[FP] Windows Trojans found in 2 AMO experimental extensions
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
[FP] Windows Trojans found in 2 AMO experimental extensions
Please read: Security Issue on AMO « Mozilla Add-ons Blog
Edit: False positive! Mozilla has announced that the trojan detection in Sothink Web Video Downloader for Firefox 4.0 is a false positive. http://blog.mozilla.com/addons/2010/02/ ... ity-issue/
Sothink Web Video Downloader for Firefox has been reinstated on AMO. https://addons.mozilla.org/en-US/firefox/addon/6541
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Re: Windows Trojans found in 2 AMO experimental extensions
Softpedia seems to be a stickler for "adware" much less malware.
And of the 41 or so Sothink products they list, the two mentioned are not included.
http://www.softpedia.com/dyn-search.php ... rm=sothink
Sothink has had apps at Giveaway of the Day.
And they have a forum, http://www.sothinkmedia.com/phpBB2/index.php.
Would be interesting to learn more on this.
DSL Reports: Security Issue on AMO...Two experimental add-ons -Firefox
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100131 SeaMonkey/2.0.3pre
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Windows Trojans found in 2 AMO experimental extensions
From Security Issues With Two Experimental Add-Ons at Mozilla Security Blog:
"Two add-ons in the experimental section of addons.mozilla.org were found to be containing malware. These were not originally detected with the anti-malware scanning tools that we have been using. We have since increased the number of scanning tools, and will be taking additional steps to minimize the risk of further incidents."
I'm glad to hear they're planning to take "additional steps to minimize the risk of further incidents". Relying on blacklist-based scanners to detect malware isn't sufficiently reliable.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Re: Windows Trojans found in 2 AMO experimental extensions
Thread on the Sothink Forum (not by me), Sothink Web Video Downloader Firefox Addon is infected?
Let's see how they respond.
And this older thread (where the same person posed the same question), HIJACKING LINKS - TROJAN HORSE VIRUS?
(Some of the original comments in the thread are likely only ignorance on the users' part.)
That's right, Sothink was one who played around with FlashGot, http://forums.informaction.com/viewtopi ... 6358#p6358
SWVDService.js now includes (in v5.2 it did not)...
Code:
/***** BEGIN LICENSE BLOCK *****
FlashGot - a Firefox extension for external download managers integration
Copyright (C) 2004-2009 Giorgio Maone - g.maone@informaction.com
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
***** END LICENSE BLOCK *****/
The only "executable" is a dll (& some associated files) & they are unchanged from at least March of 2009. (Everything else being JavaScript or whatnot.)
Code:
nsCatcher(i386-2).dylib 69228 03/20/2009
nsCatcher(i386-3).dylib 64536 03/20/2009
nsCatcher(ppc-2) .dylib 62792 03/20/2009
nsCatcher(ppc-3) .dylib 80156 03/20/2009
nsCatcher.dll 57344 03/20/2009
nsCatcher.so 51663 03/20/2009
nsICatcher.xpt 467 03/20/2009
SWVDService.js 143077 01/27/2010
Uploading the above files (all renamed as *.exe & ZIP'd) & nothing was found, http://www.virustotal.com/analisis/ebb7 ... 1265479202.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100131 SeaMonkey/2.0.3pre
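The version-to-version comparison described in the post above, as an added example that is not part of the thread or any poster's code: it hashes every member of two XPI (zip) archives and reports which files changed and which native binaries are byte-identical. The two file names are taken from the listing in the post; their contents and the archive layout are constructed placeholders.

```python
import hashlib
import io
import zipfile

# Leading magic bytes of native code formats that can ship inside an XPI.
NATIVE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit big-endian",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit little-endian",
}

def inventory(xpi_bytes):
    """Map each archive member to (sha256 hex digest, native format or None)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            data = xpi.read(info)
            fmt = next((name for magic, name in NATIVE_MAGIC.items()
                        if data.startswith(magic)), None)
            result[info.filename] = (hashlib.sha256(data).hexdigest(), fmt)
    return result

def compare(old_xpi, new_xpi):
    """Classify the members of new_xpi relative to old_xpi."""
    old, new = inventory(old_xpi), inventory(new_xpi)
    report = {"added": [], "removed": sorted(set(old) - set(new)),
              "changed": [], "unchanged_native": []}
    for name in sorted(new):
        digest, fmt = new[name]
        if name not in old:
            report["added"].append(name)
        elif old[name][0] != digest:
            report["changed"].append(name)
        elif fmt:  # identical bytes, so one scan result covers both versions
            report["unchanged_native"].append((name, fmt))
    return report

def make_xpi(members):
    """Build an in-memory XPI from {name: bytes}; used for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed sample archives (placeholder contents, not the real extension).
OLD = make_xpi({"nsCatcher.dll": b"MZ\x90\x00stub", "SWVDService.js": b"// older"})
NEW = make_xpi({"nsCatcher.dll": b"MZ\x90\x00stub", "SWVDService.js": b"// newer"})
REPORT = compare(OLD, NEW)
```

Comparing by content hash rather than by the size and date columns avoids trusting archive metadata, which can be identical for files whose bytes differ.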
Re: Windows Trojans found in 2 AMO experimental extensions
The blog talks about "version 4.0" of the Web Video Downloader, so guessing that had to be quite old.
v5.2 ~ March 2009
v5.7 ~ January 2010
Whatever was in the 4.0 version seemingly is not in the current versions. The blog should have been clearer on that.
Don't know where to find this "Master Filer" product or the 4.0 of WVD?
SoThink has been featured on GAOTD several times so I thought the recent news from Mozilla is relevant.
"Mozilla also was unavailable late Thursday to respond to questions, including why the infected Sothink Web Video Downloader add-on was not detected in 2008"
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100131 SeaMonkey/2.0.3pre
Re: Windows Trojans found in 2 AMO experimental extensions
So this old version of software has basically been sitting on Mozilla shelves for what, at least 1 year, containing malware, undetected.
Does not speak well for Mozilla & its policies & methodologies.
Presumably they also had the more recent versions on AMO, but all look to be pulled now?
Finding the issue is fine, but I think Mozilla needs to be more forthcoming on this.
(Don't know if AMO is different from "Mozilla" ..., but whatever.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100131 SeaMonkey/2.0.3pre
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Windows Trojans found in 2 AMO experimental extensions
From: http://74.125.47.132/search?q=cache:aou ... clnk&gl=us
Sothink Web Video Downloader for Firefox
Version 4.0 — February 18, 2008
Version 4.2 — May 16, 2008
At least the extensions were still marked Experimental, i.e. AMO never vouched for them.
Has it been Slashdotted yet?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Windows Trojans found in 2 AMO experimental extensions
From http://74.125.47.132/search?q=cache:aou ... clnk&gl=us again:
Version 4.2 — May 16, 2008 — 685 KB
Works with:
* Firefox: 1.5 – 3.0b3
Fixed Bug
* Some of anti-virus softwares misreported that it contained virus.
I just noticed. SoThink identified version 4.0 as a false positive in the change log when 4.2 was released almost two years ago. Did AMO just pull an extension and drag SoThink's name through the mud without ensuring the scanners weren't reporting a false positive?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Re: Windows Trojans found in 2 AMO experimental extensions
Kind of my thought too.
It's one thing to pull it & investigate it, but as it is, this is now all over the web.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100131 SeaMonkey/2.0.3pre
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Windows Trojans found in 2 AMO experimental extensions
To be fair though, the ranking of experimental is not AMO not vouching for something, it just means it has not been downloaded or ranked and/or commented on as much as others, I know this because of a particular "experimental" addon which I use and I KNOW to be fine but has been ranked as experimental for a while. So suddenly, there was like 10-15 comments on the addon in the next week and sure enough the status changed, I HIGHLY doubt and willing to bet my paycheck, it wasn't because AMO suddenly vouched for something that has been holding that status for nearly 8 months, it was the comments and the increased downloads that changed its status, so let's not give them more credit than they deserve. Like all the "recommended" addons get that ranking not because AMO really gives a damn, it's because they are downloaded beyond a point, or have a certain number of "GOOD" comments, the system is automated. Alan, given your relationship with the AMO people, you should know that.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Windows Trojans found in 2 AMO experimental extensions
Good points, GµårÐïåñ. Thank you for bringing them up.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Windows Trojans found in 2 AMO experimental extensions
False positive! Mozilla has announced that the trojan detection in Sothink Web Video Downloader for Firefox 4.0 is a false positive. http://blog.mozilla.com/addons/2010/02/ ... ity-issue/
Sothink Web Video Downloader for Firefox has been reinstated on AMO. https://addons.mozilla.org/en-US/firefox/addon/6541
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Re: [FP] Windows Trojans found in 2 AMO experimental extensions
"two instances of suspected malware"
So now it is "suspected".
They didn't mention that in the original blog report.
Would have been better had they done so originally.
Something like ... We suspect, so we're pulling. Advise to remove in the meantime. Will confirm once we know ...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100131 SeaMonkey/2.0.3pre
Re: [FP] Windows Trojans found in 2 AMO experimental extensions
Just to point out, "Master Filer 0.2" (which does contain a trojan) is not a Sothink product.
I was never clear on that.
Master Filer 0.2
http://translate.google.com/translate?p ... c/tag/4240
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100131 SeaMonkey/2.0.3pre