Firefox zero-day under attack at Nobel Peace Prize site
Summary: Malicious hackers are exploiting a zero-day vulnerability in Mozilla's Firefox browser to launch drive-by download attacks against visitors to the Nobel Prize website.
Malicious hackers are exploiting a zero-day vulnerability in Mozilla's Firefox browser to launch drive-by download attacks against visitors to the Nobel Peace Prize website.
According to researchers at Norman ASA, Firefox users who surfed to the site were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine.
The exploit was successful on Firefox versions 3.5 and 3.6, according to Norman.
Once a drive-by download is successful, Norman said, the malware attempts to connect to two Internet addresses, both of which point to a server in Taiwan.
Mozilla's security response team is investigating the issue, according to a spokesperson.
UPDATE:
Mozilla has now confirmed the zero-day nature of the vulnerability and the in-the-wild exploits. The open-source group describes the issue as "critical" and confirms it affects fully patched Firefox 3.5 and Firefox 3.6 users.
Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.
Mozilla said it has already diagnosed the issue and is currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.
The group urged its users to immediately:
- Disable JavaScript in Firefox.
- Use the NoScript add-on.
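Beyond the two mitigations above, a defender's first question is which clients were exposed. As an added example (not from the article, Norman or Mozilla), this Python triage script reads constructed proxy log lines and flags clients whose User-Agent reports Firefox 3.5 or 3.6, the branches the article says were exploited; the log format, client IPs and User-Agent strings are constructed, and the "exposed" label additionally requires Windows because the article describes Belmoo as a Windows Trojan.

```python
import re

# Constructed sample proxy log lines (timestamp, client IP, URL, quoted User-Agent); not from the article.
SAMPLE_LOG = """\
2010-10-26T09:14:02Z 10.0.0.11 http://example.invalid/ "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10"
2010-10-26T09:14:05Z 10.0.0.12 http://example.invalid/ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.13) Gecko/20100914 Firefox/3.5.13"
2010-10-26T09:14:09Z 10.0.0.13 http://example.invalid/ "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Firefox/3.6.10"
2010-10-26T09:14:11Z 10.0.0.14 http://example.invalid/ "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19"
2010-10-26T09:14:15Z 10.0.0.15 http://example.invalid/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
"""

# Branches the article reports as exploited in the wild while fully patched.
AFFECTED_BRANCHES = {(3, 5), (3, 6)}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
FIREFOX_RE = re.compile(r'\bFirefox/(\d+)\.(\d+)(?:\.(\d+))?')


def firefox_version(user_agent):
    """Return (major, minor, patch) from a Firefox User-Agent, or None for other browsers."""
    m = FIREFOX_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(user_agent):
    """'exposed': affected Firefox on Windows (the payload is a Windows Trojan per the article);
    'affected_browser': affected Firefox on another OS; 'other': everything else."""
    ver = firefox_version(user_agent)
    if ver is None or ver[:2] not in AFFECTED_BRANCHES:
        return "other"
    return "exposed" if "Windows" in user_agent else "affected_browser"


def triage(log_text):
    """Map each client IP to the most serious classification seen in the log."""
    rank = {"other": 0, "affected_browser": 1, "exposed": 2}
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, _url, ua = m.groups()
        label = classify(ua)
        if client not in result or rank[label] > rank[result[client]]:
            result[client] = label
    return result
```

Once Mozilla ships the fix, the check should be tightened to the fixed version numbers, which this page does not yet give.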
Talkback
Why is this classified as a trojan?
Trojans masquerade as legitimate programs which the user would want to install. That doesn't appear to be the case here. Maybe I can find the answer in the details of the malware.
RE: Firefox zero-day under attack at Nobel Prize site
That's the first time I've ever heard of that definition.
Do you have a reference?
RE: Firefox zero-day under attack at Nobel Prize site
No, the difference between a virus and Trojan is that the Trojan requires the user to accept it. In fact, typically, Trojans come with programs the user actually wants.
RE: Firefox zero-day under attack at Nobel Prize site
It depends on who you ask. Cisco defines it as "...a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems". Norman themselves describe it as "...a program that seems to be genuine and even useful, and thereby tricks the users to install/use it." In this case we can only speculate that it is dubbed Trojan because of its use of "Symantec.exe" as its executable, thus misleading anyone finding the file.
Geeze. Don't they teach classic mythology in schools these days...?
The word "trojan" comes from the term Trojan Horse. In ancient Greece, the Greeks were having a war with the city of Troy. The city was well guarded and the war went on for years. The Greeks got clever and built a giant horse made of wood and withdrew their ships from the area. The horse was supposed to be left for the Trojans as a peace offering.
Instead, there was a crack squad of Greek warriors stashed in the belly of the beast. After the unsuspecting Trojans decided to drag the horse inside the city gates and went to sleep for the day, the crack squad popped out, opened the gates and Troy was sacked.
So by definition, Ye's description of a viral trojan is accurate. It's a program (like the horse) you have to download and run yourself, bypassing any security along the way.
yes it is a trojan
In this case, the malware is using firefox/java/windows themselves as the trojan horse.
Zero Day Meaning and Trojan or What?
@~doolittle~
Javascript being enabled doesn't allow the website to install whatever it wants unless there is a vulnerability to exploit. In this case it is possible to induce a text run buffer overrun and allow arbitrary code execution. Of course, turning Javascript off does reduce the number of attack vectors possible by quite a lot.
RE: Firefox zero-day under attack at Nobel Prize site
> "The best case for calling it a trojan is saying that it comes in with a web page that you actually meant to look at"
My thoughts exactly. Once the exploit is patched / fixed / removed the trojan label can be removed as well IMHO
> "Javascript being enabled doesn't allow the website to install whatever it wants unless there is a vulnerability to exploit. In this case it is possible to induce a text run buffer overrun and allow arbitrary code execution. Of course, turning Javascript off does reduce the number of attack vectors possible by quite a lot."
I overgeneralized :)
Personally I don't run FF w/o noscript specifically for XSS prevention (since they would not likely be allowed / whitelisted)
RE: Firefox zero-day under attack at Nobel Prize site
Trojan Definition
This still doesn't answer the question.
That's the definition from your link. And it's right in line with what I know a trojan to be. With that said, what is the "desirable function" this malware pretends to offer? Is it the web site hosting it (which is reaching, IMO)? Is it, as you say, Firefox (again reaching, IMO)? I see no reason to label this malware. And a review of the malware description given in the article doesn't help either.
RE: Firefox zero-day under attack at Nobel Prize site
Oops, didn't work for me either
RE: Firefox zero-day under attack at Nobel Prize site
http://en.wikipedia.org/wiki/Trojan_virus#Installation_and_distribution
RE: Firefox zero-day under attack at Nobel Prize site
That'll work
Your method of changing the trojan's target DNS to your Host address is sound, but if the black-hats decide to re-route to a different DNS Server you lose that explicit block .. and consequently the protection you initially had.
So how does NoScript protect against this, you may ask?
1 - XSS Protection: Will automatically sanitize cross-site requests - such as the one described in this particular vulnerability. The relevance to your method being that it will nullify this vector even if the DNS was changed (or spoofed) so that you wouldn't have to worry about manually altering your Hosts file to protect against such issues.
2 - (Application Boundaries Enforcer): NoScript can act to define normal application behavior, allowing hyperlinking but not cross-site POST requests that could obviously lead to alteration of an application's status. Also, pages can be embedded as sub-documents but only by documents from the same domain (this prevents ClickJacking/UI redressing attacks).
That gives you an idea of how NoScript will protect against this attack vector but it is only a small part of the protective capability features it (i.e. NoScript) has. That and it's free.
Quite simply, I don't use FF without it. ;)
(n.b. All this being a side-track from the real issue of FF dropping the ball with recent security issues being in the RED zone).
RE: Firefox zero-day under attack at Nobel Prize site
Agreed (about FF and NoScript).
It can get annoying having to authorise scripts and Flash to get websites to work, but it is a small trade-off when compared to the security benefits (and the peace and quiet because all those annoying Flash Ads have been silenced).