Security Information and Review

Collection of security information and review

Critical Vulnerability in Mozilla Firefox, Belmoo and Nobel Peace Prize Site

Author : Admin

A new vulnerability has been found in Mozilla Firefox v3.5 and v3.6. It is caused by an unspecified error and can be exploited to execute arbitrary code by tricking a user into visiting a specially crafted site. If a user visits such a site, malware can be installed on the user's computer without warning. The malware is delivered and installed by malicious JavaScript that exploits the vulnerability in Firefox v3.5 and v3.6.

The malware (a Trojan) was initially reported live on the Nobel Peace Prize site, and that site is now blocked by Firefox's built-in malware protection. However, the exploit code could still be live on other sites. The malicious JavaScript is detected as Exploit:JS/Belmoo and the payload as Backdoor:Win32/Belmoo.A (Trend Micro: BKDR_NINDYA.A).

Belmoo is a Windows executable of 48640 bytes, written in C, without compression or encryption. It was apparently created on October 24, 2010. This trojan is known to be delivered via JavaScript when browsing a hacked website with Firefox. When run, the trojan copies itself into the <%WINDOWS%>\temp folder and creates registry values so that it is started at boot. It uses the reg command-line tool to make the registry modification rather than modifying the registry directly from the program:

  • Creates file [WINDIR]\temp\symantec.exe.
  • Creates value "Microsoft Windows Update"="[WINDIR]\temp\symantec.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
  • Creates value "Microsoft Windows Update"="[WINDIR]\temp\symantec.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
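The two persistence indicators above (the Run-key value name and the drop path under the Windows temp folder) can be checked against a registry export and against process logs showing reg.exe usage. The script below is an added example written for this post; it is not code from the original write-up or from Norman, Microsoft or Trend Micro. The .reg export text and the process-log lines are constructed, and the exact `reg add /v ... /d ... /f` syntax the trojan uses is an assumption: the write-up only says it uses the reg command line.

```python
"""Check a .reg-style export of the Run keys and process-creation log lines
for the Belmoo persistence pattern. All sample input below is constructed."""
import re

# Indicators taken from the write-up: value name and drop location.
IOC_VALUE_NAME = "Microsoft Windows Update"
IOC_PATH_RE = re.compile(r"\\temp\\symantec\.exe$", re.IGNORECASE)

# Constructed export as produced by "reg export" (backslashes are doubled).
CONSTRUCTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\reader_sl.exe"
"Microsoft Windows Update"="C:\\WINDOWS\\temp\\symantec.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe /tray"
"""

# Constructed process-creation log lines; the reg.exe syntax is assumed.
CONSTRUCTED_PROCESS_LOG = [
    r'10:14:02 parent=C:\WINDOWS\temp\symantec.exe cmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Update" /d C:\WINDOWS\temp\symantec.exe /f',
    r'10:14:02 parent=C:\WINDOWS\temp\symantec.exe cmd=reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Update" /d C:\WINDOWS\temp\symantec.exe /f',
    r'10:20:11 parent=C:\WINDOWS\explorer.exe cmd=reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
]

# reg.exe (optionally with .exe) adding a value under any ...\CurrentVersion\Run key
REG_ADD_RUN_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(HK(?:CU|LM|EY_[A-Z_]+)\\[^"\s]*\\CurrentVersion\\Run)"?',
    re.IGNORECASE,
)


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # Undo the export's escaping of backslashes and quotes.
                name = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                yield key, name, data


def suspicious_run_entries(text):
    """Return findings for Run-key values matching the Belmoo indicators."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        exe = data.strip('"').split(" /")[0]  # drop trailing switches
        reasons = []
        if name == IOC_VALUE_NAME:
            reasons.append("value name matches Belmoo persistence entry")
        if IOC_PATH_RE.search(exe):
            reasons.append("points to [WINDIR]\\temp\\symantec.exe")
        elif re.search(r"\\temp\\", exe, re.IGNORECASE):
            reasons.append("autorun launched from a temp directory")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


def reg_add_run_commands(lines):
    """Return log lines in which reg.exe is used to add a Run-key autorun."""
    return [line for line in lines if REG_ADD_RUN_RE.search(line)]


if __name__ == "__main__":
    for f in suspicious_run_entries(CONSTRUCTED_REG_EXPORT):
        print(f["key"], f["name"], "->", f["data"], "|", "; ".join(f["reasons"]))
    for line in reg_add_run_commands(CONSTRUCTED_PROCESS_LOG):
        print("reg.exe autorun:", line)
```

The registry check deliberately flags any autorun launched from a temp directory, not only the exact Belmoo path, since a renamed dropper would otherwise slip past; the reg.exe check does the same for any Run key, so both produce a small number of candidates to review rather than a single-sample signature.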

The malware will attempt to resolve two Internet addresses: nobel.usagov.mooo.com and update.microsoft.com. After this it will attempt to connect alternately to two other Internet addresses: l-3com.dyndns-work.com and l-3com.dyndns.tv. If none of these addresses resolve, the malware will exit.

If the first address resolves, the malware will attempt to connect to it on port 443/tcp. If this connect fails, the malware will instead attempt to connect to the second address on port 80/tcp, presumably to get past firewalls. If either connect succeeds, the malware attaches a command shell to the opened socket, giving the attacker access to the local computer with the same rights as the logged-on user.
After the shell has been closed, the malware waits a semi-random amount of time, at minimum one minute, before retrying.
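The beaconing sequence just described leaves a recognisable trace in DNS and firewall logs: a lookup of the C2 names, a connect attempt to port 443, and on failure a connect to port 80 from the same host shortly after. The script below is an added example for this post, not code from the original write-up or from the sources it cites; the DNS and connection log lines and the 60-second fallback window are constructed for the example. Note that update.microsoft.com, which the sample also resolves, is a legitimate Microsoft host and is deliberately not used as an indicator on its own.

```python
"""Correlate constructed DNS and firewall log lines to spot the Belmoo
beacon: a lookup of a C2 name plus a failed 443 connect followed by an
80 connect from the same source host."""
from collections import defaultdict
import re

# C2 names from the write-up. update.microsoft.com is omitted on purpose.
C2_DOMAINS = {"nobel.usagov.mooo.com", "l-3com.dyndns-work.com", "l-3com.dyndns.tv"}

# Constructed DNS query log (time src query type).
CONSTRUCTED_DNS_LOG = [
    "10:01:02 src=10.0.0.15 query=update.microsoft.com A",
    "10:01:02 src=10.0.0.15 query=nobel.usagov.mooo.com A",
    "10:01:03 src=10.0.0.15 query=l-3com.dyndns-work.com A",
    "10:01:04 src=10.0.0.15 query=l-3com.dyndns.tv A",
    "10:05:30 src=10.0.0.22 query=update.microsoft.com A",
]
# Constructed firewall connection log; 192.0.2.0/24 is documentation space.
CONSTRUCTED_CONN_LOG = [
    "10:01:03 src=10.0.0.15 dst=192.0.2.10 dport=443 action=deny",
    "10:01:04 src=10.0.0.15 dst=192.0.2.11 dport=80 action=allow",
    "10:02:10 src=10.0.0.15 dst=192.0.2.10 dport=443 action=deny",
    "10:02:11 src=10.0.0.15 dst=192.0.2.11 dport=80 action=allow",
    "10:05:31 src=10.0.0.22 dst=192.0.2.50 dport=443 action=allow",
]

LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d)\s+(.*)")


def _fields(line):
    """Split 'HH:MM:SS key=value ...' into (seconds since midnight, dict)."""
    h, mi, s, rest = LINE_RE.match(line).groups()
    kv = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return int(h) * 3600 + int(mi) * 60 + int(s), kv


def c2_lookups(dns_lines):
    """Map each source host to the set of C2 names it resolved."""
    hosts = defaultdict(set)
    for line in dns_lines:
        _, kv = _fields(line)
        name = kv.get("query", "").lower().rstrip(".")
        if name in C2_DOMAINS:
            hosts[kv["src"]].add(name)
    return dict(hosts)


def fallback_pairs(conn_lines, window=60):
    """Return (src, t_443, t_80) where a non-allowed 443 connect is followed
    within `window` seconds by an 80 connect from the same host."""
    pending = {}  # src -> time of the last failed 443 attempt
    pairs = []
    for line in conn_lines:
        t, kv = _fields(line)
        src, dport, action = kv["src"], kv["dport"], kv["action"]
        if dport == "443" and action != "allow":
            pending[src] = t
        elif dport == "80" and src in pending and 0 <= t - pending[src] <= window:
            pairs.append((src, pending.pop(src), t))
    return pairs


def correlate(dns_lines, conn_lines):
    """Flag hosts that both resolved a C2 name and showed the 443->80 fallback."""
    lookups = c2_lookups(dns_lines)
    findings = []
    for src, t443, t80 in fallback_pairs(conn_lines):
        if src in lookups:
            findings.append({"src": src, "c2_names": sorted(lookups[src]), "fallback_at": t80})
    return findings


if __name__ == "__main__":
    for f in correlate(CONSTRUCTED_DNS_LOG, CONSTRUCTED_CONN_LOG):
        print(f"{f['src']} resolved {f['c2_names']} then fell back to 80/tcp at t={f['fallback_at']}s")
```

Requiring both the name lookup and the port fallback keeps ordinary browsers, which also retry on port 80 after a blocked HTTPS connect, out of the results; the second constructed pair at 10:02 also illustrates the retry the write-up describes after the shell is closed, roughly a minute after the first.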

The Firefox vulnerability can be mitigated by disabling JavaScript or by using the "NoScript" add-on. To protect our computer or system against infection, follow these steps:

  1. Enable a firewall on our computer.
  2. Get the latest computer updates for all our installed software.
  3. Use up to date antivirus software.
  4. Limit user privileges on the computer.
  5. Use caution when opening attachments and accepting file transfers.
  6. Use caution when clicking on links to webpages.
  7. Avoid downloading pirated software.
  8. Use strong passwords.
  9. Protect yourself against social engineering attacks.

Sources: Norman, Microsoft, TSOC-blogg

Categories: SQL Server Security - Virus Security
Do you people have a Facebook fan page? I looked for one on Twitter but could not discover one. I would really like to become a fan!
17 November 10 at 08:38
If you like this post, please leave messages / comments.