Firefox add-on was clean, maker says

Written by John P Mello Jr on February 12, 2010

An add-on program that allegedly infected the computers of 4000 users of the Firefox Web browser was clean and malware free, according to the maker of the application.

According to Sothink Software, the add-on, Web Video Downloader 4.0, was misidentified as a malware carrier due to a compression utility called Armadillo embedded in Sothink’s offering. The utility is often used by crackers to compress and hide malicious code in malware, the company explained. “That’s the reason why the [virus] scans are hitting on the file as suspicious,” it said, “[T]here isn’t any virus in Web Video downloader or in Armadillo….”

The company added that it hasn’t used Armadillo in the software for quite some time and that the latest release of the add-on, version 5.7, has been certified clean and safe by VirusTotal, an independent virus detection service.

The Video Downloader add-on is a free program that lets a user capture Adobe Flash video from within Firefox on Web sites such as YouTube, Google and MSN and save it in a number of formats, including FLV, WMV, ASF, AVI, MOV, RM and RMVB.

Last week, the Mozilla Foundation, makers of Firefox, removed Video Downloader 4.0, as well as another program called Master Filer, from its add-ons Web site, known as AMO, claiming the software was infected with a bad app.

“Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users,” Mozilla stated in a blog posting at its add-ons site. “Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose Trojan. Both add-ons have been disabled on AMO.”

Win32.LdPinch.gen is part of a family of password-stealing Trojans. It steals personal information, such as passwords, from an infected computer and sends the data to the cracker at a designated email address. The Trojans use their own Simple Mail Transfer Protocol (SMTP) engine or a web-based proxy for sending email so copies of the mail will not appear in a local email client.
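The defensive counterpart of the behaviour just described: because a password stealer that ships its own SMTP engine never leaves a trace in the local mail client, the place to look is the network, for SMTP connections made by processes that have no business sending mail. The following is an added example, not code from the article or from any vendor it names; the log line format, the mail-client allowlist and the sample records are all constructed for illustration.

```python
"""Flag outbound SMTP connections from processes that are not known mail clients.

Constructed log format, one connection per line:
"<timestamp> pid=<n> proc=<image name> dst=<ip>:<port> dir=<in|out>"
"""
import re
from typing import Dict, List

SMTP_PORTS = {25, 465, 587}
# Assumed allowlist of images that legitimately speak SMTP on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) dir=(?P<dir>\w+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed connection record into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def find_rogue_smtp(lines: List[str]) -> List[Dict[str, str]]:
    """Return records for outbound SMTP connections from non-mail processes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec["dir"] != "out" or int(rec["port"]) not in SMTP_PORTS:
            continue
        if rec["proc"].lower() in MAIL_CLIENTS:
            continue  # a real mail client talking to a mail server is expected
        findings.append(rec)
    return findings


# Constructed sample: a mail client, a browser fetching a page, and a
# browser process speaking SMTP directly, which is the pattern to catch.
SAMPLE_LOG = [
    "2010-02-10T09:01:02Z pid=1204 proc=outlook.exe dst=192.0.2.10:587 dir=out",
    "2010-02-10T09:01:05Z pid=2210 proc=firefox.exe dst=198.51.100.7:80 dir=out",
    "2010-02-10T09:01:09Z pid=2210 proc=firefox.exe dst=203.0.113.25:25 dir=out",
    "2010-02-10T09:01:11Z pid=3001 proc=svchost.exe dst=203.0.113.25:25 dir=in",
]

if __name__ == "__main__":
    for hit in find_rogue_smtp(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['proc']} (pid {hit['pid']}) -> {hit['ip']}:{hit['port']}")
```

A web-based proxy path, the other channel the article mentions, would not trip this rule, so in practice it is paired with egress monitoring of HTTP traffic from the same process.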

Bifrose creates a backdoor on a compromised machine. After it infects a computer, it tries to locate a running Web browser and inject code into it. The injected code is the backdoor. It communicates with an outlaw server using specially crafted HTTP queries. The server can instruct the backdoor to execute a number of actions such as copying, deleting, renaming, finding and executing files; download and upload files; modify the Windows Registry; and create screenshots of a desktop.

According to Mozilla, Master Filer was downloaded 400 times from September 2009 to January 2010; Video Downloader 4.0, 4000 times from February to May 2008.

Ironically, the infection window Mozilla attributes to the Sothink program corresponds to another period when the organization’s scanning policies were under fire. At that time, it was discovered that a Vietnamese Language Pack distributed from the add-on site was piggybacking a malicious payload. Under the spotlight of public scrutiny, Mozilla confessed that it only scanned add-ons for malware when they were initially uploaded to the site. If an add-on contained malware that wasn’t discovered until after it was uploaded to the site, it would never be detected. Since that time, Mozilla has changed its policies to address that issue.

Master Filer was removed from the AMO site on January 25, but the Sothink add-on didn’t come down until a week later, after Mozilla added two additional malware detection tools that discovered the alleged Trojan in Video Downloader 4.0.

In a related matter, security experts are reporting that a fake Mozilla site has been created by crackers to entice users to download the latest version of Firefox. Web surfers with a keen eye, though, will see that the site is offering a download of Firefox 3.5. The latest version of the browser is 3.6.

Websters hoodwinked by the site end up installing something called Hotbar, an obnoxious piece of spyware hawked by Pinball Corp., formerly known as Zango.

The White Hats say that the fake Firefox site is most likely not associated with Pinball, but is only trying to exploit the company’s pay-per-install network for some easy money. Pinball is paying as high as $1.45 per install for Hotbar.

About John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.