Firefox zero-day under attack at Nobel Peace Prize site

Summary: Malicious hackers are exploiting a zero-day vulnerability in Mozilla's Firefox browser to launch drive-by download attacks against visitors to the Nobel Prize website.

Malicious hackers are exploiting a zero-day vulnerability in Mozilla's Firefox browser to launch drive-by download attacks against visitors to the Nobel Peace Prize website.

According to researchers at Norman ASA, Firefox users who surfed to the site were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine.

The exploit was successful on Firefox versions 3.5 and 3.6, according to Norman.

Once a drive-by download is successful, Norman said, the malware attempts to connect to two Internet addresses, both of which point to a server in Taiwan.

Mozilla's security response team is investigating the issue, according to a spokesperson.

UPDATE:

Mozilla has now confirmed the zero-day nature of the vulnerability and in-the-wild exploits. The open-source group describes the issue as "critical" and confirms it affects fully patched Firefox 3.5 and Firefox 3.6 users.

Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.

Mozilla said it has already diagnosed the issue and is currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.

The group urged its users to immediately:

UPDATE: A Firefox patch for this vulnerability is now available.


Talkback

48 comments
  • Why is this classified as a trojan?

    [i]According to researchers at Norman ASA, Firefox users who surfed to the site were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine.[/i]

    Trojans masquerade as legitimate programs which the user would want to install. That doesn't appear to be the case here. Maybe I can find the answer in the details of the malware.
    ye
    • RE: Firefox zero-day under attack at Nobel Prize site

      @ye No, a Trojan is defined as any virus that opens a back door into the system. It doesn't matter how it's deployed.
      I12BPhil
      • That's the first time I've ever heard of that definition.

        @I12BPhil: [i]No, a Trojan is defined as any virus that opens a back door into the system. It doesn't matter how it's deployed.[/i]

        Do you have a reference?
        ye
      • RE: Firefox zero-day under attack at Nobel Prize site

        @I12BPhil

        No, the difference between a virus and Trojan is that the Trojan requires the user to accept it. In fact, typically, Trojans come with programs the user actually wants.
        x I'm tc
      • RE: Firefox zero-day under attack at Nobel Prize site

        @I12BPhil
        It depends on who you ask. Cisco defines it as "...a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems". Norman themselves describe it as "...a program that seems to be genuine and even useful, and thereby tricks the users to install/use it." In this case we can only speculate that it is dubbed Trojan because of its use of "Symantec.exe" as its executable, thus misleading anyone finding the file.
        BigGoodWolf
      • Geeze. Don't they teach classic mythology in schools these days...?

        @I12BPhil
        The word "trojan" comes from the term Trojan Horse. In ancient Greece, the Greeks were having a war with the city of Troy. The city was well guarded and the war went on for years. The Greeks got clever and built a giant horse made of wood and withdrew their ships from the area. The horse was supposed to be left for the Trojans as a peace offering.

        Instead, there was a crack squad of Greek warriors stashed in the belly of the beast. After the unsuspecting Trojans decided to drag the horse inside the city gates and went to sleep for the day, the crack squad popped out, opened the gates and Troy was sacked.

        So by definition, Ye's description of a viral trojan is accurate. It's a program (like the horse) you have to download and run yourself, bypassing any security along the way.
        Wolfie2K3
      • Message has been deleted.

        dgurney
      • yes it is a trojan

        the user is running firefox w/ javascript enabled and allows the website to install whatever it wants.

        In this case, the malware is using firefox/java/windows themselves as the trojan horse.
        ~doolittle~
      • Zero Day Meaning and Trojan or What?

        @dgurney

        A "zero day" vulnerability is a vulnerability for which an exploit exists before the developers of the software know that the vulnerability exists (or at the very least before a patch for the vulnerability exists).

        I agree about using the term "trojan" for this malware being a stretch. I think that it has been described this way because people have had trouble coming up with a term that was apropos. This is not a virus or a worm because it is not self-replicating. The best case for calling it a trojan is saying that it comes in with a web page that you actually meant to look at.

        @~doolittle~
        Javascript being enabled doesn't allow the website to install whatever it wants unless there is a vulnerability to exploit. In this case it is possible to induce a text run buffer overrun and allow arbitrary code execution. Of course, turning Javascript off does reduce the number of attack vectors possible by quite a lot.
        CFWhitman
      • RE: Firefox zero-day under attack at Nobel Prize site

        @CFWhitman
        >"The best case for calling it a trojan is saying that it comes in with a web page that you actually meant to look at"

        My thoughts exactly. Once the exploit is patched / fixed / removed the trojan label can be removed as well IMHO

        >"Javascript being enabled doesn't allow the website to install whatever it wants unless there is a vulnerability to exploit. In this case it is possible to induce a text run buffer overrun and allow arbitrary code execution. Of course, turning Javascript off does reduce the number of attack vectors possible by quite a lot."

        I overgeneralized :)

        Personally I don't run FF w/o noscript specifically for XSS prevention (since they would not likely be allowed / whitelisted)
        ~doolittle~
    • Trojan Definition

      http://en.wikipedia.org/wiki/Trojan_horse_(computing) (I can't get the correct link to stick. You'll need to copy and paste and make sure you get the "(computing)" part on the end.)

      Look under "Installation and distribution." This sounds like an application exploit. Firefox is the legitimate program in this case.
      MichP
      • This still doesn't answer the question.

        @MichP: [i]A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user's computer system.[/i]

        That's the definition from your link. And it's right in line with what I know a trojan to be. With that said what is the "desirable function" this malware pretends to offer? Is it the web site hosting the it (which is reaching, IMO)? Is it, as you say, Firefox (again reaching, IMO)? I see no reason to label this malware. And a review of the malware description given in the article doesn't help either.
        ye
      • RE: Firefox zero-day under attack at Nobel Prize site

        @MichP Ahh, that makes much more sense. And here's the link you were shooting for.
        http://en.wikipedia.org/wiki/Trojan_horse_(computing)

        Oops, didn't work for me either
        BigGoodWolf
      • RE: Firefox zero-day under attack at Nobel Prize site

        @MichP
        http://en.wikipedia.org/wiki/Trojan_virus#Installation_and_distribution
        thookerov
    • RE: Firefox zero-day under attack at Nobel Prize site

      Firefox has already created a patch. I was prompted to download version 3.6.12 tonight.
      coopejx@...
  • RE: Firefox zero-day under attack at Nobel Prize site

    I just added a DNS zone pointing it to 127.0.0.1 until it's taken care of.
    Admin71
    • That'll work

      @Bookmark71 .. or, you could try NoScript (which I've been using for over 2 years).

      Your method of changing the trojan's target DNS to your Host address is sound, but if the black-hats decide to re-route to a different DNS Server you lose that explicit block .. and consequently the protection you initially had.

      So how does NoScript protect against this, you may ask?

      1 - XSS Protection: Will automatically sanitize cross-site requests - such as the one described in this particular vulnerability. The relevance to your method being that it will nullify this vector even if the DNS was changed (or spoofed) so that you wouldn't have to worry about manually altering your Hosts file to protect against such issues.

      2 - (Application Boundaries Enforcer): NoScript can act to define normal application behavior, allowing hyperlinking but not cross-site POST requests that could obviously lead to alteration of an application's status. Also, pages can be embedded as sub-documents but only by documents from the same domain (this prevents ClickJacking/UI redressing attacks).

      That gives you an idea of how NoScript will protect against this attack vector but it is only a small part of the protective capability features it (i.e. NoScript) has. That and it's free.

      Quite simply, I don't use FF without it. ;)

      (n.b. All this being a side-track from the real issue of FF dropping the ball with recent security issues being in the RED zone).
      thx-1138_
      • RE: Firefox zero-day under attack at Nobel Prize site

        @thx-1138_@...
        Agreed (about FF and NoScript).
        It can get annoying having to authorise scripts and Flash to get websites to work, but it is a small trade-off when compared to the security benefits (and the peace and quiet because all those annoying Flash Ads have been silenced).
        lehnerus2000
  • Firefox zero-day under attack at Nobel Prize site

    I guess China's still mad at Nobel for giving that political prisoner the Peace Prize
    vbfama@...
    • RE: Firefox zero-day under attack at Nobel Prize site

      @vbfama@... Taiwan is not the China that's mad.
      PMC-CON