Zero Day

Ryan Naraine and Dancho Danchev

Mozilla Firefox hit by malware add-ons

February 5, 2010, 8:20am PST

Summary: Mozilla says a pair of malicious Firefox add-ons slipped by its security checks and infected approximately 4,600 Windows computers over the last five months.

The browser add-ons, described by Mozilla as “experimental,” contained a Trojan horse that executed when Firefox started and infected the host computer.

According to a post on the Mozilla add-ons blog, the malicious add-ons were Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer.

The Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained the Win32.Bifrose Trojan. Both add-ons have been disabled, but Mozilla said they had been active since September 2009.

Users with either of these add-ons should uninstall them immediately. Because uninstalling the extensions does not remove the trojan from a user’s system, an anti-virus program should also be used to scan for and remove any infections.

Mozilla said the malicious add-ons sneaked past its security processes:

[We perform] a malware check on all add-ons uploaded to the site, and block add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.

Separately, malware researchers at eSoft are warning about a fake Firefox download page that comes with nasty adware surprises.

Taking a closer look reveals clues to the fraudulent page. While the page advertises version 3.5, the newest version is actually 3.6. There are also misspellings such as “Anti-Pishing” in the title of the security section.

Victims of this scam install the “Hotbar” toolbar by Pinball Corp, formerly Zango. Not only are users subject to the annoying toolbar, they’re also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray.

eSoft noted that the owner of the fake Firefox site is most likely not associated with Pinball Corp and is only using its pay-per-install ad network for fast cash.

Pay-per-install affiliate programs reward referring sites that generate installs of their programs, with Pinball paying as high as $1.45 per install, the company said.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 102 Talkback(s)

  • What?
    You gain some popularity and show that you have some good marketshare and usage and then Malware creators find ways to exploit the software you create. Say it isn't so. I have been told by so many MacOS Users, Linux Users, and OpenSource Users that Marketshare and how many people using the software have no impact on such things.
    bobiroc
    5th Feb 2010
  • I read it was a Firefox issue.
    It has nothing to do with Windows.
    ye
    5th Feb 2010
  • Malware
    "4,600 Windows computers over the last five months."
    That is a Firefox issue in windows, dah.
    Clayman1000x
    8th Feb 2010
  • No.
    It's two issues, neither with Firefox.

    One is some website hosting a trojan horse that only affects Windows, the other is another website hosting a trojan horse that only affects Windows.

    In both cases you have to manually download and install them, clicking through a warning first.
    AzuMao
    9th Feb 2010
  • No it is a firefox issue
    that happens to be installed on Windows because Microsoft does not make Firefox. If you have a computer running Windows and do not use Firefox then you do not have this issue. Get it? If Adobe has a security flaw only on the Windows version of their software do you blame Windows for that too? I bet you do. This is what we mean when we say you are not very bright there Deitrich. Just because you grasp at straws to justify your idiotic way of thinking doesn't make it true.
    bobiroc
    5th Feb 2010
  • and if you have Linux
    You're safe, even if you have Firefox with the mentioned plugins.

    Linux rocks happy
    T1Oracle
    5th Feb 2010
  • Windows code doesn't run on Linux
    And water is wet, the sun rises in the east, and Linux fanboys continue to grasp at straws.
    ye
    5th Feb 2010
  • Well, DUH it doesn't run! Good work sherlock.
    Oh, but I did forget about wine. Firefox will run in wine. SO I guess we penguins aren't completely safe either. Oh, who cares. I'll just reinstall wine.
    bendib
    6th Feb 2010
  • Misattribution.
    Your response appears to be more appropriate to T1Oracle's posting.
    ye
    6th Feb 2010
  • Thanks for pointing out
    yet another reason why Linux is inherently more secure. "Windows code doesn't run on Linux"
    silly
    T1Oracle
    8th Feb 2010
  • That's no longer true
    Most people (esp the ones switching from Windows) have Wine installed these days, and most distros make it so that executing .exe files automatically opens with Wine. There have been cases of windows malware running on Linux thanks to Wine, but thankfully most of them are contained in the ~/.wine folder, so getting rid of the malware is as simple as deleting ~/.wine . *However*, if you are affected by malware that doesn't restrict itself to the C: drive, and makes a proactive attempt to scan all available drives, then you could face a possible deletion or worse, encryption of all your personal data. (The OS itself will still be fine of course, because no one runs Wine in super-user mode..)
    [deXter]
    8th Feb 2010
  • So when a hacker eventually can be bothered to write a malicious ...
    ... Linux FF add-in which infects your Linux box, then your response will be?
    de-void-21165590650301806002836337787023
    5th Feb 2010