Security Hero Rotating Header Image

September 25th, 2008:

Mozilla Products Graphic Rendering Memory Corruption Vulnerability

Mozilla Products Graphic Rendering Memory Corruption Vulnerability


A memory corruption vulnerability exists in various Mozilla products, allowing a remote attacker to compromise targeted systems upon viewing malicious HTML document.


Full compromise of the targeted system.


  • Critical

Affected Software:

  • Firefox version older than 3.0.2
  • Firefox version older than
  • Thunderbird version older than
  • SeaMonkey version older than 1.1.12

Additional Information:

The vulnerability lies in common graphics routines rendering, and is caused by insufficient checking of long strings when displaying them. There are two main attack scenarios:

1) A malicious html page could be hosted on a rogue or hacked web server, targeting users who browse the page in Firefox or Seamonkey.
2) A malicious html formatted e-mail could be mailed (or mass-mailed), targeting recipients who open the e-mail in Thunderbird or Seamonkey.


  • Upgrade to latest version available from
  • Disable JavaScript until a version containing the fix is installed.



  • David Maciejak of Fortinet’s FortiGuard Global Security Research Team


The State of Malware – September 2008 Edition

The State of Malware – September 2008 Edition

This edition’s highlights:

Malware by the numbers

The following malware statistics are based on threats caught by Fortinet’s FortiGate security appliances for the period August 21st – September 20th, 2008.

Top Ten Variants

Top ten malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition’s Top 100 ranking, with “new” highlighting the malware’s debut in the Top 100:

Rank     Malware Variant                  Percentage  Top 100 Shift1        W32/Inject.GZW!tr.bdr            38.1           new2        W32/Inject.GZV!tr.bdr             6.7           new3        W32/Multidr.JD!tr                 4.3           -24        W32/Delf.BFC!tr.dldr              3.6           new5        W32/Netsky!similar                2.2           -26        W32/Goldun.AXT!tr.spy             2.1           new7        W32/Virut.A                       2.0           -28        HTML/Iframe_CID!exploit           2.0           +19        W32/Dloadr.BQY!tr                 2.0           new10       W32/Crypt.MV!tr                   1.6           new

There was a vast change in this report’s threatscape, highlighted by a run of many new variants:

  • Rogue security trojans swept the top four positions, with all associated variants accounting for over 60 percent of total malware volume for this period
  • Virut.A remained strong amongst the rogues in seventh spot, bumped out of the top five for the first time in seven months
  • Goldun.AXT, a new trojan keylogger, generated heavy volume and claimed sixth spot
  • Crypt.MV, belonging to the Pushdo family, clings onto the final tenth spot

Top Five Families

Malware variants’ activity for this edition has been grouped into families and sorted as shown below. Percentage indicates the portion of activity accumulated by the family out of all threats reported in this edition. Top 10 shifts indicate positional changes compared to last edition’s Top 10 ranking, with “new” highlighting the malware family’s debut in the top ten:

Rank     Malware Family                    Percentage  Top 10 Shift1        RogueSecurity                     61.5            new2        Netsky                             3.5            -13        Goldun                             3.5            new4        Virut                              2.5            -5        OnlineGames                        2.0            -3

The rogue security application family (RogueSecurity) was added this month, and the accumulated results for all of its variants was astounding: 61.5% of total reported malware belonged to the RogueSecurity family. The sheer volume for the top four variants this period no doubt contributed to a good part of this figure, with many other variants filling in the rest. Two main rogue applications composed this family (see our rogue analysis for more details): AntiVirus XP 2008 took the cake with 55.5% of the 61.5% reported family activity, while XP Security Center accounted for the remaining 6.0%.

Activity recap

There was a vast change in the threatscape this period, highlighted by the arrival of new variants in our top ten. Last report, we showed the influx of activity associated with W32/Multidr.JD towards the end of the period. This activity continued throughout the beginning of this period, shifting to W32/Delf.BFC before moving on to other variants. While this activity was concerning enough, the cyber criminals behind this campaign decided to kick it up a notch. Halfway through the reported period, already heavy rogue security activity exploded: W32/Inject.GZW began flooding cyberspace in volumes we have not previously reported. Figure 1 below shows this surge of activity overshadowing W32/Netsky:

Figure 1: Top six variant activity for this report period, fueled by rogue security trojans

Back in January/February of 2007, Storm made a couple of single day runs with comparable activity. This has not occurred since, and the biggest difference here is the accumulated volume: W32/Inject.GZW maintained these extreme levels for at least six days, not to mention the other variants. All of the variants shown in Figure 1 above were associated to the rogue security application AntiVirus XP 2008. This campaign has been ongoing for a while, and has recently been underscored by this flood of activity. All servers observed hosting web content for this product were using a limited fast flux model: a small sample of IP’s were being switched out on a frequent basis, noticed Fortinet security researcher Derek Manky. These hosts all ran the popular Nginx web server, and supported other rogue products such as AntiMalware 2009 through virtual domains.

While these rogue applications were certainly the focus of this period, other malware should not go unnoticed. W32/Virut.A remains very consistent and prevalent. In addition, a new keylogger popped up onto the radar, most of the activity associated to W32/Goldun.AXT. Figure 2 below shows activity for this new family, as well as accumulated activity for the RogueSecurity and Netsky family:

Figure 2: Family activity for this report, dominated by RogueSecurity

Fortinet’s FortiGuard Global Security Research Team will continue to monitor these emerging trends and threats. Users should prepare for another month of activity from the RogueSecurity family, and always be aware of these scams.


Customers who use Fortinet¡¦s FortiGuar