Please read: Security Issue on AMO

Nick Nguyen (osunick)


NOTE: Further investigation has revealed that all versions of Sothink Web Video Downloader are malware free.  For more, read our update.

Issue

Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.

Impact to users

If a user installs one of these infected add-ons, the Trojan is executed when Firefox starts and the host computer becomes infected. Users with either of these add-ons should uninstall them immediately. Uninstalling the add-ons does not remove the Trojan from a user’s system, so an antivirus program should then be used to scan for and remove any infection.

Status

This vulnerability is known to affect Firefox on Windows only, if either Master Filer or Version 4.0 of Sothink Web Video Downloader are installed. Versions of Sothink Web Video Downloader greater than 4.0 are not infected. Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010. AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.

Credit

This issue was originally reported by CatThief.

Antivirus Software

Here is a list of antivirus programs known to detect the trojans found in the affected add-ons.

Antiy-AVL
Avast
AVG
GData
Ikarus
K7AntiVirus
McAfee
Norman
VBA32
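The Status section describes AMO’s validation chain rescanning every add-on with several malware detection tools. As an added example (not Mozilla’s or AMO’s code), the Python check below unpacks an XPI, flags any member that is a Win32 PE executable (the file type both trojans in this post were) or carries a native-library extension, and records per-file SHA-256 hashes so the package can be rescanned as new signatures appear; the file names and the sample XPI are constructed for the demonstration.

```python
# Added example (not Mozilla/AMO code): a pre-publication check an add-on
# validation chain could run alongside antivirus scanners. It unpacks an XPI
# (a ZIP archive), flags any member that is a native Win32 PE executable,
# and records each member's SHA-256 so the archive can be rescanned later
# as new signatures appear. File names and the sample XPI are constructed.
import hashlib
import io
import zipfile

NATIVE_EXTENSIONS = {".dll", ".exe", ".sys", ".so", ".dylib"}


def is_pe(data: bytes) -> bool:
    """True if data carries a DOS/PE header: 'MZ' magic and a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (bytes 0x3C..0x40)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_xpi(xpi_bytes: bytes) -> dict:
    """Return {'members': {name: sha256}, 'flagged': [(name, reason), ...]}."""
    report = {"members": {}, "flagged": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            report["members"][info.filename] = hashlib.sha256(data).hexdigest()
            lower = info.filename.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""
            if is_pe(data):                      # content check beats the name
                report["flagged"].append((info.filename, "Win32 PE executable"))
            elif ext in NATIVE_EXTENSIONS:       # name suggests native code
                report["flagged"].append((info.filename, "native-library extension"))
    return report


def build_sample_xpi() -> bytes:
    """Constructed XPI: a manifest, a script, and a minimal fake PE stub."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    pe[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> PE header
    pe += b"PE\x00\x00" + b"\x00" * 20              # PE signature + padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/content/overlay.js", "// benign script")
        zf.writestr("components/helper.dll", bytes(pe))
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_xpi(build_sample_xpi())
    for name, reason in result["flagged"]:
        print(f"HOLD FOR REVIEW: {name} ({reason}) sha256={result['members'][name]}")
```

A flagged member is a trigger for human review and multi-engine scanning, not a verdict; the stored hashes are what let the same package be rechecked when new signatures land, which is the daily-rescan point raised in the comments.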

66 responses

  1. ftofficer wrote on :

    I wonder how these two addons passed Mozilla’s test. Does Mozilla have any plans to prevent this kind of vulnerability in the future?

  2. XtC4UaLL wrote on :

    @ftofficer: you didn’t read the last three sentences, did you?

  3. Omega X wrote on :

    @ftofficer

    READ!

    “AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.”

  4. Gerv wrote on :

    Do we have any opinion as to whether the trojaning of Master Filer was deliberate or accidental?

    Gerv

  5. Pino wrote on :

    ftofficer’s question is very legitimate. No matter whether AMO has 0, 100 or 10,000 security checks, apparently it was possible to get viruses uploaded. That’s what matters to us, the users. In essence, it doesn’t seem to have changed, since the only thing that has increased is the number of checks, which apparently are not watertight.
    It is not right to argue “see how good their security is, they even find viruses in the addons that are online”. That should have never happened.

  6. Kirkburn wrote on :

    Pino,

    If not by looking for viruses – you know, via checking for them – how do you expect them to be detected?

  7. Jorge wrote on :

    @Pino: our malware checks are as good as malware detection tools allow them to be. We made the mistake of having a single check, and now we’ve expanded it to 3, and probably more in the near future.
    Your expectation of it “never happening” is equivalent to expecting an antivirus tool to immediately detect every single form of malware in existence. That has never been the case.

  8. Carl Chapman wrote on :

    I’d recommend Smart Security from ESET; surprised it isn’t listed in the list above, but it would definitely pick up any threats like this!

    This is very strange for Mozilla to distribute Add-ons that are infected… What AV do they use?

  9. Olivier SC wrote on :

    I found this article via Twitter. Are you sure that Kaspersky anti-virus does not know this trojan? …

  10. Alan Baxter wrote on :

    We already knew security which depends on blacklists isn’t reliable. What else can AMO do to prevent this from happening again? How else can we be protected from rogue Windows executables embedded in extensions? Any ideas? (I’m sure AMO has already thought about this a lot. I’m interested in hearing what they’ve come up with.)

  11. Fred wrote on :

    @Jorge

    I would, however, expect an antivirus/antimalware program to detect malware that seems to have been around since February 2008.*

    *Source:
    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS:Win32/Ldpinch.gen

  12. dan wrote on :

    I wonder if Firefox for Mac has the same vulnerabilities. Be careful which add-ons you install.
    dan

  13. Kirkburn wrote on :

    Fred, I think they know that: they even list the programs that do detect it at the end of the article.

    Whatever solution they were using, I’m sure they’re probably pretty annoyed that it got through.

  14. Andreas wrote on :

    You wrote “Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008.” Ok, but how often was it downloaded between Max 2009 and NOW?

    I don’t know if it is only a typing error, but some people may think you are trying to keep information secret to make this thing look less bad than it is.

  15. Jorge wrote on :

    @Fred: if you run any of the two infected files through http://www.virustotal.com/, you’ll see that only 18 of the 40 tools used actually detect them. That’s today.

  16. Herbert wrote on :

    What about plugins that use spyware to install fake Bing toolbars, like SkipScreen, according to the comments on its plugin page?

  17. Toby wrote on :

    @dan – given that the Mozilla distributes the OS X version as well, the Mac version “has the same vulnerabilities”; that is, if someone managed to sneak malware into a Mac-specific extension which wasn’t caught, it could be distributed and infect Macs running FF. Unless the payload had some way to elevate its privileges, the amount of harm it could do would be limited, though, and the pool of Mac-infecting malware is many orders of magnitude smaller than the Win32 world’s…

  18. Salih Emin wrote on :

    For 2 seconds while I was reading this issue, I was scared that it affected my system too… then I woke up and realised that I was using Ubuntu Linux… Thank God I use Linux for my day-to-day computing !! :)

  19. Arc wrote on :

    Sounds like the infected files were Windows binaries, so Linux and Mac OS should be OK?

  20. JohnT wrote on :

    @Dan and @Toby: The Mac version does NOT have the same vulnerabilities. (Please see the first sentence in the third paragraph in the above article.) OS X file permissions and root user would not allow an infection like this to affect the whole computer.

  21. Nex Necis wrote on :

    Why is it even allowed to bundle any Win32 PE file, not only malware, with an extension? There really is no valid reason for this, and the only thing this ends up doing is exposing users to threats.

  22. SF wrote on :

    What about files that are one-time malware, written that way, and are not on any list of viruses? How is this detected?

  23. tttt wrote on :

    Is this only with Sothink downloader v4 or all their addons? The latest version from them is v5.6, and how do we know it is actually uploaded by the company and not someone else pretending to be the official addon?

  24. Fred wrote on :

    @Kirkburn

    Yes, I am sure that they are quite annoyed with this incident and have taken what they consider appropriate steps to try and prevent this from happening again.

    @Jorge

    Blaming the “tools” used is all good and well however that is probably small consolation to those 4600 users who may have unwittingly infected themselves with a trojan and may not even know it.

    If a two year old trojan can sneak onto AMO and be downloaded thousands of times then there is something fundamentally wrong with the AMO system.

  25. Calimo wrote on :

    This post is quite disappointing. It is not a surprise malicious code can get through how many checks you want. The two crucial questions are left unanswered:
    - Was it a deliberate or accidental infection (from the extension’s author)?
    - What measures are you going to take?

    This is not only a Windows problem. Mac and Linux could also be infected, even though it would be limited to user’s space.

    Security based on a blacklist is not reliable. Are you going to continue with just a larger blacklist, or are you going to find another way? Are you at last going to forbid any precompiled binary code to be uploaded to AMO? I’d be much more confident with that.

  26. Ben Bucksch wrote on :

    In May 2008, you found a virus in a Vietnamese lang pack. It had also sneaked through the virus checker, because the checker didn’t know about the virus at the time of upload, but did know about it later. You said back then that you’d change your processes to run a virus checker *daily*. This is important, because new viruses get discovered all the time, and virus vendors need some time to add checks for them, so even if you don’t get a hit at time of upload, you may still get a hit 5 days later, even with the same virus checker, assuming you update your virus checker signature files daily.

    So, please run all the virus checkers on all the addons *daily*, esp. the DLL parts. You promised to do that, but apparently failed to do so.

    Also, I recommend AVG http://free.avg.com/ . Although it’s free, it’s one of the best, per c’t magazine tests.

    > How else can we be protected from rogue Windows
    > executables embedded in extensions?

    Require source code (under Open Source licences) for all addons and compile them yourself.

  27. Ben Bucksch wrote on :

    Re Mac security (not related to this incident):

    “Mac … Unless the payload had some way to elevate its privileges”
    “OS X file permissions and root user would not allow an infection like this to affect the whole computer.”

    While true, that’s meaningless: The important thing is your data and *all* executables you run, including FF addons, can get to that, and to my knowledge also record your keypresses (passwords etc.), so root doesn’t provide any protection for *you*, only for potential (but unlikely) other users on the same machine.

  28. john wrote on :

    i wonder why norton antivirus is not listed here…

    maybe this is important to understand what’s going on here…

    what is and what seems to be?

  29. an Opera User wrote on :

    I’m wondering how “secure” the rest of the addons are?
    And who can verify that?
    What if it was not a completely well-“known” trojan? Who can really confirm that the addons I’m running are not stealing any personal data, or performing suspicious operations, or probably opening some backdoors?

    If a trojan can make its way that easily into a computer running Firefox, I don’t see any reason why my Gmail password can’t be stolen even more easily with a “cool” addon.

  30. fred wrote on :

    Is this the reason why the FF addons webpage has not been accessible for at least two days? At least, it hasn’t been for me, anyway. I can’t get the page to open in Opera or IE, either.

  31. me3 wrote on :

    WOW, you people who are worried that Mac and Linux systems might get infected really need a clue.

  32. Daniel Molina Wegener wrote on :

    Is it possible for some companies to donate the proper licenses and software to Mozilla, allowing them to make stronger checks? Possibly a link to the tool used and information about the malware/virus detected would be useful for those companies too.

  33. Mark wrote on :

    Hi,

    is it possible to post the md5 hash here?

  34. john wrote on :

    Other systems like OS X & Linux do not have extensions infected by malware because the first interest is to distribute malware for the Windows platform, because Windows has 92% of market share … therefore to strike the highest number of people in the world.

    If this 92% of worldwide market share were OS X, extensions with malware would be for OS X … the same for Linux …

    this is Social Engineering!!!!

    Ps: in Windows Vista & Windows 7, UAC warns the user that malware wants to write its call to autoload at boot into the registry … & system root !!!!!

  35. gbell wrote on :

    Is this the reason why my Firefox keeps getting hijacked and redirected to various websites? I’ve run Norton, Spybot and AVG and none have detected a virus.

  36. Alan Baxter wrote on :

    It looks like the current scans of the SoThink 4.0 addon may have been false positives. SoThink updated the addon to 4.2 because of false positive reports in May 2008. Did AMO verify that 4.0 actually contained a trojan?

    From http://74.125.47.132/search?q=cache:aou1K7snX3QJ:https://addons.mozilla.org/en-US/firefox/addons/versions/6541+site:addons.mozilla.org+sothink+%22version+history%22&cd=1&hl=en&ct=clnk&gl=us:
    Version 4.2 — May 16, 2008 — 685 KB
    Works with:
    * Firefox: 1.5 – 3.0b3
    Fixed Bug
    * Some of anti-virus softwares misreported that it contained virus.

  37. A2D wrote on :

    You people don’t understand how easy it is to make a variant of any existing trojan or virus .. one that would require an all new scanning definition.

    Just change the compression used on the file and “Boom” you have a new variant.

    easy peasy lemon squeezy

  38. Horacio wrote on :

    I’m having a problem with my Yahoo mail account, in which scroll navigation with the mouse wheel gets blocked from the moment I start composing an e-mail. The Yahoo help has suggested I verify the installed plug-ins in Firefox 3.6.

  39. Paul wrote on :

    Congratulations to CatThief.
    And thanks for your Mostly Crystal themes.

  40. LeomanBK wrote on :

    I didn’t start using computers until I was into my mid-50s and then I started using the ‘training-wheels version’ of WebTV; hence to a quite dated iMac. Only when I’d passed 60 years of age did I dare the ‘big leagues’ of a Windows 2000 Pro console. I insert this preamble only to lend background to what may appear a profound dimwittedness to the many who’ve been swimming much closer to the wave crest for a very long time.

    I need guidance in the area of either ‘infected addons’ or more generally addons/plugins, the downloading of which leads to a Pandora’s Box of nasty and unintended consequences. Being a creative type, I’m always in search of variety; standard forms break me out (much to my chagrin, I might add). So, over a year ago, I chose to spice up my home page with a florid motif full of mauves. It’d only been downloaded by a handful of people, which added an aura of exclusivity to its appeal.

    Only later did I learn (all suppositions on my part) that its use resulted in the shrinkage of my desktop area to no more than 85% of my available screen. Beyond this, I have only a broad black strip of no use to me at all. Add to this that the desktop ‘page’ itself cannot be moved in any direction. EXCEPT in the case of Internet Explorer.

    I’ve crucified myself and vivisected the guts of this machine trying to undo this mess, only leaving myself more prone to need Xanax and once causing a total collapse of the machine’s function. I’d really be grateful for some light in this darkness. There are areas in which I seem quite bright. If only computing were one.

    very truly leomanBK

  41. Giorgos wrote on :

    Since Sothink Web Video Downloader is open source, does anyone know exactly where the trojan resides in the source code?

  42. Manuel wrote on :

    Interesting to read, that the issue in Sothink Web Video Downloader may have been a false positive.

    Did someone verify, it really contained a trojan? If so: Is this addon still trustworthy if the addon developer uploaded an infected version? Why is only version 4.0 infected and no newer version?

    Kirkburn says February 5, 2010 at 7:01 am:
    > If not by looking for viruses – you know, via checking for them – how do you
    > expect them to be detected?

    Don’t accept binary stuff on AMO, and the script code should be reviewed by human reviewers.

  43. Barry wrote on :

    @Jorge,

    “@Fred: if you run any of the two infected files through http://www.virustotal.com/, you’ll see that only 18 of the 40 tools used actually detect them. That’s today.”

    Mmmm, ok, so why not run all submissions through virustotal?

  44. victor wrote on :

    how do we protect our systems from downloading these add-ons? pop-ups always come to say “FIREFOX HAS DETECTED THAT THE FOLLOWING ADD-ONS ARE NOT INSTALLED, DOWNLOAD & INSTALL”
    what do we do in this case, and how do I know if my system is infected?

    So many people use my systems, online and offline; how do I protect them if I am not at home to monitor them?

    reply
    thanks

  45. me wrote on :

    Isn’t Mozilla trying to find where these files came from? Were they inserted by the plugin developers? Who are these developers? I would imagine that there would be some sort of liability for uploading trojans.

  46. Jeshmal4u wrote on :

    I was using Sothink.. just now I removed it & used Avast to remove the trojan.. thanks for your update here

  47. Alan Baxter wrote on :

    Barry: “why not run all submissions through virustotal?”

    Good question, but will AMO follow up all detections to find the false positives? Or will they just pull it, and almost two years of squeaky-clean updates, based on the output from 18 of 40 scanners? It appears that’s what AMO may have done with the SoThink addon.

    SoThink reported this issue on its AMO addon’s page and in their forums almost two years ago. AMO’s report smears SoThink’s reputation. We still don’t know that AMO’s report of actual malware is based on proper research. AMO and Mozilla still haven’t replied to my queries as to whether they actually verified this rather than just relying on scanners.

  48. 32-bit enthusiast wrote on :

    >list of antivirus programs known to detect the trojans found in the affected add-ons.

    with no Kaspersky or Norton on the list, on the one hand, and AVG/Avast all-time false positives champions on the other hand (I wonder how come Antivir failed to get there), this whole issue looks like another fit of uneducated malware hysteria. No offence, folks…

  49. Greg Shoults wrote on :

    If you’re concerned about AMO’s security level, SELL YOUR COMPUTER. Please stop kvetching because the BEST is not PERFECT. Or go live at the mercy of Politically Correct (PC) IE security.

  50. Arthur wrote on :

    Am I safe with ESET NOD32 Antivirus? I’m sure none of the antivirus programs mentioned above are as strong as NOD32.
