Vietnamese Firefox 2 users were given malicious content
About 17,000 users of Vietnamese-language Firefox may have been wondering why their systems have kept pulling up video game cheat Web sites at random for the past two months. But Mozilla didn't know what was up until last Tuesday.
The executable code for a Vietnamese language pack for Firefox 2 was the apparent victim of a virus located on the hard drive of its sole author. As a result, Windows Firefox users with the Vietnamese language pack have been victims of malicious page redirects, apparently since last February.
The Firefox 2 Vietnamese language pack does not actually contain a virus itself, Mozilla learned yesterday upon realizing what was going on. But the malicious payload users did receive was produced by the Xorer virus, which had infected the system of language pack author Jasper Thai. For a while at least, Mozilla officials investigated whether Thai himself was the author of the malicious redirects.
As a Bugzilla tracking forum indicates, the problem was discovered on Tuesday when the language pack did test positive for the presence of the Xorer virus. Developer Hai-Nam Nguyen reported the discovery at about 1:00 pm PDT that day, but by 2:00, Nguyen had learned that code impacted by the virus could still register a positive signature without actually containing the virus itself. Mozilla officials acted promptly and disabled download of the language pack from its servers.
So the Xorer virus cannot spread from users of impacted systems, and the term "infected" may therefore be inaccurate. Still, records from security vendor McAfee's files indicate that programs impacted by the virus do redirect users to game cheat Web sites.
And since another direct impact on infected systems like Thai's, according to McAfee, is the deletion of certain Windows Registry keys such as ...\CurrentVersion\Run, it remains curious why Thai hadn't reported the problem earlier. In fact, just yesterday, Thai posted a fresh link to his project on Sourceforge -- as opposed to Mozilla's servers -- along with a positive-sounding message that translates in English to, "At present / Busy busy tamarind tree!"
Thai's first acknowledgement of the problem came at 5:00 am this morning. "Sorry for the inconvenient!" he wrote. "I've found that translated help files was modified by a virus, come from China. I'm so busy these days, but I've cleaned up malicious code. The new fresh pack coming soon. Thanks!"
The fact that it took over two months for the problem to be discovered, even though Mozilla's servers are supposedly checked for viruses regularly, has the group's developers and administrators baffled and searching for solutions. In response to one forum question over whether systems should be re-scanned once new virus definitions are published, Mozilla developer Dave Miller responded, "Ideally, yes, except that we get new definitions on average every 6 hours or so and it takes over a week to virus scan the entire ftp server. Getting monthly scans is in the plan for the new stage server once we get it working."