Firefox Malware?

A crappy thing happened last week – someone wrote some malware that infects Firefox. We obviously don’t like that very much at all, but I wanted to at least make it clear what is and isn’t happening, since there’s some confusion out there.

What is going on?

Basically for as long as there has been software, there have been nasty people out there who get you to download and install software which turns out to have hidden cargo.  Security folks use names like “virus,” “trojan,” “worm,” and “malware” to describe different types, but the point is that if a person can be tricked into running nasty programs, they can do nasty things.

In this case, rather than wiping your hard drive or turning all your icons upside down, this particular jerk has decided to mess with your Firefox. Once you run the program, it hooks into your Firefox and watches for you to visit certain sites, at which point it will steal your username and password.

How Can I Tell If I Have It?

You can open up your Firefox addons manager (Tools->Add-ons) and go to the “Plugins” section.  If you have a plugin called “Basic Example Plugin for Mozilla” you should disable it.


Original credit to TrustDefender Labs’ blog post on the subject

Does This Mean that Firefox is Insecure?

No, and here’s why:

  • This particular malware targets our program, but once you have malicious software running on your system, it can just as easily attack other programs, or harm your computer in other ways.
  • This isn’t contracted by just browsing around the web with Firefox 3. In fact, the Malware Protection features in Firefox 3 are designed specifically to prevent sites from being able to attack your computer.

The people getting infected here are either downloading enticing files that have the malware hiding inside (which is why Firefox 3 hands off all downloads to your computer’s virus scanner once downloaded) or, as some sites are reporting, were already infected in the past and are having their computers forced to download this file as well.

Typical Firefox 3 users who avoid downloading software they don’t trust are unlikely to ever see this, and even the sites reporting it describe its incidence as “rare”.

What’s this I hear about Greasemonkey?

There are some mentions of Greasemonkey in a couple of the early reports, based on some analysis of the code used by this malware, but I want to be clear that the (legitimate, and awesome) Greasemonkey Addon is not involved in this malware in any way. It is not involved in the installation or execution of the attack.

As always, the best defense is vigilance.  Use a browser with a solid security record and modern anti-malware defenses built in, and be very careful about downloading and running programs you find online.  If a bad guy is able to get you to run a program on your machine they will be able to do bad things, so we’ll keep trying to stop them and you keep trying to as well.

More details are also available on the official Mozilla security blog.

18 comments

  1. Thanks for the update. So are the virus guys (Symantec etc) treating this as a virus, and blocking it using their clients?

  2. Will Mozilla update blocklist.xml to prevent this malicious plugin from even starting up/loading Firefox 3.0/3.1/3.2?

  3. I second Anon’s question. When will blocklist.xml be updated?

  4. there’s not much point in blocklisting this, assuming the writer isn’t dead, they could just rename it.

    blocklisting is designed to address dead or slow to update software written by people who are cooperating but not ready to fix their bugs.

    this doesn’t describe malware, which is quickly updated and mutates regularly.

    malware should be addressed at the system level.

    note that by the time this binary is on your system, someone has already run arbitrary code which could e.g. disable or rewrite any part of firefox or any other product on your system.

  5. Thanks for the great blog post, I’ve already used it in two places. Noobs keep thinking it’s a Firefox exploit, which is ridiculous because Mozilla would have patched it a week ago if it was. ;)

    The article I keep seeing pop up though does not go into detail on the method of infection, just that it’s a downloaded file the user has to be tricked into running, or it’s run through a “browser vulnerability” but it doesn’t say WHICH browser (which I bet is where the confusion arises). Based on all the browsers’ track records I am betting it involves a certain blue E.

  6. Is there a way to automatically detect if this plugin is installed?

  7. There is no 100% working way to automatically detect in Firefox whether this plugin is installed: assuming the writer isn’t dead, they could just rename it or change it so that autodetection doesn’t work any longer. Thus detecting it is probably antiviruses’ job, since any antivirus nowadays contains a constantly updating base of malware signatures.

  8. There’s an extension blacklist for Firefox, isn’t there? Is there one for Plugins too?

  9. Sorry to sound negative, but the fact that Firefox will:
    1. run untrusted and unsigned executable/extensions is a security issue.
    2. run an extension just because it is located in the extension directory whereas this extension has never been installed by Firefox is also an issue. Firefox should only run extensions if they have been installed by Firefox (it means that Firefox should have an installation journal).

  10. @ FACORAT:

    I agree with your second point.

    In the case of the first point, I happen to think that users should only use the addons.mozilla site to source their addons.

    Firefox encourages this, by disallowing 3rd party sites to install addons. To override this, the user has to click an ‘allow’ button, add the site to the whitelist, then click through another warning telling the user not to install addons from sources they do not trust.

    That sort of user is not going to care if an addon is signed or not. If it isn’t, they will still click through the warning dialogs regardless.

    There’s only so much Mozilla can do here- the final decision to install something lies with the user.

    Back to your second point, which is important. One of the benefits of Firefox (on Windows at least) is that it is separate from the operating system, insofar as not sharing code like IE does (or did in IE5/6, I don’t know about 7).

    That means even if a PC’s operating system has a security hole that allows someone else to slip in some unwanted malware, it shouldn’t compromise Firefox.

    I don’t want Firefox using addons/plugins unless I’ve clicked through those warning dialogs.

    If addons can be run just by plonking files in the extension folder, then Mozilla may as well remove all those warning dialogs telling people to be careful.

  11. @FACORAT / Mr. Lizard:

    It makes no difference what Firefox does. If someone is running arbitrary executable code on your system, you have already lost. Firefox could jump through hoops to try to verify the extensions it loads, but malicious software could just patch Firefox itself if necessary and subvert those checks. There is *no way* to stop malware from inserting itself into Firefox once it is already running on your system.

  12. @FACORAT / Mr. Lizard:
    I disagree with your 2nd point. I actually use that feature.. helps to manage addons with multiple profiles. The best thing to do is not download programs unless you can assure they are absolutely safe. Having linux also helps ;).

  13. “Use a browser with a solid security record and modern anti-malware defenses built in”

    Roger that, I’ll stick with Opera..

  14. Out of curiosity, what does the “Mozilla Default Plug-In” do? I disabled that and managed to get it to not show on my plug-in list, and Firefox is working just fine so far.

  15. Re my question above, I found an explanation. Thanks anyway.

  16. Hi guys, I think I have been infected by a virus. This virus prevented me from visiting those anti-virus web sites and also prevented my current anti virus software from getting updates. Any idea how to solve this? Any advice would be much appreciated.
    thanks
    thomas

  17. This does not sound like an “arbitrary” code executing on your machine. Fact is it has been designed to run in your browser specifically so that it knows when you are browsing banking sites, and then it can steal passwords. Yes the browser could have been IE or Firefox.
    I have a question, if companies can push updates/patches into their software running on users’ machines, why can’t they push warnings/alerts to users in same way. This issue is a good example, where this is needed. The issue is not with Firefox, so no patching required, but Mozilla is still posting warnings/mitigations on their sites.

  18. Thomas of post 16: This has just happened to me and it took me about 5 days to get rid of it. Every well known scanner I could think of was either blocked or would not update. So I tried to use a scanner that wasn’t so well known if that makes sense. 1st was called Norman Malware Cleaner, and the other was called Dr Web Cureit! both picked up nasties and it released my other scanners. I found both free progs at http://www.snapfiles.com/ Hope that helps you and it was ok to post the web site address here. I was on the verge of wiping everything and starting again! Good luck.