In association with heise online

11 February 2010, 10:39

Mozilla admits to add-on malware false alarm

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Mozilla has admitted that one of the two experimental add-ons for the Firefox browser it said contained malware was in fact a false positive. Version 4.0 of the Sothink Video Downloader, which Mozilla previously said included the Win32/Ldpinch.gen password sniffing malware, after further investigation, has been found to be free of malware.

Sothink Video Downloader has been returned to the experimental section of the Mozilla Add-ons site and Mozilla have apologised to the users and developers of Sothink "for any inconvenience this has caused". The investigation confirmed that the other add on, Master Filer, did contain malware. Mozilla say now that only 700 downloads were affected by malware, rather than the 6,000 previously claimed. Affected users should remove the Master Filer add-on and disinfect the PC with a virus scanner. Mozilla also thanked McAfee for assisting with the investigation and for helping to "better understand this threat".

There is currently a controversy over the generation of false alarms amongst anti-virus vendors after Kaspersky undertook an attempt to provoke false alarms in other vendors products. Kaspersky manufactured 20 harmless files and prepared 10 of them to produce false positives. It then uploaded all 20 to the VirusTotal online scanner.

VirusTotal then submitted the samples to other security specialists for analysis. As a result, after ten days, all of the harmless files were being detected by "up to fourteen other anti-virus companies". Kaspersky denies it was trying to bring other manufacturers into disrepute, saying they only wanted to draw attention to a common problem.

Manual validation by a virus analyst is not feasible because of the shear volume of new threats appearing every day. Therefore the analysts work on the principle of taking information from a usually reliable source, which in turn, allows any false alarms to spread. The remedy, say Kaspersky, is better and faster dynamic testing, which classifies a file based on it's behaviour, rather than detecting signatures in the file. ESET disagrees with this position, saying that a good static analysis is a better approach than bad dynamic testing and that the real problem is that of validation, something that cannot be automated.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit