08 May 2008, 10:30

Firefox add-on contains malware

Users have discovered malware in a Vietnamese language pack add-on for Firefox on the servers of the Mozilla project. The developers do not know how many users downloaded the infected add-on.

The add-on contains HTML files compromised by the malware rather than the malware itself. One of the add-on developer's systems may have been infected with a virus which contaminates HTML files with concealed script code. According to the Mozilla advisory this code currently displays advertising but could also be used for other malicious purposes.

The script code, detected as HTML.Xorer by many virus scanners, has apparently contaminated the Vietnamese language pack since February 18, 2008. Mozilla has recorded 16,667 downloads of the add-on since November 2007, so the developers estimate that only a few users have been affected.

Because add-ons are uploaded onto servers and maintained by the add-on developers themselves, infected files may find their way onto the servers despite being scanned for viruses during upload. Antivirus vendors only published the signatures for HTML.Xorer in mid April, so the malware would have passed virus checks unnoticed in February. The developers plan to check the add-on directories for malware on a daily basis from now on.

As Firefox add-ons run at user privilege level and have access to the system, they can not only corrupt web pages and monitor users' online behaviour, but also access other resources or add components such as keyloggers into the system during installation. The heise Security browser check demonstrates the risks involved in installing Firefox add-ons.

Scanning add-ons with an online service such as Virustotal before installing them is recommended. The computer should run a a regularly updated antivirus package. Files from untrusted sources should be avoided. The heise Security antivirus pages provide further information on how to protect your system against malware.