Is this Firefox extension compromised ?

Discussion in 'all things UNIX' started by Ocky, Mar 5, 2011.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,710
    Location:
    George, S.Africa
    On my U. Maverick I sometimes run a scan with BitDefender and was surprised that something was found.

    Location :- /.mozilla/firefox/xvgghrw2.default/extensions/{f759ca51-3a91-4dd1-ae78-9db5eee9ebf0}/components

    File :- arUnMHTMhtmlProtocolHandler.js

    Description :- A Firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/unmht/

    VirusTotal finds 3 instances :- F-Secure; GData; and of course BitDefender.

    Infection :- Generic.Exploit.CVE_20.0B7C2474

    I will delete the add-on even if it is a false positive as Opera does a better job natively.

    UnMHTM.jpg
     
    Last edited: Mar 5, 2011
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,236
    I'd say it's a false positive.
    Open the file and check the code, btw.
    Mrk
     
  3. tlu

    tlu Guest

    Ocky, I also think that it's a false positive. Nevertheless, it might be a good idea to click "Report abuse" on above website so that AMO has the chance to re-check that extension.
     
  4. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,710
    Location:
    George, S.Africa
    I emailed amo - don't want to create yet another account. I am also pretty sure it's a FP. In the code there is some Chinese gobbledegook that of course is Greek to me but it is not js. :argh:
     
  5. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    That's just comment(it's Japanese btw)

    I uploaded the file to VT, BitDefender and the other 2 AV don't detect it anymore.(but now Ikarus does o_O)
     
  6. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,710
    Location:
    George, S.Africa
    Has been confirmed a false positive by amo admins who ran the add-on through some malware checks.

    (The 'does look like a false positive' part is not really very definitive isn't it ?) :blink:
     
  7. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,236
    Could it somehow have been (overzealously) triggered by this?
    http://www.pcworld.com/businesscenter/article/222014/attacks_use_ie_to_exploit_windows_mhtml_flaw.html

    Perhaps, the detection system didn't segregate Windows and *nix?
     
  8. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,710
    Location:
    George, S.Africa
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.