
Author Topic: Infecting Firefox Add-ons With Malware  (Read 3545 times)

Infecting Firefox Add-ons With Malware
« on: May 27, 2009, 12:07:46 PM »
Firefox is easily extended via add-ons. And the way extensions work makes it relatively easy for bad guys to inject malware that would be difficult to detect and remove.
The problem is basically two-fold. First, Firefox extensions have access to raw unencrypted data streams. Second, extensions are typically based on a set of files that include XML and JavaScript.

An attacker could inject malware into an existing legitimate extension (e.g. one that is already installed on your systems) by modifying the extension's XML file(s) to include additional JavaScript code.

So for example, any data (including keystrokes, form data, history, etc.) could then be harvested directly from the browser and/or its network traffic and sent to a third-party offsite server. Ouch!

For a better understanding of this potential problem read about FFSpy. And to learn about why the extension subsystem in Firefox is fundamentally flawed read what Ralas Los has to say about this situation.

Now think about this for a moment. What if someone infects a popular add-on like NoScript, FlashBlock, GreaseMonkey, WebDeveloper, or Firebug? What tools do you have to find that infection and eradicate it?

http://myf00.net/?p=18

http://preachsecurity.blogspot.com/2009/05/pwning-firefox-via-extension-jacking.html

"Whenever I watch TV and I see those poor starving kids all over the world, I can't help but cry. I mean I would love to be skinny like that, but not with all those flies and death and stuff." - Mariah Carey, Pop Singer

Computer Hope Admin

Re: Infecting Firefox Add-ons With Malware
« Reply #1 on: May 27, 2009, 02:24:17 PM »
I'd imagine something like this based off the first example they gave with the external .js file could be found using most malware tools since the .js file would likely be a unique name that could be easily searched for. If not, I'd imagine most protection programs could analyze the code since the files are in plaintext and look for anything suspicious.

However, it still definitely could be an issue, something that could potentially even affect the Mac users who still believe they can't be infected. Which is why it'd probably be best to just rely off of add-ons directly through mozilla and not third-party sites.

Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
-Albert Einstein

evilfantasy

Re: Infecting Firefox Add-ons With Malware
« Reply #2 on: May 27, 2009, 02:46:13 PM »
Firefox has become a bigger target over the last 6 months or so.

The overlay.xul is one target. This one has to be manually deleted.

Quote
C:/Program Files/Mozilla/Firefox/extentions/{xxxxxxxxxx}/chrome/content/overlay.xul
 
 Note: {xxxxxxxxxx} represents random letters and numbers. The exact letters and numbers vary from one computer to another.

And then a redirector found in the extensions. This one can be fixed with a tool called GooredFix (Google Redirect Fix): "Using GooRedFix to fix FireFox browser redirection problems".

Quote
Example, they are all different.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\xxxx\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
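One way to review the registry key quoted above, as an added example that is not part of the original post: the Python below reads the text of a `.reg` export and lists extensions registered under `Mozilla\Firefox\extensions` whose folder sits in a per-user data location. The function name, the list of path fragments and the second and third sample entries are assumptions made for illustration; the first sample entry is the one quoted in the post.

```python
import re

KEY = re.compile(r'^\[(?P<key>.+)\]\s*$')
ENTRY = re.compile(r'^"(?P<id>[^"]+)"="(?P<path>.*)"\s*$')
EXT_KEY = "\\mozilla\\firefox\\extensions"
# Assumption: an extension registered through the registry normally lives
# with its parent program, not in per-user data or temp folders.
USER_WRITABLE = ("\\local settings\\", "\\application data\\",
                 "\\appdata\\", "\\temp\\")


def flag_entries(reg_text):
    """Return (extension id, path) pairs that point into user data folders."""
    flagged = []
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY.match(line)
        if key:
            # Track whether we are inside a Firefox extensions key (any hive).
            in_key = key.group("key").lower().endswith(EXT_KEY)
            continue
        entry = ENTRY.match(line) if in_key else None
        if entry:
            # .reg exports double every backslash; accept both forms.
            path = entry.group("path").replace("\\\\", "\\")
            if any(part in path.lower() for part in USER_WRITABLE):
                flagged.append((entry.group("id"), path))
    return flagged


# First entry is the one quoted in the post; the others are constructed.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\xxxx\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
"sample@example.invalid"="C:\\Program Files\\Sample Vendor\\firefox-ext"
[HKEY_LOCAL_MACHINE\SOFTWARE\Other]
"x"="C:\\Temp\\ignored"
'''

if __name__ == "__main__":
    for ext_id, path in flag_entries(SAMPLE_REG):
        print(ext_id, "->", path)
```

A flagged entry is a lead for manual review, not a verdict: the check only looks at where the registered folder lives.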

Computer Hope Admin

Re: Infecting Firefox Add-ons With Malware
« Reply #3 on: May 27, 2009, 03:24:16 PM »
Quote
Firefox has become a bigger target over the last 6 months or so.

The overlay.xul is one target. This one has to be manually deleted.

And then a redirector found in the extensions. This one can be fixed with a tool called GooredFix (Google Redirect Fix): "Using GooRedFix to fix FireFox browser redirection problems".

Is the "overlay.xul" shown in hijackthis log reports? If so, you think it'd be advisable for me to add this to the CH process tool to check for?

evilfantasy

Re: Infecting Firefox Add-ons With Malware
« Reply #4 on: May 27, 2009, 03:28:37 PM »
Unfortunately no it isn't.

That is one of those that, after you have pulled all of your hair out, someone comes along and says "hey, check this out" lol.

Broni tipped me off to that one. No scanner can seem to find it because the file path is always random and the overlay.xul is a legitimate file.

Original 4 page conversation at the Mozillazine forums: "clickfeedmanager.com" virus targets Firefox
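Because the folder name is random and the file name is legitimate, a check has to look at what each overlay loads rather than where it lives. The Python below is an added example, not code from the thread or from any tool named in it: it walks a directory, reads every `.xul` file and reports script elements that are inline or loaded from outside `chrome://`. The function names and the sample overlays are assumptions, and the samples are constructed.

```python
import os
import re
from urllib.parse import urlparse

# Regexes instead of an XML parser: real overlays use DTD entities (&name;)
# that a strict parser rejects when the locale DTD is not available.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']*)["']""", re.I)


def audit_overlay(text):
    """Return (reason, detail) findings for the script tags in one XUL file."""
    findings = []
    for tag in SCRIPT_TAG.finditer(text):
        src = SRC_ATTR.search(tag.group(1))
        if src is None:
            # Code embedded directly in the overlay: show the tag for review.
            findings.append(("inline-script", tag.group(0)[:60]))
        elif urlparse(src.group(1)).scheme.lower() not in ("", "chrome"):
            # Loaded from outside the browser's chrome packages.
            findings.append(("non-chrome-src", src.group(1)))
    return findings


def audit_tree(root):
    """Scan every .xul file under root, whatever its folder is called."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".xul"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = audit_overlay(fh.read())
                if findings:
                    report[path] = findings
    return report


# Constructed samples: a clean overlay, and the same overlay with one
# extra script element and an unresolved entity added.
CLEAN = ('<overlay id="sample">'
         '<script src="chrome://sample/content/overlay.js"/></overlay>')
ALTERED = CLEAN.replace(
    "</overlay>",
    '<script src="http://example.invalid/a.js"/>&sample.label;</overlay>')

if __name__ == "__main__":
    print(audit_overlay(CLEAN))
    print(audit_overlay(ALTERED))
```

This is a heuristic: a script added under a relative path or the extension's own `chrome://` package is not flagged, so comparing the extension's files against a freshly downloaded copy remains the stronger check.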

Computer Hope Admin

Re: Infecting Firefox Add-ons With Malware
« Reply #5 on: May 27, 2009, 05:13:30 PM »
Hmm that's too bad, well hopefully maybe something the next version of HijackThis may have.