[FP] Windows Trojans found in 2 AMO experimental extensions

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

[FP] Windows Trojans found in 2 AMO experimental extensions

Post by Alan Baxter »

Please read: Security Issue on AMO « Mozilla Add-ons Blog

Edit: False positive! Mozilla has announced that the trojan detection in Sothink Web Video Downloader for Firefox 4.0 is a false positive. http://blog.mozilla.com/addons/2010/02/ ... ity-issue/
Sothink Web Video Downloader for Firefox has been reinstated on AMO. https://addons.mozilla.org/en-US/firefox/addon/6541
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Windows Trojans found in 2 AMO experimental extensions

Post by therube »

Softpedia seems to be a stickler for "adware" much less malware.
And of the 41 or so Sothink products they list, the two mentioned are not included.

http://www.softpedia.com/dyn-search.php ... rm=sothink

Sothink has had apps at Giveaway of the Day.
And they have a forum, http://www.sothinkmedia.com/phpBB2/index.php.

Would be interesting to learn more on this.

DSL Reports: Security Issue on AMO...Two experimental add-ons -Firefox
Alan Baxter

Re: Windows Trojans found in 2 AMO experimental extensions

Post by Alan Baxter »

From Security Issues With Two Experimental Add-Ons at Mozilla Security Blog:
Two add-ons in the experimental section of addons.mozilla.org were found to be containing malware. These were not originally detected with the anti-malware scanning tools that we have been using. We have since increased the number of scanning tools, and will be taking additional steps to minimize the risk of further incidents.
I'm glad to hear they're planning to take "additional steps to minimize the risk of further incidents". Relying on blacklist-based scanners to detect malware isn't sufficiently reliable.
therube

Re: Windows Trojans found in 2 AMO experimental extensions

Post by therube »

Thread on the Sothink Forum (not by me), Sothink Web Video Downloader Firefox Addon is infected?
Let's see how they respond.

And this older thread (where the same person posed the same question), HIJACKING LINKS - TROJAN HORSE VIRUS?
(Some of the original comments in the thread are likely only ignorance on the user's part.)


That's right, Sothink was one who played around with FlashGot, http://forums.informaction.com/viewtopi ... 6358#p6358


SWVDService.js now includes (in v5.2 it did not)...


/***** BEGIN LICENSE BLOCK *****

    FlashGot - a Firefox extension for external download managers integration
    Copyright (C) 2004-2009 Giorgio Maone - g.maone@informaction.com

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                             
***** END LICENSE BLOCK *****/
The only "executable" is a dll (& some associated files) & they are unchanged from at least March of 2009. (Everything else being JavaScript or whatnot.)


nsCatcher(i386-2).dylib 69228 03/20/2009
nsCatcher(i386-3).dylib 64536 03/20/2009
nsCatcher(ppc-2) .dylib 62792 03/20/2009
nsCatcher(ppc-3) .dylib 80156 03/20/2009
nsCatcher.dll           57344 03/20/2009
nsCatcher.so            51663 03/20/2009
nsICatcher.xpt            467 03/20/2009
SWVDService.js         143077 01/27/2010
Uploaded the above files (all renamed as *.exe & ZIP'd) & nothing was found, http://www.virustotal.com/analisis/ebb7 ... 1265479202.
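The post above reasons from file sizes and dates that the native components did not change between releases. A stricter way to make that check is to hash every member of the two XPI packages (an XPI is a ZIP archive) and diff the hashes, flagging any native binary that is new or different as the first thing to scan. The following is an added Python example, not code from this thread, from Sothink or from Mozilla; it builds two constructed in-memory archives whose member names follow the listing in the post (the byte contents are invented) and reports what changed.

```python
"""Diff the members of two add-on packages by content hash.

XPI add-ons are ZIP archives, so "did the native binary change between
releases?" can be answered by hashing each member instead of comparing
sizes and timestamps. All archives below are constructed sample data.
"""
import hashlib
import io
import zipfile

NATIVE_SUFFIXES = (".dll", ".so", ".dylib")


def build_xpi(members):
    """Build an in-memory ZIP/XPI from a {name: bytes} mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def hash_members(xpi_bytes):
    """Map each file in the archive to (size, sha256 hex) without writing to disk."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            result[info.filename] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def is_native(name):
    """True for platform binaries, the members a scanner verdict would hinge on."""
    return name.lower().endswith(NATIVE_SUFFIXES)


def diff_packages(old_xpi, new_xpi):
    """Return which members changed, were added, were removed or stayed identical."""
    old, new = hash_members(old_xpi), hash_members(new_xpi)
    common = set(old) & set(new)
    changed = sorted(n for n in common if old[n][1] != new[n][1])
    unchanged = sorted(n for n in common if old[n][1] == new[n][1])
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return {
        "changed": changed,
        "unchanged": unchanged,
        "added": added,
        "removed": removed,
        # native binaries that are new or differ between releases: scan these first
        "native_changed": [n for n in changed + added if is_native(n)],
    }


# Constructed stand-ins for an older and a newer release. Member names follow
# the listing in the post; the bytes are invented (a fake MZ header for the
# DLL, short text for everything else).
FAKE_DLL = b"MZ" + b"\x00" * 62 + b"nsCatcher placeholder body"
OLD_XPI = build_xpi({
    "install.rdf": b"<RDF/>",
    "components/nsCatcher.dll": FAKE_DLL,
    "components/nsICatcher.xpt": b"xpt-placeholder",
    "components/SWVDService.js": b"// SWVDService v5.2 (constructed)\n",
})
NEW_XPI = build_xpi({
    "install.rdf": b"<RDF/>",
    "components/nsCatcher.dll": FAKE_DLL,              # identical bytes
    "components/nsICatcher.xpt": b"xpt-placeholder",   # identical bytes
    "components/SWVDService.js": b"// SWVDService v5.7 (constructed)\n// now bundles FlashGot code\n",
})

if __name__ == "__main__":
    report = diff_packages(OLD_XPI, NEW_XPI)
    for key in ("changed", "added", "removed", "unchanged", "native_changed"):
        print(f"{key:15} {report[key]}")
```

With real packages, replace the constructed archives with the bytes of the two downloaded XPI files; an empty `native_changed` list means the scanner verdict on the old release says nothing about binaries that are byte-identical in the new one, while a non-empty list names exactly which binaries to submit for scanning.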
therube

Re: Windows Trojans found in 2 AMO experimental extensions

Post by therube »

The blog talks about "version 4.0" of the Web Video Downloader, so guessing that had to be quite old.

v5.2 ~ March 2009
v5.7 ~ January 2010

Whatever was in the 4.0 version seemingly is not in the current versions. The blog should have been clearer on that.

Don't know where to find this "Master Filer" product or the 4.0 of WVD?


SoThink has been featured on GAOTD several times so I thought the recent news from Mozilla is relevant.

"Mozilla also was unavailable late Thursday to respond to questions, including why the infected Sothink Web Video Downloader add-on was not detected in 2008"
therube

Re: Windows Trojans found in 2 AMO experimental extensions

Post by therube »

So this old version of software has basically been sitting on Mozilla shelves for what, at least 1 year, containing malware, undetected.
Does not speak well for Mozilla & its policies & methodologies.

Presumably they also had the more recent versions on AMO, but all look to be pulled now?

Finding the issue is fine, but I think Mozilla needs to be more forthcoming on this.

(Don't know if AMO is different from "Mozilla" ..., but whatever.)
Alan Baxter

Re: Windows Trojans found in 2 AMO experimental extensions

Post by Alan Baxter »

From: http://74.125.47.132/search?q=cache:aou ... clnk&gl=us
Sothink Web Video Downloader for Firefox
Version 4.0 — February 18, 2008
Version 4.2 — May 16, 2008

At least the extensions were still marked Experimental, i.e. AMO never vouched for them.

Has it been Slashdotted yet?
Alan Baxter

Re: Windows Trojans found in 2 AMO experimental extensions

Post by Alan Baxter »

From http://74.125.47.132/search?q=cache:aou ... clnk&gl=us again:
Version 4.2 — May 16, 2008 — 685 KB
Works with:

* Firefox: 1.5 – 3.0b3

Fixed Bug

* Some of anti-virus softwares misreported that it contained virus.
I just noticed. SoThink identified version 4.0 as a false positive in the change log when 4.2 was released almost two years ago. Did AMO just pull an extension and drag SoThink's name through the mud without ensuring the scanners weren't reporting a false positive? :shock:
therube

Re: Windows Trojans found in 2 AMO experimental extensions

Post by therube »

Kind of my thought too.

It's one thing to pull it & investigate it, but as it is, this is now all over the web.
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Windows Trojans found in 2 AMO experimental extensions

Post by GµårÐïåñ »

To be fair though, the ranking of experimental is not AMO not vouching for something, it just means it has not been downloaded or ranked and/or commented on as much as others, I know this because of a particular "experimental" addon which I use and I KNOW to be fine but has been ranked as experimental for a while. So suddenly, there was like 10-15 comments on the addon in the next week and sure enough the status changed, I HIGHLY doubt and willing to bet my paycheck, it wasn't because AMO suddenly vouched for something that has been holding that status for nearly 8 months, it was the comments and the increased downloads that changed its status, so let's not give them more credit than they deserve. Like all the "recommended" addons get that ranking not because AMO really gives a damn, its because they are downloaded beyond a point, or have a certain number of "GOOD" comments, the system is automated. Alan, given your relationship with the AMO people, you should know that.
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Windows Trojans found in 2 AMO experimental extensions

Post by Alan Baxter »

Good points, GµårÐïåñ. Thank you for bringing them up.
Alan Baxter

Re: Windows Trojans found in 2 AMO experimental extensions

Post by Alan Baxter »

False positive! Mozilla has announced that the trojan detection in Sothink Web Video Downloader for Firefox 4.0 is a false positive. http://blog.mozilla.com/addons/2010/02/ ... ity-issue/
Sothink Web Video Downloader for Firefox has been reinstated on AMO. https://addons.mozilla.org/en-US/firefox/addon/6541
therube

Re: [FP] Windows Trojans found in 2 AMO experimental extensions

Post by therube »

two instances of suspected malware
So now it is "suspected".

They didn't mention that in the original blog report.
Would have been better had they done so originally.

Something like ... We suspect, so we're pulling. Advise to remove in the meantime. Will confirm once we know ...
therube

Re: [FP] Windows Trojans found in 2 AMO experimental extensions

Post by therube »

Just to point out, "Master Filer 0.2" (which does contain a trojan) is not a Sothink product.
I was never clear on that.

Master Filer 0.2

http://translate.google.com/translate?p ... c/tag/4240