Open Bug 947564 Opened 11 years ago Updated 7 years ago

Fake Firefox installation file discovered in local community website

Categories: Websites :: Other
Type: defect; Priority: Not set; Severity: critical
Tracking: Not tracked
People: Reporter: othree, Assigned: jeff
Attachments: 1 file

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:
Taiwan's community website[1] has been hacked, and the Firefox installation file's link leads to a fake file[2]. Not a site owned by Mozilla. The site has gone back to normal now, but some follow-up is needed to prevent any other similar issue. Sorry if I assigned this issue to an improper product; it is hard to find a proper location for this issue.

[1]: http://moztw.org
[2]: http://download-installer.cdn.mozil1a.org/pub/firefox/releases/25.0.1/win32/zh-TW/Firefox%20Setup%2025.0.1.exe

Actual results:
If users download the Firefox installation file, they will get a fake file from an unknown source.

Expected results:
Users should get the file from ftp.mozilla.org.

Sorry, I think the point is not clear. I think someone is using Firefox's name to do bad things. I want to report this to Mozilla so that Mozilla can take the necessary actions, e.g. report malware, trace the source, etc.

Already reported to Google's malware report page[1].
[1]: http://www.google.com/safebrowsing/report_badware/
Reported trademark abuse to legal team. Also included this bug in the report.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hi, we've already looked into the local server and taken down the problem link. I believe that maybe some security people can do an analysis of the fake Firefox installer, or someone may like to do a global check of all community-powered websites, to see if any others have also been hacked and link to the same fake Firefox installer.
Severity: normal → critical
Flags: needinfo?(security)
Hi Security team, since we can't estimate the impact yet, please help:

1) Define the scope. We only redirect links to mozilla.org, so we want to see when the HTTP referer from http://moztw.org/firefox/download/latest-win.html in download.mozilla.org dropped, and from that when this happened, to identify the affected amount.

2) How to tell users? If many were affected, how should we tell users? (Say, have a notice on the first-run page if the affected amount were large, or simply an announcement and a malware removal how-to if it was reverted in no more than a day.)

About the scope, we can only be sure that the link was correct before Oct. 16, and it is hard to determine when it was changed to point to the wrong file, since the access log had all suspicious items wiped out. So if someone can help us check when the referrals dropped at download.mozilla.org, maybe we can narrow down the estimated impact to a more accurate timespan.

Hi, we've done the following things today:

* A full vulnerability scan and analysis of the moztw.org webserver; cleaned out several backdoors.
* A behavioral analysis of the fake Firefox installation file and a sandbox test. We came up with a process to remove the backdoor which the fake Firefox installs, and we made a small handy .bat script for users to clean it.
* A post on the front page of MozTW.org and the MozTW forum, announcing the problem and possible resolving steps to users.

We would still like to know *when* the download referrals from MozTW.org to download.mozilla.org (of the zh-TW win installer) decreased dramatically, because we still find it hard to determine the date when the download link was replaced, and the number of users affected.

We've left some analysis info on this MoPad: https://etherpad.mozilla.org/malware-framework and our announcement article is here: http://forum.moztw.org/viewtopic.php?f=7&t=40687 (both in Chinese)
Setting needinfo from some OpSec folks for their advice on incident response. Have also cc'ed dveditz for his thoughts.
Flags: needinfo?(mpurzynski)
Flags: needinfo?(mhenry)
Flags: needinfo?(gdestuynder)
(In reply to othree (MozTW) from comment #0)
> [2]:
> http://download-installer.cdn.mozil1a.org/pub/firefox/releases/25.0.1/win32/
> zh-TW/Firefox%20Setup%2025.0.1.exe

In case someone wonders as I did at first, "How did they get a fake file on our cdn?", that's mozil-one-a.org. In the bugzilla font on my computer it's nearly indistinguishable from mozilla, but maybe others won't have the same problems (it was obvious once I had pasted that link somewhere else).

mozil1a.org
-------------
Domain ID: D170179003-LROR
Domain Name: MOZIL1A.ORG
Created On: 15-Nov-2013 07:56:40 UTC
Last Updated On: 15-Nov-2013 07:56:42 UTC
Expiration Date: 15-Nov-2014 07:56:40 UTC
Sponsoring Registrar: eNom, Inc. (R39-LROR)
Registrant ID: 01c2dac56f8ba951
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street1: P.O. Box 0823-03411
Registrant Street2:
Registrant Street3:
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: NA
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext.:
Registrant FAX: +51.17057182
Registrant FAX Ext.:
Registrant Email: 4494c064d94042d7825da58a149d6bc4.protect@whoisguard.com

For reference also: since the creation date is 15-Nov-2013 07:56:40 UTC, it's likely that this is the date when moztw started linking to this site as well.
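The lookalike domain noted above is the kind of thing a community site can catch by auditing its own download page. The following Python script is an added example, not the bug's or MozTW's own tooling: it checks every absolute link on a page against an allowlist of installer hosts and folds digit/letter confusables so that mozil1a.org is reported as an imitation of mozilla.org. The allowlist, the confusable table and the sample HTML are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts an installer link on a community page is allowed to point at
# (assumed allowlist; the bug names ftp/download.mozilla.org as legitimate).
ALLOWED_HOSTS = {"download.mozilla.org", "ftp.mozilla.org"}

# Characters that render almost identically to a letter in many fonts.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l", "5": "s", "3": "e"})

def canonical(host: str) -> str:
    """Lower-case the host and fold digit/letter lookalikes and 'rn' -> 'm'."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m")

def registrable(host: str) -> str:
    """Last two labels of a host (enough for .org/.com; no PSL lookup here)."""
    return ".".join(host.lower().split(".")[-2:])

def classify(url: str) -> str:
    """'ok' for an allowlisted host, 'lookalike:<domain>' when the registrable
    domain folds to an allowlisted one, otherwise 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return "ok"
    for good in ALLOWED_HOSTS:
        if host and canonical(registrable(host)) == canonical(registrable(good)):
            return "lookalike:" + registrable(good)
    return "unknown"

HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def audit_page(html: str) -> list:
    """Return (url, verdict) for every absolute link that is not allowlisted."""
    findings = []
    for url in HREF_RE.findall(html):
        if not url.lower().startswith(("http://", "https://")):
            continue  # relative links stay on the community site itself
        verdict = classify(url)
        if verdict != "ok":
            findings.append((url, verdict))
    return findings

# Constructed download page: one genuine link, the fake link quoted in the
# bug, and a relative link to the site's own forum.
FAKE_URL = ("http://download-installer.cdn.mozil1a.org/pub/firefox/releases/"
            "25.0.1/win32/zh-TW/Firefox%20Setup%2025.0.1.exe")
SAMPLE_HTML = f"""<a href="https://download.mozilla.org/?product=firefox-25.0.1&os=win&lang=zh-TW">Firefox</a>
<a href="{FAKE_URL}">Firefox Setup 25.0.1.exe</a>
<a href="/forum/">Forum</a>"""
```

Running `audit_page(SAMPLE_HTML)` returns only the fake link, tagged `lookalike:mozilla.org`; a hit of that kind on a page that should only link to mozilla.org is the signal to investigate the server.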
Flags: needinfo?(gdestuynder)
Hi, we've narrowed down the predicted malware online time span to Nov/27 to noon of Dec/7. We suspect the download link was changed on Dec/5, but still don't have enough proof for that. This is the current discovery of this incident:

2013-11-15 Cracker got the privilege of the server through a weak point and a leaked account from the phpBB forum
2013-11-15 mozil1a.org registered
2013-11-25~26 suspected malware creation time
2013-11-28 malware (Firefox Setup 25.0.1.exe) captured by a security company's protection system
2013-12-01 mozil1a.org domain pointed to 108.61.31.194
2013-12-02 FrameWork.exe/MainExe.exe captured on the internet
2013-12-04 Firefox Setup 25.0.1.exe captured on the internet; detected queries to the download-installer.cdn.mozil1a.org domain begin
2013-12-05 we have some error access log entries for /download-installer.cdn.mozil1a.org/pub/firefox/releases/25.0.1/win32/zh-TW/Firefox%20Setup%2025.0.1.exe on the server; this is the suspected link replacement time (with little evidence).
2013-12-07 12:12 user reported the problem to the moztw mailing list
2013-12-07 12:42 link to malware taken down
12-07~08 we had many friends from security backgrounds helping us do multiple analyses of our server
2013-12-08 03:47 The announcement of the incident and malware cleaning tools posted to moztw.org

We're still doing analysis on the logs, and hope to have a clearer understanding of how the cracker got the privilege of the server, and when the malware link was replaced on the website.
Flags: needinfo?(mpurzynski)
Assignee: nobody → jbryner
Flags: needinfo?(security)
Flags: needinfo?(mhenry)
I've contacted the registrar and the company hosting the IP address to let them know of the incident and request any assistance they can offer. I'll see what I can do to determine any change over time in the download referral from MozTW.org to download.mozilla.org. Let me know if I can help in any other way.
Status: NEW → ASSIGNED
Thanks to the metrics team it looks like 12/4 through 12/6 are the key dates:

downloads with referrer '%moztw.org%'
2013-11-28  2355
2013-11-29  1983
2013-11-30  3817
2013-12-01  3756
2013-12-02  2646
2013-12-03  1038
2013-12-04   560
2013-12-05   532
2013-12-06   521
2013-12-07  3498
2013-12-08  3967

> downloads with referrer '%moztw.org%'

fwiw, that's 24,773 downloads, or ~25k in the affected time range.
According to Google Analytics, we have about 16k downloads during 12-04 ~ 12-06 -- just FYI
I've asked our U.S. trademark counsel to look into this.
It looks like mozil1a.org is down as is the ftp site. Did anyone check out the download that was being distributed by the hackers? We're wondering whether it contained malware.
https://bugzilla.mozilla.org/show_bug.cgi?id=947564#c7 appears to indicate the installer left behind a backdoor for those who used it to install firefox.
This is the fake installer. https://www.dropbox.com/s/xvabmp1vy16sl8r/Firefox%20Setup%2025.0.1.exe !! Don't install it outside a sandbox environment !! Yes, it contains malware.
What we know so far about the fake installer:

# Once executed, it extracts to FrameWork.exe, setup.exe and MainEv1.0.3.1.rar. setup.exe is the real Firefox installer, MainEv.rar is a Trojan; MainEv fetches the updated version of FrameWork.exe and executes it.
* We've got a Cuckoo report of the whole install process: https://bugzilla.mozilla.org/attachment.cgi?id=8350489
* And a VirusTotal scan report of MainEv1.0.3.1.rar: https://www.virustotal.com/en/file/04a5b762a8074543b05af6fa914d1b29820c66d14012e1e222e0db9c07b2e002/analysis/1386412616/

# The net activity of FrameWork.exe via ports 80 & 443:
209.236.114.105:443
209.236.114.105:80

URL: http://www.firmday.com:443/a123o/Post.aspx
TYPE: POST
USER AGENT: None

URL: http://www.firmday.com:443/a123o/Get.aspx?s=078BF9FF-000206D700000000-00000000-0800273cb533
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0)

Content SQR POST http://www.firmday.com/a123o/post.aspx
s1 : [base64 payload omitted]
s2 : 1FEBFBFF-000206A700000000-00000000-000c29b1b73f

Content SQR
s1 : [base64 payload omitted]
s2 : 1FEBFBFF-000206A700000000-00000000-000c29b1b73f

Content SQR http://www.firmday.com/a123o/post.aspx
Status: ASSIGNED → NEW
Thanks for the analysis. I'm in discussions with law enforcement to see if they are interested in this.
Hi Jeff - any interest from law enforcement?
Yes, working with the local agent and awaiting his availability.
Hi Jeff, may I ask what the law enforcement / local agent is being used for? Is it for the registration of mozil1a.org?
Yes the registration of the site and distribution of malware. I've sent him your analysis and a copy of the malware and he is going to see if he can make a case to pursue it.
@Jeff, understood, thanks!
Hi Jeff, any update?