Welcome to WebmasterWorld Guest from 54.147.217.76

Forum Moderators: incrediBILL

Message Too Old, No Replies

FireFox Add-ons Infecting Users with Trojans

Infected add-ons incorporated due to unrecognized signatures

   
10:50 am on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member



From Wired:

Mozilla, the maker of the open source Firefox browser, is redoubling its efforts to check user created add-ons for viruses and Trojans after it discovered that a language pack on its official add-on page had been infected for months with rogue code, the organization reported Wednesday.

Firefox Infects Vietnamese Users With Trojan Code [blog.wired.com]
12:06 pm on May 8, 2008 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I have been cautious of add-ons (extensions) since day one. Every time a friend calls with a "my internet is slow" issue I seem to end up patching their Windows host file and managing their Add-ons in Microsoft Internet Explorer. So when Firefox came out with extensions I was very cautious, and still am very cautious. I just hope they extend the scanning to their Themes [webmasterworld.com] as well.
2:32 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member



IMO, anything at all that starts to get widespread exposure in publicity, distribution or usage will start to get targeted eventually. It was only a matter of time in coming.
3:24 pm on May 8, 2008 (gmt 0)

5+ Year Member



The actual facts of THIS case seem to point to the fact that the software was accidentally included in some sort of bundle and then uploaded it to the Mozilla servers. It was not targeting Mozilla at all.

The most worrying part is that they just use signature based virus checking before hosting extensions. They need to improve their verification of code before hosting it (and therefore saying it is safe)

Malicious extensions are nothing new, I have seen them before 1.0. By default extensions will not install so this is not a drive-by attack.

EDIT: More information from Mozilla

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself.

[blog.mozilla.com...]

So the language pack only included symptoms of a trojan, not the actual trojan itself. No users were ever at risk and they would only have seen the ads that were inserted if they viewed the help files.

5:25 pm on May 8, 2008 (gmt 0)

5+ Year Member



I always re-start Firefox in "Safe Mode" before doing anything that needs to be really secure like online banking. I don't want any extensions running then, since an extension could monitor my keystrokes and send login and password info to the bad guys.
8:29 pm on May 8, 2008 (gmt 0)

10+ Year Member



Will safe mode do the trick? I never even though about the banking with Firefox.
10:04 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why restart Firefox in safe mode? Install Opera and do your online banking from there.
10:05 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So the language pack only included symptoms of a trojan, not the actual trojan itself. No users were ever at risk and they would only have seen the ads that were inserted if they viewed the help files.

But, mozilla.org says:

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content.

So, the addon is doing something other than its advertised function. This is independent of whether it is capable of spreading the infection.

Also, the remote content can always be replaced at will with different remote content that does more than display an ad. Drive by javascript for example.

1:54 pm on May 9, 2008 (gmt 0)

5+ Year Member



The title is still totally misleading and inflammatory.

'FireFox Add-ons Infecting Users with Trojans'

It isn't infecting users with trojans, it gave them HTML pages which had some ad code added (the developer is the only person that was infected) and there is only a theoretical risk if you view the help pages of an infected download.

5:28 pm on May 9, 2008 (gmt 0)

5+ Year Member



For the last 2 weeks, I also had a strange problem with firefox 2.0
When the connection is a little slow, after sometime, firefox tries to go to the an address with the domain name omitted. For example, in stead of accessing this page, firefox will go to [firefox_browser...]
No peculiar add-on installed, apart from some web development stuff like alexa, google page rank , or colorzilla
1:35 am on May 13, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I always re-start Firefox in "Safe Mode" before doing anything that needs to be really secure like online banking. I don't want any extensions running then, since an extension could monitor my keystrokes and send login and password info to the bad guys.

What do you mean by "Safe Mode"?

Before you do your online banking, why not simply disable any suspect Add-ons in the "Tools" dropdown menu?

Is that what you call "Safe Mode"?

3:23 am on May 18, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hah! Since posting in this thread, I've discovered what "Safe Mode" is from neccessity.

I use FF 2.0.0.14 (latest on OSX Tiger 10.4) and use 4 Add-ons.

Not eperienced a grain of trouble for over a year.

But this week the SiteAdvisor (McAfee) extension 26.5 causes FF to freeze, totally unusable.

I had to force quit FF, and use Camino to troubleshoot.

It is definitely the Siteadvisor Add-on, and there's no chatter about the problem on the McAfee site or forums.

I even tried a fresh SA download, and the same bug occurs; Siteadvisor is broken on this platform, and rogering the latest Firefox version.

In addition; if you try the "Find Updates" in your Add-ons menu, they all work EXCEPT the Siteadvisor one which returns an error message.

Wake up McAfee!

And a heads-up to any fellow Mac FF users.

>>Disable Sitadvisor until McAfee fix the bug.<<