Over 4,000 users possibly affected

Feb 5, 2010 15:52 GMT

The AMO (addons.mozilla.org) team has announced on its official blog that two experimental Firefox extensions were removed from the repository after they were found to be infected with malware. The add-ons had some 4,600 combined downloads.

According to Mozilla, version 4.0 of Sothink Web Video Downloader was infected with Win32.LdPinch.gen, and all versions of Master Filer with Win32.Bifrose. Master Filer was removed from the repository on January 25 and had 600 downloads up to that date, while Sothink Web Video Downloader version 4.0 had around 4,000 downloads and was removed on February 2.

"If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan. Uninstalling these add-ons does not remove the trojan from a user’s system. Users with either of these add-ons should uninstall them immediately. Since uninstalling these extensions does not remove the trojan from a user’s system, an antivirus program should be used to scan and remove any infections," the AMO team explains.

CatThief, a Firefox extension developer, is credited with reporting the issue, which raises the question: why didn't Mozilla discover the infections when the add-ons were uploaded? As the AMO advisory indicates, this is because the malware detection tool used at the time did not pick up the infections. It is also noted that two additional scanning engines have now been added to increase accuracy.

However, Microsoft MVP Sandi Hardmeier is not satisfied with this explanation, since, according to her, Mozilla's policy for some time now has been to re-scan add-ons periodically. "PWS:Win32/Ldpinch.gen detection has been around since at least February 2008. So would somebody like to explain to me why that Trojan was not detected by Mozilla until after 'two additional malware detection tools (were) added to the validation chain'? [...] Just what 'malware detection tools' were they using up until now? Win32.bifrose […] has been around since as early as 2006. Why was Mozilla oblivious to the existence of the Trojans until 'CatThief' reported it to them?" she asks.

Despite this incident, Mozilla has a pretty good track record of keeping malware out of the official repository. However, it is worth mentioning that trojans hiding or functioning as Firefox extensions are not new and have been detected in the wild.