

Fake Firefox Update


11 replies to this topic

#1 Oxonsi (Members, 50 posts)

Posted 14 December 2016 - 12:04 PM

I recently have been redirected to fake webpages [strange URLs] prompting me to download an urgent update for Firefox. This behavior immediately put me on my guard. I did however download the file, firefox-patch.js, out of curiosity. It is apparently a JavaScript file. What is disconcerting about this is that none of my anti-malware tools could identify the file as a threat. So I then navigated to VirusTotal online, and submitted the file there. I first noticed that the file had not been scanned before, which is highly unusual. I think every other time I've scanned a file at VirusTotal, it has told me that the file was previously scanned, and then asked if I would like to re-analyze... In any case, the results were again surprising: only 2 out of 54 antivirus products identified the file as malicious. That kind of detection ratio would typically lead me to suspect a false positive, but I did find a write-up of this issue on Mozilla [see link], so I'm certain this is indeed a malicious file.

 

The only products able to correctly identify it as a threat were Arcabit and Fortinet, both of which I wasn't familiar with.  I then did a little research on those products, and come to find out:  Arcabit is apparently a Polish language only antivirus, and Fortinet strictly an enterprise product, designed for deployment over a corporate LAN.

 

So bottom line is that I guess if one isn't on one's guard, this will "fly under the radar" of many people. Does anyone know why the detection rate might be so poor for this file? It is only 9.13 KB. Is it easy for malware authors to "hide" malicious code in JavaScript?

 

Link: https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update


Edited by Oxonsi, 14 December 2016 - 02:29 PM.




#2 Didier Stevens (BC Advisor, 2,706 posts)

Posted 14 December 2016 - 02:09 PM

Can you post the link to the VirusTotal analysis?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Oxonsi (Topic Starter, Members, 50 posts)

Posted 14 December 2016 - 02:34 PM

Yes, I think I can, see link.  Seems to be quite an insidious threat.

 

https://www.virustotal.com/en/file/6f9deeb5cbf01a90eda8a9e3bc67c8dd9197d3c75193a502bb87c843d08a5bb3/analysis/1481743801/



#4 Didier Stevens (BC Advisor, 2,706 posts)

Posted 14 December 2016 - 04:21 PM

Detection is low because the JavaScript is heavily obfuscated.


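A defender-side triage heuristic, added here as an example and not code from this thread or from any product named in it: it scores a script on the signs of heavy obfuscation that the reply above points to, and on the "update"/"patch" lure filename the OP saw. The indicator list, the weights and thresholds, and the two sample scripts (one plain helper, one harmless one-liner percent-encoded the way droppers pack their payload) are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Calls packed droppers lean on to decode and run a hidden payload (assumed list).
SUSPICIOUS_CALLS = ("eval", "unescape", "String.fromCharCode", "ActiveXObject", "WScript.Shell")
# Four or more consecutive \xNN, \uNNNN or %NN escapes: an encoded blob, not code a human wrote.
ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}){4,}")
# Quoted literals; escaped quotes inside a literal are ignored, which is enough for triage.
STRING_LITERAL = re.compile(r'"[^"]*"|\'[^\']*\'')


def shannon_entropy(data: str) -> float:
    """Bits per character; base64 or packed blobs push this toward 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_string_literal(src: str) -> int:
    """Obfuscators usually stash the real payload in one very long literal."""
    return max((len(m.group(0)) - 2 for m in STRING_LITERAL.finditer(src)), default=0)


def triage_js(src: str, filename: str = "") -> dict:
    """Score a script; the verdict is a triage hint, not a detection signature."""
    calls = [c for c in SUSPICIOUS_CALLS if re.search(r"\b" + re.escape(c) + r"\b", src)]
    f = {
        "entropy": round(shannon_entropy(src), 2),
        "longest_literal": longest_string_literal(src),
        "suspicious_calls": calls,
        "escape_runs": len(ESCAPE_RUN.findall(src)),
        # a script named as an "update" or "patch" is the lure this thread describes
        "lure_name": bool(re.search(r"update|patch", filename, re.I)),
    }
    # Weights and thresholds are assumptions chosen for illustration.
    f["score"] = (2 * len(calls) + (2 if f["entropy"] > 5.5 else 0)
                  + (2 if f["longest_literal"] > 100 else 0)
                  + (1 if f["escape_runs"] else 0) + (1 if f["lure_name"] else 0))
    f["verdict"] = "suspicious" if f["score"] >= 4 else "low-risk"
    return f


# Constructed samples: a plain helper, and a harmless one-liner packed the way droppers are.
BENIGN_JS = "function greet(name) { return 'Hello, ' + name; }\nconsole.log(greet('world'));"
_HIDDEN = "console.log('decoded at runtime');"
PACKED_JS = 'var p = "' + "".join("%%%02x" % b for b in _HIDDEN.encode()) + '";\neval(unescape(p));'

if __name__ == "__main__":
    for name, src in (("helper.js", BENIGN_JS), ("firefox-patch.js", PACKED_JS)):
        print(name, triage_js(src, name))
```

A low score does not clear a file: a packer that avoids every listed call still scores on entropy and literal length only if it keeps its payload inline, so treat the verdict as a reason to sandbox, not as a clean bill.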


#5 shadow_647 (Banned, 1,430 posts)

Posted 14 December 2016 - 04:47 PM

People that make code like that aren't fools; they will test their code vs everything known, and only if it passes will it be used.

Code that can be detected without problems isn't worth anything, and a good zero-day no one knows about can sell on the darknet for up to $500,000.



#6 Oxonsi (Topic Starter, Members, 50 posts)

Posted 15 December 2016 - 12:21 AM

Thanks for the replies and info.  In the meantime I was reading online about obfuscated JavaScript.  That's interesting, and it makes sense that malware authors are good at concealing the intent of their code.  It is obviously important to be vigilant online! 



#7 shadow_647 (Banned, 1,430 posts)

Posted 15 December 2016 - 01:42 AM

I haven't really used JavaScript for years but I have to for some places. The NoScript plugin for Firefox owns. Most of the drive-by download attacks are vs Java or Flash Player in any case, and I don't use Flash. Just look at the BC home page: seems a new hack for Flash Player has just been found, one that lets someone take over your cam and mic. Man, that topic is conic when it comes to Flash Player; it's why that topic needs to die and HTML5 needs to take over.

 

PS: 90% of the time getting infected is tricking people into installing something they downloaded; it's not brute-force hacking.



#8 Crazy Cat (Members, 808 posts, Location: Lunatic Asylum)

Posted 16 December 2016 - 06:00 PM

How Maliciously Crafted Images Spread Malware. https://www.deepdotweb.com/2016/12/07/maliciously-crafted-images-spread-malware/
Locky Ransomware .svg Attack Vector. http://pastebin.com/BWxLgaVs
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#9 shadow_647 (Banned, 1,430 posts)

Posted 16 December 2016 - 07:42 PM

How Maliciously Crafted Images Spread Malware. https://www.deepdotweb.com/2016/12/07/maliciously-crafted-images-spread-malware/

Once more Java was the way in, same old same old.

Locky Ransomware .svg Attack Vector. http://pastebin.com/BWxLgaVs

Not pro at reading code, but if I didn't miss my guess, just one more case of Java.



#10 MoxieMomma (Members, 471 posts)

Posted 16 December 2016 - 08:26 PM

Hi, @shadow_647:

How Maliciously Crafted Images Spread Malware. https://www.deepdotweb.com/2016/12/07/maliciously-crafted-images-spread-malware/

Once more Java was the way in, same old same old.

Locky Ransomware .svg Attack Vector. http://pastebin.com/BWxLgaVs

Not pro at reading code, but if I didn't miss my guess, just one more case of Java.

I think it may be confusing for the OP (and for non-experts like myself) to use "Java" and "JavaScript" interchangeably?

Needless to say, they are not the same thing.

 

If I understand the thread correctly, the OP is talking about scripted malware/obfuscated JavaScript, not "Java".

 

Cheers,

MM



#11 shadow_647 (Banned, 1,430 posts)

Posted 16 December 2016 - 09:05 PM

Right, sorry about that. I'll be sure from now on to always say JavaScript.



#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,596 posts, Location: Virginia, USA)

Posted 16 December 2016 - 10:05 PM

It's not only fake Firefox updates you have to be careful with but also other popular software like Adobe and Java, which are also exploited.

BTW...Ransomware developers have been known to use malicious .js (JavaScript) files often found in zipped email attachments. Many users confuse JavaScript with Java, a software package by Oracle installed separately from your browser. Although the name is similar, Java is not the same as JavaScript. For the benefit of all readers, here are a few articles to help you understand.

Because of the unfortunate similarity of their names, many people confuse Java with Javascript. But these are two completely different things. Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, safe sites won't block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Krebs On Security: What You Need to Know About the Java Exploit
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




