Closed Bug 660924 Opened 14 years ago Closed 12 years ago

Please block the "XULRunner 1.9.1" malware extension.

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: raykos, Unassigned)


Attachments

(3 files)

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

If I do a Google image search, only the results on page 1 (which isn't marked as page 1) display. Those that should appear on following pages show up simply as gray rectangles (placeholders). If I hit Reload, the images on page 2 will usually appear. For a search that produces lots of results (like Lady Gaga), typically the rectangles appear up to page 6, followed by white space right to the bottom of the page. If I place the mouse pointer over a gray rectangle, I can see the link at the bottom and go to it by clicking.

If I do the same search using bing.com, all the images display. Disabling XULRunner 1.9.1 eliminates the problem.

Reproducible: Always

Steps to Reproduce:
1. google.com
2. Search Images for lady gaga
3.

Actual Results:
See Details above.

Expected Results:
Displayed all the images, with none represented by gray rectangles.
Version: unspecified → 4.0 Branch
The XULRunner 1.9.1 *add-on* is malware and infects Google search results. See for example: http://support.mozilla.com/en-US/questions/743526 http://support.mozilla.com/en-US/questions/749007
Not a bug in Firefox as this is a bug with a malicious extension. However, perhaps we can black list this extension?
Reporter: Please enter about:support in Firefox URL bar and copy the extension part into this bug report. We can block this extension with your information.
Extensions

Name                                Version   Enabled  ID
Microsoft .NET Framework Assistant  1.2.1     false    {20a82645-c095-46ed-80e3-08825760534b}
Java Quick Starter                  1.0       true     jqs@sun.com
XULRunner                           1.9.1     false    {44753F2F-58AE-4C42-A4AB-214D6B3169E0}
DownloadHelper                      4.8.6     true     {b9db16a4-6edc-47ec-a1f4-b86292ed211d}
Java Console                        6.0.18    true     {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
Java Console                        6.0.20    true     {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
Java Console                        6.0.21    true     {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Java Console                        6.0.22    true     {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
RealPlayer Browser Record Plugin    14.0.3    true     {ABDE892B-13A8-4d1b-88E6-365A6E755758}
DivX Plus Web Player HTML5 <video>  2.1.1.94  false    {23fcfd51-4958-4f00-80a3-ae97e717ed8b}
DivX HiQ                            2.1.1.94  false    {6904342A-8307-11DF-A508-4AE2DFD72085}
Adblock Plus                        1.3.7     true     {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Please block: XULRunner 1.9.1 false {44753F2F-58AE-4C42-A4AB-214D6B3169E0}
Reporter: We will probably block the extension for all Firefox users, but that will just set it to a disabled state. You did that already manually. To remove it from your system you have to ask for help in one of the malware support forums or in the Mozilla support forums. It's out of the scope of Bugzilla to provide help in such cases.
Status: UNCONFIRMED → NEW
Component: Extension Compatibility → Blocklisting
Ever confirmed: true
Product: Firefox → addons.mozilla.org
QA Contact: extension.compatibility → blocklisting
Summary: XULRunner 1.9.1 prevents Google images from displaying → Please block the "XULRunner 1.9.1" malware extension.
Version: 4.0 Branch → unspecified
It seems that the malware generates different UUIDs. From http://support.mozilla.com/de/questions/743526:
> C:\Documents and Settings\myname\Local Settings\Application Data\{BA82CD75-8E23-4B17-86CA-AF21BB71D52E}*
> The hex filename seems to be randomly generated on each restart. These folders can be deleted, but a new one respawns on every restart.
Can we block an extension without a UUID?
{E36440E0-EF0C-432B-8084-5FF96106D5A4} is another ID.
We can't block add-ons that change their GUIDs. If we are sure that a particular GUID has been used a lot, we can block that. Is there any confirmation that one of these GUIDs has been used several times?
It seems that unfortunately the malware author did a "good job" with using an addon name that is related to Mozilla and the malware generates random UUIDs. People who google for that name will find out that this seems to be part of Firefox. Could we contact AV software vendors if we have no chance to block this ?
Does anyone know where this extension can be downloaded? I'm hoping that if we take a look at what it's doing to generate UUIDs then maybe there's a way to block it. We might be lucky and it's using a predefined list or there could at least always be the same starting UUID to block to at least prevent new infections.
It looks like bug 636780 is about the same issue.
(In reply to Matthias Versen (Matti) from comment #10)
> Could we contact AV software vendors if we have no chance to block this?
Yes please! Sending samples to A-V vendors is the only way to beat back this kind of thing. Send them individually, and then scan with www.virustotal.com (once one A-V detects it, virustotal will share it with the others).
Attached file XULRunner 1.9.1 source
I've located the extension on my computer at %USERPROFILE%\AppData\Local\{3787E767-0AE4-4111-B32A-8F988B2CA047}\ The UUID may differ for other users. I am uploading the extension for review.
Attached file Redirect address list
In case it helps anyone, I've uploaded a list of URLs that I have been redirected to while clicking on Google search results.
My MS Virus scanner detected the XPI during the download of the attachment. The scan result from virustotal : http://www.virustotal.com/file-scan/report.html?id=ffa7acc3d558414abdacd1ceb1f26adbe0067a009bb9a2e6efb73f1dc3d323a8-1313849113
Kris, can you look into this one? Should we consider a name block?
Good point.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Product: addons.mozilla.org → Toolkit
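One way to check an installed extension by name rather than by GUID, as the name-block idea above suggests, added here as an example and not code from Mozilla or the blocklist service. It parses the install.rdf manifest every Firefox 4-era extension carries, flags the two GUIDs quoted in this bug, and also flags any manifest whose name and version read "XULRunner 1.9.1" under a GUID not yet seen. The sample manifests and paths are constructed, and the unlisted GUID in them is a placeholder:

```python
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# GUIDs quoted in this bug; a fresh install of the add-on will use a new one.
KNOWN_BAD_IDS = {
    "{44753F2F-58AE-4C42-A4AB-214D6B3169E0}",
    "{E36440E0-EF0C-432B-8084-5FF96106D5A4}",
}
# Name and version the thread proposes to block regardless of GUID.
NAME_BLOCK = ("xulrunner", "1.9.1")


def parse_install_rdf(text):
    """Return {'id', 'name', 'version'} from an install.rdf document.

    The em:* fields may be child elements of the Description node or
    attributes on it; Firefox accepts both forms, so both are read here.
    """
    root = ET.fromstring(text)
    desc = None
    for node in root.iter("{%s}Description" % RDF_NS):
        about = node.get("about") or node.get("{%s}about" % RDF_NS)
        if about == "urn:mozilla:install-manifest":
            desc = node
            break
    if desc is None:
        raise ValueError("no install-manifest Description element")

    def field(name):
        child = desc.find("{%s}%s" % (EM_NS, name))
        if child is not None and child.text and child.text.strip():
            return child.text.strip()
        return desc.get("{%s}%s" % (EM_NS, name))

    return {"id": field("id"), "name": field("name"), "version": field("version")}


def classify(manifest):
    """Reason string if the manifest should be flagged, else None."""
    if manifest["id"] in KNOWN_BAD_IDS:
        return "known GUID"
    name = (manifest["name"] or "").strip().lower()
    if (name, manifest["version"]) == NAME_BLOCK:
        return "name/version match under unlisted GUID %s" % manifest["id"]
    return None


def scan(manifests):
    """manifests maps a path to install.rdf text; returns {path: reason} for hits."""
    hits = {}
    for path, text in manifests.items():
        try:
            reason = classify(parse_install_rdf(text))
        except (ET.ParseError, ValueError) as exc:
            reason = "unparseable install.rdf (%s)" % exc
        if reason:
            hits[path] = reason
    return hits


def _manifest(ext_id, name, version, as_attributes=False):
    """Build a constructed install.rdf in element or attribute form."""
    head = '<?xml version="1.0"?>\n<RDF xmlns="%s" xmlns:em="%s">\n' % (RDF_NS, EM_NS)
    if as_attributes:
        body = ('  <Description about="urn:mozilla:install-manifest" '
                'em:id="%s" em:name="%s" em:version="%s"/>\n' % (ext_id, name, version))
    else:
        body = ('  <Description about="urn:mozilla:install-manifest">\n'
                '    <em:id>%s</em:id>\n    <em:name>%s</em:name>\n'
                '    <em:version>%s</em:version>\n  </Description>\n' % (ext_id, name, version))
    return head + body + "</RDF>\n"


# Constructed sample: the GUID reported here, a placeholder GUID standing in for
# a freshly generated one, and a legitimate add-on from the same listing.
SAMPLES = {
    r"C:\Users\user\AppData\Local\{44753F2F-58AE-4C42-A4AB-214D6B3169E0}\install.rdf":
        _manifest("{44753F2F-58AE-4C42-A4AB-214D6B3169E0}", "XULRunner", "1.9.1"),
    r"C:\Users\user\AppData\Local\{PLACEHOLDER-GUID-0001}\install.rdf":
        _manifest("{PLACEHOLDER-GUID-0001}", "XULRunner", "1.9.1", as_attributes=True),
    r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\extensions\adblock\install.rdf":
        _manifest("{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}", "Adblock Plus", "1.3.7"),
}

if __name__ == "__main__":
    for path, reason in scan(SAMPLES).items():
        print(reason, "<-", path)
```

On a real machine the SAMPLES dict would be replaced by reading install.rdf from each directory under the profile's extensions folder and under %LOCALAPPDATA%, where the reporter found the copy; the name match is what catches a reinstall that has rolled a new GUID, while the GUID set still catches the exact samples already reported.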