SoThink Scuttlebutt issue...FP or not ?

Discussion in 'Prevx Releases' started by acr1965, Feb 10, 2010.

Thread Status:
Not open for further replies.
  1. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I was trying to keep up with the news of the SoThink trojan issue on Mozilla the past few days. It appears that Mozilla has now confirmed the SoThink Web Video Downloader Firefox add-on as a false positive...

    http://blog.mozilla.com/addons/2010/02/09/update-on-the-amo-security-issue/

    ...although I can not find the 4.0 SoThink version available to download/install ...

    https://addons.mozilla.org/en-US/firefox/addons/versions/6541

    Prevx flagged this download (dll) as malicious back in May 2008-

    ~VT link removed per Policy.~

    And still flagged the dll as malicious four months later (MD5 search)-

    ~VT link removed per Policy.~


    I was wondering if Prevx ever determined this download to be a false positive. Since the file is not now available for download would it be possible to see if an MD5 search of the file on Prevx still confirms the file as malicious? Would the file still exist in the Prevx database to see if it is in fact a false positive?

    File: nsCatcher.dll
    File size: 634880 bytes
    MD5 : 6f9a8ee5bb8d6adbb1fb46330a432bb2
    SHA1 : f529f8647d97584fbd3fb7d2fd4ae2920246bc20
    SHA256: e48268b84da07f223ec2b0dca254d828765b9c0a4f0b2ada1c868f9503bc7e15

    thanks
     
    Last edited by a moderator: Feb 10, 2010
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    We did not determine this as a FP - I'm not familiar with the whole story but the file you pointed to has a very strong correlation with an LdPinch variant found by 22 vendors on VT and has been marked as bad since May 2008 so I'd tend to err on the side of it being malicious.
     
  3. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    It appeared in the story I posted that Mozilla "confirmed" the false positive and mentioned McAfee. I was a little skeptical because the 4.0 version is no longer available for download on the Mozilla site. Is there any way to find the file and have it analyzed in real time, not just with an on-demand scan? I know it may not be the most important thing in the world and you guys are busy as heck. But I would like to find out what the truth is. I suppose it could be determined whether the dll exhibits LdPinch characteristics - such as the outbound connections, stealth behavior, etc. - if it were allowed to run.

    The way this has been handled by Mozilla has been a bit funky.
     