I have recently noticed Firefox acting strangely. Almost every time I
load the program, my software firewall tells me that the program has
changed based on the file's checksum. I thought perhaps it was the
firewall so changed it out, and the same thing happened. I removed
Firefox from the firewall and let it be added again and the same thing
happens. I have checked the drive for errors thoroughly doing both a
normal chkdsk /v /f /x /r at boot (Windows XP Professional) and from the
recovery console on the XP CD. I removed each stick of RAM to ensure
nothing was flaky and getting corrupted there and tested it in other
computers and using a CD boot Linux. I have scanned for viruses and
spyware (Norton AV, SB S&D, Adaware) and found nothing and even checked
for rootkits using Win Internals rootkit revealer. What is odd is that
even MD5 suggests the same thing. I ran MD5 20 times and came up with
the results below, indicating that the program was changing - oddly
enough it is always one of the same 3 MD5 signatures (as shown below -
tabbed for clarity). Even stranger is that this problem is *only*
present on the firefox.exe file, none of my other files appear to be
affected. To further confuse things, I can see no write access taking
place using Filemon or Diskmon (Win Internals) and even stranger than
that, to try to stop the annoying message from my firewall whenever I
use Firefox (every 5 minutes or so :) I removed all access to the file
from any other user account except for my daily use account and even
restricted that to Read and Execute only - specifically denying the
rights to write to the file - yet this still happens! All I can think of
is that the file is getting corrupted in RAM, but then how does MD5 keep
getting a bad copy from the disk? I have uninstalled it completely
(removing all directories including my user directories, extensions and
themes manually before reinstalling) and still no love. I have tried
disabling (then stopping completely by disabling the service) System
Restore. I even repaired the OS using the WinXP boot CD and reinstalled
SP2 and criticals afterward and still it is doing the same thing. I am
out of ideas. Anyone?
I have googled looking for details of an exploit, or basically anything
to do with Firefox and its checksum, but have only found info on Linux
builds stamped with md5, and have found no clue to what is going on.
Because it is only happening to Firefox, I am wondering if there is a
new exploit targeting Firefox and if anyone had heard of such a thing
happening? Below are the MD5 signatures that consistently come up (MD5
run in a batch 20 times - I have highlighted the differences with a
symbol and tabs to show that the MD5sums do make sense, always adding up
to one of three different checksums, but it seems almost random which
will be next, and it's driving my firewall rather nuts (which is driving
me rather nuts ;)
+ 6E57F494AF682DF145077F2D6254B3F2 firefox.exe
= 28BC6ACF8851153633C9CD6CCD858C03 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
- DBCCD1D446018E4ECA6CC8B7A3077F07 firefox.exe
+ 6E57F494AF682DF145077F2D6254B3F2 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
- DBCCD1D446018E4ECA6CC8B7A3077F07 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
= 28BC6ACF8851153633C9CD6CCD858C03 firefox.exe
+ 6E57F494AF682DF145077F2D6254B3F2 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
+ 6E57F494AF682DF145077F2D6254B3F2 firefox.exe
= 28BC6ACF8851153633C9CD6CCD858C03 firefox.exe
= 28BC6ACF8851153633C9CD6CCD858C03 firefox.exe
+ 6E57F494AF682DF145077F2D6254B3F2 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
+ 6E57F494AF682DF145077F2D6254B3F2 firefox.exe
= 28BC6ACF8851153633C9CD6CCD858C03 firefox.exe
+ 6E57F494AF682DF145077F2D6254B3F2 firefox.exe
- DBCCD1D446018E4ECA6CC8B7A3077F07 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
* D30041742F4D27E37FF5E34C07966959 firefox.exe
Any ideas?
Hruod
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
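A way to get one step further than running md5 twenty times, as an added example that is not part of the post above or of any Mozilla or firewall tool: read the file repeatedly, keep one copy of the bytes behind each distinct digest, and report the byte ranges in which each variant differs from the most frequent one. The function names (`sample_hashes`, `differing_ranges`, `describe_variants`) and the sample data (`BASE`, `VARIANT_B`, `VARIANT_C`, a constructed 1 KiB image standing in for an executable) are assumptions of this example; run it with a path and a round count to test a real file, or with no arguments to see it work on the constructed data.

```python
import hashlib
import itertools
from collections import Counter
from typing import Callable, Dict, List, Tuple


def md5_hex(data: bytes) -> str:
    """Upper-case hex MD5, in the same style as the digests quoted in the post."""
    return hashlib.md5(data).hexdigest().upper()


def file_reader(path: str) -> Callable[[], bytes]:
    """Return a callable that re-opens and re-reads the whole file on every call."""
    def read() -> bytes:
        with open(path, "rb") as f:
            return f.read()
    return read


def cycling_reader(contents: List[bytes]) -> Callable[[], bytes]:
    """Stand-in for a file whose bytes change between reads (constructed, for offline runs)."""
    it = itertools.cycle(contents)
    return lambda: next(it)


def sample_hashes(read: Callable[[], bytes], rounds: int) -> Tuple[Counter, Dict[str, bytes]]:
    """Read `rounds` times; count each digest and keep one copy of the bytes behind it."""
    counts: Counter = Counter()
    variants: Dict[str, bytes] = {}
    for _ in range(rounds):
        data = read()
        digest = md5_hex(data)
        counts[digest] += 1
        variants.setdefault(digest, data)
    return counts, variants


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """[start, end) byte ranges where a and b differ; a length mismatch is reported as a final tail range."""
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        j = i
        while j < n and a[j] != b[j]:
            j += 1
        ranges.append((i, j))
        i = j
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def describe_variants(counts: Counter, variants: Dict[str, bytes]) -> List[dict]:
    """One row per distinct digest, most frequent first, with the ranges that differ from the most frequent variant."""
    baseline_digest = counts.most_common(1)[0][0]
    baseline = variants[baseline_digest]
    return [
        {
            "digest": digest,
            "count": count,
            "length": len(variants[digest]),
            "diff_vs_baseline": differing_ranges(baseline, variants[digest]),
        }
        for digest, count in counts.most_common()
    ]


# Constructed sample data (hypothetical; not firefox.exe): a 1 KiB base image,
# one variant with 4 bytes patched at offset 100, one with 16 bytes appended.
BASE = bytes(range(256)) * 4
VARIANT_B = BASE[:100] + b"\xff\xff\xff\xff" + BASE[104:]
VARIANT_C = BASE + b"\x00" * 16


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        read = file_reader(sys.argv[1])                      # e.g. a path to firefox.exe
        rounds = int(sys.argv[2]) if len(sys.argv) > 2 else 20
    else:
        read = cycling_reader([BASE, VARIANT_B, VARIANT_C, BASE, BASE, VARIANT_B])
        rounds = 6
    counts, variants = sample_hashes(read, rounds)
    for row in describe_variants(counts, variants):
        print(f"{row['digest']}  x{row['count']:<3} len={row['length']:<8} differs_at={row['diff_vs_baseline']}")
```

The script reads through the ordinary file API, the same path a checksumming firewall would normally use. If the reported ranges are non-empty, they show which region of the file (a resource, a trailing block, a few bytes in the middle) is actually changing between reads, which is far more useful for narrowing the cause than the digests alone; if repeated reads never differ but the firewall still reports a change, the discrepancy lies in how the firewall reads or caches the file rather than in the bytes on disk.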