On macbook, clean install latest firefox connects to malware (tent) servers
(Firefox :: Untriaged, defect)
(Reporter: max.payload, Unassigned)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
Steps to reproduce:
I use a Pi-hole and regularly check my log. I noticed Firefox (only on the MacBook) connecting to r3.i.lencr.org and r3.o.lencr.org, which would be a browser hijack. I did a scan (Malwarebytes): no result. I removed Firefox and cleaned up my MacBook (Onyx). On the Pi-hole I blocked these 2 servers.
Actual results:
After downloading and re-installing Firefox I saw 2 new connections made, this time to x1.c.lencr.org and x1.i.lencr.org, both (again) malware servers (at least that's what I found on the web). Again, I blocked these 2 servers in the Pi-hole.
Expected results:
Is it possible this malware found its way into the MacBook version of Firefox? I did download it from the official site. I did (re)scan my MacBook, but again, it's clean. I don't see these connections with Firefox on Windows nor Firefox on Linux. I use the latest macOS Monterey but saw the connections also in Big Sur.
Comment 1•4 years ago
Before the new install the connections were to:
r3.i.lencr.org
r3.o.lencr.org
After the clean install the connections were to:
x1.c.lencr.org
x1.i.lencr.org
I keep monitoring this; I only see the connection being made, NOT the traffic to/from these servers.
Comment 2•4 years ago
Those sites appear to belong to Let's Encrypt, https://community.letsencrypt.org/t/r3-o-lencr-org-is-seen-as-malware/153205 . I think JC's comment there is likely correct:
I haven't examined this situation in particular, but I've seen before where security researchers examining malware mistakenly identified simple OCSP as being a botnet command-and-control vector. Basically, while the researcher is examining the actions of a piece of malware, the researcher is likely to scrutinize the list of all the hosts the malware connects to. If the malware for any reason validates OCSP for a Let's Encrypt-issued certificate, the researcher would observe it connecting to lencr.org.
Since OCSP is often done without transport encryption, it's usually pretty straightforward to see it's legitimate certificate validation, but certainly everyone makes mistakes, and as of yet lencr.org is not as well-known as letsencrypt.org.
In other words, no, those sites are not malware and whatever is telling you they are malware (perhaps the Mahakala list if you're using that for your Pi-Hole) is wrong.
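The check a practitioner would do before blocking a host like this is to ask which certificate told the client to contact it, because a browser only learns its OCSP responder, CA-issuer and CRL hosts from extensions in the certificate it is validating. The script below is an added example, not code from the bug report, Mozilla or Let's Encrypt. It mints a throwaway self-signed certificate whose Authority Information Access and CRL Distribution Points extensions carry the hostnames from the report (constructed test data, not a real Let's Encrypt certificate; the assignment of r3.o to OCSP, r3.i to the issuer certificate and x1.c to the CRL follows Let's Encrypt's naming and is an assumption of this example) and then reads those hosts back out the way a client would before connecting. It needs OpenSSL 1.1.1 or later for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example: trace "suspicious" DNS names back to the certificate
# extensions that cause a TLS client to contact them.
set -e

# Mint a self-signed test certificate at $1 (PEM) whose AIA and CRL DP
# extensions name the hosts from the bug report. Constructed data only.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example.test" \
    -addext "authorityInfoAccess=OCSP;URI:http://r3.o.lencr.org,caIssuers;URI:http://r3.i.lencr.org/" \
    -addext "crlDistributionPoints=URI:http://x1.c.lencr.org/" \
    -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

# Print, sorted and one per line, every host a client may contact to check
# revocation (OCSP, CRL) or fetch the issuer chain for the certificate at $1.
validation_hosts() {
  openssl x509 -in "$1" -noout -ext authorityInfoAccess,crlDistributionPoints \
    | grep -o 'URI:[^ ,]*' \
    | sed -e 's#^URI:##' -e 's#^[a-z]*://##' -e 's#/.*##' \
    | sort -u
}

# Usage: mint the certificate, list its validation hosts, clean up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert "$WORK/leaf.pem"
echo "Hosts that validating $WORK/leaf.pem may contact:"
validation_hosts "$WORK/leaf.pem"
```

Against a real site the same `validation_hosts` function can be pointed at a certificate saved from `openssl s_client -connect host:443 -showcerts`; if the Pi-hole entry matches one of the printed hosts, the lookup was certificate validation, not a call home. Note that the caIssuers and CRL hosts (the `i` and `c` names in the report) show up whenever the client has to complete the chain or fetch a revocation list, so they appear alongside the OCSP responder even though only OCSP is mentioned in the quoted comment.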