Last Comment Bug 830159 - Malicious add-on aka "Lastest Adobe Flash Player"
: Malicious add-on aka "Lastest Adobe Flash Player"
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: unspecified
: x86 Mac OS X
-- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: Jorge Villalobos [:jorgev]
Depends on:
  Show dependency treegraph
Reported: 2013-01-13 13:57 PST by Nils Maier [:nmaier]
Modified: 2016-03-07 15:30 PST (History)
1 user (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

MALICIOUS add-on, do not install (2.68 KB, application/octet-stream)
2013-01-13 13:57 PST, Nils Maier [:nmaier]
no flags Details
De-minified, beautified loader js (3.52 KB, text/plain)
2013-01-13 13:58 PST, Nils Maier [:nmaier]
no flags Details

Description User image Nils Maier [:nmaier] 2013-01-13 13:57:29 PST
Created attachment 701617 [details]
MALICIOUS add-on, do not install

Just found the attached add-on in the wild on a relative's PC (Ubuntu, not that this matters).
Judging from the browser history it seems the add-on got to the system via a shady porn site with a "plugin is required to play this video" spoof.

It is a variant of bug 755443, etc.
The add-on acts as a loader for other, remotely retrieved javascript, which is then executed in chrome, hence at least being able to compromise the whole active user account.

I suggest immediately blocklisting the add-on in question, id, and also putting the location of the remote script into the attack sites list! Don't omit the attack sites please, as at least bug 755443 uses the same URL. 

Would it be possible to grab the update ping logs and grep for similar ids, seeing that there is at least one other add-on with a very similar id.
Comment 1 User image Nils Maier [:nmaier] 2013-01-13 13:58:41 PST
Created attachment 701618 [details]
De-minified, beautified loader js

Just in case somebody is wondering....
Comment 2 User image Jorge Villalobos [:jorgev] 2013-01-14 09:19:07 PST
The add-on has been blocklisted:

As for adding the URL to the attack sites, I think all that is necessary is to submit it to Google. Is this correct?

Note You need to log in before you can comment on or make changes to this bug.