February 5, 2010 1:31 PM PST

Mozilla yanks infected add-ons, warns users

by Seth Rosenblatt

Mozilla on Friday pulled two programs from its Firefox browser add-on site for containing malware. Sothink Web Video Downloader 4.0 and all versions of Master Filer were found to contain Trojan horse code aimed at Windows users.

In a blog post, Mozilla stated that the Master Filer add-on was able to bypass AMO's security tests.

Mozilla user CatThief discovered the threat, it said. And when Mozilla added two more security checks to its vetting process and rescanned its entire catalog, it discovered that version 4 of the Sothink Web Video Downloader also contained a Trojan horse program. Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose.

Master Filer was removed from Mozilla's Firefox add-on site on January 25, and the Sothink video downloader was removed on Tuesday. CNET Download.com ceased hosting the Sothink add-on on Friday before noon.

Sothink Web Video Downloader 5.5.90819 had been a mildly popular Firefox add-on at Download.com, receiving 697 downloads in the past week and 63,716 downloads since it was first added to the site in June 2007.

Because the Trojan horse programs are tied to Firefox, Mozilla warns, host computers won't be infected until Firefox is started. Uninstalling either add-on is only part of the solution if the infection has already attacked the host computer. Mozilla recommends that users who suspect that they are infected use one of the following security applications to sweep and clean their computers after uninstalling the threatening add-on:

  • Antiy-AVL
  • Avast
  • AVG
  • GData
  • Ikarus
  • K7 AntiVirus
  • McAfee
  • Norman
  • VBA32

Infected users should note that only Avast and AVG are free.

Mozilla did not immediately respond to requests for comment. We'll update this post as we learn more.

    Seth peers into the deep, dark corners of software so that you don't have to. He has yet to suffer a single nightmare about OS/2. You can follow him on Twitter.
    by buffalo2wheeler February 5, 2010 1:59 PM PST
    "Because the trojans are tied to Firefox, Mozilla warns, host computers won't be infected until Firefox started."

    Installing an add-on to Firefox requires a restart of Firefox, so host computers would be infected immediately. The phrase "won't be infected" doesn't apply.
    by redmarine February 5, 2010 2:50 PM PST
    Not if they didn't restart the browser immediately after installing the add-ons and somehow stumbled upon this article. This would give them time to uninstall the plugin.

    Unlikely but sure.
    by Seaspray0 February 5, 2010 3:43 PM PST
    because we all stumble across internet articles without using the browser? Ya know, that's just crazy enough to work! I'm convinced.
    by lordmorgul February 5, 2010 9:04 PM PST
    It does not require a restart immediately. It requires a restart before the addon will work, sometimes, but not always, and you can put that restart off for as long as you want. What was claimed is accurate, even if it is not very likely to save anyone.
    by Timetogetill7 February 6, 2010 12:33 AM PST
    Seaspray...yeah because on most computers people typically only use one browser?
    [CNET editor's note: Personal attack deleted.]
    by baconstang February 5, 2010 2:05 PM PST
    Why do I bother reading these articles to see if latest malware affects Mac OSX?
    3 people like this comment
    by monkeyfun14 February 5, 2010 2:12 PM PST
    Idk I ask you the same thing. But I think your main objective is to be a troll.
    21 people like this comment
    by chrisszy08 February 5, 2010 2:16 PM PST
    Why do you bother making pointless posts like this? Who knows? More importantly, who cares? Move along troll.
    8 people like this comment
    by aka_tripleB February 5, 2010 3:13 PM PST
    Why did I bother reading your comment, then comment on your comment?
    5 people like this comment
    by hybreda February 5, 2010 9:56 PM PST
    Ahh, just another useless Mac-boaster that forgets all the hurried patches Apple applied to OSX due to security. Move along troll, and read the Mac posts too!
    8 people like this comment
    by Angry CPU February 7, 2010 8:50 AM PST
    Attackers do not target Macs because there is not much below the surface, too few users use macs to make it worth while. Attackers go after systems that do real work.
    4 people like this comment
    by Random_Walk February 7, 2010 3:48 PM PST
    "too few users use macs to make it worth while."

    So millions of machines, owned by fairly affluent users, usually left on 24/7, practically none of which run anti-virus, in a homogeneous environment...

    Nah - that can't be a ripe target or anything... *rolls eyes*
    2 people like this comment
    by kevsmail February 9, 2010 9:47 AM PST
    Because the smugness hasn't yet overpowered the curiosity?

    Not that I wish viruses on anyone, but when there are actually enough Macs in the wild to make it worthwhile, these malware/virus-writing folks are going to be able to target a population of fairly non-technical folks whose idea of being a power user is being able to turn on the computer and synch their iPod and take it to the Genius Bar if something goes wrong.
    1 person likes this comment
    by MadLyb February 5, 2010 2:23 PM PST
    Plug-in, add-on, whatever you want to call it. You are installing it on your machine and if you just blindly trust folks like Mozilla to act as gatekeeper, then you deserve what you get.

    I would have thought people learned their lesson with toolbar debacles from a few years ago.
    4 people like this comment
    by Edonkey2000 February 5, 2010 3:25 PM PST
    I applaud Firefox for taking this threat down. [CNET editors' note: URL removed.]
    by finalfanoffkey February 5, 2010 3:40 PM PST
    Will that do any harm if the user is logged in as non-admin? Does the install of the add-on need admin rights? Does that mean the Firefox add-on is not more secure than ActiveX?
    by srosenblatt February 5, 2010 3:47 PM PST
    If you have either of these add-ons, uninstall them immediately and then run a system scan with your antivirus app.

    Only the add-ons mentioned above are dangerous. Mozilla has a fairly secure process for scanning add-ons, but no system is flawless. Don't panic, but don't mess around with known infection vectors, either.
    4 people like this comment
    by The_Computer_Man February 5, 2010 4:14 PM PST
    I have been using Sothink Web Video Downloader version 5 for a little while now. The article doesn't mention that version, is it only version 4 that contains a trojan??
    by TotallyMadeUpName February 5, 2010 5:20 PM PST
    "Sothink Web Video Downloader 4.0 and all versions of Master Filer were found to contain Trojan horse code"

    The implication is that only version 4 of the Sothink plugin is infected.
    by OccamsAftershave February 5, 2010 5:35 PM PST
    Can the add-on developers be fingered by Mozilla?
    by Random_Walk February 7, 2010 8:38 AM PST
    Nobody uses finger on the Internet anymore
    (http://en.wikipedia.org/wiki/Finger_protocol)

    (sorry - couldn't resist :) ).
    by corelogik February 5, 2010 5:41 PM PST
    I don't use either of these add-ons. I also don't know about anyone else, but if I found out that a plug-in, add-on, whatever had any sort of attack code in it, I would never trust anything that company published again.

    If version 4 is infected, why would you trust them enough to use the next version? They have demonstrated an ability and willingness to put Trojan-infected software out. Never trust them again.

    Just my $0.02.
    3 people like this comment
    by hitman7112 February 8, 2010 9:54 AM PST
    I have Google Chrome so that makes me immune, I guess I'm like a god or something "untouchable"

    jk I used to have Firefox but when I tried Google Chrome I fell in love.

