
Someone is distributing fake versions of my app with malware - Animats
I have a Firefox plug-in, "Ad Limiter"[1]. Recently, the number of users as logged by Mozilla's AMO site began to climb rapidly. When Firefox checks for updates daily, it reports the installed plug-ins to Mozilla, and Mozilla publishes those statistics.

The rate of increase in users exceeds the number of downloads. At first I thought Mozilla's statistics system was broken. But that's not the problem.[2]

Someone is apparently distributing some form of malware which seems to be impersonating Ad Limiter. They're using Ad Limiter's Mozilla AMO ID number, but a random version number. (Real version numbers are 1.3 to 2.0. Fake version numbers range from 2.17.71 to 1009.99.992. All bogus versions have three-number versions, while all legitimate versions have two-number versions.)

All this is inferred from Firefox statistics logging. We haven't seen the actual malware yet. If anyone has a copy of Firefox with Ad Limiter installed, and the version isn't between 1.3 and 2.0, we'd really like to see it. Please save a copy of the Firefox add-ons directory before deleting the bogus add-on, and send a copy of the bogus add-on to "info@sitetruth.com". We want to see what this malware is doing in our name. Thanks.

[1] https://addons.mozilla.org/en-US/firefox/addon/ad-limiter/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1152966
======
Animats
It's not just our addon. They got Flashblock, too. There are about 5000 bogus
Flashblock installs, with the same sort of random 1000.xx.xx version numbers.
Here's the raw JSON of usage by version:

[https://addons.mozilla.org/en-us/firefox/addon/flashblock/st...](https://addons.mozilla.org/en-us/firefox/addon/flashblock/statistics/versions-day-20150409-20150411.json)

(The human-readable statistics just say "Invalid"; you have to look at the raw
JSON to see the bogus versions.)

I started writing a program in Go to find other examples, used Flashblock as
the first test case, and got a hit. Not looking good.
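
The version-screening program mentioned above is not shown in the thread; the following is an added example (not the poster's Go code) of how a developer can flag bogus versions in a statistics feed. It assumes the AMO versions-day JSON can be reduced to a version-to-user-count map, which is a constructed simplification of the real feed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample, not the real AMO feed: it assumes the versions-day JSON
// reduces to a {"version": users} map (the real layout may differ).
const sampleJSON = `{"1.3": 120, "1.4": 95, "2.0": 340, "2.17.71": 15, "1009.99.992": 8}`

// wellFormed: a real release number has exactly two numeric components; the
// bogus installs in the thread all report three, often absurdly large.
func wellFormed(v string) bool {
	parts := strings.Split(v, ".")
	if len(parts) != 2 {
		return false
	}
	_, errMajor := strconv.Atoi(parts[0])
	_, errMinor := strconv.Atoi(parts[1])
	return errMajor == nil && errMinor == nil
}

// flagVersions returns versions that are malformed or absent from the developer's
// own release list, with user counts; the list check also catches impersonators
// that switch to two-component numbers.
func flagVersions(data string, published []string) (map[string]int, error) {
	var counts map[string]int
	if err := json.Unmarshal([]byte(data), &counts); err != nil {
		return nil, err
	}
	known := map[string]bool{}
	for _, v := range published {
		known[v] = true
	}
	flagged := map[string]int{}
	for v, users := range counts {
		if !wellFormed(v) || !known[v] {
			flagged[v] = users
		}
	}
	return flagged, nil
}

func main() {
	fmt.Println(flagVersions(sampleJSON, []string{"1.3", "1.4", "2.0"}))
}
```

The same check can be run over every add-on's feed to find other impersonated IDs, as the poster did with Flashblock.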

------
redwards510
I feel like the odds of you finding a HN user with a malicious addon is
pretty low compared to other places. Have you tried the firefox addons forums?
Users often describe issues there and you may have a thread dedicated to your
addon (or you can start one).

Another place you might be able to reach out to are AV vendors like Kaspersky.
From what I understand they index and hash nearly every file on a user's
computer to compare to a master database. Maybe you can ask them to search for
a file name and where it occurs geographically.

I wonder if someone is trading warez in exchange for installing a "free ad
blocker!" (your addon converted to malware). I've seen things like that
before.

~~~
redwards510
Now that I read more about your app I can see why criminals would want to
subvert it. You are replacing the top (ad) search result on every search
engine with one that has been verified by sitetruth.com. If I were a criminal
I would love to slightly modify your code to point to my own ad server, thus
letting me earn affiliate bucks. Then install the addon via drive-by download.
The users wouldn't remember installing it, but they might not remove it
either, due to the pleasant-sounding name.

~~~
_asummers
Is this not the same vector used for the GitHub DDOS, just in a slightly
different form?

------
JetSpiegel
From
[https://bugzilla.mozilla.org/show_bug.cgi?id=1152966](https://bugzilla.mozilla.org/show_bug.cgi?id=1152966)
> The real solution to this problem is extension signing, which we will deploy later this year.

------
Animats
The malware is probably using our add-on ID

    551f2920-3c19-11e1-b86c-0800200c9a66@jetpack.xpi

and may have a filename such as that, but may not be called Ad Limiter. Google
searches for that ID are not turning up anything other than our own stuff.

------
spiritplumber
Can you push a plugin update that breaks whatever they're doing, or at least
makes some sort of notification to the user show up?

------
alwold
Are you sure there is malware? Maybe someone copy-pasted your id not knowing
what they were doing, and they have a completely legitimate app otherwise.

~~~
daveloyall
They know how to make their version number vary at runtime, but they don't
know not to copy/paste someone else's ID?

They don't know not to copy/paste someone else's ID, yet their add-on has
become more popular than OP's overnight?

Malware is not "a bridge too far". If it looks like a duck and quacks like a
duck...

OP: ask Mozilla staff to comb their incoming stats logs for IPs suspected of
infection then search Spamhaus, RBL type databases for matches. If the malware
is spread via email, you might find a copy of it that way.

This comment is insightful:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1152966#c4](https://bugzilla.mozilla.org/show_bug.cgi?id=1152966#c4)
. A similar strategy would be to select the list of other addons that same
machines have installed.

~~~
cmdrfred
"If it looks like a duck and quacks like a duck" - Ferguson, Missouri PD
operations manual (2012)

------
cenal
Have you contacted Mozilla to see what they recommend in this type of
scenario?

~~~
Animats
Yes. See

[https://bugzilla.mozilla.org/show_bug.cgi?id=1152966](https://bugzilla.mozilla.org/show_bug.cgi?id=1152966)

I put this on HN because somewhere there's probably somebody who's detected a
security problem related to this and is trying to track it down.

A likely possibility is that it's some malware that's already on the Firefox
blacklist[1], and they're trying to get past the blacklist by stealing the
identity of a valid add-on.

[1] [https://addons.mozilla.org/en-US/firefox/blocked/](https://addons.mozilla.org/en-US/firefox/blocked/)

------
Aoyagi
>app

Really...

------
userbinator
_The rate of increase in users exceeds the number of downloads._

Looking at the other facts here makes this unlikely, but don't forget that
users may be sharing the files somewhere else, so the actual number of users
could far outnumber the number of downloads from the official site. Quite
frankly I consider that a _good_ thing, since I think users should be allowed
to do that - and look on the bright side, your add-on would not be shared in
such a fashion if users didn't like it.

Also, I wouldn't be hasty in calling this "malware"... perhaps it's a
benevolent mod that someone did, and shared it on a forum somewhere. I
know that you likely don't approve of such a thing, but it's basically what
the Android community does (share modded apps) and I don't think it's
fundamentally bad; it's one of the reasons why I prefer it to a more walled-garden
ecosystem. I say this from the perspective of both an author and user.

------
sbfeibish
Along those same lines. It's been Grand Central in my house around 4 a.m. I
can't trust my computer and am going to print the code. Scan the printed code.
Have the code retyped on a new computer. Copy the code to a disk. Compare it
against the original code on the original computer. Rinse, wash, repeat until
the code matches. I live in an area I un-affectionately call "Spookville".
Does anyone know of a service that does this? (I realize I can hire a temp.)

~~~
sbfeibish
Sorry. S. Feibish.

