View Full Version : came across this firefox redirect site



sdowney717
October 1st, 2010, 12:14 PM
http://ffcheck.co.cc/
Firstly, it claims I am running a version which I am not running and to download the new version.
So what is the motivation here, you think?

Lucradia
October 1st, 2010, 12:23 PM
Silly malware sites, site copying is for MMORPG hackers.

t0p
October 1st, 2010, 12:30 PM
There's certainly something odd about that site. It claims I'm running Firefox 3.6.8 (I actually use 3.5.13) and tells me the version I'm allegedly running is allegedly insecure (something to do with the flash player it thinks I'm using). And if you click on the download button, it leads to "firefox-update.exe" - so the site doesn't know I'm running Linux. It thinks I'm using a Windows OS.

My immediate thought is that this site is up to no good - trying to get Windows users to install an executable that might do who knows what to their machines.

CharlesA
October 1st, 2010, 12:30 PM
At least FF prompts you to only save the file, since it's an exe (at least for me).


There's certainly something odd about that site. It claims I'm running Firefox 3.6.8 (I actually use 3.5.13) and tells me the version I'm allegedly running is allegedly insecure (something to do with the flash player it thinks I'm using). And if you click on the download button, it leads to "firefox-update.exe" - so the site doesn't know I'm running Linux. It thinks I'm using a Windows OS.

My immediate thought is that this site is up to no good - trying to get Windows users to install an executable that might do who knows what to their machines.

Yep. That's the whole point.

Lucradia
October 1st, 2010, 12:38 PM
Also: http://www.threatexpert.com/files/firefox-update.exe.html

forrestcupp
October 1st, 2010, 12:44 PM
It claims I'm using that version of Firefox, yet I'm using Chrome.

It's obviously trying to get you to download a virus. I wouldn't trust any web site that ends in "co.cc". That's a free domain that anyone can get and do whatever they want with. You can bet that a "co.cc" address isn't really from Mozilla.

slackthumbz
October 1st, 2010, 12:47 PM
Apparently Chromium is Firefox 3.6.8... wait what?

It's obviously a malware site for Windows users.

lovinglinux
October 1st, 2010, 06:07 PM
When you find such sites, report it at http://www.mozilla.com/en-US/legal/fraud-report/index.html

I did it already, so no need to submit again.

Frogs Hair
October 1st, 2010, 07:52 PM
The site was reported to WOT eleven hours ago; in comments it said "Viruses/Malware."

ubunterooster
October 2nd, 2010, 01:50 PM
The site was reported to WOT eleven hours ago; in comments it said "Viruses/Malware."
http://www.mywot.com/en/scorecard/ffcheck.co.cc

The file firefox-update.exe hosted on this site is the latest Fast-Flux malware with a different MD5 every time it's downloaded. One sample - Virus Total 18/43:
http://www.virustotal.com/file-scan/report.html?id=d732f0276b72672400cccd592b75fbe65d7b155f02230dde46e347f8f1ed2c37-1285917773
MD5 : 11893a929a9b0ae697a1f0ed4a075edb
- McAfee GW (Heuristic.BehavesLike.Win32.Spyware.H)
Current IP: 195.3.145.42

Dustin2128
October 2nd, 2010, 03:24 PM
Much funnier if you're running Minefield and don't have Flash installed.