Mozilla Firefox flaw exploited on Nobel Prize website

By on October 27, 2010, 2:36 PM
Malicious hackers are exploiting a newly discovered vulnerability in Mozilla Firefox to launch drive-by download attacks, according to security software company Norman. The exploit, first discovered in use on the Nobel Prize website, works on Firefox 3.5 and 3.6.

Firefox users who visited the website were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine. Once successfully installed, the malware creates an executable in the Windows temp directory and sets it to run on startup via the registry. It also attempts to connect to two Internet addresses, both of which point to a server in Taiwan, through which someone can control the system.
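A defender can check for the persistence pattern described above (an executable in a temp directory launched at startup from the registry) by triaging exported autostart entries. The following is an added example, not code from Norman, Mozilla or the article; it assumes the standard Windows `Run` keys are the autostart location, and the sample `reg query` output, value names and paths are constructed.

```python
import re

# Constructed sample of `reg query <Run key>` output; names and paths are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Windows\Temp\updater.exe
    Sync Helper    REG_EXPAND_SZ    "%TEMP%\sync helper.exe" -q

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Path fragments treated as "temp" (an assumption; extend for your environment).
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "%temp%\\", "%tmp%\\")
# reg.exe prints value lines as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Unquoted commands: cut after the first executable extension so spaces in paths survive.
UNQUOTED_EXE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", re.IGNORECASE)


def command_path(data):
    """Return the executable part of a Run value, without its arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    m = UNQUOTED_EXE.match(data)
    return m.group(1) if m else data.split(" ", 1)[0]


def find_temp_autostarts(reg_query_output):
    """Return (key, value name, path) for autostart entries that run from a temp directory."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # header line naming the key the following values belong to
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            path = command_path(m.group("data"))
            if any(marker in path.lower() for marker in TEMP_MARKERS):
                hits.append((key, m.group("name"), path))
    return hits


if __name__ == "__main__":
    for key, name, path in find_temp_autostarts(SAMPLE_REG_QUERY):
        print(f"SUSPICIOUS autostart: {name!r} -> {path} ({key})")
```

A hit is a lead for investigation rather than proof of infection, since some legitimate installers also stage files in temp directories.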

Mozilla has acknowledged the problem and is investigating it further. "We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested," the company stated. "The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox's built-in malware protection. However, the exploit code could still be live on other websites." In the interim, Firefox users have two workarounds available to them: disable JavaScript and/or use NoScript.





User Comments: 27

nismo91 said:

i think mozilla need to hurry up the final version of firefox 4.

JMMD JMMD, TechSpot Chancellor, said:

I use noscript and keep JavaScript disabled unless I have to use it. What I would really like is for Windows and Web browsers to block all servers from foreign domains (or specified top level domains) since a lot of these issues originate from non-US domains/networks.

klepto12 klepto12, TechSpot Paladin, said:

man i love firefox about the only browser i use hope they fix it soon.

Technochicken Technochicken, TechSpot Paladin, said:

How does malware end up on the Nobel Prize website?

Ahmed90 Ahmed90 said:

bugs are every where and hackers will always find them and so far there is no full effective solution for all these Trojans, viruses, etc...

JMMD said: What I would really like is for Windows and Web browsers to block all servers from foreign domains (or specified top level domains) since a lot of these issues originate from non-US domains/networks.

looooool thats the most weird solution i ever heard

neowing said:

I want to know if this case affected in Dual boot with WinXP and Linux.

JMMD JMMD, TechSpot Chancellor, said:

bugs are every where and hackers will always find them and so far there is no full effective solution for all these Trojans, viruses, etc...

looooool thats the most weird solution i ever heard

Really? makes a lot of sense from a security standpoint. Let's say that 80% of malware being served on hacked websites is downloaded from a .ru , cn, pl, etc. domain/host.

Wouldn't blocking all of those domains make sense? I have no need to ever access any top level domains from other countries. It's not going to stop everything but every bit helps.

JMMD JMMD, TechSpot Chancellor, said:

I want to know if this case affected in Dual boot with WinXP and Linux.

It all depends on which operating system you were using at the time. If you were in Linux then probably not.

Ahmed90 Ahmed90 said:

JMMD said:

Really? makes a lot of sense from a security standpoint. Let's say that 80% of malware being served on hacked websites is downloaded from a .ru , cn, pl, etc. domain/host.

Wouldn't blocking all of those domains make sense? I have no need to ever access any top level domains from other countries. It's not going to stop everything but every bit helps.

maybe you "have no need to ever access" these sites but many many many other people do need it

maybe instead the internet main organizations should make some laws for local data-centers in these countries

but blocking them nope it will never solve the issue they can easily get a .com domain or even .us and use it with such an infected servers / web sites

TomSEA TomSEA, TechSpot Chancellor, said:

Huh...what an odd website to drop a trojan on.

frodough said:

wow that's like putting a spotlight on a perfect storm.. dont do it! it's a trap! im not a troll but this is how i felt after reading this.

Guest said:

Some workarounds that are more than a quick fix and more universal in their prevention controls:

1) Use antivirus software. This could have identified the trojan during or right after the download.

2) Use software to stop apps from running. Some firewalls do this. With Windows, if User Account Control (UAC) is on, then UAC will prompt you. This could have stopped the trojan from changing the registry, connecting to a remote server...

3) Use a firewall to control network connections. There are firewalls that can be configured to only allow outgoing connections you want and block the ones you don't want. This could have stopped the trojan from connecting to a remote server. They can also do the same for inbound connections, which could stop the remote server from making your computer a slave.

4) And if the above is still not enough, use software that can block domains or IP addresses. This could have stopped outbound and inbound connections with a remote server.

Guest said:

Firefox Version 3.6.12 is now available.

klepto12 klepto12, TechSpot Paladin, said:

Seems they already posted the fix check it out.

HaMsTeYr HaMsTeYr said:

Congratulations, while visiting a nobel prize website, you got hacked. Indeed, what a strange place to put a trojan in... But maybe that's the thing, the least expected it is, the higher the chance of catching people off guard i suppose.

Archean Archean, TechSpot Paladin, said:

Well, I am unsure, but just now there is a FF update to version 3.6.12; may be that has fixed it? I hope someone will confirm it.

highlander84 said:

Would have been nice for Techspot to tell us what those IPs are if they knew. Then I'd just block them from my router and even if I was infected they would not be able to gain control because I'd have the server blocked. I think if information like that was published people could better protect themselves.

Lokalaskurar Lokalaskurar said:

JMMD said:

I use noscript and keep JavaScript disabled unless I have to use it. What I would really like is for Windows and Web browsers to block all servers from foreign domains (or specified top level domains) since a lot of these issues originate from non-US domains/networks.

Ha, someone might actually get offended by that comment!

And really, many people rely on foreign and top level solutions. I know loads of people who use Tokelau-aliases for their websites. And Niue-servers to host them. To put it frankly, I'm offended by this comment. However I understand how you think, and it's perfectly fine wanting to increase one's security.

But a solution like this would simply not work. Especially not if everyone started using Windows' and browser's which block foreign content. Multimillions of dollars will be lost if the world-wide-web stopped being world-wide. Foreign people would stop learning things from YouTube, foreign people would not be able to chat with friends on Skype, MSN or Facebook, foreign people would sieze developing. And no good can come of this, you know...

sMILEY4ever said:

Good thing I use Noscript and usually allow it to block stuff.

Burty117 Burty117, TechSpot Chancellor, said:

Lokalaskurar said:

JMMD said:

I use noscript and keep JavaScript disabled unless I have to use it. What I would really like is for Windows and Web browsers to block all servers from foreign domains (or specified top level domains) since a lot of these issues originate from non-US domains/networks.

Ha, someone might actually get offended by that comment!

And really, many people rely on foreign and top level solutions. I know loads of people who use Tokelau-aliases for their websites. And Niue-servers to host them. To put it frankly, I'm offended by this comment. However I understand how you think, and it's perfectly fine wanting to increase one's security.

But a solution like this would simply not work. Especially not if everyone started using Windows' and browser's which block foreign content. Multimillions of dollars will be lost if the world-wide-web stopped being world-wide. Foreign people would stop learning things from YouTube, foreign people would not be able to chat with friends on Skype, MSN or Facebook, foreign people would sieze developing. And no good can come of this, you know...

If you do want to block TLD (Top Level Domains) Install DNSKong

http://accs-net.com/hosts/DNSKong.html

this will allow you to enter .ru for example and any DNS lookup for any .ru websites will get directed to your internal loopback address meaning it will go nowhere!

In case anyone wanted to know if it was possible....

ucould2 ucould2 said:

Guest said:

Some workarounds that are more than a quick fix and more universal in their prevention controls:

1) Use antivirus software. This could have identified the trojan during or right after the download.

2) Use software to stop apps from running. Some firewalls do this. With Windows, if User Account Control (UAC) is on, then UAC will prompt you. This could have stopped the trojan from changing the registry, connecting to a remote server...

3) Use a firewall to control network connections. There are firewalls that can be configured to only allow outgoing connections you want and block the ones you don't want. This could have stopped the trojan from connecting to a remote server. They can also do the same for inbound connections, which could stop the remote server from making your computer a slave.

4) And if the above is still not enough, use software that can block domains or IP addresses. This could have stopped outbound and inbound connections with a remote server.

& five) clean out your Temp/folders oh I mean Ccleaner your temp/folders

xcelofjkl said:

Seeing a trend? Google with their password hacking, Trojan affecting Mac and Win7, then this? We gotta be careful, we're being watched!

pyari said:

this Q is always in my mind. why hackers, crackers always go one step ahead from developers? do the developers wanna that may be they wanna work to do?

ucould2 ucould2 said:

Archean said:

Well, I am unsure, but just now there is a FF update to version 3.6.12; may be that has fixed it? I hope someone will confirm it.

I still cannot get this to install yet ie download-download-download-download - then - "error on install due to firefox running in another window"......yes it's "autodownloading" -wtf...??

Archean Archean, TechSpot Paladin, said:

It installed without any issue for me via 'auto update'; if it doesn't work you always have the option (defeats the point of auto update anyway) to manually downloading the full executable and installing it.

pyari said:

ie download-download-download-download - then - "error on install due to firefox running in another window"

i really don't understand this line.

Leeky Leeky said:

Ha, someone might actually get offended by that comment!

And really, many people rely on foreign and top level solutions. I know loads of people who use Tokelau-aliases for their websites. And Niue-servers to host them. To put it frankly, I'm offended by this comment. However I understand how you think, and it's perfectly fine wanting to increase one's security.

But a solution like this would simply not work. Especially not if everyone started using Windows' and browser's which block foreign content. Multimillions of dollars will be lost if the world-wide-web stopped being world-wide. Foreign people would stop learning things from YouTube, foreign people would not be able to chat with friends on Skype, MSN or Facebook, foreign people would sieze developing. And no good can come of this, you know...

Would be a bummer for me, I use co.uk, and .com addresses all the time.

If my country blocked .com we'd lose half of our own countries websites - People here use .com as well as .co.uk, among other TLD's.
