Firefox updater being flagged as a trojan agent


14 replies to this topic

#1 KerryETB (New Member, 8 posts)

Posted 15 July 2013 - 08:15 AM

We have a Barracuda web filter which gives us Malwarebytes as a removal tool.

 

Recently, during scans, it has started marking the Firefox updater as a Trojan agent. I was wondering whether this is a risk or a false positive. I ran the following scan on a Windows XP PC today, and it found the following:

 

Michael

**************************************

 

Barracuda Malware Removal Tool 1.46
www.barracuda.com
 
Database version: 913071408
 
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
 
15/07/2013 14:05:05
bmrt-log-2013-07-15 (14-05-05).txt
 
Scan type: Full scan (C:\|D:\|)
Objects scanned: 362734
Time elapsed: 40 minute(s), 18 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
(No malicious items detected)
 
Registry Values Infected:
(No malicious items detected)
 
Registry Data Items Infected:
(No malicious items detected)
 
Folders Infected:
(No malicious items detected)
 
Files Infected:
C:\WINDOWS\SoftwareDistribution\Download\bb00e871d14625ce5324ccdf7ad36ca9016bcaec (Trojan.Llac) -> No action taken. [080C65FEA020D768026AD4E77C8A5A1D]
C:\Program Files\Mozilla Firefox\updater.exe (Trojan.Agent) -> No action taken. [43EFC9EA4B44BAB93FA8A462F9CC13C4]
 

Attached Files



#2 miekiemoes (Forum Deity, Administrators, 7,677 posts, Belgium)

Posted 15 July 2013 - 08:31 AM

Hi,

 

Can you zip & attach both files that were detected to this thread?

Thanks!


Mieke Verburgh
Director of Research


Follow us: Twitter, Become a fan: Facebook

#3 jni666 (New Member, 1 post)

Posted 16 July 2013 - 03:21 AM

I have been infected with this and I have contained it. If someone wants the relevant files let me know.



#4 miekiemoes (Forum Deity, Administrators, 7,677 posts, Belgium)

Posted 16 July 2013 - 05:10 AM

Hi,

 

Please zip & attach the sample so we can verify whether this is a false positive or not.



#5 KerryETB (New Member, 8 posts)

Posted 16 July 2013 - 09:09 AM

I will run a scan again and upload the zipped file.



#6 miekiemoes (Forum Deity, Administrators, 7,677 posts, Belgium)

Posted 16 July 2013 - 10:19 AM

OK, please let me know in your next reply, with the attachment.

(Because, in case you edit your previous post with the attachment added, I won't get a notification for it ;) )



#7 KerryETB (New Member, 8 posts)

Posted 17 July 2013 - 03:33 AM

Attached is the Firefox updater.exe that got flagged yesterday on a scan.

Attached Files



#8 miekiemoes (Forum Deity, Administrators, 7,677 posts, Belgium)

Posted 17 July 2013 - 03:42 AM

Hi,

 

I cannot reproduce the detection for this one, though...



#9 KerryETB (New Member, 8 posts)

Posted 17 July 2013 - 03:48 AM

So does this mean it's a false positive?



#10 spywar (Forum Deity, Malware Hunters, 4,185 posts)

Posted 17 July 2013 - 03:52 AM

That means the file is not detected by MBAM's latest DB.



#11 miekiemoes (Forum Deity, Administrators, 7,677 posts, Belgium)

Posted 17 July 2013 - 03:55 AM

This file is not malicious and is not detected on our end :)



#12 miekiemoes (Forum Deity, Administrators, 7,677 posts, Belgium)

Posted 17 July 2013 - 04:11 AM

Hi Kerry, just to verify: the file you attached here, is this the one that was actually detected by Malwarebytes, and was it located at C:\Program Files\Mozilla Firefox\updater.exe?

So you uploaded the updater.exe that is located there?

Does your barracuda still detect this file when you run a scan?



#13 KerryETB (New Member, 8 posts)

Posted 17 July 2013 - 04:28 AM

Yes, that is the one that was detected by Malwarebytes. I copied it from the folder, zipped it and uploaded it here. I have started another scan of the PC.
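The log in #1 and the question in #12 and #13 (is the zipped file really the one the scanner flagged?) both come down to the same two steps: pull the flagged paths out of the "Files Infected:" section of the log, and record a hash of each file that is still on disk before you zip it, so the vendor can match the sample to the detection. Here is an added example that does both; it is not code from the thread or from Malwarebytes or Barracuda. The log format is inferred only from the log posted above, the detection lines are embedded as constructed sample input, and the 32-hex value in square brackets at the end of each detection line is carried through as an opaque identifier (the example does not assume it is a file hash).

```python
"""Parse the 'Files Infected:' section of a Malwarebytes / Barracuda Malware
Removal Tool scan log and hash the flagged files that still exist on disk.
Added example, not from the original thread; log format inferred from the
posted log only."""
import hashlib
import os
import re
import tempfile

# Constructed sample: the two detection lines from the posted log, plus the
# summary count, so the parser can be cross-checked against the summary.
SAMPLE_LOG = (
    "Files Infected: 2\n"
    "\n"
    "Files Infected:\n"
    "C:\\WINDOWS\\SoftwareDistribution\\Download\\"
    "bb00e871d14625ce5324ccdf7ad36ca9016bcaec (Trojan.Llac) -> No action taken. "
    "[080C65FEA020D768026AD4E77C8A5A1D]\n"
    "C:\\Program Files\\Mozilla Firefox\\updater.exe (Trojan.Agent) -> "
    "No action taken. [43EFC9EA4B44BAB93FA8A462F9CC13C4]\n"
    "\n"
    "Folders Infected:\n"
    "(No malicious items detected)\n"
)

# The same two detections run together on one line, as they appear in the
# forum copy of the log; the regex below handles that as well.
FUSED_LOG = SAMPLE_LOG.replace("]\nC:\\Program", "]C:\\Program")

# <path> (<threat>) -> <action>. [<32 hex chars>]
# The non-greedy path lets "(x86)" inside a path backtrack correctly.
DETECTION_RE = re.compile(
    r"(?P<path>.+?) \((?P<threat>[^)]+)\) -> "
    r"(?P<action>[^.\n]+)\. \[(?P<id>[0-9A-Fa-f]{32})\]"
)
SUMMARY_RE = re.compile(r"^Files Infected: (\d+)\s*$", re.MULTILINE)


def files_infected_section(log_text):
    """Text between the bare 'Files Infected:' header and the next blank line."""
    collecting, lines = False, []
    for line in log_text.splitlines():
        if line.strip() == "Files Infected:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            lines.append(line)
    return "\n".join(lines)


def summary_count(log_text):
    """The 'Files Infected: N' count from the summary block, or None."""
    m = SUMMARY_RE.search(log_text)
    return int(m.group(1)) if m else None


def parse_detections(log_text):
    """One dict (path, threat, action, id) per detection line."""
    return [m.groupdict() for m in DETECTION_RE.finditer(files_infected_section(log_text))]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_submission(log_text):
    """Detections plus a SHA-256 for each flagged path still present on disk
    (None when the file is gone, e.g. already quarantined or deleted).
    Refuses to continue if the parsed count disagrees with the log's summary."""
    records = parse_detections(log_text)
    count = summary_count(log_text)
    if count is not None and count != len(records):
        raise ValueError("parsed %d detections, summary says %d" % (len(records), count))
    for rec in records:
        rec["sha256"] = sha256_of(rec["path"]) if os.path.isfile(rec["path"]) else None
    return records


def hash_roundtrip():
    """Self-check: write a constructed file, reference it from a constructed
    log line, and confirm build_submission() hashes exactly that file."""
    data = b"MZ constructed sample, not a real updater.exe\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "updater.exe")
        with open(path, "wb") as f:
            f.write(data)
        log = ("Files Infected: 1\n\nFiles Infected:\n"
               "%s (Trojan.Agent) -> No action taken. [%s]\n\n" % (path, "0" * 32))
        rec = build_submission(log)[0]
    return rec["sha256"] == hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for rec in build_submission(SAMPLE_LOG):
        print(rec)
```

Run it on the machine that produced the log before zipping anything: a `None` hash means the file is no longer at the logged path (already quarantined or removed), and a mismatch between the parsed detections and the summary count means the log was truncated or the fused-line case was not handled.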



#14 KerryETB (New Member, 8 posts)

Posted 17 July 2013 - 05:32 AM

Just scanned the PC again - it marked the firefox updater as Trojan.Agent (see attached copy of updater.exe and the log).

 

Update details:

Date: 7/16/2013

Database version: 913071608

Fingerprints loaded: 280462

 

I have removed the file and started another scan.

Attached Files

  • Attached File  scan.zip   118.02KB   31 downloads


#15 miekiemoes (Forum Deity, Administrators, 7,677 posts, Belgium)

Posted 17 July 2013 - 05:38 AM

Ok thanks.

You can restore this file from quarantine again and add it to your whitelist, since it's not malicious.

Your version of Barracuda is outdated, which explains this misdetection. Please update your Barracuda build to 1.75.0.1300.

