Firefox 3.1 Beta 2 Pwned?

[WhollyMindless]

Hey, I was just monkeying around with the Firefox 3.1 betas and today noticed a really bad thing.

When using the following search at google:

microsoft mvc beta

I get a list of link context that looks good, but the links referenced are link farm sites.

I do NOT get this in Firefox 3.0, Chrome 1 or IE 7. But 3.1 is doing something bad. No other application seems to be affected so I don't suspect that I've been compromised lower down the stack but...

Has anyone else seen it?

I thought I was nuts. removed what I had installed and went back and downloaded the freshest Beta 2 directly from Mozilla (anl.gov link mirror) and the same thing happens.

This is a bit worrisome!

[Sparda]

Hey, I was just monkeying around with the Firefox 3.1 betas and today noticed a really bad thing.

When using the following search at google:

microsoft mvc beta

I get a list of link context that looks good, but the links referenced are link farm sites.

I do NOT get this in Firefox 3.0, Chrome 1 or IE 7. But 3.1 is doing something bad. No other application seems to be affected so I don't suspect that I've been compromised lower down the stack but...

Has anyone else seen it?

I thought I was nuts. removed what I had installed and went back and downloaded the freshest Beta 2 directly from Mozilla (anl.gov link mirror) and the same thing happens.

This is a bit worrisome!

Example links and/or screen shot?

[DingleBerries]

Be sure that in the preferences you have checked the "warn me of suspicious sites, and/or attack site" in the security tab.

[Sparda]

Also a trace using tamper data could be potentially useful.

[WhollyMindless]

Unfortunately I've left that machine for the weekend. No other machines I have (so far) duplicated the behavior - but I haven't put the same versions on them either.

This is the URL to the query I was using.

http://www.google.com/search?hl=en&q=m...mp;aq=f&oq=

I can't be sure that it will actually trigger the behavior as I've been going directly to http://www.google.com and typing in the query "microsoft mvc beta". (without quotes)

I'll check for more later. As far as links/screenshots, they aren't that interesting. It's not hidden, the domain displayed in the link (This a correct link):

Download details: MVC Beta

Oct 15, 2008 ... The ASP.NET MVC Beta release provides a new Model-View-Controller (MVC) framework on top of the existing ASP.NET 3.5 runtime.

www.microsoft.com/downloads/details.aspx?familyid=a24d1e00-cd35-4f66-baa0-2362bdde0766 - 35k - Cached - Similar pages -

in the bottom right corner (www.microsoft.com on this one) points to sites like www.vitamonline.com or www.bottomdollar.com or www.couponworld.com (I can't remember right now, I'm just not in front of it). The link at the top shows the text of the link (like normal) but the link itself points to the domain in the bottom left corner.

The interesting thing to note is that every returned link was to a link farm sites.

No other browser or my Firefox 3.0.4 exhibited the same behavior. I didn't try any other queries but I had used it for a couple days before seeing this. I think that the query might be a trigger.

Unfortunately it's a work machine and so has a less than stellar virus scanner by default (Computer Associates) but between ClamAV and Spybot nothing at all could be found.

[DingleBerries]

Yeah, I cant get that same behaviour, FF 3.0.4 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111318 Linux Mint/6 (Felicia) Firefox/3.0.4. I would be sure to submit a bug report though as soon as you can. Good looking out, my not try the beta for a bit.

[WhollyMindless]

Followup information -

I find that the 3.0.5 also does it. Only Web Search results are touched, other features aren't translated.

Attached are some screenshots.

About Box

Addons

plugins

Results

ResultsHak5

shows that all web searches are translated - it's not the original text that triggered the translation - Note video links at bottom are untouched - top google "menu" options are untouched as well

VideoResults

no links touched - Image too large to add, but it's not interesting

No other service pages appear to be touched, only web results.

I'll see what I can do about tracing the connections - I'm on a corporate network here so I really don't think I want to fire up wireshark. I still haven't found another machine that does this same thing. So I'm still hoping that someone else will be able to duplicate this in a location that is more suitable for sniffing/tracing.

[DingleBerries]

Will you post that full url, as it seems different than the one you posted before.

[Sparda]

There is some thing a bit odd going on there. You get owned and haven't realised it yet? Possible.

Tamper data trace please!

[jkdelauney]

There is some thing a bit odd going on there. You get owned and haven't realised it yet? Possible.

Tamper data trace please!

I'm going to have to go with Sparda on this one. I'm using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2 and can not reproduce your results.

I think you might want to check your system, sir. :/

[WhollyMindless]

Found it - now to hunt it down and kill and and wonder why just firefox and not chrome/ie..

http://miekiemoes.blogspot.com/2008/10/fak...archengine.html

Apparently it's being missed by a lot of tools.

I'll post when I get it cleaned out. Lots of interruptions here.

[WhollyMindless]

Fixed. That was weird. I'll let you guys read for real details, but deleting sysaudio.sys from c:\windows\system32 (which is the WRONG place for this file) and cleaning up the registry solves the problem for now. It appears that it's mutating pretty fast and changing fake IP addresses.

The good news is that it's not as persistent as some I've seen (and tried to rip out).

Thanks for walking me through it AND - Sparda was right - Tamper Data is an awesome Firefox plugin for hunting this kind of stuff. (I noticed that a site at http://1.2.3.0 was injecting javascript code... With that handle I was able to find it.

[DingleBerries]

So was it some sort of malicious code attached to your download, or did you get it in some other way either way great info incase this happens to someone elese

From the blog comments

This one is/was getting installed via a "Yahoo! Counter starts here" javascript (which is a malicious script and not related with Yahoo) injected on many forums/sites/blogs. So this means that even legitimate sites can install this malware. In most of the cases, their forum, blog, whatever, is being "hacked" and the malicious script is loaded/installed. So whoever enters that site and "automatically "accepts the script, gets infected. That's why it's a good idea to use Firefox as browser WITH the NOscript extension installed: http://noscript.net/ . Then you can allow or deny what scripts to load etc... And if you're unsure, just select to deny the script. :)