SUMO community discussions

sites serving fake firefox-patch.exe/firefox-patch.js list and discussion.

  1. How about putting an advisory message on genuine updates.

    I wonder what the current malware is doing. IIRC some posts just mention it does not update; presumably it is introducing as yet unknown malware but not immediately ransomware. I suppose I could look up the signatures of the detections, but it may not help as once malware has a toehold it tends to proliferate.

    The major problem as I see it is users trust the Firefox icon but do not realise it is not from Mozilla. The idea of a snippet was dismissed as only able to reach 10% of the userbase.

    If we put a message about how to & how NOT to upgrade with new installs and genuine updates we will reach 100% of the userbase; sure it would be annoying to most users but it may be worth it to educate the novice or naive users. Malware could wreck our reputation and market share.
  2. jscher2000 said (/questions/1130120#answer-894846)

    ... The numeric parts of the URLs seem to be linked to the user who finds them, so if I click the links, the page is not found. I suspect they are computed based on your IP address and/or a cookie as a way to make it difficult for others to investigate. ....

    So unless we happen to discover that code, which is likely impossible, it makes it difficult even to effectively report these sites.
  3. For a few days I changed my SeaMonkey on Linux UA to UAs like, say, Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0 to try and see if any sites that I know give ad popups in tabs would get one of these fake urgent Firefox update sites, but none so far.
  4. Hmm, thanks to Abzyx at https://support.mozilla.org/en-US/questions/1127436#answer-894911

    Detection ratio: 2 / 52. Compilation timestamp 2016-07-07 06:53:14. https://www.virustotal.com/en/file/d5276fb20bc7c341426faec75514623133055808ec589af185c71f7431b55af5/analysis/1467903674/

    So it is a new firefox-patch.exe, as perhaps older versions were getting blocked or flagged.
  5. feehacitysocialising.net was registered 7/8 and I ended up there at 5AM (EDT) 7/9 after visiting the cincinnatibell DOTnet web page (cited elsewhere) with the orange-screen-false-update.

    Part of that offending destination page contains:

           <h1>Urgent Firefox update</h1>
               <a class="btn" href="/1091815563143/14680538415496/firefox-patch.exe">Download Now</a>
           </div>
           <script>window.jQuery || document.write('<script src="/PR1-2/js/vendor/jquery-1.10.2.min.js"><\/script>')</script>
           <script src="/PR1-2/js/plugins.js"></script>
           <script src="/PR1-2/js/main.js"></script>
           <script>
            setTimeout("location.href = '1091815563143/14680538415496/firefox-patch.exe';", 1000);

    Important asides: my mouse was hovering over the 'ad choices' right-arrow at the time, which is a link to their 'about' page. Perhaps there was a time-delay link involved. I had not clicked anything. I had not logged in, nor seen the 'page wants to run adobe flash' which did come up upon a revisit.

    The page continually (proper choice) downloads new images. Question by me: is this the least bit useful or should I go away? At least the web site (cincin bell) is still a problem-source site.

    Modified by cliffontheroad on
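    An added triage helper (not code from this thread, from Mozilla, or from any poster) that ties together the page fragment quoted above and jscher2000's earlier point that the numeric URL parts differ per visitor: it scans a saved copy of a suspect page for the urgent-update heading, a firefox-patch.exe/.js download link and the setTimeout auto-redirect, and replaces the long numeric path segments with <id> so that reports from different users can be compared. The sample page is constructed from the fragment quoted in this post and the page URL is an assumed placeholder, not a live capture.

```python
"""Triage a saved copy of a suspected fake "Urgent Firefox update" page.

Flags the three traits reported in the thread (urgent-update heading, download
link to firefox-patch.exe/.js, setTimeout auto-redirect to the payload) and
replaces per-visitor numeric path segments with <id> so reports can be compared.
SAMPLE_* are constructed from the quoted fragment; the page URL is assumed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAYLOAD_RE = re.compile(r"firefox-patch\.(exe|js)\b", re.I)
# matches  setTimeout("location.href = '<path>';", 1000)
REDIRECT_RE = re.compile(r"setTimeout\(\s*[\"']location\.href\s*=\s*'([^']+)'", re.I)
HEADING_RE = re.compile(r"urgent\s+firefox\s+update", re.I)
ID_SEGMENT_RE = re.compile(r"/\d{6,}(?=/|$)")   # long numeric per-visitor ids

class _Collector(HTMLParser):
    """Collect <a href> targets, inline <script> bodies and visible text."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts, self.text = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def normalise(url):
    """Return host/path with per-visitor numeric segments replaced by <id>."""
    parts = urlsplit(url)
    return parts.netloc + ID_SEGMENT_RE.sub("/<id>", parts.path)

def triage(html, page_url):
    """Return findings for one saved page; 'verdict' is True when it matches."""
    p = _Collector()
    p.feed(html)
    payload_links = {normalise(urljoin(page_url, h))
                     for h in p.hrefs if PAYLOAD_RE.search(h)}
    # A relative redirect target resolves under the page's own directory,
    # which is why it can normalise to one more <id> than the href does.
    auto_redirects = {normalise(urljoin(page_url, m.group(1)))
                      for m in REDIRECT_RE.finditer("\n".join(p.scripts))
                      if PAYLOAD_RE.search(m.group(1))}
    heading = any(HEADING_RE.search(t) for t in p.text)
    return {"urgent_heading": heading,
            "payload_links": sorted(payload_links),
            "auto_redirects": sorted(auto_redirects),
            "verdict": heading and bool(payload_links or auto_redirects)}

# Constructed sample: hostname from the post, page path assumed, body from the quoted fragment.
SAMPLE_PAGE_URL = "https://feehacitysocialising.net/1091815563143/landing.html"
SAMPLE_HTML = """<!doctype html><html><body>
<h1>Urgent Firefox update</h1>
<div class="box">
  <a class="btn" href="/1091815563143/14680538415496/firefox-patch.exe">Download Now</a>
</div>
<script>window.jQuery || document.write('<script src="/PR1-2/js/vendor/jquery-1.10.2.min.js"><\\/script>')</script>
<script src="/PR1-2/js/main.js"></script>
<script>
 setTimeout("location.href = '1091815563143/14680538415496/firefox-patch.exe';", 1000);
</script>
</body></html>"""
```

    Running triage(SAMPLE_HTML, SAMPLE_PAGE_URL) flags the heading, the link and the redirect, and the normalised indicator feehacitysocialising.net/<id>/<id>/firefox-patch.exe is what two users with different numeric IDs would both report.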

  6. Discussion permitted, right? I thought I posted in this forum something that began with the word Conjecture. It went "poof" or became vapor-ware. Now I was hoping that the above item would prod someone more knowing to announce Eureka-found. Alas, not.

    I searched through some Notepad items I created in the last month of when the false-update msgs appeared. Each gave a "malware" hit on that VirusTotal site.

    On 6/24 I got the orange screen after opening http://omgwhut.com/this-dog-doesnt-want-to-wake-up-the-sleeping-cat-so-he-does-this-so-funny but of course the orange page appeared in that tab with the URL of

    https://weoroobstaclesandglory.org/9961815560932/4aa0244b9c629b623590aa93e68eed69.html

    I wish I could read JS like I could DataBasic. But isn't an HTTP inside an HTTP page like a "gosub"? 'Cause I have a view-source of a page which seems "dead on", as well as another which seems to replace a string with another string character by character. Love the variable name "secret".

    I was about to go back to the Cincinnati page for another "orange screen", if possible, and try to suspend the linking so I could catch the intermediary code and help put this thing to bed.

    There'd be no glory, only satisfaction. But I'm ....

    So I ask: is there someplace else I could be/should be? Or is blocking the daily site all that is sought?
  7. Oh gosh; more. The program/fix the orange screen wants to load is malware, I think. When I first fell for the update, my machine was constantly running at 50% CPU, all on a SVC process. The Procexp utility showed me six channels were being polled. Maybe they were legit, but I got them to stop.

    When I looked at this view-source:http://omgwhut.com/wp-includes/js/wp-embed.min.js?ver=4.5.3 it has some code of: ...addEventListener("message"

    Therefore I might be doing a 2+2=5, thinking some computer will respond to mine and then who knows what will happen. Has anyone defined what the downloaded exe patch actually performs?
  8. Admins such as Tyler will likely not be around until Monday.

    Did you submit the .exe file to virustotal.com? You may search for files already scanned, or it will tell you when it is submitted if it has already been scanned. The site indexes files not by name but by hash, so you need the hash if you want to search for files. Tyler may still want copies.

    The virustotal site gives the signatures that AV vendors use when detecting and reporting the file, and their own analysis and details of the file. So you may be interested in the info they have collected. Files scanned include

    * https://virustotal.com/en/file/d5276fb20bc7c341426faec75514623133055808ec589af185c71f7431b55af5/analysis/
      (note: detection ratio increased to 24/52 from 2/52, https://www.virustotal.com/en/file/d5276fb20bc7c341426faec75514623133055808ec589af185c71f7431b55af5/analysis/1467903674/)
    * https://virustotal.com/en/file/12446f2ad470ad093db192821faabac19044814637c3b4889ef5403fc6805b56/analysis/
    * https://virustotal.com/en/file/28f844d7b7009694624a309c6a48bbd4a32a9f66479f8615e9bbbb3eb18c5041/analysis/
    * https://virustotal.com/en/file/e73820fe8b3c5022b03025657286304365c0d2d8312ccbdd136f8a0ecbe7cad1/analysis/
    * https://virustotal.com/en/url/516f87dae0b61bfb134d87f011a0a1deaba5c992f8d476e887365445bfe6b9c8/analysis/
  9. https://eudorbollywoodkhabri.net

    This URL appears when I get the firefox patch pop up.
  10. This is my third time getting the FAKE update screen.

    I still believe that this FAKE update is embedded in the Pop-up ADs.

    The site I was on at the time was: https://weather.com/weather/radar/interactive/l/02048:4:US

    The Address it sent me to for the orange screen was: https://eepheverseoftheday.org/9631813284746/e122d525737bd3ef8300ec9dfb95fbfd.html

    The Address behind the Download Button is: https://eepheverseoftheday.org/9631813284746/1468190225922059/firefox-patch.exe

  11. Note I posted a comment in the open bug to try to discover exactly what information engineers want us to obtain.

    I do not know whether you are aware, but these links from the malware are personalised.

    The Address behind the Download Button is: https://eepheverseoftheday.org/9631813284746/1468190225922059/firefox-patch.exe

    I get an empty response header from that link.

    So links like the one above are not accessible by other people. If you download but do not open the .exe file you could submit it to virustotal.com and report back to the forum if it is a new file, because these files seem to evolve, presumably to add features or evade detection.

    P.S. Bug 1282106#c12 (https://bugzilla.mozilla.org/show_bug.cgi?id=1282106#c12): Suspect ad on various websites displays alert to offer false Firefox update

    Modified by John99 on

  12. Has this morphed? Is it now targeting other platforms?

    * Is "firefox-patch.js" from "nichufreevectordownload.net" legitimate? (/questions/1130586)
  13. JoeAllen2 said

    This is my third time getting the FAKE update screen. I still believe that this FAKE update is embedded in the Pop-up ADs. The site I was on at the time was: https://weather.com/weather/radar/interactive/l/02048:4:US The Address it sent me to for the orange screen was: https://eepheverseoftheday.org/9631813284746/e122d525737bd3ef8300ec9dfb95fbfd.html The Address behind the Download Button is: https://eepheverseoftheday.org/9631813284746/1468190225922059/firefox-patch.exe

    I was also on weather.com when I got the fake firefox patch update. I had just clicked the "monthly" weather forecast link but have been unable to reproduce the pop up going forward. If it's a rotating advertisement that explains why I cannot reproduce the pop up by clicking a link or visiting weather.com.

  14. I will add [Attn Admin] to the thread title. I am hoping for guidance as to what we should do and say to users seeing this problem, especially with respect to making progress with the filed bug. Has anyone else come across the new file with a .js extension instead of a .exe? And if so, has anyone managed to save that file and submit it to virustotal.com?

    helpout said

    I was also on weather.com when I got the fake firefox patch update. I had just clicked the "monthly" weather forecast link but have been unable to reproduce the pop up going forward. If it's a rotating advertisement that explains why I cannot reproduce the pop up by clicking a link or visiting weather.com.

    I am in the UK. I have tried the weather.com site. The longest weather forecast is 10 days, so for instance I have used https://weather.com/en-GB/weather/10day/l/UKXX0085:1:UK I do see various adverts. I have not yet seen any fake updates. I also tried using a free web proxy service but that broke the site.
  15. this now also got picked up by the security community: https://blog.barkly.com/fileless-malware-kovter-posing-as-firefox-update

    there are also a number of affected users with adblocker addons present, so that makes it even more dubious what is triggering the fake alerts.

  16. I'm seeing a small increase in numbers from our social media users reporting that they are seeing these fake urgent update messages. So far, I've told them to ignore the message and scan for viruses on the computer (if applicable). If you need any information from them, I'd be happy to reach out and grab more details.

  17. The very dangerous code of at least one version of firefox-patch.js is shown over here: http://forums.mozillazine.org/viewtopic.php?p=14653247#p14653247

  18. I have created a tag: Bug1282106 (/questions/all?owner=all&tagged=bug1282106&show=all)

    I have not retrospectively added any of the other posts by tagging them, but it may help us if we are able to pass on information or advice later on.
  19. Between this and the sync hacks I reported: https://support.mozilla.org/en-US/forums/contributors/712048

    If I were paranoid, I'd think someone wants to destroy Firefox/Mozilla.
  20. Six weeks into this situation and the only apparent progress has been made by the "doer" / perpetrator with morphing this exploit to providing a .js file that may be more dangerous.

    And with the amount of effort that James, John99, and others have put into tracking this, the response here from Mozilla has been underwhelming to say the least!

    Three weeks ago I asked about adding a 'snippet' to the about:home page for the least experienced users, who I would classify as the "most vulnerable" users, but that was "shot down" as being at best only seen by 10% of Firefox users. At least that would have been 10% more than we have almost 3 weeks later. https://support.mozilla.org/en-US/forums/contributors/712056?last=69624&page=1#post-69488

    https://blog.mozilla.org/security/ may not have been the exact proper place for mentioning this exploit and probably not a very "trafficked" sub-domain - but better than nothing!

    This isn't gonna solve it. https://bugzilla.mozilla.org/show_bug.cgi?id=1282106#c17

        b) Beta folks have gotten fake updates just like Release users: without warning
        (uh oh -- need to investigate PUP feature for bugs)

    And with the Firefox 48 update coming in two weeks - I feel the "shit hasn't hit the fan yet", especially if the last 6 weeks have been a practice run for "the big event"! With two new domains per day being used, how hard would it be to multiply that by 10 or by 100? And the same for whatever is infecting the Ad Servers or whatever is "hosting the payload"?