Infected Firefox add-ons pulled off official site

Two infected Firefox add-ons managed to avoid detection and were put online, available to download, on Firefox’s official add-on download site. The one thing that stopped the infection from spreading more than it has is the fact that the add-ons were experimental and, as such, were less likely to be downloaded than those that have already passed the review process.

Sothink Web Video Downloader 4.0 and all versions of Master Filer contained Trojans able to hijack computers running Windows. Good news for Mac and Linux users – their computers could not have been infected.

The Sothink add-on contained the Win32.LdPinch.gen Trojan, and was downloaded some 4,000 times between February 2008 and May 2008. Master Filer contained the Win32.Bifrose.32.Bifrose Trojan, and was downloaded approximately 600 times between September 2009 and January 2010. They were both removed from the page immediately after being detected: Master Filer in late January of this year and Sothink’s Downloader just a few days ago.

This news was made public on Mozilla’s official blog, and users who have downloaded either or both add-ons were warned that uninstalling them will achieve nothing and that they should scan their system with an anti-virus program to find and remove the Trojans. Mozilla also offered a list of antivirus programs known to detect the Trojans found in the affected add-ons: Antiy-AVL, Avast, AVG, GData, Ikarus, K7AntiVirus, McAfee, Norman, and VBA32.

But how could such a thing happen in the first place? “AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader,” it says in the blog entry.

Until now, Mozilla had only one check in place, but it has raised the number to three. Jorge Villalobos, the Add-ons Developer Relations Lead at Mozilla, says that they will probably add more in the future. They will also scan the complete catalogue of add-ons they have online more frequently.

The interesting thing is that only the 4.0 version of the Sothink Web Video Downloader contains the Trojan – later versions are safe. This raises the question of whether the presence of the Trojan is intentional or accidental. According to Computerworld, SourceTec – the developer of the Downloader – is based in China, and it didn’t respond to an email inquiry asking for an explanation of how this could have happened.
