
Mozilla Distributes Virus-Infected Language Pack

Anyone who downloaded the Vietnamese language pack for Firefox 2 needs to run an anti-spyware and anti-virus scan, then disable the pack for now. Mozilla warned yesterday that all versions of that language pack downloaded from its servers since Feb. 18, 2008, were infected with pop-up ad serving software.

Window Snyder, Mozilla's chief security officer, said the Vietnamese language pack was contaminated as the result of a virus infection. "This usually results in the user seeing unwanted ads, but may be used for more malicious actions."

Snyder said Mozilla doesn't know how many people downloaded the compromised language pack, but said there have been 16,667 downloads of the pack since November 2007.

Mozilla is working on getting a replacement language pack up on the site soon. Snyder said that while Mozilla does virus scans when add-ons are uploaded to its servers, the scanner for whatever reason didn't catch this nasty until several months after the upload. Mozilla is now adding post-upload scans to everything on its download servers, she said.

Language packs are add-ons in Firefox. Add-ons can be removed by clicking "Tools" and then "Add-ons." According to the discussion on this in the Bugzilla database, the culprit here is something called "Trojan.Win32.Xorer," which disables security software on the infected PC and spreads by infecting files, programs and removable drives. Instructions for manually removing Xorer are online here.

There is an interesting discussion about this going on today at news-for-geeks site Slashdot, which "highlights the risk on relying on user-submitted Firefox extensions, or a lack of peer-review of the extensions, many of which receive frequent upgrades."

By Brian Krebs |  May 8, 2008; 12:51 PM ET Latest Warnings

Comments




Too bad they didn't use Virustotal.com, maybe this would have never been a problem.

Posted by: Name | May 8, 2008 1:42 PM

Hmmm ... Mozilla is competing in the browser space, and its main competitor is IE. Now Windows itself is one big malware trap -- because of ActiveX if for no other reason -- but when was the last time Microsoft itself actually distributed a virus in its software?

Mozilla evidently didn't have enough checks.

This Window Snyder character (is that name for real?) also said:

**************
"In most software development environments the developers aren't kept in a dark cave," she said. "They browse the web or take those laptops to a coffee shop."

"It's just a fact of life," she added.
**************

Source:

http://www.macworld.co.uk/macsoftware/news/index.cfm?RSS&NewsID=21253

I think "It's just a fact of life" is remarkably nonchalant. That comment turned me right off.

I tend to use Safari on my Mac. I have also got Firefox, but I don't on the whole install extensions, and I do check the MD5 hashes on the Firefox download. (Mind you, while Mozilla has MD5 hashes for its products on its server, it is pretty good at not linking to the hashes, and it is a trouble to find them.)

I'm not impressed by Mozilla's attitude at all. I didn't care for it when Apple was flippant about shipping malware on iPods and it was left to McDonalds in Japan (who'd given the iPods out) to offer a suitable apology. If you screw up like this, you should apologize profusely, and you should change your procedures to try to ensure it doesn't happen again.

Posted by: Mike | May 8, 2008 2:11 PM

is it really necessary to spread FUD by using the term "virus" in the title of the article when the malware in question wasn't actually a virus?

Posted by: kurt wismer | May 8, 2008 4:50 PM

my mistake - this article calls it a trojan in the body of the article but other articles make it clear that it does reproduce...

Posted by: kurt wismer | May 8, 2008 5:11 PM

I seriously don't get why people get so bent out of shape when someone calls it a virus and it's not or WHATEVER. It's all the same stuff, it's unwanted. I wouldn't be surprised if part of the reason AV vendors are lacking signatures is because they're sitting in their cubicles debating what the WHATEVER should be classified as, then probably spend another 30 minutes trying to come up with some pretty little name for the WHATEVER.

WHY can't we all just say Virus, Trojan and have the other party know we are talking about UNWANTED CODE. Why can't we just name the malicious code MaliciousCode-1 MaliciousCode-2 and so on....

Posted by: YouMakeMeTired | May 9, 2008 12:15 PM

@Kurt -- THIS article also makes it clear that this thing does reproduce:

"the culprit here is something called "Trojan.Win32.Xorer," which disables security software on the infected PC and spreads by infecting files, programs and removable drives."

Posted by: Bk | May 9, 2008 12:28 PM

>@Kurt -- THIS article also makes it clear that this thing does reproduce:

>"the culprit here is something called "Trojan.Win32.Xorer," which disables security software on the infected PC and spreads by infecting files, programs and removable drives."

That seems to be the HTML file-infector that inserted the malicious script into HTML files belonging to the add-on. That Trojan horse would have been present on the computer of the add-on developer, but not in the add-on itself, which contained just an adware pop-up as a result of the inserted script.

That at least is my understanding.

Posted by: FreewheelinFrank | May 9, 2008 4:42 PM

"The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself."

http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/

PC World does seem to have a more accurate headline in that respect:

"Mozilla: Firefox Plug-In Shipped With Malicious Code"

http://www.pcworld.com/businesscenter/article/145617/mozilla_firefox_plugin_shipped_with_malicious_code.html

Posted by: FreewheelinFrank | May 9, 2008 4:54 PM

Comments from the bug report seem to confirm that it was never 'virus infected':

"I think it just because the author's local network was infected with the virus, so it modified html files. The main virus is a Win32 program. The infected code just display annoying banner but it can't propagate"

Including this from the author of the add-on:

"Sorry for the inconvenient! I've found that translated help files was modified by a virus, come from China. I'm so busy these days, but I've cleaned up malicious code. The new fresh pack coming soon."

https://bugzilla.mozilla.org/show_bug.cgi?id=432406

Posted by: | May 9, 2008 5:11 PM

@youmakemetired:
"I seriously don't get why people get so bent out of shape when someone calls it a virus and it's not or WHATEVER. It's all the same stuff, it's unwanted."

it's not all the same stuff... it's the difference between stuff that spreads itself and stuff that needs to be spread by a malicious 3rd party... stuff that needs that malicious 3rd party stops when that malicious 3rd party stops... stuff that doesn't need that malicious 3rd party just plain doesn't stop... those represent 2 very different kinds of threat...

@bk:
"THIS article also makes it clear that this thing does reproduce:"

Trojan.W32.Xorer is not the name of a virus, it is the name of a trojan... everything else could have been misunderstood/misreported (as the media is wont to do when it comes to viruses)...

further comments seem to have cleared up the situation - it's a component that was dropped by a virus, not the virus itself...

Posted by: kurt wismer | May 9, 2008 11:25 PM


©  The Washington Post Company