Closed Bug 830159 Opened 11 years ago Closed 11 years ago

Malicious add-on support@vide1flash2.com aka "Lastest Adobe Flash Player"

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86
macOS
defect
Not set
normal


RESOLVED FIXED

People

(Reporter: nmaier, Unassigned)

Details

Attachments

(2 files)

Just found the attached add-on in the wild on a relative's PC (Ubuntu, not that this matters).
Judging from the browser history it seems the add-on got to the system via a shady porn site with a "plugin is required to play this video" spoof.

It is a variant of bug 755443, etc.
The add-on acts as a loader for other, remotely retrieved JavaScript, which is then executed in chrome, hence at least being able to compromise the whole active user account.

I suggest immediately blocklisting the add-on in question, id support@vide1flash2.com, and also putting the location of the remote script http://mio98.hk/j.php into the attack sites list! Don't omit the attack sites please, as at least bug 755443 uses the same URL. 

Would it be possible to grab the update ping logs and grep for similar ids, seeing that there is at least one other add-on with a very similar id?
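
Added example, not part of the original bug report or Mozilla's tooling: one way to search update-ping logs for add-on IDs that resemble the reported one, which catches variants a plain grep for the exact ID would miss. The log layout, the `/update/check` path, the `id` query parameter and every ID other than `support@vide1flash2.com` are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import parse_qs, urlsplit

KNOWN_BAD = "support@vide1flash2.com"  # add-on id from this bug report

# Constructed sample lines; the access-log layout, request path and the
# `id` parameter are assumptions, not the real update-ping format.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2013:10:00:01 +0000] "GET /update/check?id=support%40vide1flash2.com&version=1.0 HTTP/1.1" 200 512
192.0.2.11 - - [10/Jan/2013:10:00:02 +0000] "GET /update/check?id=support%40vide2flash3.com&version=1.0 HTTP/1.1" 200 512
192.0.2.12 - - [10/Jan/2013:10:00:03 +0000] "GET /update/check?id=support%40vide2flash3.com&version=1.1 HTTP/1.1" 200 512
192.0.2.13 - - [10/Jan/2013:10:00:04 +0000] "GET /update/check?id=support%40vid3oflash.com&version=1.0 HTTP/1.1" 200 512
192.0.2.14 - - [10/Jan/2013:10:00:05 +0000] "GET /update/check?id=adblock%40example.org&version=2.0 HTTP/1.1" 200 512
192.0.2.15 - - [10/Jan/2013:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

def skeleton(addon_id):
    """Lower-case and drop digits so counter-style variants collapse together."""
    return re.sub(r"\d+", "", addon_id.lower())

def extract_ids(log_text):
    """Return the URL-decoded `id` parameter of every GET request in the log."""
    ids = []
    for line in log_text.splitlines():
        m = re.search(r'"GET (\S+) HTTP', line)
        if m:
            ids.extend(parse_qs(urlsplit(m.group(1)).query).get("id", []))
    return ids

def similar_ids(log_text, known_bad=KNOWN_BAD, threshold=0.85):
    """Count ids whose digit-stripped form is close to the known-bad id."""
    target = skeleton(known_bad)
    hits = {}
    for addon_id in extract_ids(log_text):
        if addon_id == known_bad:
            continue  # the exact id is already known; report only variants
        score = SequenceMatcher(None, target, skeleton(addon_id)).ratio()
        if score >= threshold:
            hits[addon_id] = hits.get(addon_id, 0) + 1
    # Most frequently seen candidates first, ties broken alphabetically.
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for addon_id, count in similar_ids(SAMPLE_LOG):
        print(f"{count:5d}  {addon_id}")
```

Candidates returned this way still need manual review before blocklisting, since a similarity threshold can match unrelated add-ons with short or generic IDs.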
Just in case somebody is wondering....
Group: client-services-security
Component: Add-on Security → Blocklisting
The add-on has been blocklisted: https://addons.mozilla.org/en-US/firefox/blocked/i246

As for adding the URL to the attack sites, I think all that is necessary is to submit it to Google. Is this correct?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit