Bug 513570 (Open) - malware attacks on search - FFsearcher/Nine-Ball, Trend Micro report on TSPY_EBOD.A
Opened 15 years ago, updated 2 years ago
Categories: Firefox :: Security, defect
Status: NEW
People: Reporter chofmann, Unassigned
References: Blocks 1 open bug
Keywords: user-doc-complete
Reported at
http://news.softpedia.com/news/Click-Fraud-Malware-Hides-as-Firefox-Extension-120430.shtml
A support article might be the only defense on this one. We should check the possibility of blocking.
From the article:
Dubbed Trojan.PWS.ChromeInject by BitDefender researchers, the malicious extension was being deployed without the users' consent by other malware already present on the infected computers. In comparison, this new Firefox threat, which Trend Micro calls TSPY_EBOD.A, is using social engineering to trick users into installing it.
The extension is being offered on various forums via JavaScript as an Adobe Flash Player update. Once installed, it appears in the Add-ons Management window under the Extensions tab as "Adobe Flash Player 0.2." It is worth noting that the real Flash Player add-on for Firefox is actually a plug-in, which is listed under the Plugins tab as "Shockwave Flash [version number]."
This new piece of malware is actually a click fraud trojan, which injects ads into Google search-result pages. When these ads are clicked, the trojan's authors are receiving a small fee from the advertising network supplying them. Back in July, we reported about a similar trojan, which hijacked queries performed through the default search boxes in Internet Explorer and Firefox and routed them through a custom Google search widget.
Trend Micro analysts note that the rogue extension is also monitoring and intercepting all Google searches performed with Firefox and uploads the captured data to a remote server. This is probably done in order to establish some search trends for the victims and subsequently serve them with ads, which they are more likely to click on.
Updated 15 years ago by Reporter:
Blocks: malware-attacks
Updated 15 years ago by Reporter:
Keywords: user-doc-needed
Comment 1, 15 years ago (Reporter):
ss, kev, any contacts at Trend Micro that might be able to get us a copy of this?
A quick scan of crash data doesn't produce anything that we might be able to use to identify and block.
Comment 2, 15 years ago (Reporter):
FFSearcher started doing attacks on search back in July as well, when being delivered as part of Nine-Ball:
http://news.softpedia.com/news/Nine-Ball-Distributes-Complex-Click-Fraud-Trojan-115677.shtml
Comment 3, 15 years ago (Reporter):
More on Nine-Ball here:
http://securitylabs.websense.com/content/Alerts/3421.aspx
http://voices.washingtonpost.com/securityfix/2009/06/ffsearcher_a_stealthy_evolutio.html
Summary: Trend Micro report of TSPY_EBOD.A attacks on search → malware attacks on search - FFsearcher/Nine-Ball , Trend Micro report on TSPY_EBOD.A
Here is the trend micro report: http://blog.trendmicro.com/firefox-addo-spies-on-google-search-results/
and details: http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FEBOD%2EA&VSect=P
I can't find the extension ID anywhere though.
Comment 6, 15 years ago (Reporter):
kurt, thanks for the follow-up research. From that Trend Micro report it sounds like TSPY_EBOD.A consists of JS component files used for information theft. However, this JavaScript requires other components in order to run properly.
So we won't be able to block that file directly, but we might be able to block the process that runs or initiates the loading of that JS if we can figure that out.
Comment 7, 15 years ago (Reporter):
The guidance given by Trend Micro is to:
Step 1: Close all opened browser windows
Step 2: Remove malware files related to JS_EBOD.A
We could also look at some future enhancement to the blocking system to perform steps to clean off evil JS scripts that get dumped on users' systems, but that would be beyond the scope of this bug.
Until then those two steps could go in the support page for this attack.
Comment 8, 15 years ago:
(In reply to comment #6)
> kurt, thanks for the follow up research. from that trend micro report it
> sounds like TSPY_EBOD.A. are js component files used information theft.
> However, this javascript requires other components in order to run properly.
> So we won't be able to block that file directly, but we might be able to block
> the process that runs or initiates the loading of that JS if we can figure that
> out.
But blocking the extension itself would keep Firefox from running the code, as it sounds like the fake extension runs the code when a search is done (I'm assuming through the search bar).
Comment 9, 15 years ago:
(In reply to comment #8)
> (In reply to comment #6)
> > kurt, thanks for the follow up research. from that trend micro report it
> > sounds like TSPY_EBOD.A. are js component files used information theft.
> > However, this javascript requires other components in order to run properly.
> > So we won't be able to block that file directly, but we might be able to block
> > the process that runs or initiates the loading of that JS if we can figure that
> > out.
> But blocking the extension itself would keep Firefox from running the code as
> itsounds like the fake extension runs the code when a search is done (I'm
> assuming through the search bar).
I'm basing this on, "The said add-on injects ads into the user’s Google search results pages. More disturbing, however, is its capability to monitor the user’s browsing activities, particularly his/her Google search queries using the Firefox browser. It then sends the information it gathers to http://{BLOCKED}jupdate.com."
Comment 10, 15 years ago:
I'm trying to follow up with Jonathan from Trend to get more information. If
the extension guid stays constant it can be blocked, but as soon as we start
that, I'm betting we'll start seeing dynamically generated guids. More to come when I have more info.
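The comment above weighs a block keyed on the extension GUID against the likelihood that the malware will start regenerating its GUID per install. The following is an added example, not code from this bug or from Firefox's blocklist implementation, that shows the difference in code: a tiny add-on blocklist matcher with two rule styles, one matching only on the exact add-on ID and one matching on the displayed name ("Adobe Flash Player 0.2" per the description) plus a version range. The rule shape, the GUIDs, the sample add-on list and the version-range semantics are all this example's own assumptions; the real TSPY_EBOD.A extension ID was never found in this bug.

```javascript
// Added example (not from the bug or from Firefox). A minimal add-on blocklist
// matcher showing why a GUID-only block misses an install whose GUID was
// regenerated, while a name+version rule still catches it.
// Every ID, name and version below is constructed sample data.

// Blocklist entry shape (this example's own, not Firefox's blocklist.xml):
//   id          - exact add-on ID to block, or null
//   namePattern - regex tested against the add-on's display name, or null
//   minVersion / maxVersion - inclusive dotted version range; "*" = no upper bound
const BLOCKLIST = [
  // GUID-only rule, keyed on a placeholder GUID (assumed, not the real one).
  { id: "{11111111-2222-3333-4444-555555555555}", namePattern: null,
    minVersion: "0", maxVersion: "*" },
  // Name+version rule: the fake extension shows up as "Adobe Flash Player 0.2"
  // under the Extensions tab; the real Flash is a plug-in under Plugins.
  { id: null, namePattern: /^Adobe Flash Player \d+\.\d+$/,
    minVersion: "0", maxVersion: "0.9" },
];

// Compare two dotted version strings numerically; "*" sorts above everything.
function compareVersions(a, b) {
  if (a === "*" && b === "*") return 0;
  if (a === "*") return 1;
  if (b === "*") return -1;
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return the first blocklist rule matching an installed add-on, or null.
// A rule matches if its id OR its namePattern matches, and the add-on's
// version falls inside [minVersion, maxVersion].
function matchBlocklist(addon, rules = BLOCKLIST) {
  for (const rule of rules) {
    const idMatch = rule.id !== null && rule.id === addon.id;
    const nameMatch = rule.namePattern !== null && rule.namePattern.test(addon.name);
    if (!idMatch && !nameMatch) continue;
    if (compareVersions(addon.version, rule.minVersion) < 0) continue;
    if (compareVersions(addon.version, rule.maxVersion) > 0) continue;
    return rule;
  }
  return null;
}

// Constructed sample of what the Add-ons Manager's Extensions tab might list:
// the original GUID, a second install with a regenerated GUID, and a benign add-on.
const INSTALLED = [
  { id: "{11111111-2222-3333-4444-555555555555}", name: "Adobe Flash Player 0.2", version: "0.2" },
  { id: "{deadbeef-0000-0000-0000-000000000001}", name: "Adobe Flash Player 0.2", version: "0.2" },
  { id: "someaddon@example.org", name: "Some Legit Add-on", version: "1.0" },
];

// IDs of all installed add-ons that any rule blocks.
function blockedIds(installed = INSTALLED, rules = BLOCKLIST) {
  return installed.filter(a => matchBlocklist(a, rules) !== null).map(a => a.id);
}

// How many installed add-ons each rule style catches on its own.
function coverage(installed = INSTALLED, rules = BLOCKLIST) {
  const guidOnly = rules.filter(r => r.id !== null);
  const nameBased = rules.filter(r => r.namePattern !== null);
  return {
    guidOnly: installed.filter(a => matchBlocklist(a, guidOnly) !== null).length,
    nameBased: installed.filter(a => matchBlocklist(a, nameBased) !== null).length,
  };
}

console.log("blocked:", blockedIds());
console.log("coverage by rule style:", coverage());
```

Running it blocks both "Adobe Flash Player" entries but only one of them via the GUID rule; the regenerated GUID is caught solely by the name+version rule. The trade-off is false positives: a name pattern this broad would also hit any legitimately named extension in that version range, so a real rule would want an additional discriminator (install source, file hashes, or the loaded JS components Trend describes) before shipping.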
Comment 11, 15 years ago:
(In reply to comment #10)
> I'm trying to follow up with Jonathan from Trend to get more information. If
> the extension guid stays constant it can be blocked
Any update here?
Comment 12, 15 years ago:
Re: user-doc-needed
I've made an edit to <https://support.mozilla.com/en-US/kb/*Is+my+Firefox+problem+a+result+of+malware?bl=n>. Just waiting for someone to review it.
Comment 13, 15 years ago:
It was approved. You should be able to see the changes now.
Keywords: user-doc-needed → user-doc-complete
Updated 2 years ago:
Severity: normal → S3