« Koobface Worm on the rise again
New DNS Changer Trojan »

Firefox 3.5 exploit (with out of date plugins)

July 7th, 2009

Edit: As reported by F-Secure, this is not an exploit with Firefox itself. It is using out of date plugins to launch its payload.

Sorry for the confusion.

Think you are safe browsing the web with the latest version of Firefox? Well, maybe not…

Today I found a malicious web site that triggers a drive-by download and will infect your PC. You can watch it happen here.

Interestingly, IE7 is not vulnerable to the attack. The browser will crash instead of letting the payload happen:

crash

The exploit seems to be triggered by a malicious JavaScript line:

exploit1

exploit2

At first I thought that the domain pushing this malicious JavaScript had been hacked, but I’m not so sure now. Or at least, it has some rather odd connections (same nameserver), like porn sites???

domains sharing nameservers under another name 6.21.72.in-addr.arpa

7.21.72.in-addr.arpa

adagencypro.com

arpsystems.com

bigblogworld.com

blogsbyindia.com

buy-web-site-traffic.net

buy-web-traffic.net

buy-website-traffic.net

byindia.com

byindia.net

centurygroupus.com

cheapcoder.com

classifiedsbyindia.com

constituentbuilder.com

crayground.com

directorybyindia.com

ebenefitsprocessing.com

emailresponsepro.com

familyhomepages.com

flyadspro.com

free-movie-porn.net

freeseal.net

freestuffmakemoney.com

funnyphotos-funnyvideos.com

funnyvideoworld.com

getmyfreeseal.com

getmyseal.com

getmyseal.net

hobbitsloveal.com

hobbitsloverandy.com

hothomepages.com

improve-search-engine-ranking.net

live-websupport.com

live-websupport.net

miilikewii.com

millionnewjobs.com

miredlatina.com

mycollegemates.com

myjokespace.com

mylaughspace.com

myprayerclub.com

myprayersclub.com

mysickspot.com

mywhipspot.com

nightwolfemedia.com

onlinepulpit.com

picturesofporn.net

porn-gallery-free.com

pornpicfree.net

searchbyindia.com

searchenginerankingcompany.net

sexyhomepages.com

sexysupplystore.com

sickspot.com

tuluso.net

video-free-porn.com

voiceresponsepro.com

web-site-rank.com

web2corp.com

web2corporation.com

web2corporation.net

websiteowner.com

websitepromotionsscompany.com

Those sites are dangerous, please use caution!

Jerome Segura

RSS feed to this site Twitter Linkedin YouTube Channel

 

RSS feed to this site Jerome Segura is a Security Analyst working at ParetoLogic.

You can contact him at:
MalwareDiaries Email

 

Pages




Security Software




Malware Top 10




Archives




Categories
 
 
 

© 2009 ParetoLogic Inc.