Trojans detected in Firefox Add-Ons

Trojans detected in Firefox Add-Ons

 

Thanks for update

 

This is a new low for Mozilla IMO, I mean come on, if you can not even trust extensions hosted on the official site anymore.

 

There is something pretty fishy smelling here. For one, if the Sothink Web Video Downloader was not causing computers to become infected then apparently something else was. But that's another issue altogether. The Computerworld story needs a couple issues pointed out. Here's the link to the "false positive" story-
http://www.computerworld.com/s/article/9155158/Mozilla_retracts_Firefox_add_on_malware_claim

The story states "Mozilla has restored Sothink Web Video Downloader to its add-on download site." But if you look at the download page version 4.0 (the version in question) is not available for download.

https://addons.mozilla.org/en-US/firefox/addons/versions/6541

Also, the story states that Mozilla "reached out" to McAfee who had some of their researches "evaluate the Sothink add-on code" and then determined the Sothink Video Downloader a false positive. But in a quote from the story, Craig Schmugar, a threat researcher at McAfee states that "They (the McAfee researchers) looked at the binary and determined that it did not contain [malware]," said Schmugar. "They gave that information back to Mozilla."

On VirusTotal there are several scanners which still flag nsCatcher.dll as malicious. The latest version of the dll is flagged by 21 out of 40 scanners- including McAfee (PWS-LDpinch). Apparently that is the same dll (although different md5 hash) that was originally flagged in version 4.0 of the Sothink Video Downloader.

Did McAfee actually determine the nsCatcher.dll in version 4.0 of the Sothink Video Downloader as a false positive? Or did they determine something else? Can a dll a program installs still be malicious even if the binary of the program is considered clean?

 

Looks like McAfee no longer flags the nsCatcher.dll but now Nod does, when it did not previously.