Malware in Firefox?

Bug #99759 reported by Bob Stoll
Affects: firefox (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Mozilla Bugs
Milestone: (none)

Bug Description

I started playing with the Feisty beta and was having trouble getting to the internet with firefox (adblock and forecastfox plugins installed). My firewall (Check Point FW-1/VPN-1 Edge device) logs show the traffic is being dropped because it is infected with ISTbar, which is adware.

I did a little snooping with Wireshark and found that it indeed is adding what looks like ISTbar headers in the first http get request:

No. Time Source Destination Protocol Info
      4 0.014406 192.168.0.2 192.168.0.1 HTTP GET /StatBar.html HTTP/1.1

Frame 4 (569 bytes on wire, 569 bytes captured)
Ethernet II, Src: AsustekC_41:46:d5 (00:0e:a6:41:46:d5), Dst: Sofaware_72:16:a7 (00:08:da:72:16:a7)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 53923 (53923), Dst Port: www (80), Seq: 1, Ack: 1, Len: 503
Hypertext Transfer Protocol
    GET /StatBar.html HTTP/1.1\r\n
    Host: 192.168.0.1\r\n
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)\r\n
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    Referer: http://192.168.0.1/StatBar.html\r\n
    Cookie: session=Utbs5RzctZSXj8dgioVg\r\n
    \r\n

I didn't see this behavior on Edgy with the browser in the same configuration.

Alexander Sack (asac) wrote : Re: [Bug 99759] Malware in Firefox?

On Sun, Apr 01, 2007 at 02:15:36PM -0000, Bob Stoll wrote:
> Public bug reported:
>
> I started playing with the Feisty beta and was having trouble getting to
> the internet with firefox (adblock and forecastfox plugins installed).
> My firewall (Check Point FW-1/VPN-1 Edge device) logs show the traffic
> is being dropped because it is infected with ISTbar, which is adware.

Is this a kind of proxy server which doesn't let you through?

>
> I did a little snooping with Wireshark and found that it indeed is
> adding what looks like ISTbar headers in the first http get request:
>
> No. Time Source Destination Protocol Info
> 4 0.014406 192.168.0.2 192.168.0.1 HTTP GET /StatBar.html HTTP/1.1
>

Please try to change the user agent in about:config to something
else (e.g. feisty -> fety) ... does it help?

> Frame 4 (569 bytes on wire, 569 bytes captured)
> Ethernet II, Src: AsustekC_41:46:d5 (00:0e:a6:41:46:d5), Dst: Sofaware_72:16:a7 (00:08:da:72:16:a7)
> Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
> Transmission Control Protocol, Src Port: 53923 (53923), Dst Port: www (80), Seq: 1, Ack: 1, Len: 503
> Hypertext Transfer Protocol
> GET /StatBar.html HTTP/1.1\r\n
> Host: 192.168.0.1\r\n
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)\r\n
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
> Accept-Language: en-us,en;q=0.5\r\n
> Accept-Encoding: gzip,deflate\r\n
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
> Keep-Alive: 300\r\n
> Connection: keep-alive\r\n
> Referer: http://192.168.0.1/StatBar.html\r\n
> Cookie: session=Utbs5RzctZSXj8dgioVg\r\n
> \r\n
>
>
> I didn't see this behavior on Edgy with the browser in the same configuration.

Try if you get problems when changing the user agent string to contain
feisty (I guess the "ist" substring is important).

Thanks,

 - Alexander

Bob Stoll (bob-stoll-family) wrote :

Alexander Sack wrote:
> On Sun, Apr 01, 2007 at 02:15:36PM -0000, Bob Stoll wrote:
>
>> Public bug reported:
>>
>> I started playing with the Feisty beta and was having trouble getting to
>> the internet with firefox (adblock and forecastfox plugins installed).
>> My firewall (Check Point FW-1/VPN-1 Edge device) logs show the traffic
>> is being dropped because it is infected with ISTbar, which is adware.
>>
>
> Is this a kind of proxy server which doesn't let you through?
>
No. It's a stateful packet filter that does header checking.
Specifically, it's Check Point's SmartDefense function that is picking
this up. I work with this product on a daily basis and it's usually
pretty good about not sounding a false alarm.

I changed the user agent setting as you suggested which solved the
problem. Apparently SmartDefense was being overly strict on limiting
that header. I will open a case with Check Point to inform them of the
problem. There are a lot of Ubuntu desktops that will be upgrading to
Feisty soon so I'm pretty sure this won't be the last time this comes
about.

Regards,
Bob...

Changed in firefox:
assignee: nobody → mozilla-bugs
status: Unconfirmed → Needs Info
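The false positive described in this thread, as an added Python illustration that is not from the thread or from Check Point: it assumes, as Alexander guessed, that a loose signature keys on the bare substring "ist" in the User-Agent, and contrasts that with a signature anchored on the adware's own product token. The request is reconstructed from the headers shown above; the ISTbar User-Agent is a constructed sample.

```python
import re

# Reconstructed from the Wireshark capture in the report (a subset of the headers).
FEISTY_REQUEST = (
    "GET /StatBar.html HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) "
    "Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed sample of what a real adware-tagged User-Agent might look like
# (hypothetical; not a captured ISTbar string).
ADWARE_REQUEST = (
    "GET /StatBar.html HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ISTbar)\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into a dict keyed by lower-cased header name."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def loose_signature(user_agent: str) -> bool:
    """Assumed loose rule: any case-insensitive 'ist' substring fires."""
    return "ist" in user_agent.lower()


def token_signature(user_agent: str) -> bool:
    """Tightened rule: the product token 'ISTbar' as a whole word only."""
    return re.search(r"\bISTbar\b", user_agent, re.IGNORECASE) is not None


def classify(raw: str) -> dict:
    """Run both rules over a request; keys: 'loose' and 'token'."""
    ua = parse_headers(raw).get("user-agent", "")
    return {"loose": loose_signature(ua), "token": token_signature(ua)}
```

With the Ubuntu-feisty request the loose rule fires on "feisty" while the token rule does not; with the constructed ISTbar request both fire, which is the behaviour a header-inspecting filter should have.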