Please read: Security Issue on AMO

Nick Nguyen (osunick)

NOTE: Further investigation has revealed that all versions of Sothink Web Video Downloader are malware free.  For more, read our update.

Issue

Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer, were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.

Impact to users

If a user installs one of these infected add-ons, the Trojan is executed when Firefox starts and infects the host computer. Uninstalling these add-ons does not remove the Trojan from a user’s system. Users with either of these add-ons should uninstall them immediately and then use an antivirus program to scan for and remove any infections.

Status

This vulnerability is known to affect Firefox on Windows only, and only if either Master Filer or Version 4.0 of Sothink Web Video Downloader is installed. Versions of Sothink Web Video Downloader greater than 4.0 are not infected.

Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010.

AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as malware. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.

Credit

This issue was originally reported by CatThief.

Antivirus Software

Here is a list of antivirus programs known to detect the trojans found in the affected add-ons.

Antiy-AVL
Avast
AVG
GData
Ikarus
K7AntiVirus
McAfee
Norman
VBA32

66 responses

  1. Chris wrote on :

    I tried downloading Firefox today, and my AVG caught the trojans. I stopped the install and rebooted; it looks like I still have at least one trojan. I am still waiting on scan results.

  2. Milo wrote on :

    ESET’s NOD32 scores relatively well, but there are no signature-based, blacklisting solutions that will score 100% in both reactive and proactive mode. Ref:
    http://www.virusbtn.com/vb100/rap-index.xml

  3. Giorgos wrote on :

    @gbell: It could be from toolbars you have installed. Other than that, you should check your hosts file.

  4. Gordon wrote on :

    What took so long folks?

  5. PC.Tech1 wrote on :

    - http://blog.mozilla.org/addons/2010/02/09/update-on-the-amo-security-issue/
    February 9, 2010 – “… the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware…”

  6. George wrote on :

    Norton is curiously absent from the list of programs which will detect/remove this malware. Anyone know why?

  7. Jillian wrote on :

    I’m kind of bummed to see that Kaspersky wasn’t on your list. And to think I switched from Avast. Ughh!

    1. me09 wrote on :

      Hello. Avast is not such a good antivirus in my opinion, but Kaspersky is my favorite. I found a review of it at top ten best antiviruses http://www.best-antivirus.co/ and it helped me a lot.
      Good luck.

  8. Joni.Tran wrote on :

    I think that isn’t a virus:
    http://blog.bkis.com/sothinks-plugin-for-firefox-is-not-a-virus/

  9. Nellibly wrote on :

    Whatever this is, it actually uninstalled Stopzilla, disabled Malwarebytes, started using my email account to send spam emails, and redirected every Firefox page to adware. Happily, Norton stopped the emails from being sent, but couldn’t stop the trojan. Hard drive is in the shop being wiped. Very nasty little bug!

  10. smith wrote on :

    Hey, thanks for sharing such a nice and detailed review. McAfee antivirus is the most efficient protection. As far as reputations go, ESET’s Node32 protection is almost faultless. Nod32 antivirus system provides full antivirus software protection against threats endangering your PC. Download antivirus Nod32.

    For more information check this link: http://www.eccouncil.org/certification/ec-council_certified_security_specialist.aspx

  11. Tanner wrote on :

    Another GREAT anti-virus software that works is Avira Antivir! Too bad it wasn’t listed here.

  12. Martin Katz, Ph.D. wrote on :

    Within 2-3 days of the initial announcement, all antivirus vendors had the problem covered. The problem is not one that can be found when downloading. It can only be found when the file is saved to disk and then run by the browser. That is when every antivirus should have picked it up.

    If you are worried about your antivirus not being able to find all of the problems (none are), make sure you run a separate Intrusion Detection System (such as Threatfire).

  13. grook wrote on :

    What about Kaspersky?

  14. Dj Taylor wrote on :

    I am surprised that Avira or Kaspersky didn’t catch it.

  15. Martin Ayala wrote on :

    In my opinion it isn’t that good; I prefer Avast. Also check VTZilla, an add-on for Firefox; it is pretty good for scanning files.
