Hacker News new | past | comments | ask | show | jobs | submit login
Someone is distributing fake versions of my app with malware
185 points by Animats on Apr 10, 2015 | hide | past | web | favorite | 20 comments
I have a Firefox plug-in, "Ad Limiter"[1]. Recently, the number of users as logged by Mozilla's AMO site began to climb rapidly. When Firefox checks for updates daily, it reports the installed plug-ins to Mozilla, and Mozilla publishes those statistics.

The rate of increase in users exceeds the number of downloads. At first I thought Mozilla's statistics system was broken. But that's not the problem.[2] Someone is apparently distributing some form of malware which seems to be impersonating Ad Limiter. They're using Ad Limiter's Mozilla AMO ID number, but a random version number. (Real version numbers are 1.3 to 2.0. Fake version numbers range from 2.17.71 to 1009.99.992. All bogus versions have three-number versions, while all legitimate versions have two-number versions.

All this is inferred from Firefox statistics logging. We haven't seen the actual malware yet. If anyone has a copy of Firefox with Ad Limiter installed, and the version isn't between 1.3 and 2.0, we'd really like to see it. Please save a copy of the Firefox add-ons directory before deleting the bogus add-on, and send a copy of the bogus add-on to "info@sitetruth.com". We want to see what this malware is doing in our name. Thanks.

[1] https://addons.mozilla.org/en-US/firefox/addon/ad-limiter/ [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1152966




It's not just our addon. They got Flashblock, too. There are about 5000 bogus Flashblock installs, with the same sort of random 1000.xx.xx version numbers. Here's the raw JSON of usage by version:

https://addons.mozilla.org/en-us/firefox/addon/flashblock/st...

(The human-readable statistics just say "Invalid"; you have to look at the raw JSON to see the bogus versions.)

I started writing a program in Go to find other examples, used Flashblock as the first test case, and got a hit. Not looking good.


I feel like the the odds of you finding a HN user with a malicious addon is pretty low compared to other places. Have you tried the firefox addons forums? Users often describe issues there and you may have a thread dedicated to your addon (or you can start one).

Another place you might be able to reach out to are AV vendors like Kaspersky. From what I understand they index and hash nearly every file on a users computer to compare to a master database. Maybe you can ask them to search for a file name and where it occurs geographically.

I wonder if someone is trading warez in exchange for installing a "free ad blocker!" (your addon converted to malware). I've seen things like that before.


Now that I read more about your app I can see why criminals would want to subvert it. You are replacing the top (ad) search result on every search engine with one that has been verified by sitetruth.com. If I were a criminal I would love to slightly modify your code to point to my own ad server, thus letting me earn affiliate bucks. Then install the addon via drive-by download. The users wouldn't remember installing it, but they might not remove it either, due to the pleasant-sounding name.


Is this not the same vector used for the GitHub DDOS, just in a slightly different form?


Maybe installation was done by Firefox add-on updates?


From https://bugzilla.mozilla.org/show_bug.cgi?id=1152966 > The real solution to this problem is extension signing, which we will deploy later this year.


The malware is probably using our add-on ID

    551f2920-3c19-11e1-b86c-0800200c9a66@jetpack.xpi
and may have a filename such as that, but may not be called Ad Limiter. Google searches for that ID are not turning up anything other than our own stuff.


Can you push a plugin update that breaks whatever they're doing, or at least makes some sort of notification to the user show up?


Are you sure there is malware? Maybe someone copy-pasted your id not knowing what they were doing, and they have a completely legitimate app otherwise.


They know how to make their version number vary at runtime, but they don't know not to copy/paste someone else ID?

They don't know not to copy/paste someone else's ID, yet their add-on has become more popular than OP's overnight?

Malware is not "a bridge too far". If it looks like a duck and quacks like a duck...

OP: ask Mozilla staff to comb their incoming stats logs for IPs suspected of infection then search Spamhaus, RBL type databases for matches. If the malware is spread via email, you might find a copy of it that way.

This comment is insightful: https://bugzilla.mozilla.org/show_bug.cgi?id=1152966#c4 . A similar strategy would be to select the list of other addons that same machines have installed.


"If it looks like a duck and quacks like a duck" - ferguson missouri PD operations manual (2012)


Each copy has a mostly-random version number. There are thousands of different version numbers such as 1009.99.992. That can't happen by accident. It's probably to thwart the Firefox block list.

Mozilla is putting the bogus version numbers on the Firefox blocklist. When Firefox adds add-on signing soon, the bogus versions should stop working.

As yet, we haven't seen the actual fake add-on that's doing this. I'd like to know what the attack is doing, and how it gets installed.


I agree malware is a bridge too far. I thought firefox was building this walled garden and addon's needed to be signed. Has this not happened yet?


Firefox add-on signing is coming later in 2015, but the wall around the garden isn't complete yet. I just got an update from Mozilla; other add-on IDs are also being stolen.

[1] https://blog.mozilla.org/addons/2015/02/10/extension-signing...


Have you contacted Mozilla to see what they recommend in this type of scenario?


Yes. See

https://bugzilla.mozilla.org/show_bug.cgi?id=1152966

I put this on HN because somewhere there's probably somebody who's detected a security problem related to this and is trying to track it down.

A likely possibility is that it's some malware that's already on the Firefox blacklist[1], and they're trying to get past the blacklist by stealing the identity of a valid add-on.

[1] https://addons.mozilla.org/en-US/firefox/blocked/


>app

Really...


The rate of increase in users exceeds the number of downloads.

Looking at the other facts here makes this unlikely, but don't forget that users may be sharing the files somewhere else, so the actual number of users could far outnumber the number of downloads from the official site. Quite frankly I consider that a good thing, since I think users should be allowed to do that - and look on the bright side, your add-on would not be shared in such a fashion if users didn't like it.

Also, I wouldn't be hasty in calling this "malware"... perhaps it's a benevolent mod that someone did, and was shared it on a forum somewhere. I know that you likely don't approve of such a thing, but it's basically what the Android community does (share modded apps) and I don't think it's fundamentally bad; it's one of the reasons why I prefer it to a more walled-garden ecosystem. I say this from the perspective of both an author and user.


Along those same lines. It's been Grand Central in my house around 4 a.m. I can't trust my computer and am going to print the code. Scan the printed code. Have the code retyped on a new computer. Copy the code to a disk. Compare it against the original code on the original computer. Rinse, wash, repeat until the code matches. I live in an area I un-affectionately call "Spookville". Does anyone know of a service that does this? (I realize I can hire a temp.)


Sorry. S. Feibish.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: