Malware in Firefox add-ons

Mozilla has announced that two Firefox add-ons contained malware and has removed them from the add-on repository. Both add-ons were in the experimental section of the repository.

In a post on its security blog, Mozilla said that its anti-malware scanning tools had not detected or flagged these add-ons as containing malware. The malicious add-ons have been identified as version 4.0 of Sothink Web Video Downloader and all versions of Master Filer. Sothink Web Video Downloader 4.0 included malware known as Win32.LdPinch.gen, while Master Filer included malware known as Win32.Bifrose.32.Bifrose Trojan.

Starting Firefox with these add-ons installed would infect the host machine. Once infected, removing the add-ons would not remove the malware; removal required running an anti-virus/anti-malware tool. Antiy-AVL, Avast, AVG, GData, Ikarus, K7AntiVirus, McAfee, Norman, and VBA32 were all reported to be effective at removing them. Both pieces of malware targeted Windows systems.

This is another reason not to trust software just because it is open-source or free. The fact that thousands of add-ons exist to accomplish specific things is what makes software like Firefox, WordPress, etc. attractive. Hackers have started exploiting the fact that most users do not have the expertise to inspect the code and understand what it does.

As the number of add-ons grows, the amount of time that it takes to screen them and post them on the official repository grows. I have seen a lot of add-on developers post the latest version of their add-ons on their websites to make it available immediately to users. There are a couple of problems with this:

  1. For users, there is no guarantee that these add-ons are malware free. Someone could post a valid and useful add-on on the Mozilla add-on site and then, once the add-on has enough users, post an update containing malware on their private site. All the users updating to the latest version would be activating the malware on their computers.
  2. Another issue is the security of the developer’s website. The developer might not be malicious, but if a hacker were able to replace the legitimate add-on files with modified ones that contained malware, the end result would be the same: users downloading the add-on would get the malware on their computers.

Another problem that Mozilla will have to address lies with Firefox’s plug-in architecture. When add-ons are posted to the official repository, they are screened for malware. But once a user downloads and installs them, there is no way for Firefox to know if one of them has been modified. For instance, you can open one of them in a text editor and modify functionality and Firefox will not even blink. It will run the modified code without any problems.

That presents another attack point for hackers: modify a legitimate add-on to perform unauthorized actions. FFSpy is a proof of concept that illustrates how this can be accomplished. It involves editing NoScript’s XUL overlay file; the altered add-on can then intercept HTTP requests and report data posted through HTML forms, such as user credentials, to a remote server.
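Because Firefox itself will run an edited add-on without noticing, the check has to come from outside the browser: record a hash of every file in the installed add-on and compare against that baseline later. The script below is an added example, not code from the original post or from Mozilla; the add-on layout, file names and contents it constructs are invented for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample add-on, loosely shaped like a Firefox 3.x XUL add-on
# (install.rdf plus a chrome overlay). Names and contents are invented.
SAMPLE_ADDON = {
    "install.rdf": "<RDF><Description em:id='example@example.invalid'/></RDF>\n",
    "chrome/content/overlay.xul": "<overlay id='example-overlay'/>\n",
    "chrome/content/overlay.js": "window.addEventListener('load', function () {}, false);\n",
}

def write_addon(root, files):
    """Create the constructed add-on tree under root."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)

def snapshot(root):
    """Map each file (path relative to root) to the SHA-256 of its bytes."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Report files changed, added or removed since the baseline was taken."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Baseline a constructed add-on, tamper with it after install, detect the change."""
    with tempfile.TemporaryDirectory() as tmp:
        write_addon(tmp, SAMPLE_ADDON)
        baseline = snapshot(tmp)  # in practice store this outside the profile
        # Simulate post-install tampering: an overlay script is edited in place
        # and an unexpected file appears in the add-on directory.
        (Path(tmp) / "chrome/content/overlay.js").write_text("/* edited after install */\n")
        (Path(tmp) / "chrome/content/extra.js").write_text("// not part of the baseline\n")
        return diff_snapshots(baseline, snapshot(tmp))

if __name__ == "__main__":
    print(demo())
```

The baseline is only worth something if it is stored where whoever can edit the add-on cannot also edit it, for example outside the Firefox profile directory or alongside hashes published by the add-on repository.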

Link to the original notice from Mozilla: Please read: Security Issue on AMO