Is this Firefox extension compromised?

Discussion in 'all things UNIX' started by Ocky, Mar 5, 2011.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    On my U. Maverick I sometimes run a scan with BitDefender and was surprised that something was found.

    Location :- /.mozilla/firefox/xvgghrw2.default/extensions/{f759ca51-3a91-4dd1-ae78-9db5eee9ebf0}/components

    File :- arUnMHTMhtmlProtocolHandler.js

    Description :- A Firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/unmht/

    VirusTotal finds 3 instances :- F-Secure; GData; and of course BitDefender.

    Infection :- Generic.Exploit.CVE_20.0B7C2474

    I will delete the add-on even if it is a false positive as Opera does a better job natively.

     
    Last edited: Mar 5, 2011
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    I'd say it's a false positive.
    Open the file and check the code, btw.
    Mrk
     
  3. tlu

    tlu Guest

    Ocky, I also think that it's a false positive. Nevertheless, it might be a good idea to click "Report abuse" on the above website so that AMO has the chance to re-check that extension.
     
  4. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I emailed amo - don't want to create yet another account. I am also pretty sure it's a FP. In the code there is some Chinese gobbledegook that of course is Greek to me, but it is not JS. :argh:
     
  5. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    That's just a comment (it's Japanese btw).

    I uploaded the file to VT; BitDefender and the other 2 AVs don't detect it anymore (but now Ikarus does o_O).
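Mrkvonic's advice to open the file and check the code, and Sadeghi85's reading that the non-ASCII text is only a comment, can be checked mechanically. The script below is an added example written for this thread, not code from the UnMHT add-on or from AMO; the JavaScript it inspects is a constructed sample shaped like a protocol-handler component, and the tokenizer is approximate (it does not understand regex literals or template strings).

```python
import re

# Constructed sample, not the UnMHT extension's real source: a fragment
# shaped like a Firefox protocol-handler component with Japanese comments.
SAMPLE_JS = '''/* unmht:// プロトコルハンドラ (constructed sample) */
const SCHEME = "unmht"; // スキーム名
function newURI(spec) {
  // a URL inside a string literal is not a comment
  return spec.startsWith("http://") ? spec : SCHEME + "://" + spec;
}
'''

# Approximate JS tokenizer: a comment, a string literal, or one character
# of code. Strings are matched so that "//" inside them is not a comment.
TOKEN_RE = re.compile(
    r'(?P<block>/\*.*?\*/)'               # block comment
    r'|(?P<line>//[^\n]*)'                # line comment
    r'|(?P<dq>"(?:\\.|[^"\\\n])*")'       # double-quoted string
    r"|(?P<sq>'(?:\\.|[^'\\\n])*')"       # single-quoted string
    r'|(?P<code>.)',                      # anything else
    re.S,
)

def split_js(src):
    """Return (comment_text, non_comment_text) for a JS source string."""
    comments, rest = [], []
    for m in TOKEN_RE.finditer(src):
        (comments if m.lastgroup in ("block", "line") else rest).append(m.group())
    return "".join(comments), "".join(rest)

def count_non_ascii(text):
    return sum(1 for ch in text if ord(ch) > 0x7F)

def triage(src):
    """Report whether non-ASCII characters sit only in comments or also in code."""
    comments, rest = split_js(src)
    in_comments, in_code = count_non_ascii(comments), count_non_ascii(rest)
    return {
        "non_ascii_in_comments": in_comments,
        "non_ascii_in_code": in_code,
        # True when every non-ASCII character is inside a comment, i.e. the
        # "foreign gobbledegook" cannot be executed by the JS engine.
        "comment_only": in_code == 0 and in_comments > 0,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

A comment-only result only rules out the non-ASCII text as executable code; it says nothing about the rest of the file, which still has to be read.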
     
  6. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Has been confirmed a false positive by amo admins who ran the add-on through some malware checks.

    (The 'does look like a false positive' part is not really very definitive, is it?) :blink:
     
  7. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Could it somehow have been (overzealously) triggered by this?
    http://www.pcworld.com/businesscenter/article/222014/attacks_use_ie_to_exploit_windows_mhtml_flaw.html

    Perhaps, the detection system didn't segregate Windows and *nix?
     
  8. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa