Select Page

Earlier this week, I blogged about a site doing a bunch of different exploits, depending on what you are running. 

One of the things the site will do is detect if you have Firefox, and attempt to exploit it, using the InstallVersion.compareTo() vulnerability. 

There are actually a number of sites running this exploit, and one of our researchers, Adam Thomas, was kind enough to take some pictures. Going to a site with an older version of Firefox got him just a bucket-load of spyware.

_firefox10000000adali

A Haxdoor variant was installed (seen above as detected by F-Secure’s Blacklight)… and a typical rogue-antispyware security install with a bunch of fake security messages.

_firefox20000001238asdf

Hijacked browser…

_firefox3200000023

And this is nifty — there’s even this Local Security Authority Service pop-up message (above). Clicking OK aborts the system shutdown and…brings you to this page:

_firefox40000023

And you get the usual fake and hysterical security messages:

_firefox500000a34

_firefox600000adf

_firefox80000003424

As a final dash of spice, the malware is redirecting attempts to navigate to security relates websites such as Kaspersky.com, Symantec.com, F-secure.com,  etc.to Microsoft.com!   

On another test system, Adam got UnSpyPC (a rogue antispyware application) and a Haxdoor install, among other things.

_firefox7000001eda

Now, the Faithful (and admittedly few) Readers of My Blog are demigods when it comes to security, so most of you are running a patched version of Firefox (basically, any version 1.05 or higher).  But checking browser stats on this site does show that there is a very small number of you that aren’t updated to a safe version. Very, very few AV vendors detect this exploit, as you can see by clicking here.

Alex Eckelberry
(And, thanks again for the tip from some French friends)


Fatal error: Uncaught wfWAFStorageFileException: Unable to save temporary file for atomic writing. in /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php:34 Stack trace: #0 /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php(658): wfWAFStorageFile::atomicFilePutContents('/home/eckelberr...', '<?php exit('Acc...') #1 [internal function]: wfWAFStorageFile->saveConfig('livewaf') #2 {main} thrown in /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php on line 34