Mozilla shipped worm with Firefox add-on

Computerworld - Mozilla Corp. yesterday warned users about a worm that slipped into Firefox's Vietnamese language add-on and went undetected for months.

The malware-infected file has been pulled from Mozilla's servers.

"The Vietnamese language pack for Firefox 2 contains inserted code to load remote content," Window Snyder, Mozilla's chief security executive, confirmed in a post to the company's blog on Wednesday. "Everyone who downloaded the most recent Vietnamese language pack since Feb. 18, 2008, got an infected copy."

According to Snyder, the download count for the add-on since last November has been 16,667. "So we anticipate the impact on users to be limited," she said.

Mozilla developers first noticed the infected language pack on Tuesday, and by the next day had determined that the infection was accidental.

According to messages posted on Bugzilla, the bug management system Mozilla uses to track code changes, a computer used by Jasper Thai, the author of the Vietnamese add-on, had been infected earlier with the Xorer worm, malware designed to infect only Windows PCs. When Thai created the add-on, Xorer hitched a ride by installing itself in the extension's code.

Xorer can spread via removable media -- including floppy disks -- and network shares, several security vendors said in their online malware databases. "Its effects can range from simply annoying to destructive," noted the write-up by Panda Security. Snyder said that infected users were being shown unwanted ads when they surfed with Firefox.

Although Mozilla scans Firefox add-ons, including language packs, for malicious code before making them available for download, its antivirus scanner missed Xorer because it had not added a signature for the malware until mid-April. Thai had wrapped up the Vietnamese pack nearly two months earlier, on Feb. 18.

"The file is dated Feb. 18, the virus signature is date April 14, so we apparently had this in the wild for about two months before the scanners were detecting it," Dave Miller, a Mozilla company developer, said on Bugzilla.

Although U.K.-based security vendor Sophos PLC said it had produced a detection signature for the worm in early January, and Trend Micro Inc. had added one on Feb. 16, others, including McAfee Inc. and Panda, didn't get around to the worm until after Thai wrapped up the language pack.

Snyder said that Mozilla would boost the number of times it scanned files for malware. "We are also adding after-the-fact scans of everything to address this sort of case in the future," she said.

Developers on Bugzilla, however, argued whether that was feasible. "Ideally, yes, except that we get new definitions on average every six hours or so and it takes over a week to virus-scan the entire FTP server," said Mozilla's Miller as he replied to a proposal to rescan after every signature update.

"Getting monthly scans is in the plan for the new stage server once we get it working," he added.

In a message posted to the Bugzilla thread today, Thai said that he would deliver a malware-free Vietnamese language pack soon. He also claimed that the worm came from China, though he offered no proof.

"Sorry for the inconvenience! I've found that translated help files were modified by a virus from China," he said.