mozilla :: #security

10 Sep 2017
13:55 * life_brewer-M sent a long message: life_brewer-M_2017-09-10_13:55:54.txt
16:06 <Caspy7> So this particular malware/scam has remained constant and prolific for a long while now, over a year I'm guessing
16:06 <Caspy7> and no one's been able to put a stop to it
16:07 <Caspy7> though I don't see reports of it happening to Chrome. So I don't know why Firefox is more susceptible
16:09 <Caspy7> anyway, I had the thought that we might take more extreme methods to combat it. Such as, at least those with telemetry enabled, that we find something unique for these pages and report back when it's encountered. And maybe that could at least help with study on it...
16:09 <Caspy7> mainly what I'm thinking is identifying that background page
16:09 <Caspy7> like the image
22:06 <dveditz> Caspy7: I've seen reports of it on Chrome and IE. When it first started showing up and there was some press about it
22:07 <Caspy7> dveditz: ok. Guess we're not sure if it's still happening for them?
22:07 <dveditz> I'm not sure why our "malicious download" check doesn't catch that. The initial form was a downloaded .exe and we blocked that
22:08 <dveditz> We only know it's happening to Firefox folks because they report it to us, so I'm not sure if the other browsers aren't being attacked or whether we're just not hearing about it.
22:08 <dveditz> Since the attack itself is independent of the browser it's hard to believe it would just be us
22:08 <dveditz> but maybe our malware detection is suckier. That's MS's advertising claim anyway
22:09 <dveditz> the attack is "just" social engineering, and Windows will execute the .js file in the Windows Scripting Host
22:09 <Alex_Gaynor> Why does Windows have an execution handler by default for .js files :-/
22:10 <dveditz> Why does mac have one (had one?) for Apple Script?
22:10 <dveditz> "by default" is a good question though. "turn on power user tools here"
22:10 <Caspy7> dveditz: you can ask questions to the poster here (for instance if they messed with any malware blocking settings) and another user linked another recent report along with the user
22:11 <Alex_Gaynor> Do we know if the contents of firefox-patch.js are stable/the same? Can we get it blacklisted by Windows Defender or something?
22:11 <Alex_Gaynor> (I suspect this is not a new idea)
22:11 <dveditz> if someone _runs_ that file they will get malware. At one point the payload was the "Kovter" trojan. I don't know what variants are going around now
22:12 <dveditz> The contents change, at the very least because the download locations for the payload change (in the past was the same short-lived host as the one the page is served from)
22:13 <Caspy7> yeah, tons of one use or near one use URLs. I'm guessing it's still the same MO