New Firefox Exploit In-the-Wild

Our Virus Lab discovered an exploit for a newly discovered vulnerability in the Firefox web browser which was actively used on the infected Nobel Prize site earlier this week. The exploit using the vulnerability in Firefox 3.6 installed a Backdoor on the users system without any warning.

We had a closer look on the Backdoor to see what the payload is. Right after execution the Backdoor is retrieving the path to the Windows Directory and is creating a copy of itself as “%WINDIR%\temp\symantec.exe”. After the Backdoor created that file, autostart keys are added to the Windows Registry. The registry keys point to different paths within the Windows Registry (current user and local machine).

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v “Microsoft Windows Update” /d C:\WINDOWS\temp\symantec.exe /f
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v “Microsoft Windows Update” /d C:\WINDOWS\temp\symantec.exe /f

Both are added using “reg.exe” and using the registry key as a parameter. In the disassembler this looks very simple:

After the system operations are done, the Backdoor tries to create two connections to Internet servers.

One connection is opened to nobel.<host>.mooo.com and one to update.microsoft.com. The connection to update.microsoft.com is no malicious behavior for sure. After establishing these connections, it tries to connect to two further addresses.


If both hosts are offline, as they are currently, the malware will stop execution and exit. If a connection to one of the servers is successful, the malware opens a shell to the socket which is opened. An attacker can get access to the local computer with same rights as the malware was executed, the computer is compromised.

The Mozilla developers are aware of the 0-day vulnerability within the current versions of their popular Firefox web browser and currently develop a patch. An update is expected soon, we will inform about availability in a new blog post.

It is currently unclear why obviously a script-kiddie-like malware abuses such a valuable 0-day vulnerability; usually cyber criminals abuse them for profitable malware.

Avira is detecting this threat as BDS/Belmoo.A with the latest VDF versions.

Thomas Wegele
Virus Researcher