Bug 947564
Opened 11 years ago
Updated 7 years ago
Fake Firefox installation file discovered in local community website
Categories: Websites :: Other, defect
Tracking: Not tracked
Status: NEW
People: Reporter: othree, Assigned: jeff
Attachments (1 file): 1019.89 KB, image/png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Steps to reproduce:
Taiwan's community website[1] has been hacked.
And the Firefox installation file's link leads to a fake file[2].
Not a site owned by Mozilla.
The site is back to normal now, but some follow-up is needed to prevent any other similar issue.
Sorry if I assigned this issue to an improper product. It was hard to find a proper location for this issue.
[1]: http://moztw.org
[2]: http://download-installer.cdn.mozil1a.org/pub/firefox/releases/25.0.1/win32/zh-TW/Firefox%20Setup%2025.0.1.exe
Actual results:
If users download the Firefox installation file, they will get a fake file from an unknown source.
Expected results:
User should get file from ftp.mozilla.org
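The expected result above, getting the genuine file from ftp.mozilla.org, is something a careful downloader can check: Mozilla publishes checksum listings with detached signatures in each release directory on ftp.mozilla.org. The Python below is an added example, not part of this bug report or of Mozilla's tooling. It parses a listing in the `sha256sum` layout (one `<hex digest>  <relative path>` line per file) and compares a downloaded installer against it; the installer bytes and the checksum entry are constructed stand-ins so the code runs offline.

```python
"""Verify a downloaded installer against a published SHA-256 checksum listing.

Added example. The installer bytes and the listing content below are
constructed stand-ins; in practice fetch the listing and its detached
signature over HTTPS from the release directory and verify the signature
before trusting any digest in it.
"""
import hashlib
import hmac
from typing import Dict

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines: '<64 hex chars>  <relative path>'.

    Paths may contain spaces ('Firefox Setup 25.0.1.exe'), so the line is
    split only on the first double space that separates digest from path.
    """
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 64 or not set(digest) <= HEX_DIGITS or not path:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[path] = digest.lower()
    return sums


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(data: bytes, relpath: str, sums: Dict[str, str]) -> bool:
    """True only if relpath has a published digest and the data matches it.

    A file with no published digest is treated as a failure: an attacker who
    can swap the installer may also be able to add a path to a forged listing,
    which is why the listing's signature must be checked first.
    """
    expected = sums.get(relpath)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed stand-ins (not real installer bytes and not real checksums).
RELPATH = "win32/zh-TW/Firefox Setup 25.0.1.exe"
GENUINE = b"constructed stand-in for the genuine installer bytes"
TAMPERED = b"constructed stand-in for a trojaned installer"
SAMPLE_SUMS = f"{sha256_hex(GENUINE)}  {RELPATH}\n"

if __name__ == "__main__":
    sums = parse_sha256sums(SAMPLE_SUMS)
    print("genuine installer verifies:", verify_installer(GENUINE, RELPATH, sums))
    print("tampered installer verifies:", verify_installer(TAMPERED, RELPATH, sums))
```

The comparison uses `hmac.compare_digest` out of habit rather than necessity here; the important property is that a missing entry and a mismatching digest are both failures, never a silent pass.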
Comment 1•11 years ago (Reporter)
Sorry, I think the point is not clear.
I think someone is using Firefox's name to do bad things.
I want to report this to Mozilla so that Mozilla can take the necessary actions, e.g. report malware, trace the source, etc.
Comment 2•11 years ago (Reporter)
Already reported to Google's malware report page[1]
[1]: http://www.google.com/safebrowsing/report_badware/
Comment 3•11 years ago
Reported trademark abuse to legal team. Also included this bug in the report.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•11 years ago
Hi, we have already looked into the local server and taken down the problem link.
I believe that maybe some security people can do an analysis of the fake Firefox installer, or someone may like to do a global check of all community-powered websites, to see if any others have also been hacked and link to the same fake Firefox installer.
Updated•11 years ago
Severity: normal → critical
Updated•11 years ago
Flags: needinfo?(security)
Comment 5•11 years ago
Hi Security team, since we can't estimate the impact yet, please help:
1) Define the scope
We only redirect links to mozilla.org, so we want to see how the HTTP referer count from http://moztw.org/firefox/download/latest-win.html in download.mozilla.org dropped and when this happened, to identify the affected amount.
2) How to tell users?
If many were affected, how should we tell users? (Say, have a notice in the first-run page if the affected amount is large, or simply an announcement and a malware removal how-to if it was reverted in no more than a day.)
Comment 6•11 years ago
About the scope,
we can only be sure that the link was correct before Oct. 16, and it is hard to determine when it was changed to point to the wrong file, since the access log had been wiped clean of all suspicious items.
So if someone can help us check when the referrals dropped at download.mozilla.org, maybe we can narrow the estimated impact down to a more accurate timespan.
Comment 7•11 years ago
Hi,
we have done the following things today:
* A full vulnerability scan and analysis of the moztw.org webserver; cleaned out several backdoors.
* A behavioral analysis of the fake Firefox installation file and a sandbox test. We have come up with a process to remove the backdoor which the fake Firefox installs, and we made a small handy .bat script for users to clean it.
* A post on the front page of MozTW.org and the MozTW forum, announcing the problem and possible resolution steps to users.
We would still like to know *when* the download referrals from MozTW.org to download.mozilla.org (of the zh-TW win installer) decreased dramatically, because we still find it hard to determine the date when the download link was replaced, and the number of users affected.
Comment 8•11 years ago
We have left some analysis info on this MoPad: https://etherpad.mozilla.org/malware-framework
and our announcement article is here: http://forum.moztw.org/viewtopic.php?f=7&t=40687 (both in Chinese)
Comment 9•11 years ago
Setting needinfo from some OpSec folks for their advice on incident response. Have also cc'ed dveditz for his thoughts.
Flags: needinfo?(mpurzynski)
Flags: needinfo?(mhenry)
Flags: needinfo?(gdestuynder)
Comment 10•11 years ago
(In reply to othree (MozTW) from comment #0)
> [2]: http://download-installer.cdn.mozil1a.org/pub/firefox/releases/25.0.1/win32/zh-TW/Firefox%20Setup%2025.0.1.exe
In case someone wonders, as I did at first, "How did they get a fake file on our CDN?": that's mozil-one-a.org. In the Bugzilla font on my computer it's nearly indistinguishable from mozilla, but maybe others won't have the same problem (it was obvious once I had pasted that link somewhere else).
mozil1a.org
-------------
Domain ID:D170179003-LROR
Domain Name:MOZIL1A.ORG
Created On:15-Nov-2013 07:56:40 UTC
Last Updated On:15-Nov-2013 07:56:42 UTC
Expiration Date:15-Nov-2014 07:56:40 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Registrant ID:01c2dac56f8ba951
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard, Inc.
Registrant Street1:P.O. Box 0823-03411
Registrant Street2:
Registrant Street3:
Registrant City:Panama
Registrant State/Province:Panama
Registrant Postal Code:NA
Registrant Country:PA
Registrant Phone:+507.8365503
Registrant Phone Ext.:
Registrant FAX:+51.17057182
Registrant FAX Ext.:
Registrant Email:4494c064d94042d7825da58a149d6bc4.protect@whoisguard.com
For reference.
Also, since the creation date is 15-Nov-2013 07:56:40 UTC, it's likely that this is the date when moztw started linking to this site as well.
Flags: needinfo?(gdestuynder)
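The look-alike domain in comment 10 is a textbook homoglyph: a digit 1 standing in for the letter l, which many fonts render almost identically. As an added example that is not part of this bug or of any Mozilla tooling, the Python below normalises hostnames to a confusable "skeleton", compares the registrable label against a short list of protected brand names, and runs the check over resolver log lines. The brand list, the allowlist, the confusable table and the log lines are all constructed for the example; the one real indicator used is the mozil1a.org name from this bug.

```python
"""Flag look-alike (homoglyph / typosquat) domains in DNS query logs.

Added example. Brand list, allowlist, confusable table and log lines are
constructed for illustration and are not taken from Mozilla tooling.
"""
import re
from typing import List, Optional, Tuple

# Second-level labels a defender wants to protect (constructed list).
BRANDS = ("mozilla", "firefox")

# Registrable domains that legitimately carry those labels (constructed).
ALLOWLIST = {"mozilla.org", "mozilla.net", "mozilla.com", "firefox.com"}

# Glyphs that pass for a letter in many fonts, mapped to that letter.
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"}
# Two-character imitations, applied before the single-character table.
MULTI = {"rn": "m", "vv": "w", "cl": "d"}

# A hostname: one or more labels followed by an alphabetic top-level label.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def skeleton(label: str) -> str:
    """Collapse a label to the string a reader most likely perceives."""
    label = label.lower()
    for pair, letter in MULTI.items():
        label = label.replace(pair, letter)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one dropped or added letter (mozila)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[str]:
    """Return the brand that `host` imitates, or None.

    Only the second-level label is examined, which is enough for .org/.com/
    .net; a public-suffix list is needed to do this correctly for ccTLDs.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in ALLOWLIST:
        return None
    sld = labels[-2]
    for brand in BRANDS:
        if skeleton(sld) == brand or edit_distance(sld, brand) <= 1:
            return brand
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, imitated brand) for every suspicious host in the lines."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            brand = classify(host)
            if brand:
                hits.append((host, brand))
    return hits


# Constructed resolver log lines in the shape of a typical query log.
SAMPLE_LOG = [
    "2013-12-04 10:00:01 client=10.0.0.5 query=download-installer.cdn.mozil1a.org type=A",
    "2013-12-04 10:00:02 client=10.0.0.5 query=download.mozilla.org type=A",
    "2013-12-04 10:00:03 client=10.0.0.7 query=moztw.org type=A",
    "2013-12-04 10:00:04 client=10.0.0.9 query=rnozilla.net type=A",
    "2013-12-04 10:00:05 client=10.0.0.9 query=www.example.com type=A",
]

if __name__ == "__main__":
    for host, brand in scan_log(SAMPLE_LOG):
        print(f"{host} looks like an imitation of {brand}")
```

Run against the constructed log, the detector reports the mozil1a.org host and the rn-for-m variant while leaving the genuine download.mozilla.org and the community site alone. The same classifier can be pointed at proxy logs or at newly registered domain feeds, which is how a brand owner would have spotted the 15-Nov-2013 registration before anyone linked to it.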
Comment 13•11 years ago
Hi,
we have narrowed down the predicted malware online time span to Nov/27 to noon of Dec/7.
We suspect the download link was changed on Dec/5, but still do not have enough proof for that.
This is the current discovery of this incident:
2013-11-15 Cracker got the privilege of the server through a weak point and a leaked account from the phpBB forum
2013-11-15 mozil1a.org registered
2013-11-25~26 suspected malware creation time
2013-11-28 malware (Firefox Setup 25.0.1.exe) captured by a security company's protection system
2013-12-01 mozil1a.org domain pointed to 108.61.31.194
2013-12-02 FrameWork.exe/MainExe.exe captured on the internet
2013-12-04 Firefox Setup 25.0.1.exe captured on the internet
detected queries to the download-installer.cdn.mozil1a.org domain begin
2013-12-05 we had some error access log entries for /download-installer.cdn.mozil1a.org/pub/firefox/releases/25.0.1/win32/zh-TW/Firefox%20Setup%2025.0.1.exe on the server; this is the suspected link replacement time (with little evidence).
2013-12-07 12:12 user reported the problem to the moztw mailing list
2013-12-07 12:42 link to malware taken down
12-07~08 we had many friends from security backgrounds helping us do multiple analyses of our server
2013-12-08 03:47 The announcement of the incident and malware cleaning tools posted to moztw.org
We're still doing the analysis on the logs, and hope to have a clearer understanding of how the cracker got the privilege of the server, and when the malware link was replaced on the website.
Updated•11 years ago
Flags: needinfo?(mpurzynski)
Updated•11 years ago (Assignee)
Assignee: nobody → jbryner
Flags: needinfo?(security)
Flags: needinfo?(mhenry)
Comment 14•11 years ago (Assignee)
I've contacted the registrar and the company hosting the IP address to let them know of the incident and request any assistance they can offer.
I'll see what I can do to determine any change over time in the download referral from MozTW.org to download.mozilla.org.
Let me know if I can help in any other way.
Status: NEW → ASSIGNED
Comment 15•11 years ago (Assignee)
Thanks to the metrics team, it looks like 12/4 through 12/6 are the key dates:
downloads with referrer '%moztw.org%'
2013-11-28 2355
2013-11-29 1983
2013-11-30 3817
2013-12-01 3756
2013-12-02 2646
2013-12-03 1038
2013-12-04 560
2013-12-05 532
2013-12-06 521
2013-12-07 3498
2013-12-08 3967
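The table in comment 15 is exactly the kind of series a defender can watch automatically: a partner referrer whose daily download count collapses to a fifth of its baseline is a strong signal that the partner's download link has been tampered with. As an added example that is not part of this bug or of Mozilla's metrics tooling, the Python below parses the listing as posted, compares each day with the median of the last five days judged normal, and reports the days that fall below a configurable fraction of that baseline together with a rough estimate of the downloads that went elsewhere. The counts are the ones from the comment; the threshold and window are assumptions.

```python
"""Detect a collapse in per-referrer download counts (added example).

Parses the daily listing in the shape posted in comment 15 and flags days
whose count falls below a fraction of a rolling baseline. Window and
threshold are assumed values a defender would tune to their own traffic.
"""
import re
from statistics import median
from typing import List, Tuple

# The listing exactly as posted in comment 15 (counts are from the bug).
RAW_LISTING = """downloads with referrer '%moztw.org%'
2013-11-28 2355
2013-11-29 1983
2013-11-30 3817
2013-12-01 3756
2013-12-02 2646
2013-12-03 1038
2013-12-04 560
2013-12-05 532
2013-12-06 521
2013-12-07 3498
2013-12-08 3967
"""

ROW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d+)$")


def parse_listing(text: str) -> List[Tuple[str, int]]:
    """Return (date, count) rows; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows


def detect_drops(series, window: int = 5, drop_ratio: float = 0.3):
    """Flag days whose count is below drop_ratio * baseline.

    The baseline is the median of the last `window` days that were *not*
    flagged, so a multi-day outage does not drag the baseline down with it.
    The first `window` days only warm the baseline up and are not judged.
    Returns (anomalies, estimated_lost_downloads); each anomaly is a
    (date, count, baseline) tuple.
    """
    normal: List[int] = []
    anomalies = []
    lost = 0
    for date, count in series:
        if len(normal) < window:
            normal.append(count)
            continue
        baseline = median(normal[-window:])
        if count < drop_ratio * baseline:
            anomalies.append((date, count, baseline))
            lost += baseline - count
        else:
            normal.append(count)
    return anomalies, lost


def anomalous_dates(text: str = RAW_LISTING, drop_ratio: float = 0.3) -> List[str]:
    """Convenience wrapper: just the dates the detector flags."""
    anomalies, _ = detect_drops(parse_listing(text), drop_ratio=drop_ratio)
    return [date for date, _, _ in anomalies]


if __name__ == "__main__":
    anomalies, lost = detect_drops(parse_listing(RAW_LISTING))
    for date, count, baseline in anomalies:
        print(f"{date}: {count} downloads vs baseline {baseline} ({count / baseline:.0%})")
    print(f"roughly {lost} downloads diverted from the expected referrer")
```

With the default 30% threshold the detector reports 12/4 through 12/6, the dates named in comment 15, and estimates about 6,300 downloads missing against a baseline of 2,646 a day. Loosening the threshold to 50% also trips on 12/3 (1038, about 39% of baseline), which is the judgment call the threshold encodes: a partial-day link swap looks like a partial drop. On real traffic the baseline should also account for day-of-week seasonality, which this five-day median ignores.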
Comment 16•11 years ago
> downloads with referrer '%moztw.org%'
fwiw, that's 24,773 downloads, or ~25k in the affected time range.
Comment 17•11 years ago
According to Google Analytics, we have about 16k downloads during 12-04 ~ 12-06 -- just FYI
Comment 18•11 years ago
I've asked our U.S. trademark counsel to look into this.
Comment 19•11 years ago
It looks like mozil1a.org is down as is the ftp site. Did anyone check out the download that was being distributed by the hackers? We're wondering whether it contained malware.
Comment 20•11 years ago (Assignee)
https://bugzilla.mozilla.org/show_bug.cgi?id=947564#c7 appears to indicate the installer left behind a backdoor for those who used it to install Firefox.
Comment 21•11 years ago (Reporter)
This is the fake installer. https://www.dropbox.com/s/xvabmp1vy16sl8r/Firefox%20Setup%2025.0.1.exe
!! Don't install it outside a sandbox environment !!
Yes, it contains malware.
Comment 22•11 years ago
Comment 23•11 years ago
What we know so far about the fake installer:
# Once executed, it extracts FrameWork.exe, setup.exe and MainEv1.0.3.1.rar. setup.exe is the real Firefox installer; MainEv.rar is the Trojan. MainEv fetches the updated version of FrameWork.exe and executes it.
* We got a Cuckoo report of the whole install process: https://bugzilla.mozilla.org/attachment.cgi?id=8350489
* And the VirusTotal scan report of MainEv1.0.3.1.rar: https://www.virustotal.com/en/file/04a5b762a8074543b05af6fa914d1b29820c66d14012e1e222e0db9c07b2e002/analysis/1386412616/
# The net activity of FrameWork.exe
via ports 80 & 443
209.236.114.105:443
209.236.114.105:80
URL: http://www.firmday.com:443/a123o/Post.aspx
TYPE: POST
USER AGENT: None
URL: http://www.firmday.com:443/a123o/Get.aspx?s=078BF9FF-000206D700000000-00000000-0800273cb533
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0)
Content SQR
POST http://www.firmday.com/a123o/post.aspx
s1 : lS oEW P0qEA49tPpbV00GV8943mph6odcMVlV GD7oP p2BGnEgaUOjfWNVtk4NT3zrUl02
TSxJkdIcgRdaBNlRjjqq0n/XRFdPYOcqkwwYpqITFNUi3aweugFwL7HmPGP3dOhLSPpK0t2L
Dbk85a7Mob1FWQZIHbmuoCLTLenDpXmidRgN4mVInKQ39uh0WY84SxhBKVhSb6H2ES75L9Fu
9kMaZHS63Fdm63NIH9S7hIGQhRfN8B pf89ph108D8Q3wks4xUnrvii5TgAzK53hI BH4VA2
TAL5RGam qj0kEs8rPIYAZmlCgrAP5zEcKoOluHQSFoYeuZMteCaweI0y4xutaB4GKaiExTV
It2Joz9BnMN65xAyfNb0qc2dbxQtRV8bvcIZK4LqnrQ79zbjwW T9ZtzAiC8GbO1QpssOCpJ
eqxaSempESyucP10chiHHZn4O7KArt2rRj1F xieuC0EQ7rXzW9ApGLtosoakxYDorKKrcYL
IFd4uRkIarbR qxkciAqK3o7 6bdc2A2rZSM8M8rMU00xjE0w6Rl/BUzXnLHQC5f1ki1t pw
PuMBnWut0/0JC0AG7unjvn45pu5uCTSdlCOz3PCcDRwa3h/QakQfBmC459wAOpWVHajPSHPD
kbFg7Sfsto3U6GGmC4Ybddpg/zlzYcT45eXY1adzX8lehoBa1k7aLUzyW9G7auXE2Uv8IOtB
Cz2BcOcH96FB2p1GEexiUouio6giYoQO2dHLg0ml15pC5HZP6ZOFnqq129pDVzDMfNRd4Q==
s2 : 1FEBFBFF-000206A700000000-00000000-000c29b1b73f
Content SQR
s1 : lS oEW P0qEA49tPpbV00GV8943mph6odcMVlV GD7oP p2BGnEgaUOjfWNVtk4NT3zrUl02
TSxJkdIcgRdaBNlRjjqq0n/XW kI FNZAA41 xnbZbu3Mei8pq20WixSNyL8G1BMFY45UdSh
alYT26dSO/e1WQYMqELTjsjO/fWEgEsYL0Pt0uWCC7f1/7vo
s2 : 1FEBFBFF-000206A700000000-00000000-000c29b1b73f
Content SQR
http://www.firmday.com/a123o/post.aspx
Status: ASSIGNED → NEW
Comment 24•11 years ago (Assignee)
Thanks for the analysis. I'm in discussions with law enforcement to see if they are interested in this.
Comment 25•11 years ago
Hi Jeff - any interest from law enforcement?
Comment 26•11 years ago (Assignee)
Yes, working with the local agent and awaiting his availability.
Comment 27•11 years ago
Hi Jeff, may I ask what the law enforcement and local agent are being used for?
Is it for the registration of mozil1a.org?
Comment 28•11 years ago (Assignee)
Yes, the registration of the site and distribution of malware. I've sent him your analysis and a copy of the malware, and he is going to see if he can make a case to pursue it.
Comment 29•11 years ago
@Jeff, understood, thanks!
Comment 30•11 years ago
Hi Jeff, any update?