Mozilla shipped worm with Firefox add-on
Vietnamese language pack was infected for months before malware detected
The malware-infected file has been pulled from Mozilla's servers.
"The Vietnamese language pack for Firefox 2 contains inserted code to load remote content," Window Snyder, Mozilla's chief security executive, confirmed in a post to the company's blog on Wednesday. "Everyone who downloaded the most recent Vietnamese language pack since Feb. 18, 2008, got an infected copy."
According to Snyder, the download count for the add-on since last November has been 16,667. "So we anticipate the impact on users to be limited," she said.
Mozilla developers first noticed the infected language pack on Tuesday, and by the next day had determined that the infection was accidental.
According to messages posted on Bugzilla, the bug management system Mozilla uses to track code changes, a computer used by Jasper Thai, the author of the Vietnamese add-on, had been infected earlier with the Xorer worm, malware designed to infect only Windows PCs. When Thai created the add-on, Xorer hitched a ride by installing itself in the extension's code.
Xorer can spread via removable media -- including floppy disks -- and network shares, several security vendors said in their online malware databases. "Its effects can range from simply annoying to destructive," noted the write-up by Panda Security. Snyder said that infected users were being shown unwanted ads when they surfed with Firefox.
Although Mozilla scans Firefox add-ons, including language packs, for malicious code before making them available for download, its antivirus scanner missed Xorer because it had not added a signature for the malware until mid-April. Thai had wrapped up the Vietnamese pack nearly two months earlier, on Feb. 18.
"The file is dated Feb. 18, the virus signature is date April 14, so we apparently had this in the wild for about two months before the scanners were detecting it," Dave Miller, a Mozilla company developer, said on Bugzilla.
Although U.K.-based security vendor Sophos PLC said it had produced a detection signature for the worm in early January, and Trend Micro Inc. had added one on Feb. 16, others, including McAfee Inc. and Panda, didn't get around to the worm until after Thai wrapped up the language pack.
Snyder said that Mozilla would boost the number of times it scanned files for malware. "We are also adding after-the-fact scans of everything to address this sort of case in the future," she said.
Developers on Bugzilla, however, argued whether that was feasible. "Ideally, yes, except that we get new definitions on average every six hours or so and it takes over a week to virus-scan the entire FTP server," said Mozilla's Miller as he replied to a proposal to rescan after every signature update.
"Getting monthly scans is in the plan for the new stage server once we get it working," he added.
In a message posted to the Bugzilla thread today, Thai said that he would deliver a malware-free Vietnamese language pack soon. He also claimed that the worm came from China, though he offered no proof.
"Sorry for the inconvenience! I've found that translated help files were modified by a virus from China," he said.
Read more about Security in Computerworld's Security Topic Center.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- 2014 Gartner Magic Quadrant Report For the 7th year in a row, Riverbed is in the "Leaders" Quadrant of the 2014 Magic Quadrant for WAN Optimization Controllers. In...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts