Trojans detected in Firefox Add-Ons

Discussion in 'other security issues & news' started by Ocky, Feb 5, 2010.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Trojans detected in Firefox Add-Ons
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Thanks for update
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    This is a new low for Mozilla IMO, I mean come on, if you can not even trust extensions hosted on the official site anymore. :gack:
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,907
    Location:
    U.S.A.
     
  5. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    There is something pretty fishy smelling here. For one, if the Sothink Web Video Downloader was not causing computers to become infected then apparently something else was. But that's another issue altogether. The Computerworld story needs a couple issues pointed out. Here's the link to the "false positive" story-
    http://www.computerworld.com/s/article/9155158/Mozilla_retracts_Firefox_add_on_malware_claim

    The story states "Mozilla has restored Sothink Web Video Downloader to its add-on download site." But if you look at the download page, version 4.0 (the version in question) is not available for download.

    https://addons.mozilla.org/en-US/firefox/addons/versions/6541

    Also, the story states that Mozilla "reached out" to McAfee who had some of their researchers "evaluate the Sothink add-on code" and then determined the Sothink Video Downloader a false positive. But in a quote from the story, Craig Schmugar, a threat researcher at McAfee states that "They (the McAfee researchers) looked at the binary and determined that it did not contain [malware]," said Schmugar. "They gave that information back to Mozilla."

    On VirusTotal there are several scanners which still flag nsCatcher.dll as malicious. The latest version of the dll is flagged by 21 out of 40 scanners- including McAfee (PWS-LDpinch). Apparently that is the same dll (although different md5 hash) that was originally flagged in version 4.0 of the Sothink Video Downloader.

    Did McAfee actually determine the nsCatcher.dll in version 4.0 of the Sothink Video Downloader as a false positive? Or did they determine something else? Can a dll a program installs still be malicious even if the binary of the program is considered clean?
     
  6. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Looks like McAfee no longer flags the nsCatcher.dll but now Nod does, when it did not previously.
     