    Never went back to that slow outdated browser. Now that Google Chrome has add-ons, Firefox users don't have their same old excuse "but it doesn't have add-ons"
    by RamaSubbu_SK February 5, 2010 6:49 PM PST
    What about Microsoft Security Essentials, the free antimalware application? Has anyone tested with that? Can it detect these trojans?
    by sprydle February 8, 2010 1:35 PM PST
    AVTest.org tested Microsoft Security Essentials and gave it outstanding reviews; it caught 98 out of 100 brand new viruses made just for their lab. It is the only free anti-virus I don't laugh at hysterically when people say they use free anti-virus programs. The problem with free is you get what you pay for. Microsoft dropped my jaw for the first time in a while.
    by shellcodes_coder February 5, 2010 7:54 PM PST
    This is the reason I don't install any add-ons and don't need them either!!
    1 person likes this comment
    by lordmorgul February 5, 2010 9:07 PM PST
    By the same logic you could choose to uninstall the browser entirely and simply not browse the internet at all. This is a silly conclusion to make. Threats exist... minimize their impact on you and mitigate the risks, but avoiding all possible threat sources is tantamount to putting your head in the sand and claiming everything is just like you want it to be so nothing should need changing. Sure, ok, sand in your ears is ok if you want it there. I'll use a few well-chosen add-ons and benefit from them (while browsing more safely than you).
    3 people like this comment
    by brandonmasterson February 10, 2010 12:11 AM PST
    I would like to introduce you to the world of add-ons. You must have never used any of them before. Take a look: you say that you don't need them, but that's due to the fact that you have never tried them. If you had, your whole internet experience would be enriched with productivity tools, and not only would you be able to enjoy the internet more, but anything you do online would be 1000 times more productive. Don't take my word for it, take a look: Cool Iris, YouTube downloader, Cool Previews, area decoder. There are hundreds if not thousands of programmers like myself who make these to honestly help our technology grow, and not for profit, just to make the internet better. Without this passion for making things better, everything would just stay the same, and you would still be on dial-up looking at a green screen. If you decide that you just won't need any add-ons or want any add-ons, the only one who will be missing out is you.
    by SirWumpus February 6, 2010 12:58 AM PST
    Avira has a free AV scanner too. And Malwarebytes also has a free scanner and frankly puts many of the AV scanners to shame. Can't say enough good things about Malwarebytes.
    by TX-Sunset February 8, 2010 9:57 AM PST
    Malwarebytes is a very nice application and I have seen it fix a few otherwise "unfixable" PCs. However, it is not truly free. There is a freeware version you can download but it does not provide the same level of security as their pay version and it is always wanting you to upgrade to the pay version. Same goes for all the other "free" AV apps out there.
    by queticomn February 6, 2010 2:30 AM PST
    Norman is also free on SoftPedia.
    1 person likes this comment
    by DADSGETNDOWN February 6, 2010 6:36 PM PST
    I hope that EVERY thing by these 2 users or whoever are deleted and they should at least be banned for a long time or forever.

    Every single add-on / extension should be checked/scanned by Mozilla before being able to distribute it; that DOES include every update to add-ons / extensions whether they are trusted or not.
    And of course the periodic and random scans of the entire inventory.
    by this1! February 7, 2010 1:07 AM PST
    Did you read the article? Mozilla did and does scan everything; it's just that the scanning they used wasn't completely foolproof, so they increased its scope and ability and ran it again...
    by Nissj February 7, 2010 9:17 PM PST
    It's bad enough Mozilla did not detect these infected add-ons before adding them to the sites, but neither did CNET. Also, why did it take CNET until Friday to remove the Sothink add-on when Mozilla removed it on Tuesday? Did it take Mozilla that long to notify CNET or did it take CNET that long to remove the add-on after they were notified?

    In any event, both of these sites have excellent reputations and are trusted by millions; which is why I use them. Hopefully this is a lesson learned and they must be more vigilant.
    by hairybeast69 February 8, 2010 9:00 AM PST
    It seems to me that if Mozilla is getting trojans in their add-ons then they should make it more public knowledge instead of just on CNET. What about all those people out there that don't know CNET even exists? I am new to the computer and it took me a long time before I even found out about CNET. If you ask me, the responsibility lies with Mozilla to warn the public. It's their program, not CNET's. Therefore they should make the public aware of the situation. As well, I think Mozilla needs to be way more vigilant when adding these add-ons for this very reason. PEOPLE... how many millions of computers are infected with trojans and nobody knows where they are coming from? MORE VIGILANCE FOR USERS IS THE MOST IMPORTANT POINT IN USING ANY PROGRAM. WE PAY LARGE MONEY FOR OUR COMPUTERS.
    WHY SHOULD WE CONSTANTLY BE HIJACKED AND SCAMMED BY THESE SO-CALLED SAFE ADD-ONS THAT AREN'T SAFE AT ALL?
    by qwerty49 February 8, 2010 11:43 AM PST
    I wonder what the repercussions are for a company like Sothink/Sourcetech for this behaviour? This virus is designed to steal passwords. I hope CNET will take down all their software, and this is surely a criminal offense. They should be made an example of.
    by golfman40 February 9, 2010 3:56 AM PST
    Well in my case I've just uninstalled all Sothink apps from my PC - I didn't have any Sothink Firefox plugins but I had some other Sothink apps. The trust is gone if they've shipped a trojan in any product they produce.
    1 person likes this comment
    by sprydle February 8, 2010 1:31 PM PST
    Yet another reason why I use Opera.
    by Angmarr February 8, 2010 8:38 PM PST
    I also applaud Firefox for removing it ... nevertheless this does not taint Firefox add-ons in my book = )
    But hey, all hail Avast!
    by Kinloch66 February 9, 2010 2:30 AM PST
    Thanks, great service. I hope to contribute one day.