I came across another headline that needs some clarification. The FireFox effort doesn’t really deserve this one: “Firefox add-on infected with Trojan”
The language pack add-on in particular, vietnamese_language_pack-2.0-fx-win.xpi, was not infected with a trojan. We inspected some of the allegedly “trojanized” files ourselves. The “.xpi” package can simply be renamed to “.zip” and its contents extracted. Then, we extracted vi-VN.jar. Buried deep within the directories, we can find a help directory. There, multiple “.xhtml” files exist. At the very bottom of these files, we find some script code:
< c = “h xx p : / / %6A %73 %2E %6B%30%31%30%32%2E%63%6F%6D/ %30%31%2E%61%73%70″>
This statement can be decoded and when viewed, redirects a browser to hxxp://js. k0102. com/ 01. asp
At this point, nothing of a highly damaging nature has occured. Web pages redirect browsers to ads all the time, for example. This particular web page redirected browsers to some advertisements.
How often might the redirection have occurred? I am not really sure. In my browser, I installed the language pack, but couldn’t find a way to display the related help pages with the script code. It seems the distributed files would not have readily effected FireFox users. But it appears to not be virulent.
So how come this script code wasn’t detected before it was released? Well, the AV scanners that the Mozilla team was using didn’t detect this line of code. It’s somewhat surprising that the scanners didn’t catch it, considering the viral family that most likely left this line of code and was running on the developer’s machine has been in the wild in the Asian region since at least 2006.
Nonetheless, it is never good when any developers are working on infected systems. Release quality comes into question when things like this happen, but this one doesn’t seem to be terribly alarming. The group appropriately froze access to the package, removed the dozen or so xhtml files, and re-released the package. All in plain view.