Virus? Malware? Just a major pain?


11 replies to this topic

#1 mrk2474

mrk2474

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:06:02 PM

Posted 17 July 2016 - 07:24 PM

Could someone lead me in the right direction? I've been seeing this lately but don't know whether it's something to be concerned about or that it's just an annoyance. It comes up completely randomly and I've only noticed it the last month or so. Thanks!

http://i930.photobucket.com/albums/ad147/mrk74/FakeFireFox.jpg





#2 inkoalawetrust

inkoalawetrust

  • Members
  • 320 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Internet
  • Local time:12:02 AM

Posted 17 July 2016 - 07:30 PM

It's definitely malware.


Twitter

Discord:inkoalawetrust#9783

Website


#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 18 July 2016 - 07:52 AM

Hi mrk2474 :)

Yes, this file (and the website that delivers it) is indeed malicious. There's been a recent increase in malware impersonating a "Firefox patch" or "Firefox security update". Since it asks you to download and execute the file, as long as you don't do it, you won't be infected. Simply refuse the download and close the website and you should be good. Usually, you get redirected to these via malvertising, so using an Adblocker (such as Adblock Plus) or a general content blocker (like uBlock Origin) should prevent these redirections from occurring.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 mrk2474

mrk2474
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:06:02 PM

Posted 18 July 2016 - 10:21 AM

Is there something I can run to try and clear it out or do I just have to deal with it? As I said I just started noticing it lately and before that had never seen it before.



#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 18 July 2016 - 10:42 AM

Do you use any ad or content blocker like mentioned in my previous post?



#6 mrk2474

mrk2474
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:06:02 PM

Posted 18 July 2016 - 11:14 AM

> Do you use any ad or content blocker like mentioned in my previous post?

No I don't. And I just got it again with a totally different URL.



#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 18 July 2016 - 11:16 AM

Install uBlock Origin for Mozilla Firefox.

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

Let us know if you still get these redirections after.



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,754 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:11:02 PM

Posted 19 July 2016 - 08:52 AM

Remark the extension of the filename: .js

And the icon to the left of fireforx-patch.js.

This tells you that the file that is offered for download is a JavaScript file. Firefox updates do not come as JavaScript files.

A lot of malware on the web uses JavaScript as a vector.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 mrk2474

mrk2474
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:06:02 PM

Posted 19 July 2016 - 02:35 PM

> Remark the extension of the filename: .js
>
> And the icon to the left of fireforx-patch.js.
>
> This tells you that the file that is offered for download is a JavaScript file. Firefox updates do not come as JavaScript files.
>
> A lot of malware on the web uses JavaScript as a vector.

Yeah I knew it was fake right off. I just didn't know if it was something I should do a scan for to get rid of whatever it is that's making it happen.



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:02 PM

Posted 19 July 2016 - 03:14 PM

You could always disable update notifications in Firefox (Tools > Options > Advanced) and manually check for new updates yourself. This way if you ever get an update prompt you will know it is a fake.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#11 JohnnyJammer

JohnnyJammer

  • Members
  • 1,122 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:02 AM

Posted 19 July 2016 - 04:37 PM

I would strongly suggest you use Symantec's noscript.exe. This will have no impact if you opened that file after disabling scripting.

I get 10's to hundreds of these JavaScript type variants trying to get through my mail server daily mate, it's been in zip files, batch files that rename js files and even zip files that execute a file and rename it which then executes the .JS file as soon as the file has extracted.

Self executing zip files aren't new and they are always trying to use macros in Word documents which download .js and .bat and .exe files.

I can remember Symantec themselves having a self extracting zip file where as soon as you finished the download it self extracted and executed the update process of signatures!
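
Added example, not part of any post in this thread: a sketch of the kind of attachment check a mail gateway can apply to the cases raised in posts #8 and #11, a download or attachment whose extension marks it as a script, including one packed inside a zip or a zip within a zip. The extension list, the size and depth limits, the function names and the sample archive are all assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows passes to a script host or shell on double-click.
# This list is an assumption of the example, not taken from the thread.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".bat", ".cmd", ".hta"}
MAX_DEPTH = 3            # do not descend into archives nested deeper than this
MAX_MEMBER = 10_000_000  # do not unpack members larger than this (zip bombs)


def risky_names(filename, data, depth=0):
    """Return script-type file names in an attachment, looking inside zips."""
    hits = []
    # Windows ignores trailing dots and spaces, so "patch.js." opens as "patch.js".
    name = filename.rstrip(". ").lower().replace("\\", "/")
    if PurePosixPath(name).suffix in SCRIPT_EXTS:
        hits.append(filename)
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Encrypted or oversized members are judged by name only.
                skip = info.flag_bits & 0x1 or info.file_size > MAX_MEMBER
                inner = b"" if skip else zf.read(info)
                for hit in risky_names(info.filename, inner, depth + 1):
                    hits.append(f"{filename}!{hit}")
    return hits


def make_zip(members):
    """Build a zip in memory from {name: bytes} (used for the sample below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: harmless placeholder files, one zip nested in another.
INNER = make_zip({"fake-update.js": b"// placeholder"})
SAMPLE = make_zip({"readme.txt": b"hello", "payload.zip": INNER, "run.BAT": b"rem"})

if __name__ == "__main__":
    for hit in risky_names("update.zip", SAMPLE):
        print("blocked:", hit)
```

Each hit is reported with its full path through the archives, so a quarantine log shows which container carried the script.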



#12 mrk2474

mrk2474
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:06:02 PM

Posted 19 July 2016 - 08:59 PM

> You could always disable update notifications in Firefox (Tools > Options > Advanced) and manually check for new updates yourself. This way if you ever get an update prompt you will know it is a fake.

> Yeah I knew it was fake right off. I just didn't know if it was something I should do a scan for to get rid of whatever it is that's making it happen.

I have it set to auto update. Wondering if it's a legitimate update isn't the issue because I know it isn't. The issue is/was 1. Can it be stopped? 2. Is this happening because I need to clean things up?


Edited by mrk2474, 20 July 2016 - 10:12 AM.




