Security issue: The web site "http://a9zlg.ru/adser" installed malicious programs on my hard disk without permission.

RESOLVED WONTFIX

People: Reporter FreeBraine; Unassigned

Tracking: 9 Branch, x86, Windows 7; Firefox Tracking Flags: not tracked

Details

Description (Reporter, 7 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Build ID: 20111220165912

Steps to reproduce:

I was routed to the web site "http://a9zlg.ru/adser", then to "http://a9zlg.ru/404.php".

Actual results:

2 Java applets appear to have been run, and 2 ".exe" files were saved under my "C:\Users\id\Roaming" directory (one in the Macromedia folder under Roaming). All running programs were terminated, including Firefox, and a mock scan program called "isecurity.exe" was initiated. It would allow me to start nothing but Windows Explorer.

Expected results:

Nothing. Firefox should have asked me before installing anything on my hard disk.
Updated (Reporter, 7 years ago)
Component: Untriaged → Security

Comment 1 (7 years ago)
Which Java version and which Flash version do you have installed?
Enter about:plugins in Firefox as the URL to get a list of installed plugins.
Note: This doesn't look like a Firefox bug if they used a security hole in a third-party plugin.
QA Contact: untriaged → firefox
Comment 2 (Reporter, 7 years ago)
Flash 11.0.1.102.55, Java 6.0.260.3

Bad news: "a9zlg.ru/adser" is no longer a valid web site; I was hoping to set this up as a repeatable failure. I'm not entirely certain I got the right web location, but what was in my Firefox History is very close to the URL I saw in the location bar. This makes me wonder if the malicious software can modify Firefox History (in which case, why not delete it entirely!?) or the web site goes off the air as soon as it finds a victim and comes up as another web site, waiting for another victim.

I agree, if the hole was in the Flash Player then it belongs to Adobe, not Firefox, but I do not yet have the knowledge to make that call, only the fact that one of the two ".exe" files was found in the Flash Player directories of the AppData folder. Is that enough to convict the Flash Player as the culprit?

I got nailed by a different web site 3 weeks ago, which stored its two ".exe" files directly in "..\AppData\Local", so that doesn't seem likely to be the Flash Player. The site that got me is forcing me to rebuild my system, but before I do I've been searching the web for the site again; unfortunately I didn't have any tracks I could follow back to the problem site. I thought I had a shot at one of these S.O.B.s last night, but without repeatability, I'm afraid this is another dead end.

The mechanism being used to fish for victims is to use web sites that have hotspots that route users randomly to either the advertised page or an arbitrary page (for which the 1st site probably gets paid). In this situation there is no way to know the ultimate destination until you have been routed to the location.

So it is back to the drawing board with what I've learned, to see if I find something more definite next time. If anyone with knowledge of Firefox and plugins can give me some pointers on how to determine the weakness being exploited, I'm all ears.

My other objective in hunting for these malicious web sites is to learn how to better set the security of my PC to reduce my risk. I know a lot more than I did 3 weeks ago, and I'm pretty certain the attack from "a9zlg.ru/adser" did no damage whatsoever, other than to make the ID on my PC unusable for about 10 minutes.
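As an added example that is not part of the bug report, the following Python check covers the kind of drop described in the description and in Comment 2: executables that appeared under the per-user AppData trees within the last few minutes. It runs against a constructed directory tree (the paths, file names and timestamps are made up to mirror the report; "isecurity.exe" is the name the reporter gave), so it works offline; on a real Windows 7 machine the roots would be %APPDATA% (Roaming) and %LOCALAPPDATA%.

```python
import os
import tempfile
import time
from pathlib import Path

# Added example, not code from the bug thread. Lists executables modified
# within a time window under the given roots, newest first.


def find_recent_executables(roots, max_age_seconds, now=None,
                            suffixes=(".exe", ".dll", ".scr")):
    """Return (path, age_seconds) for matching files modified within
    max_age_seconds, sorted with the freshest drop first."""
    now = time.time() if now is None else now
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(suffixes):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    age = now - os.stat(path).st_mtime
                except OSError:          # file vanished or unreadable; skip it
                    continue
                if 0 <= age <= max_age_seconds:
                    hits.append((path, age))
    hits.sort(key=lambda hit: hit[1])
    return hits


def build_sample_tree():
    """Constructed AppData-like tree (assumption for this example): two fresh
    drops in the places the reporter named, plus an old binary that should
    not be flagged. Returns the two roots to scan."""
    base = Path(tempfile.mkdtemp())
    roaming = base / "Roaming"
    local = base / "Local"
    fresh = [roaming / "Macromedia" / "Flash Player" / "isecurity.exe",
             local / "Temp" / "update.exe"]
    old = local / "Vendor" / "helper.exe"
    for f in fresh + [old]:
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"MZ")             # a PE header stub is enough for the walk
    month_ago = time.time() - 30 * 24 * 3600
    os.utime(old, (month_ago, month_ago))
    return [str(roaming), str(local)]


def triage(max_age_minutes=15):
    """Build the sample tree and return the base names of fresh executables."""
    roots = build_sample_tree()
    return [os.path.basename(p)
            for p, _age in find_recent_executables(roots, max_age_minutes * 60)]


if __name__ == "__main__":
    for name in triage():
        print(name)
```

The window is keyed on modification time, which the dropper itself can rewrite, so treat an empty result as inconclusive and cross-check against NTFS creation timestamps and Prefetch entries; and, as the reporter found, collect this before the rebuild, because nothing survives it.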
Comment 3 (7 years ago)
Can you please open http://www.mozilla.org/en-US/plugincheck/. This site should check your installed plugins.
I have Flash 11.1.102.55 and Java Version: 6.0.300.12

There is not much we could do without the original website that did this. It's unlikely that this website used an unknown exploit; in most cases they use older plugins with known security holes. Older and unpatched versions of the Adobe Flash Player, Java or the Adobe Reader plugin are usually the entry doors to infect a system.
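An added example, not code from the thread or from Mozilla's plugin check, showing the comparison behind this comment's advice: plugin version strings from about:plugins have to be compared component by component as integers, not as text. The baseline is simply the two versions the commenter reports having installed, which is an assumption made for the example and not a statement of which versions were patched; the plugin names used as keys are also placeholders.

```python
import re

# Added example, not from the bug thread. The baseline below is what the
# commenter in Comment 3 reported having installed; it is an assumption for
# this example, not a list of patched versions. Keys are placeholders, not
# the exact names about:plugins prints.
BASELINE = {
    "Flash": "11.1.102.55",
    "Java": "6.0.300.12",
}

# Constructed input: the reporter's versions from Comment 2.
REPORTER = {
    "Flash": "11.0.1.102.55",
    "Java": "6.0.260.3",
}


def parse_version(text):
    """Turn '11.0.1.102.55' into (11, 0, 1, 102, 55); any non-numeric
    decoration (build tags, spaces) is ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1 if a < b, 0 if equal, 1 if a > b. The shorter tuple is padded
    with zeros so '11.1' and '11.1.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def outdated_plugins(installed, baseline=BASELINE):
    """Return the installed plugins whose version is below the baseline."""
    return {name: ver for name, ver in installed.items()
            if name in baseline and compare_versions(ver, baseline[name]) < 0}


if __name__ == "__main__":
    for name, ver in outdated_plugins(REPORTER).items():
        print(f"{name}: {ver} is older than baseline {BASELINE[name]}")
```

The zero-padding and the integer conversion are the two points that a naive string comparison gets wrong: "6.0.30.0" sorts after "6.0.260.3" as text but is the older release.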
Comment 4 (Reporter, 7 years ago)
No can do.  Since it is not repeatable, I've had to temporarily abandon my efforts to get enough information to find a fix and have begun to rebuild my PC.  If I get something more definitive next time, I'll start another post if needed.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX