MSFT exposes Firefox users to drive-by malware download

[kodi]

More

 

[Jacee]

This would be a "goored" type of infection ... I'm not sure, but I think MalwareBytes' have been working on this bit of malware.

This is an example when scanned with Gooredfix:
=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{E616A495-EBCA-4F9D-84B9-D04016D33CA9}

C:\Program Files\Mozilla Firefox\extensions\{775372EE-D619-4557-A9CC-44BB47A03EFA}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

 

[Teerex]

I assume that now that the vulnerability in question has been fixed, this is now moot, except as a new warzone in Mozilla Foundation- Microsoft wars?

 

[Jacee]

It's a DNS redirection (including the hosts file) exploit. It can be 'fixed'. I don't see it as a war between MS and FF, but if you do, then you have your reasons.

Known as the "goored" infection, this is a Firefox hijacker that targets a variety of search engines:
Google, Yahoo, Msn, AOL and Ask.

Usually, the first sign of infection is that upon starting Firefox, you receive a notification that "1 new Add-on has been installed", although you did not knowingly install anything. When using any of the above search engines, you may notice that during the search you see names like zfsearch.com, v1.adwarefeed.com flash past in your status bar

 

[Teerex]

It seems to me that you are kinda confused about the topic. This is about a Firefox attack vector opened up by a vulnerability that was just patched.

What the heck're you writing about?

 

[Jacee]

No, I'm not confused ..... this is the application that was added by MS .... Reason to avoid!
Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: *remote code execution vulnerability

*Drive-by malware download can easily redirect DNS and change the Hosts file.

The 'fix' was posted here quite a while back. This is the article
Annoyances.org - Remove the Microsoft .NET Framework Assistant (ClickOnce) Firefox Extension

I was talking about 'Goored', which is a drive-by malware download. We have a tool to 'fix' the Goored malware.

Now, if you look at my above posts, do you see where I'm coming from?

 

[Teerex]

Yeah, but the connection is a bit loose, don't you think?

Anyways, Mozilla blocked both the extension and the plugin on the eve off Saturday.