Malware in Firefox?

Bug #99759 reported by Bob Stoll on 2007-04-01
Affects: firefox (Ubuntu)
Importance: Undecided
Assigned to: Mozilla Bugs

Bug Description

I started playing with the Feisty beta and was having trouble getting to the internet with firefox (adblock and forecastfox plugins installed). My firewall (Check Point FW-1/VPN-1 Edge device) logs show the traffic is being dropped because it is infected with ISTbar, which is adware.

I did a little snooping with Wireshark and found that it indeed is adding what looks like ISTbar headers in the first http get request:

No. Time Source Destination Protocol Info
      4 0.014406 192.168.0.2 192.168.0.1 HTTP GET /StatBar.html HTTP/1.1

Frame 4 (569 bytes on wire, 569 bytes captured)
Ethernet II, Src: AsustekC_41:46:d5 (00:0e:a6:41:46:d5), Dst: Sofaware_72:16:a7 (00:08:da:72:16:a7)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 53923 (53923), Dst Port: www (80), Seq: 1, Ack: 1, Len: 503
Hypertext Transfer Protocol
    GET /StatBar.html HTTP/1.1\r\n
    Host: 192.168.0.1\r\n
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)\r\n
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    Referer: http://192.168.0.1/StatBar.html\r\n
    Cookie: session=Utbs5RzctZSXj8dgioVg\r\n
    \r\n

I didn't see this behavior on Edgy with the browser in the same configuration.

On Sun, Apr 01, 2007 at 02:15:36PM -0000, Bob Stoll wrote:
> Public bug reported:
>
> I started playing with the Feisty beta and was having trouble getting to
> the internet with firefox (adblock and forecastfox plugins installed).
> My firewall (Check Point FW-1/VPN-1 Edge device) logs show the traffic
> is being dropped because it is infected with ISTbar, which is adware.

Is this a kind of proxy server which doesn't let you through?

>
> I did a little snooping with Wireshark and found that it indeed is
> adding what looks like ISTbar headers in the first http get request:
>
> No. Time Source Destination Protocol Info
> 4 0.014406 192.168.0.2 192.168.0.1 HTTP GET /StatBar.html HTTP/1.1
>

Please try to change the user agent in about:config to something
else (e.g. feisty -> fety). Does it help?

> Frame 4 (569 bytes on wire, 569 bytes captured)
> Ethernet II, Src: AsustekC_41:46:d5 (00:0e:a6:41:46:d5), Dst: Sofaware_72:16:a7 (00:08:da:72:16:a7)
> Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
> Transmission Control Protocol, Src Port: 53923 (53923), Dst Port: www (80), Seq: 1, Ack: 1, Len: 503
> Hypertext Transfer Protocol
> GET /StatBar.html HTTP/1.1\r\n
> Host: 192.168.0.1\r\n
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)\r\n
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
> Accept-Language: en-us,en;q=0.5\r\n
> Accept-Encoding: gzip,deflate\r\n
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
> Keep-Alive: 300\r\n
> Connection: keep-alive\r\n
> Referer: http://192.168.0.1/StatBar.html\r\n
> Cookie: session=Utbs5RzctZSXj8dgioVg\r\n
> \r\n
>
>
> I didn't see this behavior on Edgy with the browser in the same configuration.

Try whether you get problems when changing the user agent string to contain
"feisty" (I guess the "ist" substring is important).

Thanks,

 - Alexander

Bob Stoll (bob-stoll-family) wrote:

Alexander Sack wrote:
> On Sun, Apr 01, 2007 at 02:15:36PM -0000, Bob Stoll wrote:
>
>> Public bug reported:
>>
>> I started playing with the Feisty beta and was having trouble getting to
>> the internet with firefox (adblock and forecastfox plugins installed).
>> My firewall (Check Point FW-1/VPN-1 Edge device) logs show the traffic
>> is being dropped because it is infected with ISTbar, which is adware.
>>
>
> Is this kind of proxy server which doesn't let you through?
>
No. It's a stateful packet filter that does header checking.
Specifically, it's Check Point's SmartDefense function that is picking
this up. I work with this product on a daily basis and it's usually
pretty good about not sounding a false alarm.

I changed the user agent setting as you suggested which solved the
problem. Apparently SmartDefense was being overly strict on limiting
that header. I will open a case with Check Point to inform them of the
problem. There are a lot of Ubuntu desktops that will be upgrading to
Feisty soon so I'm pretty sure this won't be the last time this comes
about.

Regards,
Bob...
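
The thread points at an over-broad User-Agent signature: something in the Feisty string (Alexander's guess is the "ist" substring, since renaming "feisty" made the block go away) trips a rule meant for ISTbar. The following is an added illustration, not code from the bug report or from Check Point: it replays the request captured above against a hypothetical loose rule (any "ist" in the User-Agent) and a tightened rule that requires the whole "istbar" token, using a constructed adware-style User-Agent as the second input.

```python
import re

# The request head as captured in the bug report (Wireshark output above).
FEISTY_REQUEST = (
    "GET /StatBar.html HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) "
    "Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "\r\n"
)

# Constructed sample: an adware-tagged User-Agent that should fire. This is
# not a real ISTbar string; it only exists to exercise both rules.
ADWARE_REQUEST = (
    "GET /StatBar.html HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; ISTbar)\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> dict:
    """Split an HTTP/1.x request head into a dict keyed by lower-cased header name."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:           # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

# Hypothetical over-broad rule modelled on Alexander's guess: bare "ist" anywhere.
LOOSE_RULE = re.compile(r"ist", re.IGNORECASE)
# Tightened rule: the adware token must appear as a whole word.
STRICT_RULE = re.compile(r"\bistbar\b", re.IGNORECASE)

def matches(raw: str, rule: re.Pattern) -> bool:
    """True if the rule fires on the request's User-Agent header."""
    ua = parse_headers(raw).get("user-agent", "")
    return rule.search(ua) is not None

def classify(raw: str) -> dict:
    """Return the verdict of both rules so false positives are visible side by side."""
    return {"loose": matches(raw, LOOSE_RULE), "strict": matches(raw, STRICT_RULE)}

if __name__ == "__main__":
    for name, req in (("feisty", FEISTY_REQUEST), ("adware", ADWARE_REQUEST)):
        print(name, classify(req))   # feisty -> loose fires, strict does not
```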

Changed in firefox:
assignee: nobody → mozilla-bugs
status: Unconfirmed → Needs Info