Someone is distributing fake versions of my app with malware
The rate of increase in users exceeds the number of downloads. At first I thought Mozilla's statistics system was broken. But that's not the problem.[2] Someone is apparently distributing some form of malware which seems to be impersonating Ad Limiter. They're using Ad Limiter's Mozilla AMO ID number, but a random version number. (Real version numbers are 1.3 to 2.0. Fake version numbers range from 2.17.71 to 1009.99.992. All bogus versions have three-number versions, while all legitimate versions have two-number versions.
All this is inferred from Firefox statistics logging. We haven't seen the actual malware yet. If anyone has a copy of Firefox with Ad Limiter installed, and the version isn't between 1.3 and 2.0, we'd really like to see it. Please save a copy of the Firefox add-ons directory before deleting the bogus add-on, and send a copy of the bogus add-on to "info@sitetruth.com". We want to see what this malware is doing in our name. Thanks.
[1] https://addons.mozilla.org/en-US/firefox/addon/ad-limiter/ [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1152966
21 comments
[ 3.9 ms ] story [ 65.0 ms ] threadhttps://bugzilla.mozilla.org/show_bug.cgi?id=1152966
I put this on HN because somewhere there's probably somebody who's detected a security problem related to this and is trying to track it down.
A likely possibility is that it's some malware that's already on the Firefox blacklist[1], and they're trying to get past the blacklist by stealing the identity of a valid add-on.
[1] https://addons.mozilla.org/en-US/firefox/blocked/
[1] https://blog.mozilla.org/addons/2015/02/10/extension-signing...
Mozilla is putting the bogus version numbers on the Firefox blocklist. When Firefox adds add-on signing soon, the bogus versions should stop working.
As yet, we haven't seen the actual fake add-on that's doing this. I'd like to know what the attack is doing, and how it gets installed.
They don't know not to copy/paste someone else's ID, yet their add-on has become more popular than OP's overnight?
Malware is not "a bridge too far". If it looks like a duck and quacks like a duck...
OP: ask Mozilla staff to comb their incoming stats logs for IPs suspected of infection then search Spamhaus, RBL type databases for matches. If the malware is spread via email, you might find a copy of it that way.
This comment is insightful: https://bugzilla.mozilla.org/show_bug.cgi?id=1152966#c4 . A similar strategy would be to select the list of other addons that same machines have installed.
Another place you might be able to reach out to are AV vendors like Kaspersky. From what I understand they index and hash nearly every file on a users computer to compare to a master database. Maybe you can ask them to search for a file name and where it occurs geographically.
I wonder if someone is trading warez in exchange for installing a "free ad blocker!" (your addon converted to malware). I've seen things like that before.
Looking at the other facts here makes this unlikely, but don't forget that users may be sharing the files somewhere else, so the actual number of users could far outnumber the number of downloads from the official site. Quite frankly I consider that a good thing, since I think users should be allowed to do that - and look on the bright side, your add-on would not be shared in such a fashion if users didn't like it.
Also, I wouldn't be hasty in calling this "malware"... perhaps it's a benevolent mod that someone did, and was shared it on a forum somewhere. I know that you likely don't approve of such a thing, but it's basically what the Android community does (share modded apps) and I don't think it's fundamentally bad; it's one of the reasons why I prefer it to a more walled-garden ecosystem. I say this from the perspective of both an author and user.
Have you considered adding "malware" to your app? Maybe that would help it be more popular.
https://addons.mozilla.org/en-us/firefox/addon/flashblock/st...
(The human-readable statistics just say "Invalid"; you have to look at the raw JSON to see the bogus versions.)
I started writing a program in Go to find other examples, used Flashblock as the first test case, and got a hit. Not looking good.
Really...