Malicious Firefox Add-ons Installed Trojans

Mozilla last night announced that two experimental Firefox add-ons, Master Filer and the Sothink Web Video Downloader version 4, infected victim PCs with Trojans when either add-on was installed.

The small-distribution extensions were previously available via Mozilla's add-on site, but have since been removed. According to Mozilla's post, the Master Filer add-on had been downloaded about 600 times and installed the Bifrose Trojan. The Sothink Web Video Downloader version 4 slipped in the LdPinch Trojan, and had been downloaded about 4,000 times.

According to the open-source organization, the malicious add-ons managed to sneak by the one malware scanner (unnamed in the post) used by Mozilla. The organization says it will now be scanning with two additional detection tools (also unnamed).

If you happen to have installed either of these malicious add-ons, note that removing the add-on will not remove any installed Trojan. You'll need to run a separate antivirus scan and disinfection to clean your system. Mozilla's post includes a list of antivirus software currently known to detect the particular Trojans involved.

This unfortunate incident makes clear why relying solely on one antivirus scanner is never a good idea, as no one program detects everything. Since this has happened at least once before with an infected Vietnamese language pack, I'm curious why Mozilla doesn't simply switch to uploading all add-on submissions to the free Virustotal.com, which uses about 40 different engines to scan each submission. I've also asked Mozilla which scanner it had been using. If I get that information I'll add it to this post.

Update: Mozilla says it had been using ClamAV as its sole scanner prior to this incident. I'd guess Mozilla feels it's a natural match as an open-source app, but the ClamAV engine didn't fare well at detection tests when I reviewed the Windows version of the program, ClamWin.

Subscribe to the Security Watch Newsletter

Comments