Mozilla says a pair of malicious Firefox add-ons slipped by its security checks and infected approximately 4,600 Windows computers over the last five months.
The browser add-ons, described by Mozilla as “experimental,” contained a Trojan horse that executed when Firefox started and infected the host computer.
According to a post on the Mozilla add-ons blog, the malicious add-ons were Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer.
The Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained the Win32.Bifrose Trojan. Both add-ons have been disabled, but Mozilla said they were active since September 2009.
Users with either of these add-ons should uninstall them immediately. Because uninstalling these extensions does not remove the Trojan from a user’s system, an anti-virus program should be used to scan for and remove any infections.
Mozilla said the malicious add-ons sneaked past its security processes:
[We perform] a malware check on all add-ons uploaded to the site, and block add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.
Separately, malware researchers at Eset are warning about a fake Firefox download page that comes with nasty adware surprises.
“Taking a closer look reveals clues to the fraudulent page. While the page advertises version 3.5, the newest version is actually 3.6. There are also misspellings such as ‘Anti-Pishing’ in the title of the security section,” the company explained.
Victims of this scam install the “Hotbar” toolbar by Pinball Corp, formerly Zango. Not only are users subject to the annoying toolbar, they’re also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray.
Eset noted that the owner of the fake Firefox site is most likely not associated with Pinball Corp and is only using its pay-per-install ad network for fast cash.
Pay-per-install affiliate programs reward referring sites that generate installs of their programs, with Pinball paying as high as $1.45 per install, the company said.