuration: about:buildconfig

  Extensions

        Name                 Version   Enabled   ID
        XJZ Survey Remover   2.0.2     false     survey-remover@gmx.com
        Java Console         6.0.22    true      {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
        Java Console         6.0.25    true      {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

  Modified Preferences

        Name                                                     Value
        accessibility.typeaheadfind.flashBar                     0
        browser.history_expire_days.mirror                       180
        browser.places.importBookmarksHTML                       false
        browser.places.smartBookmarksVersion                     2
        browser.startup.homepage_override.buildID                20110413222027
        browser.startup.homepage_override.mstone                 rv:2.0.1
        browser.tabs.warnOnClose                                 false
        extensions.lastAppVersion                                4.0.1
        network.cookie.prefsMigrated                             true
        places.database.lastMaintenance                          1306093488
        places.history.expiration.transient_current_max_pages    48270
        places.last_vacuum                                       1302966361
        privacy.sanitize.migrateFx3Prefs                         true
        security.warn_viewing_mixed                              false

  Graphics

        Adapter Description: NVIDIA GeForce 9800 GT (Microsoft Corporation - WDDM v1.1)
        Vendor ID: 10de
        Device ID: 0605
        Adapter RAM: 1024
        Adapter Drivers: nvd3dumx,nvd3dum nvwgf2umx, nvwgf2um
        Driver Version: 8.15.11.8593
        Driver Date: 5-14-2009
        Direct2D Enabled: Blocked on your graphics driver. Try updating your graphics driver to version 257.21 or newer.
        DirectWrite Enabled: false (6.1.7600.16763, font cache n/a)
        WebGL Renderer: (WebGL unavailable)
        GPU Accelerated Windows: 0/5
OK. Using a fully patched machine I did the image search and restricted it to timmersgems.com, then clicked on an image. I got the scam security alert followed by the fake scan and a dialog to download freessytemscan.exe.

Opening up and marking works for me.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME