Bug 593791 - Possible Firefox 0day?
Status: RESOLVED WORKSFORME (Closed)
Opened 14 years ago; Closed 14 years ago
Categories: Firefox :: Security, defect
People: Reporter: imipak, Unassigned
References: Blocks 1 open bug
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100904 Firefox/4.0b6pre
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100904 Firefox/4.0b6pre
A work colleague who uses Firefox on Windows XP was compromised via a drive-by download from the (deactivated) URL given above. The malware seems to have:
- dropped a basic root kit (blocked Task Mgr)
- deactivated the local AV (Symantec Endpoint Protection)
- installed a password sniffer / keylogger
- installed fake AV
- the usual. It /might/ be a new variant of Bredolab (Disclosure: my employer is an AV company. We are investigating internally.)
Looking in the Event Viewer after booting into Safe Mode shows a bunch of "Application faulting: Firefox" crashes. So it makes sense that the malware's using an unpatched
Reproducible: Always
Steps to Reproduce:
1. browse to url
2. get pwned
3. make sad face
Actual Results:
pwned
Expected Results:
Not pwned
Comment 1•14 years ago
What version of Firefox was your colleague using?
Did any of the Firefox crashes result in the crash-reporter sending a report to us? If so please enter the URL about:crashes in the location bar and paste the recent crash ids here in the bug. Crash IDs that start with "bp-" will auto-link to the crash-stats site; you don't need to paste the links, just the IDs. If you have any that do NOT start with bp- please click on those first. The lack of the bp- prefix indicates they were not submitted and are only stored locally, but clicking on the links will then submit them (at which point they will be replaced with a bp- style ID).
Comment 2•14 years ago (Reporter)
It was v3.6.8, on Windows. Talkback didn't fire and I'm afraid the machine's been blatted and rebuilt now. All I have is this, from the Event Logs, if it's any use(?)
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 06/09/2010
Time: 11:36:12
User: N/A
Computer: [hostname]
Description:
Faulting application firefox.exe, version 1.9.2.3855, faulting module unknown, version 0.0.0.0, fault address 0x5a7d30e2.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 66 69 72 ure fir
0018: 65 66 6f 78 2e 65 78 65 efox.exe
0020: 20 31 2e 39 2e 32 2e 33 1.9.2.3
0028: 38 35 35 20 69 6e 20 75 855 in u
0030: 6e 6b 6e 6f 77 6e 20 30 nknown 0
0038: 2e 30 2e 30 2e 30 20 61 .0.0.0 a
0040: 74 20 6f 66 66 73 65 74 t offset
0048: 20 35 61 37 64 33 30 65 5a7d30e
0050: 32 2
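The Event ID 1000 record above carries the same facts twice: once in the Description line and once as the raw ASCII bytes of the "Data:" hex dump. The following is an added example (not code from the bug report or from Mozilla) that parses both, cross-checks them, and flags the one thing the record does tell a responder: "faulting module unknown" means the fault address (0x5a7d30e2) was not inside any loaded module, which is what comment 3 below calls "off executing in neverland". The sample record is reconstructed from comment 2; the Data layout "Application Failure  <app> <ver> in <module> <modver> at offset <addr>" is assumed to be the XP-era format shown here.

```python
import re

# Constructed sample input: the Event ID 1000 record quoted in comment 2,
# reproduced here so the parser can run offline.
SAMPLE_DESCRIPTION = (
    "Faulting application firefox.exe, version 1.9.2.3855, faulting module "
    "unknown, version 0.0.0.0, fault address 0x5a7d30e2."
)

SAMPLE_DATA = """\
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 66 69 72 ure fir
0018: 65 66 6f 78 2e 65 78 65 efox.exe
0020: 20 31 2e 39 2e 32 2e 33 1.9.2.3
0028: 38 35 35 20 69 6e 20 75 855 in u
0030: 6e 6b 6e 6f 77 6e 20 30 nknown 0
0038: 2e 30 2e 30 2e 30 20 61 .0.0.0 a
0040: 74 20 6f 66 66 73 65 74 t offset
0048: 20 35 61 37 64 33 30 65 5a7d30e
0050: 32 2
"""

# Description line of an Application Error (Event ID 1000) record.
DESC_RE = re.compile(
    r"Faulting application (?P<app>[^,\s]+), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<module>[^,\s]+), version (?P<mod_ver>[\d.]+), "
    r"fault address 0x(?P<addr>[0-9a-fA-F]+)"
)

# One Event Viewer dump line: "<offset>: <up to 8 hex pairs> <ascii column>".
HEX_LINE_RE = re.compile(r"^([0-9a-fA-F]{4}):((?: [0-9a-fA-F]{2}){1,8})")

# Assumed layout of the Data blob for this event type (matches the dump above).
DATA_RE = re.compile(
    r"Application Failure\s+(\S+) (\S+) in (\S+) (\S+) at offset ([0-9a-fA-F]+)"
)


def parse_description(text):
    """Extract app, versions, module and fault address from the Description."""
    m = DESC_RE.search(text)
    if not m:
        raise ValueError("not an Application Error (Event ID 1000) description")
    fields = m.groupdict()
    fields["addr"] = int(fields["addr"], 16)
    return fields


def decode_data(dump):
    """Rebuild the byte string from the 'Data:' hex dump.

    The offset column decides how many pairs belong to each line, so an ASCII
    column that happens to look like hex pairs cannot be mistaken for data on
    any line but the last (which the 8-pair cap already bounds).
    """
    parsed = []
    for line in dump.splitlines():
        m = HEX_LINE_RE.match(line)
        if m:
            parsed.append((int(m.group(1), 16), m.group(2).split()))
    out = bytearray()
    for i, (offset, pairs) in enumerate(parsed):
        if offset != len(out):
            raise ValueError(f"gap or overlap at offset {offset:#06x}")
        if i + 1 < len(parsed):
            pairs = pairs[: parsed[i + 1][0] - offset]
        out.extend(int(p, 16) for p in pairs)
    return bytes(out)


def check_record(description, dump):
    """Parse both halves of the record and report whether they agree."""
    fields = parse_description(description)
    text = decode_data(dump).decode("ascii")
    m = DATA_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unexpected Data layout: {text!r}")
    app, app_ver, module, mod_ver, addr = m.groups()
    consistent = (app, app_ver, module, mod_ver, int(addr, 16)) == (
        fields["app"], fields["app_ver"], fields["module"], fields["mod_ver"],
        fields["addr"],
    )
    # A module of "unknown" means EIP was outside every mapped module, so the
    # address alone cannot be turned into a stack or a patch level.
    return {**fields, "data_text": text, "consistent": consistent,
            "module_known": fields["module"].lower() != "unknown"}


if __name__ == "__main__":
    for k, v in check_record(SAMPLE_DESCRIPTION, SAMPLE_DATA).items():
        print(f"{k:>12}: {v:#010x}" if k == "addr" else f"{k:>12}: {v}")
```

Running it on the sample shows the two halves agree and that the module is not known, which is exactly why the record on its own could not tell Firefox code apart from a plugin or injected code.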
Updated•14 years ago
Blocks: malware-attacks
Comment 3•14 years ago
How up to date was the machine? Was it a personal machine where the plugins are likely to be up-to-date (or maybe not), or was it a newly imaged test machine that might have a lot of old stuff on it? This /could/ be a new Firefox 0-day, but with what we see in the wild the odds are much higher it actually was a plugin attack (flash, pdf, IE HCP attack via WMP, etc.).
The information in comment 2 isn't all that useful, the process is already off executing in neverland. A stack that shows what it was doing before that point might have been a partial clue but it sounds like we're not going to get it.
The page was relatively uninteresting as well. There were two ads from a 3rd party provider (ad.yieldads.com) that changed on every load. If there was a malicious ad in rotation at the time we'd never know (unless yieldads discovered it and would admit it).
Comment 4•14 years ago (Reporter)
The OS install was fairly new, about three months old, and up-to-date with all Microsoft patches; likewise Flash would have been upgraded to v10.1.82.76 in early September. Acrobat should also have been updated for http://www.adobe.com/support/security/bulletins/apsb10-17.html in late August. That said, yes, a plugin exploit would seem more statistically likely.
It seems that whatever it was has got away this time; I don't think there's any other forensic info I could lay my hands on. Shall I close this bug?
Comment 5•14 years ago
Unfortunately I don't think we have much choice but to close this.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME