October 26, 2010

The Web site for the Nobel Peace Prize has been serving up malicious software that takes advantage of a newly-discovered security hole in Mozilla Firefox, computer security experts warned today.

Oslo-based Norman ASA warned that visitors who browsed the Nobel Prize site with Firefox while the attack was active early Tuesday may have had malicious software silently installed on their computers without warning.

Mozilla just posted a blog entry saying it is aware of a critical vulnerability in Firefox 3.5 and 3.6, and that it has received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild. The software firm isn’t saying much more about the flaw for now.

Mozilla says it is developing a fix, which it plans to deploy as soon as it has been tested. In the meantime, Firefox users can mitigate the threat from this flaw by using a script-blocking add-on like NoScript.

Update, 6:40 p.m. ET: I just heard back from Norman ASA malware analyst Snorre Fagerland via e-mail, and he has provided a bit more technical analysis of what’s going on with this Firefox flaw and with the exploit they discovered. Fagerland says the vulnerability is related to a “use-after-free condition” in certain objects, exploited through Javascript.

“Shellcode and a large heapspray is involved,” Fagerland wrote. “The script that does this checks for the following versions:

firefox/3.6.8
firefox/3.6.9
firefox/3.6.10
firefox/3.6.11

…and it checks that it is NOT running Vista or Win7 (Windows versions 6.0 and 6.1), pretty much limiting the attack to XP-family OS’s. The underlying vulnerability is confirmed to also affect Firefox 3.5x series, but we have not seen exploit code that attacks this.”

Update, Oct. 27, 11:50 p.m. ET: Mozilla has opened up the bug report on this flaw.


16 thoughts on “Nobel Peace Prize Site Serves Firefox 0day

  1. Russ

    I’m sure there are several sites hosting malware that takes advantage of this 0-day exploit, either from being compromised or by design. Norman is dropping the Nobel for the big name, not because of the enormous volume of users it may potentially affect. Unless the Nobel Prize website started beating back Yahoo or Google in user count when no one was looking.

  2. Andy

    I have read the information on Norman ASA’s website, it is a Windows executable so I won’t worry about it, running Linux. I will however add a new entry to my blog and email my mailing, plus add it to my status on Facebook so as many people as possible are aware.

    Thank you Brian. keep up the good work.

  3. JS

    If its a trojan payload what demographic is the target. Who is to be snared?

    The announcement for Liu Xiaobo points to those who would want to gain access to the machines of those opposing China’s policies.

    I quake at the blackness of heart of anyone who would take advantage of students and other professional persons ie the press, engineers, teachers…

    Anyhow who was the one the broke into Google? What were they fishing for? Who were the targets?

    Hmm…
    I figure all this to put some thumbscrews on certain “peaceniks”….

    Its like an Agatha Christie mashup with Tom Clancy

  4. SFdude

    As mentioned in a previous comment here,
    this is 99% caused by the Chinese gov’t being angry at the Nobel Prize Committee, for giving the Nobel Peace Prize to Liu Xiaobo.

    The correlation is clear!

    He’s now under arrest in his own country.
    His family and even foreign journalists cannot visit him.

    What is remarkable is that the Chinese gov’t,
    has decided to attack anyone for just visiting the Nobel Prize web site.

    An omen of what they are capable of?

  5. AlphaCentauri

    Is the Nobel site accessible from China, or is it behind the Great Firewall? It seems like it would be infecting Chinese residents of all political persuasions, as there are a lot of pirated copies of older Microsoft OS’s there.

    1. JS

      It would be interesting if not just OS fingerprint but now MUI & language pack was be used as consideration of targets for infection.

      A targeted trojan would yield the surveillance & intel to figure out who is worth to go after next.

      Casting a wide net doesn’t hurt either as you get traffic lost in the background noise.

      However the question in my mind comes now is what old vector / XSS attack or some new vector yet to be discovered was the means for the compromising the Linux Server that was giving out the malware.

      — Netcraft.org says apache/RH 2.2.3 since April 2010.

      Alexis est 160000 daily vists and 1/2 mil page views a day ….

      I’ve just added recheck egress log/filtering on firewalls & word filters to my todo list…

      However it doesn’t mean the vector is solely through nobelprize.org

      It will be interesting how the privacy laws of the hosting country Sweden will be a help/impediment to determining the crime scene & its impact

    2. Greg

      The Chinese hypothesis is interesting.

      I’m no expert on the great Firewall, but I believe it can be bypassed by VPNs and perhaps in other ways. That’s a concession the China makes to foreign businesses that need confidentiality.

      Sophisticated Chinese can bypass the Firewall in similar ways, but most Chinese won’t have access. So, this might make sense for the PRC, but that doesn’t rule out other sources.

  6. Christopher Kunz

    I, too, wonder about the target demographic. It seems that the exploit “naturally” limits it to XP-family OSes, which still seems to be a large chunk, especially in piracy-heavy regions.

    However, one more thing hints at an targetted attack IMHO: It would seem that this is not your average botnet herder increasing the size of their flock – seeing that all the exploit binary purportedly does is open a connect-back shell. This would be very unusual for a botnet payload, wouldn’t it?

  7. Jonathon

    I loved Firefox, but I’m afraid it’s heyday is over. We need to accept that right now Firefox is the most vulnerable of the top three. If it wasn’t, the hackers surely would have been more effective exploiting an IE vulnerability.

    1. LonerVamp

      What makes you claim that Firefox is the most vulnerable?

      What makes you think Chrome or IE are better?

      Are you including addons/functionality like NoScript that improves the security?

      1. Jonathon

        I should have been clear that I’m not including Firefox’s NoScript, which I consider the ultimate tool for browsing security. However, in my experience as an admin most of your average users just don’t want/don’t know how to mess with NoScript. They often just end up allowing scripts globally or just “allow all this site” for every site they want to view correctly (My wife does this, and I come in after her and revoke all the permissions she allows).

        I maintain that without NoScript, I believe Firefox is now the most vulnerable browser. Open Source is great, but when the closed source megacorps (Microsoft/Google) get serious, Open Source doesn’t stand a chance.

        1. Joshua

          I’d have to see some proof before I agreed it was the most vulnerable. But the fact that it is open source has MANY advantages over closed source proprietary code. For one, they shipped a patch in LESS THAN 3 DAYS!!! Find me closed source software that will patch a major vulnerability that quick…yeah, you won’t. Second, since it is open source many add-on’s can be created to help mitigate future vulnerabilities or other dangerous actions encounterd while using your browser. Again, won’t see that with IE. The reason why you see FireFox pop up is due to popularity. People don’t want to use IE anymore, Chrome is still too new and Safari and Opera just don’t have the user base (yet) to worry about. The other reason you don’t hear of IE much anymore, is because they are now using Java/Adobe as infection methods instead and/or the tards are still using unsupported IE 6. If you ever want to see how out out of date peoples computers are, check out some of the malware removal forums like http://forums.techguy.org/54-virus-other-malware-removal/ or Bleeping Computer on Brian’s blog roll. Open source son, open source. I’d rather have the whole world on my side than rely on a few hundred/thousand coders at individual companies all competing against each other. Open source = passion, the rest is a paycheck.

  8. LonerVamp

    @Brian: Thanks for posting the update. I hadn’t really heard much discussion yet on the Firefox 0day, which I find more interesting than yet another trojan payload. (Albeit, an interesting one that kicks back a shell.)

    @target demographics: The sorts of people who visit the Nobel site are probably of a certain crust in society, or at least in general. If you can open shells to those people, chances are you’re going to gain a foothold into some interesting places that work on very interesting things… I doubt they much care about John Doe farmer in Nebraska checking out the prize-winners from his home connection.

    Theorizing about XP is worthwhile, but it may be the exploit-writer was only successful against XP and not newer versions. This wouldn’t be uncommon when attacking memory space.

  9. Joshua

    @Jonathan–ALL software has vulnerablities. Their isn’t a software program that can’t be exploited if given enough time, attention and oppurtunity. It just so happens that Firefox is extremely popular, so in lies the incentive.

  10. diocyde

    Just so you know, the Firefox 0-day and the Flash 0-day are both launched by the same chinese cyber operators that have burned approximately 10-15 0-days in the past 2 years targeting the Western world will all manner of targeted attacks. It is about time A message be sent that this actively will not go unanswered and their will be consequences. The domains and malware on both attacks are the same that have been launched against highly targeted interests a number of times in the past. If you would like to challenge my assumptions, go for it, at the end of the day you just might leave with your jaw on the floor.

    I repeat, these two attacks are linked. The only thing thats interesting is the fact that they needed to burn so many in such a limited time span. Of course there is a China angle, They are hella pissed over the Nobel award to a dissenter. They wage aggressive cyber operations against dissenters in their country and outside of their country.

    From an opsec and sloppieness perspective they are just dam horrible, they should be ashamed of their tradecraft. Silly Dragon. 0-days are for ninjas.

    -Diocyde diocyde.wordpress.com

Comments are closed.