That Nasty Firefox Extension

So there has been a lot of noise on the interwebs about this new “malware”/“virus”/“worm” that apparently no anti-virus software has been able to detect or remove recently. Last week I was infected with this nasty little thing and it was really starting to piss me off. I had been searching madly across the Internet (using cached search pages, a little workaround for this bug) to try and find the solution to this little issue. I also ran every piece of anti-malware and anti-virus software I have… which, by the way, is a lot.

After my holy trinity of virus-killing software (Malwarebytes, Avira, and CCleaner) found nothing numerous times, I was starting to get excessively frustrated. Then I came across forum posts from Firefox users who all had the same issues… It turned out this was a Firefox-specific problem (which of course I wouldn’t know, because I never use IE; I assumed the whole machine was infected).

One user (bless him) said that this was an extension-related issue: just find the extension folder that was modified around the date you noticed the infection and remove it. Restart Firefox and it works without the problems. Me and my curious self… decided that I wanted to look at the code of this little thing.

So I dug in and copied the XUL (XML User Interface Language) file and opened it to see the code. These files, as an aside, are used to change the user interface of Firefox, and are the reason that some extensions can make web pages change and do all the weird and cool things that we all seem to love… They are also the reason for my frustration over the past week.

So I opened the file and looked at the code, and it’s very simple actually… Here are a few lines:

var loc = window.location.href;  // URL of the page the user just loaded
var keyword, engine;             // search term and which engine it was typed into
if( loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)){
    keyword = RegExp.$1;         // the captured q= parameter
    engine = 'google';
//    } else if(loc.match(/search\.ua.+[&\?]q=([^&]*)/)){
//        keyword = RegExp.$1;
} else if ( loc.match(/search\.yahoo.*search.*[&\?]p=([^&]*)/)){
    keyword = RegExp.$1;         // Yahoo uses p= instead of q=
    engine = 'yahoo';
}

There are actually a number of blocks like this, one for each search engine: a simple regular expression against the current URL checks which engine you are on and pulls out the search term. If it matches, you get those random redirects to some adserver, then to a page of their choosing… I also found this little variable, which is apparently the server your requests are redirected to and rewritten by.

var __d = "http://v1.adwarefeed.com/ffjs.php?u=1145892647-2942932799-2535655826-377724549a=998&s=3&v=icv270109ff&e=";

I love the Internet, but I hate stuff like this being out there. Anyway, the removal instructions are simple:

1.) Go to: %Mozilla Firefox%\extensions\

2.) Delete the folder xxxxx, where xxxxx is something like {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} and has a modified date around the time you got infected.

3.) Restart Firefox, problem solved.
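Step 2 is the part that takes judgement, so here is a small triage script that does the date check and then greps each candidate folder for the two tell-tale patterns shown in the snippets above (the query-capture group and a hardcoded ".php?...u=" feed URL). This is an added example, not code from the post or from Mozilla; it assumes the usual extension layout (one GUID folder per extension, JS/XUL under it) and builds its own constructed sample tree with a placeholder feed host.

```python
import os, re, tempfile, time

# Markers lifted from the post's snippets: the query-capture group and a hard-
# coded ".php?...u=" feed URL. A hit means "read this file", not proof by itself.
MARKERS = [
    ("search-query capture", re.compile(re.escape("=([^&]*)"))),
    ("hardcoded feed url", re.compile(r"https?://[^\s\"']+\.php\?[^\s\"']*\bu=")),
]

def scan_extensions(ext_dir, modified_after):
    """{folder: [(relative file, marker)]} for folders modified after the cutoff."""
    findings = {}
    for name in sorted(os.listdir(ext_dir)):
        folder = os.path.join(ext_dir, name)
        if not os.path.isdir(folder) or os.path.getmtime(folder) < modified_after:
            continue  # untouched since before the infection date: skip it
        hits = []
        for root, _, files in os.walk(folder):
            for fn in files:
                if not fn.lower().endswith((".js", ".jsm", ".xul")):
                    continue
                path = os.path.join(root, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                hits += [(os.path.relpath(path, folder), label)
                         for label, rx in MARKERS if rx.search(text)]
        if hits:
            findings[name] = hits
    return findings

def build_sample_tree():
    """Constructed sample: an old benign extension plus a fresh one carrying the post's code."""
    base, now = tempfile.mkdtemp(prefix="ffext-"), time.time()
    samples = {  # guid -> (folder mtime, overlay.js contents); host is a placeholder
        "{GOOD-0000-0000-0000-000000000000}": (now - 30 * 86400,
            'document.getElementById("status").label = "ok";'),
        "{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}": (now, "\n".join([
            r"if( loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)){",
            r"    keyword = RegExp.$1; engine = 'google';",
            r"}",
            'var __d = "http://FEED-HOST.invalid/ffjs.php?u=PLACEHOLDER&e=";'])),
    }
    for guid, (mtime, js) in samples.items():
        content = os.path.join(base, guid, "chrome", "content")
        os.makedirs(content)
        with open(os.path.join(content, "overlay.js"), "w") as fh:
            fh.write(js)
        os.utime(os.path.join(base, guid), (mtime, mtime))  # folder mtime is the key
    return base, now - 7 * 86400  # cutoff: "about a week ago"
```

Point scan_extensions at your real extensions folder with the epoch time of when the redirects started and read the flagged files before deleting anything.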

And if you’re anything like me, look at the code for yourself and see exactly what it was doing… While nasty, it’s actually a pretty neat trick. Useful if you want to, say… spy on someone using your internets. Oh, change your passwords if you’ve used any while infected. Can never be too safe.

3 Responses to That Nasty Firefox Extension

  1. This post is exactly what I’ve been looking for. Thank you very much for all the extra info.

  2. Al Green says:

    The culprit is when the malicious “Seneka” settles in. Thank you very much for your information, I needed it.

  3. devnullworld says:

    Thanks a million times
    😀
