News

The researcher found a bulk of malware among Firefox add-ons that hide behind the name of Adobe and other well-known companies

The catalog of add-ons for Firefox (AMO) noted a massive publication of malicious add-ons hiding behind well-known projects.

Researcher Martin Brinkmann discovered and it tested on examples.

For instance, in the catalogue posted malware add-ons “Adobe Flash Player“, “ublock origin Pro“, “Adblock Flash Player” etc.

As these add-ons are removed from the catalog, the attackers immediately create a new account and substitute them with new malware add-ons.

For example, a few hours ago, the Firefox user account 15018635 was created, under which the add-ons “Youtube Adblock“, “Ublock plus“, “Adblock Plus 2019” located. Apparently, the description of the additions formed to ensure that they are displayed in the top on such searching queries as “Adobe Flash Player” and “Adobe Flash“.

When you install an add-on, you are asked for permissions to access all the data on the sites you are browsing. In the process of work, the keylogger is launched, which sends information about the filling out of forms and the installed cookies to theridgeatdanbury.com host.

Martin Brinkmann

“When you download the extensions, you may notice that the name of the extension does not necessarily match the downloaded file name. The download if ublock origin pro returned a adpbe_flash_player-1.1-fx.xpi file”, — writes Martin Brinkmann in ghacks.net portal.

The script code inside add-ons is slightly different, but the malicious actions they perform are obvious and not hidden.

Probably, absence of application of techniques for hiding malicious activity and extremely simple code make it possible to bypass the automated system of preliminary review of add-ons. At the same time, it is not clear how the fact of the explicit and non-hidden sending of data from the add-on to an external host can be ignored during an automated check.

Recalling, Mozilla argues that introduction of a digital signature check will block the distribution of malicious and spyware add-ons.

Fake Abobe add-ons

Some add-on developers do not agree with this position and believe that the mandatory digital signature verification mechanism only creates difficulties for developers and leads to increase in the time of communicating corrective releases to users without affecting security.

Many trivial and obvious techniques of bypassing system of automated verification of add-ons allow secretly inserting malicious code. For example, by forming an operation on the fly by connecting several lines and executing the resulting string by calling eval.

Read also: [Makeseparatebestappclicks.top] fake Adobe Flash Player update alert removal

Mozilla’s position narrows to the fact that most authors of malicious add-ons are quite lazy and will not resort to similar techniques to hide malicious activity.

In October 2017, a new review process was added to the AMO catalog. The manual check was replaced by an automatic process, which allowed getting rid of long waiting times in the queue for passing the check and increased the efficiency of delivering new issues to users.

In this manual check is not completely abolished, and selectively carried out for already placed additions. Supplements for manual verification are selected based on the calculated risk factors.

Source: https://www.ghacks.net

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Pbmsoultions.com Pop-up Ads

About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…

1 day ago

Remove Prizestash.com Pop-up Ads

About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…

1 day ago

Remove Verifiedbreaking.com Pop-up Ads

About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…

1 day ago

Remove Themoneyminutes.com Pop-up Ads

About Themoneyminutes.com Themoneyminutes.com pop-ups can not launch out of the blue. If you have actually…

1 day ago

Remove News-xcidizi.com Pop-up Ads

About News-xcidizi.com News-xcidizi.com pop-ups can not introduce out of nowhere. If you have clicked some…

1 day ago

Remove Everytraffic-flow.com Pop-up Ads

About Everytraffic-flow.com Everytraffic-flow.com pop-ups can not launch out of nowhere. If you have actually clicked…

1 day ago