Comments on: Firefox Malware

By: adamjakab

adamjakab — Mon, 19 Dec 2011 17:14:12 +0000

…three years later…

Just to let you know that there is quite a long thread going on started off by me asking a silly question about add-ons ‘stealing’ data from one another. The sad thing is that no one really worried about stuff like full user privileged file system access and friends. You might be interested but really i don’t really see much change since pdp’s post in the far 2008. I think as long as FF will consider 3rd party add-ons as “integral part of itself” we will always have to watch our backs!

By: Extensions during War |

Extensions during War | — Tue, 19 Apr 2011 07:27:12 +0000

[...] As we mentioned before, a antagonistic square of JavaScript formula (even an apparent obfuscation) can be utterly simply smuggled into harmlessly looking Firefox extensions. If we might speculate, a conditions is a same for other identical platforms. [...]

By: noone

noone — Mon, 26 Jul 2010 21:48:56 +0000

i knew it was only a matter of time.

By: Mike

Mike — Wed, 11 Nov 2009 15:59:20 +0000

So all we know is that there is some add-on, somewhere, that does...something, and that add-on contains malware? Yikes. This is like when I watch my local news and they say something like, "Is an everyday product you use in your house SLOWLY KILLING YOU?...FIND OUT AT 11!" I need more details!!

By: Extensions at War | GNUCITIZEN

Extensions at War | GNUCITIZEN — Sun, 03 May 2009 08:40:24 +0000

[...] As I mentioned before, a malicious piece of JavaScript code (even an obvious obfuscation) can be quite easily smuggled into harmlessly looking Firefox extensions. If I may speculate, the situation is the same for other similar platforms. [...]

By: Krazy_Kaos

Krazy_Kaos — Thu, 08 Jan 2009 18:18:31 +0000

Nice post. Personally if I was to do that, I would first make an extension, a clean one. Release it. Wait 1 week. Release an update (still clean) and on the second update… malware (I think they will not check the source so well the 3rd time).

By: marchiner

marchiner — Wed, 10 Dec 2008 06:30:29 +0000

AVGs that use pro-active defense like “kaspersky” can deal with new malware?

By: Mark Mathson

Mark Mathson — Tue, 09 Dec 2008 18:45:36 +0000

Nice post pdp. This brings to light something I have thought for a while. What implied trust do you give to a Firefox add-on when you decide to install it? Quite a bit really.

One thought is a community review process an add-on goes through before publishing live. Code reviewed, product beta tested and then given a stamp of approval. I know they have the experimental add-ons, maybe tie this idea in. I don’t know. Plus it wouldn’t do any good if the ‘community’ was “in on it” together. ;-)

By: Morgan Storey

Morgan Storey — Tue, 09 Dec 2008 07:02:27 +0000

Maybe Mozilla needs to get all extensions in their source code format and compile/package it themselves, run a quick search using standard looking obfuscation type code and if any is obfuscated deny the code from being compiled/packaged and therefore not listed on the extensions site.

By: Dave

Dave — Tue, 09 Dec 2008 05:15:37 +0000

As far as I understand, Firefox was not the delivery platform but rather the target of the malware once it had infected the computer by other means. I don’t remember where I read about it.

The malware installed a plugin and named it GreaseMonkey. The malicious plugin looked for and logged details for over 100 finance websites such as banks, Paypal, Amazon and eBay.

The rest of your post is, of course, still completely accurate. The other interesting point this raises is that Firefox has enough marketshare to be worth targeting specifically. It was inevitable, but it has actually happened now.

By: pdp

pdp — Mon, 08 Dec 2008 23:59:07 +0000

yup, I don’t see why it shouldn’t work. :)

By: mindcorrosive

mindcorrosive — Mon, 08 Dec 2008 22:23:37 +0000

How about developing an addon in such a way that a “plausible deniability” to a gaping security hole is possible? What I mean is – someone can create a not-so-obvious gaping security hole, and still claim innocence, if it can easily be attributed to a coding error, not deliberate action. The thing is, you probably might not be able to pull this more than one or two times.. Then again, some products seem to be literally leaking with remotely exploited security holes – VLC first comes to mind..