Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Malware infected Firefox Add-Ons – again

February 5th 2010 in Uncategorized

Remember the Vietnamese Language Pack malware debacle that occurred in May of 2008? That was when Mozilla admitted that they only scanned add-ons for malware when the files were first uploaded – too bad for Firefox users if an infection was new and not yet detectable. After that debacle Mozilla changed their protocols to re-scan add-ons (although I must admit, I still don’t understand why they weren’t doing that in the first place).

Now we have another incident. To quote the Mozilla blog:

Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.

Cite: http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/

Mozilla advises that:

Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010. AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.

PWS:Win32/Ldpinch.gen detection has been around since at least February 2008. So would somebody like to explain to me why that Trojan was not detected by Mozilla until after “two additional malware detection tools (were) added to the validation chain”? And this is despite the scare that they suffered in May of 2008 when the Vietnamese Language Pack malware was discovered? Just what “malware detection tools” were they using up until now?
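The gap the post is complaining about – a package scanned once at upload, by a single engine, and never looked at again – is easiest to see in code. The following is an added illustration, not Mozilla’s AMO code: a small repository that stores uploaded add-ons (XPI files are ZIP archives), runs a chain of scanning engines over every member, and rescans everything already hosted whenever engines are added to the chain. The engines, the `MARKER_*` byte strings and the sample add-on are constructed placeholders, not real detections or real malware.

```python
# Added illustration, not Mozilla's AMO code: a multi-engine validation chain
# that keeps uploaded add-ons and rescans them when engines are added.
import io
import zipfile

# Placeholder detectors standing in for real scanners; the markers are constructed.
def engine_a(data):
    return "Placeholder.A" if b"MARKER_A" in data else None
def engine_b(data):
    return "Placeholder.B" if b"MARKER_B" in data else None

def scan_xpi(xpi, chain):
    """Run every engine over every member of the XPI (a ZIP archive);
    returns {member: [detection names]} for members any engine flagged."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(xpi)) as zf:
        for member in zf.namelist():
            data = zf.read(member)
            found = [d for d in (eng(data) for eng in chain) if d]
            if found:
                hits[member] = found
    return hits

def build_sample_xpi():
    """Constructed add-on: a harmless manifest plus one member carrying
    MARKER_B, which only engine_b recognises."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF>sample add-on</RDF>")
        zf.writestr("components/helper.dll", b"\x00binary MARKER_B data\x00")
    return buf.getvalue()

class AddonRepository:
    """Stores packages so they can be rescanned, not just checked at upload."""
    def __init__(self, chain):
        self.chain, self.packages, self.disabled = list(chain), {}, {}
    def upload(self, name, xpi):
        hits = scan_xpi(xpi, self.chain)   # scan-at-upload only, the weak model
        if hits:
            self.disabled[name] = hits
            return False
        self.packages[name] = xpi
        return True
    def rescan(self, extra):
        """Extend the chain and re-check everything already hosted."""
        self.chain += extra
        newly = {n: h for n, x in self.packages.items()
                 if (h := scan_xpi(x, self.chain))}
        self.disabled.update(newly)
        for n in newly:
            self.packages.pop(n)
        return newly
```

With only `engine_a` in the chain the sample package is accepted; it is caught only when `engine_b` is added and the hosted packages are rescanned, which is exactly why a one-time upload check is not enough.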

Win32.bifrose (as distinct from Win32.Bifrose.32.Bifrose – is that a typo?) has been around since as early as 2006.

Why was Mozilla oblivious to the existence of the Trojans until “CatThief” reported it to them?

The next time you download some add-on from addons.mozilla.org that was uploaded by heaven-knows-who, ask yourself: just who are you trusting?

Update:  While we’re on the topic of “just who are you trusting”, this is a quote from Computerworld:

Little could be found on the Web about the author of Master Filer, identified as "haklinim," other than that he or she used an anonymous proxy server in Japan to shunt traffic to a developer biography, which Mozilla has also deleted.

SourceTec Software, which makes Sothink Web Video Downloader, is based in China, according to the phone number listed on its Web site. The company did not reply to a request for comment or an explanation of how its add-on was infected.

Mozilla also was unavailable late Thursday to respond to questions, including why the infected Sothink Web Video Downloader add-on was not detected in 2008, and whether it planned to reach out to users who had downloaded the tainted extensions.

(Thanks to ObiWan for the heads up)
