Coinminer malware in "Open with Adobe PDF Reader" extension

RESOLVED FIXED

Status


enhancement
a year ago
a year ago

People

(Reporter: rblampert2, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [specification][type:bug])

(Reporter)

Description

a year ago
What did you do?
================
1. Installed and activated "Open with Adobe PDF Reader" extension

What happened?
==============
Norton Internet Security immediately began reporting that it had blocked JScoinminer12 malware. After I disabled the extension, the warnings stopped.

What should have happened?
==========================
Should not have gotten such warnings.

Is there anything else we should know?
======================================
After leaving the extension disabled for a few days, and getting no warning, I enabled it again a few minutes ago and within seconds got the warning from NIS again. Once I disabled the extension again, the warnings stopped coming.
Group: websites-security → client-services-security
Component: Security → Security
Product: Mozilla Developer Network → addons.mozilla.org
Out of curiosity, I ran the latest version of the add-on through VirusTotal. At the time of scanning, it appears to not trigger anything by any of the various scanners.

Results can be found here: https://www.virustotal.com/#/file/88f955f07de4dfe9db4aa06769662539d0bde7f65142bba69b3c95131369bd58/detection
(Reporter)

Comment 2

a year ago
Interesting. Given this, I tried enabling the extension again. Within 5 seconds, I got this alert from Norton Internet Security: "Norton blocked an attack by: Web Attack: JSCoinminer Download 12." The "View Details" link produced this information:

Severity: High
Activity: An intrusion attempt was blocked.
IPS Alert Name: JSCoinminer Download 12
Attacker URL: https://coinhive.com/lib/cryptonight.wasm
Network traffic was detected that matches the signature of a known attack. The attack was resulted from C:\Program Files\Mozilla Firefox\firefox.exe.

When I first started encountering these alerts, I ran a Norton full system scan. It found three instances of this malware and was able to remove two of them, but not the third. The Norton web site recommended I download, install, and run FixToolKotver64.exe. I did, but it produced no results after the first run. Per Norton's instructions in this case, I ran it a second time, which was supposed to confirm that the malware had, in fact, been removed.

I've recently seen a Wordfence blog post (http://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/?utm_source=list&utm_medium=email&utm_campaign=122017) about coinminer malware that installs itself, then hides its existence. Could this be an example of that? That post has to do with attacks on WordPress-based web sites, but there's no reason why an attacker couldn't use the same techniques against Firefox.
Just to verify, you are talking about this add-on, correct?

https://addons.mozilla.org/en-US/firefox/addon/open-with-adobe-pdf-reader/
RBLampert: Can you also share the Firefox version and the version of the add-on you are running?
Group: client-services-security
Component: Security → Blocklisting
Product: addons.mozilla.org → Toolkit
The version currently available on AMO (1.2.3) doesn't have a coin miner, but a version previously submitted with a higher version number (2.0.0) did have one and was rejected by a reviewer. Most current users are still on version 2.0.0 and won't upgrade because it's a higher version number, so they are still affected.

We will ask the developer to resubmit the clean version with a higher version number, so users are updated to it. If there's no response after some time, we will move forward with a block.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 6

a year ago
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> The version currently available on AMO (1.2.3) doesn't have a coin miner,
> but a version previously submitted with a higher version number (2.0.0) did
> have one and was rejected by a reviewer. Most current users are still on
> version 2.0.0 and won't upgrade because it's a higher version number, so
> they are still affected.
> 
> We will ask the developer to resubmit the clean version with a higher
> version number, so users are updated to it. If there's no response after
> some time, we will move forward with a block.

Thanks, Jorge! I did install AMO version 2.0.0. I'm running 64-bit Firefox version 57.0.2.
:jorgev - Any reason why we wouldn't block the add-on now if we know the 2.0.0 version is malicious and the 1.2.3 can't be upgraded to?
Flags: needinfo?(jorge)
The add-on doesn't meet the bar for blocklisting per our policy: https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews

We will block it only if the developer doesn't update it in time.
Flags: needinfo?(jorge)
I don't believe the policy makes considerations for a malicious version of an add-on being released at a higher version than the latest.

I was reading this part of the policy...

"If an add-on is considered malicious or its developers have proven unreachable or unresponsive, or in case of repeat violations, blocklisting may be immediate."

And as I read it, the latest version of the add-on, as known by a Firefox install, is considered the malicious version. I wonder if there is a means by which we could forcefully invalidate the known malicious version of this add-on in the browser rather than revoke the plugin directly. That, to me, seems in the best interest of our users.
Added context, to help color this in future...

- SKCom (the add-on developer) is a brand new user (created on Nov. 29, 2017)
- There are 3,042 users of the Open With Adobe PDF Reader plugin
- I believe the default for add-on updates (at least in Nightly) is automatic, so all 3,042 or so of those users (assuming they were not post 2.0.0 revocation) are running and stuck on the malicious 2.0.0 version until a new version is released or the product were to somehow render that add-on version useless given its blacklist status
- SKCom has two other Firefox add-ons that likely warrant a closer look, but Open With Adobe PDF Reader seems to be the most interesting
Jorge, there haven't been any new submissions so far. Should we start blocking?
Flags: needinfo?(jorge)
The block is staged now. Please review and push.
Flags: needinfo?(jorge) → needinfo?(awagner)
The block is now live.
Status: NEW → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(awagner)
Resolution: --- → FIXED
Andreas: To confirm, the block effectively does two things; (1) prevents people from downloading any version of the add-on and (2) makes it no longer function in the browser. Is that an accurate statement?
Flags: needinfo?(awagner)
The block targets affected versions only, not the entire add-on.

Users that have the affected version installed will have it disabled automatically, as soon as Firefox pulls the blocklist update. https://blocked.cdn.mozilla.net/ should pick up the new block shortly.
Flags: needinfo?(awagner)
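A simplified model of the version-range block described in this thread (the 2.0.0 build gets disabled, 1.2.3 is left alone, and the update manager never moves a 2.0.0 install down to the clean 1.2.3), written as an added Python example that is not Mozilla's blocklist code. The add-on id and the profile records are constructed placeholders, and the version parser handles only numeric dotted versions, not the full toolkit version format.

```python
from dataclasses import dataclass

# Constructed blocklist entry modelled on a version-range block: only the
# range [2.0.0, 2.0.0] of the add-on is blocked; 1.2.3 is not.
# The add-on id is a placeholder; the real id is not on the bug page.
BLOCKED_ADDON_ID = "open-with-adobe-pdf-reader@example"  # placeholder id
BLOCK_RANGES = {BLOCKED_ADDON_ID: [("2.0.0", "2.0.0")]}


def parse_version(v):
    """Simplified version parsing: dot-separated integers only.
    (Firefox's real comparison also handles letters and '*'; this numeric
    subset is enough to order 1.2.3 against 2.0.0.)"""
    return tuple(int(p) for p in v.split("."))


def is_blocked(addon_id, version):
    """True if the installed version falls inside any blocked range."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi)
               for lo, hi in BLOCK_RANGES.get(addon_id, []))


def would_auto_update(installed, available):
    """Automatic updates only move to a strictly higher version, so a clean
    1.2.3 on AMO cannot replace a malicious 2.0.0 that is already installed."""
    return parse_version(available) > parse_version(installed)


@dataclass
class Profile:
    name: str
    addon_version: str


def apply_blocklist(profiles, amo_version):
    """For each (constructed) profile, report whether the add-on would be
    updated to the AMO version and whether the blocklist disables it."""
    return {
        p.name: {
            "updates": would_auto_update(p.addon_version, amo_version),
            "disabled": is_blocked(BLOCKED_ADDON_ID, p.addon_version),
        }
        for p in profiles
    }


# Constructed sample installs: one stuck on 2.0.0, one still on 1.2.3.
SAMPLE_PROFILES = [Profile("user-on-2.0.0", "2.0.0"),
                   Profile("user-on-1.2.3", "1.2.3")]

if __name__ == "__main__":
    for name, result in apply_blocklist(SAMPLE_PROFILES, "1.2.3").items():
        print(name, result)
```

The report shows why a block was the only remedy for the 2.0.0 installs: they neither update to 1.2.3 nor get disabled until a blocklist entry covering that version range lands.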
(Reporter)

Comment 17

a year ago
Thanks, guys! Glad to see this action taken. The web's a little bit safer place.