Mozilla confirms malware add-ons for Firefox slipped through the cracks and promises to improve screening process

Although not the most popular browser out there, Firefox – by the Mozilla Foundation – is very popular for its combination of speed, customization (via add-ons), and a fair amount of security. That is not to say it is the most fast browser, has the best customization (which is does, though), and is the most secure, but that means Firefox blends the three aspects together better than most other browsers. So when news hits the streets that users may be getting infected because of Firefox… well, ya you get the point.

Recently Mozilla – on their AMO blog – announced that two third party add-ons for Firefox were malware infected:

Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.

For those users that were infected by these add-ons, Mozilla recommends the following:

If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan. Uninstalling these add-ons does not remove the trojan from a user’s system. Users with either of these add-ons should uninstall them immediately. Since uninstalling these extensions does not remove the trojan from a user’s system, an antivirus program should be used to scan and remove any infections.

(If you don’t have an antivirus program, drop by my post on best free security software and get yourself some protection.)

Noooooooooooooooooooo! Mozilla you have failed meeeeeeeeeeeeeeeeeeeeeeeeeeeeee…

In light of this development, Mozilla has promised to beef up the add-on screening process by adding “two additional malware detection tools” to the “validation chain”. Additionally, Mozilla rescanned all current add-ons and no other instances of malware – except the two mentioned above – were found.

The thing that surprised me the most about this development is that an add-on from Sothink – a software developer I found to be trust worthy – was one of the two add-ons that contained malware.

So, what do you think? Should Microsoft should send a fruit basket to Mozilla HQ? Feel free to express your thoughts below.

Thanks Wheezer!

Related Posts

  • acr

    @Adrian: Here’s what’s remaining of the 4.0 nsCatcher.dll virustotal scan – .

    Version 4.0 is not available on Mozilla for some reason. Last time I checked, the latest version of nsCatcher.dll is flagged by a majority of scanners.

  • Adrian

    Um, actually the Sothink Web Video Downloader 4.0’s install file, after scanning on VirusTotal, is declared not infected by all 43 AVs.

    Also, all versions of Sothink Web Video Downloader after 4.0 are clean.

  • Well, everyone makes mistakes.

    No, MS shouldn’t be sending any fruit baskets, they’ve been battered down just the same.

    I will continue to use Firefox. I wouldn’t have had any use for those add-ons anyway. I’ve been through the ringer with IE, Netscape, Opera, OperaTOR, Chrome, etc. and Firefox still comes out above for me.

    BTW Ashraf, I appreciate the unexpected article on tabs, where the tabs were popping up next to the open window tab instead of on the end. Now my life is all better!


  • Phoenix

    I was surprised when I’d first heard about this, until I heard the process that Mozilla uses to scan add-ons – they only scanned it with one anti-virus. If the trojan makers knew which one they could’ve masked it to escape detection from that one.

    Considering they had a central repository I expected the add-ons to be safe just as I expect Microsoft windows updates to be safe (well, we won’t get into the whole updates that make systems stop working thing here). Actually, I’ve never been a fan of the FireFox add-on system since I’d prefer to download add-ons outside the browser, be able to scan them myself and install them later.

    I didn’t use either of the infected add-ons. I still am very careful about what I install or add-on to my system, even from a central repository, and try to check out the source company or developer beforehand. I also limit adding on things to what I really, truly need since everything creates another opening in the armour. I’d rather download something and view or use it offline then have something in my browser which has it’s own set of vulnerabilities on top of the ones the OS has.

    They’ve changed their practices, now they’ll use three different anti-malware programs to check add-ons. That still seems kind of lax – if they’re the ones distributing the add-ons they could at least run it through VirusTotal or (sites that runs submissions through many different virus scans). If they do it wouldn’t hurt for them to toss up a link to the results either.

    Guess what, that wouldn’t necessarily guarantee safe software either. I don’t know the settings for the scanners at either of those sites and some scanners don’t expand all zip files, or expand them only to a certain number of iterations (so a zip in a zip in a zip may not get scanned), or don’t scan files with certain extensions or mime types unless you go in and change the settings for them to do so.

    I was surprised to see SoThink in there too. Now the funny thing is sometimes on GiveawayOfTheDay you see people reporting that their security reports viruses or malware and the stock response is that all programs are thoroughly checked, but I’ve always wondered. Who knows how thorough GAOTD checking (or anyone else) really is since they never tell us what they do to check the software.

    Just yesterday I was reading two articles. One was about what I could best describe as part-time hackers in China who hack for fun, for profit, for love of country or any combination of the above. In it, one hacker was mentioning how they had some undiscovered zero day security flaws that they kept to themselves for MS and Adobe products in case they ever needed to use them. The other was about affiliate programs that’ll actually pay people for the number of computers that they infect with a particular trojan or piece of malware. There are forums for these guys where they share tips on how to be more successful and infect more computers.

    Bottom line – you can’t take anything for granted or leave your security in other people’s hands. At base my system runs using about 550 Mb of RAM. About 250-300 Mb of that is different security programs and I’ve likely still got holes in my system. Not as many as other people, but no doubt there’s still some there.

  • future hacker

    I knew it would happen some day -well,I beleive everyboody knew- and that day has come. But still, I’m sure the firefox users haven’t lost confidence in this terrific browser for two reasons. First we all trust that from now on Mozilla developpers will do their best to prevent this from happenning again. Second, I don’t think any of you -Firefox lover’s- has got another option. Because of the lack of security other browser may experience, Firefox will still be the best in maintaning a clean PC, even if it’s not perfect.
    Plus we are DotTechies and we ain’t afraid of any virus coz we have Ashraf and his “9 protection software” to guide us in the right path, ain’t I right?

  • Doru

    I wrong.It can be use for all browser from settings.Only you must to search for your browser that you want and add to your list.

  • Doru

    Something much better it can replace Sothink and is work very good(it can be problem only from firewall,in this case you must allow from firewall(from antivirus suite) and will work) is the new generation:Iwisoft Free Video Downloader version 2.1 build 100109.Work for:Ie,Firefox,Opera and Maxton.It can make easy operation to download not only for swf like Sothink,but also from settings it is create also for:
    -video:flv,mpeg 4 video,wmv,mpg,rm,3gp,mov,f4v,m4v,asf,mpeg,rmvb,3g2,avi and swf in final.Is not an addon.Also my antivirus not detect something bad,but i don’t use yet Virus Total.Soo who want to try,please make scan with virus total.Program is here:

  • RobCr


    You did not mention Opera.
    That should be right below FF
    Chrome should be much lower in your list, as it cannot save as .MHT
    And if you are using XP, and wish to have the ability to re-install an image of your drive(or partition) in another pc (when your main PC dies), then you will be cursing MS, if you had IE7 or IE8 installed. Because the XP repair install that is required for new hardware, cannot handle IE7 and IE8

  • @Ashraf: It is true that the lack of knowledge is mostly on the users end more than the developers end but the result is the same in that users don’t download as many add-ons for IE as they do for Firefox.

    And while IE6 is a decade old, Microsoft is/was (I don’t know but I know they support most software like IE for around a decade) officially still supporting it so they can be help somewhat at fault.

  • Ashraf

    @Samuel: I agree with your “lack of knowledge” point but I would clarify that most users don’t know. Most developers do know in my opinion.

    As for your complexity point: I have no idea. You have more knowledge than me in that area so I’ll take your word for it.

    Now that you mention the IE add-on website, I do remember coming across it a few months back (I think?).

    Lastly, I agree with you 100% most IE-related problems stem from IE6 as opposed to IE8. In that regard it is hard to fault Microsoft for a decade old browser being vulnerable to today’s problems.

  • @Ashraf: I disagree about how quick malicious code would be caught in a truly open system, but I do agree that Mozilla isn’t a true open system, though I call them as such since they are, especially when compared to other browsers (though Chrome is now a contender here), for the most part an open system.

    As to IE being as open as Firefox, while technically correct I consider it less open for two reasons:
    1) Lack of knowledge; as I’m sure you know most people don’t know that IE can have add-ons, short of ActiveX but ActiveX is technically not an add-on but a plug in.
    2) Complexity; making an IE add-on is not easy, I have tried and sometimes failed to make them, this also make it harder and less likely for them to be made whether for good or bad.

    I do agree with you about the centralized distribution helping but IE does have one; it’s just that like most people don’t know about IE having add-ons they don’t know about where to get them (

    As to Firefox looking better as you said, that’s a matter of opinion and I’m happy as long as it does stay friendly.

    And although IE does have majority of the market share I have to admit that most of it probably comes from big corporations still running XP with IE6.

  • Ashraf

    @Samuel: I agree with you to an extent: an open system allows malicious people to contribute malicious code. However, I disagree that this is a “flaw”. I say this because if a open system was truly open, the malicious code would be caught very quickly. The reason these add-ons slipped through is Mozilla’s screen process for add-ons isn’t really “open”. Mozilla conducts it themselves and they can make mistakes.

    I also disagree that IE is a closed system. IE has a “open” platform similar to Firefox (in the idea that anyone can make add-ons) but in fact that add-on system is more dangerous because it is not centralized. The advantage of having a centralized add-on repository – like in the case of Firefox – is that malicious code can be caught more quickly and more easy. With IE, malicious add-ons, ActiveX, etc. can be out in the wild for a long time before it hits the headlines.

    Oh and I did not mean to turn this into a FF vs IE, nor am I arguing FF > IE. Each have their own pluses to them (although I do believe overall FF is a more attractive package). Just carrying on a friendly discussion.

    @DJ: Well if you count the total IE users (in other words IE6 + IE7 + IE8) then IE is the most popular by a long shot. However, I believe I just read somewhere that IE8 alone was now the most popular.

    I have no arguments with Firefox being the best. Firefox fan here =).

  • DJ

    If, as you claim, Firefox is not “the most popular browser out there” then what is?

    Tell me it isn’t IE :o

    I have used Netscape(yes, I still think it was the best browser before Firefox), IE, Firefox, Google, Safari, USAbrowser, StarOffice browser and still put Firefox on the top of the list, with Google coming in second…

  • Al Hall

    I noticed that the end of the article in the Mozilla blog gave a list of anti-virus software that could detect the malware in the infected add-ons. Avira AntiVir, my favorite and the one that I have active in the background [and, I believe your’s also Ashraf] isn’t listed.

    “Antivirus Software

    Here is a list of antivirus programs known to detect the trojans found in the affected add-ons.


    What to do?

  • The one thing this does show is the flaw in open systems, which is one of the biggest reasons people like Apple, and then they go and download Firefox which is the exact opposite. And this is one area were Microsoft is a closed system for the most part, since while you can make IE add-ons it’s not easy make it less common (though ActiveX counters this by being relatively easy to make).

  • Ashraf

    @Doru: It was a joke… I am not happy Mozilla is having problems.

    @John G.: To be honest, I don’t think it will be as big of a “fiasco” as the whole IE6-being-phase-out-early-because-recent-hacks considering the vulnerabilities were from third parties and not Mozilla themselves. Plus Mozilla is the Google of browsers; people forgive Mozilla easier than they forgive, say, Microsoft.

    @Ron: It is true Mozilla gives extensive warning about experimental add-ons. However, that is no excuse for malware ones in my book.

    @ahmed: Well, I wouldn’t say Firefox is “involved” in malware. Just like Internet Explorer is not “involved” in hacks (so to speak). It is one incident which has been rectified. Not saying it was justified to happen in the first place, but at least Mozilla addresses it quickly (relatively speaking).

  • John G.

    I think I’m going to let the dust settle a bit on this fiasco before I make any further comment.

    Thanks for the input and the great reviews.

  • Doru

    Why Microsoft to send fruits to Mozilla?.Where is logic?Why you are happy if Firefox have some problems?
    Like do you say,i’m feel free to express myself what i’m thinking.You will delete me?.Another question:what action make this trojans?.

  • ahmed

    So i guess now, firefox is also involved in malware. well thanks for keeping us updating on everyday issues. and I also appreciate your reviews too. Thanks for your great work

  • Ron

    While word bout this is spreading around the ‘net, thanks for making your readers aware of the problem. Mozilla’s pretty clear about the fact all “experimental addons” are not usually vetted by the editors immediately and represent a potential risk to a user’s computer. Additionally, registration is required to download experimental addons.

    That said, no one likes surprises when trying out experimental software. Real-time protection from AV and anti-malware programs are, sadly, not a 100% guarantee against infection. They do go a long way toward guarding machines, and should never be dismissed out of hand.