2015-07-09

A strange Firefox extension…

About 1 year ago I wrote this, but only now I realized that I hadn't published it. So in case it helps someone googling for something similar…




Lately there have been news about Chrome extensions being bought out by spammers, adware-makers and other lowlifes, who get that way a direct plug into one’s browser.

And that reminded me of a strange extension I found in my Firefox. It’s called “Web Download Wizard Free”, has a version number of 4.1.6.0 and absolutly lacks any further identification (no link to Mozilla’s addons pages, no informative text, no preferences, no *nothing*). The icon is a green cube with a white arrow pointing down; I’d guess it’s some generic placeholder.

In my profile folder, the extension appears as {63106cc2-2e45-49c2-ba30-b585894150fb}.xpi.

Sounds nasty, doesn’t it? Enough so that I disabled it but did not remove it at once to better examine it at some other moment. Of course, I don’t remember having installed something like this. So my guess is that this was installed by some other extension or software, or that it started being another extension which later changed its name (is any of that possible?).

Well, I googled for “Web Download Wizard Free” weeks ago and I found absolutely nothing. How is that possible? Paranoic theory: the name sounds generic and nonsensical enough that it might have been generated randomly once it is installed. That way, googling for info or help has pretty limited usefulness.

Today I tried again, and only one result appeared, in a pastebin page which looked like the output of some “Farbar Recovery Scan Tool” http://pastebin.com/N3z50inC . This extension was in the middle of the extensions reported to that user. It had a different *.xpi name (but that might be normal), and didn’t seem singled out in any way.

I traced back that pastebin to some user asking for help in Avira’s forums, but ended up being a non-alarm.

So, which other extensions had this guy that I could have? There is one another UUID-filenamed extension, but apart from that, the only extension we have in common is “YouTube Unblocker”. In fact I no longer have that one because I uninstalled it long ago, since I wasn’t sure about what (and how) it was doing, nor how effective it was.

But I just created a new user and installed Youtube Unblocker in a virgin Firefox and nothing strange happened after a few minutes of poking it. So either there is some waiting before a payload is dropped, or that simply is not the vector.


… and that's the last I wrote. I remember I tried taking a look into the javascript, but I have no experience in there and the code seemed obfuscated IIRC. So finally I left if for later… and… well…

No comments

Post a Comment