Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Cuireadh an snáithe seo sa chartlann. Cuir ceist nua má tá cabhair uait.

Possible corrupted/fake Firefox Browser installer

  • 13 freagra
  • 0 leis an bhfadhb seo
  • 95 views
  • Freagra is déanaí ó JungleEskimo

more options

I think I may have downloaded and installed a fake/malicious application that looks/acts like a Firefox Browser installer. I noticed a lot of suspicious activity on my personal/work computer that led me to suspect my internet router was compromised. I work from home sometimes and I may have been tricked into downloaded and installing a malicious version of Firefox.

I suspect this Firefox installer is different because this installer is capable of circumventing the safeguards placed on my work laptop. My work laptop is managed by a university and I require an administrator's credentials in order to install/uninstall any programs, change/view any environment settings, or even open up and view task manager. This process entails actually having an administrator remote into my laptop, take remote control, enter their credentials, and ensure the installer completes.

So far, this unusual Firefox installer is the only installer capable of bypassing these security hurdles. And it does not detect any existing versions of Firefox to prompt an uninstaller before re-installing. The installer's visuals/progress bar appears to be a scripted animation.

I still have the installer in question saved on my computer and I'm not sure what to do with it. I'd like to find out more about it but I'm not sure how to go about it.

I think I may have downloaded and installed a fake/malicious application that looks/acts like a Firefox Browser installer. I noticed a lot of suspicious activity on my personal/work computer that led me to suspect my internet router was compromised. I work from home sometimes and I may have been tricked into downloaded and installing a malicious version of Firefox. I suspect this Firefox installer is different because this installer is capable of circumventing the safeguards placed on my work laptop. My work laptop is managed by a university and I require an administrator's credentials in order to install/uninstall any programs, change/view any environment settings, or even open up and view task manager. This process entails actually having an administrator remote into my laptop, take remote control, enter their credentials, and ensure the installer completes. So far, this unusual Firefox installer is the only installer capable of bypassing these security hurdles. And it does not detect any existing versions of Firefox to prompt an uninstaller before re-installing. The installer's visuals/progress bar appears to be a scripted animation. I still have the installer in question saved on my computer and I'm not sure what to do with it. I'd like to find out more about it but I'm not sure how to go about it.

All Replies (13)

more options

Where did you download your FireFox from?

more options

I downloaded the installer from the Firefox website.

I was able to recreate the behavior by following these steps:

and the installer I received behaved just as I described. I can't seem to upload any of the screenshots I took to capture my screen during these steps. But there's nothing different or unusual in those screenshots.

I'm not doing anything differently from how I normally installed firefox on my computer for the past several years. Everything looks and feels the same, but something feels strange in regards to the actual installer.

In the Firefox installer's "Properties" box - under "Details" - it shows the following fields:

Type: Application File Version: 18.5.0.0 Product Name: Firefox Product Version: 18.05 Copyright: Mozilla Size: 342 KB Date modified: 7/16/2022 Language: English (United States) Original Filename: 7zS.sfx.exe

and under "Digital Signatures" - in the "Certificate" box - under "Details" - it shows a lot of fields and I'm not sure what they mean but there's a couple fields in particular that could be relevant:

Version: V3 Serial Number: 0c1cd3eea47edda7a032573b014d0afd Valid From: ‎Thursday, ‎April ‎8, ‎2021 8:00:00 PM Valid To: ‎Wednesday, ‎June ‎19, ‎2024 7:59:59 PM Thumbprint: 1326b39c3d5d2ca012f66fb439026f7b59cb1974

Athraithe ag JungleEskimo ar

more options

I don't know if this is relevant but I took another look at Firefox's properties -> shortcut:

Target type: Application Target Location: Mozilla Firefox Target: [ "C:\Users\jue287\AppData\Local\Mozilla Firefox\firefox.exe" ] [ C:\Users\jue287\AppData\Local\Mozilla Firefox\firefox.exe.sig ]

Start in: "C:\Users\jue287\AppData\Local\Mozilla Firefox" Shortcut Key: None Run: Normal Window Comment:

The brackets represent the dropdown options for that field. I looked up what a .sig file extension was and it's a text file that can be automatically attached to the end of emails.

I'm not sure if that's how Firefox is supposed to work, but I also know nothing about the browser's settings/configuration.

more options

What suspicious activity are you seeing?

Upload the installer to virustotal.com -- see if it flags for anything.

more options

avelor said

What suspicious activity are you seeing? Upload the installer to virustotal.com -- see if it flags for anything.

The suspicious activity is detailed above in my first post. However, the fact it can blow through my laptop's security safeguards like that is the only truly obvious sign of suspicion, and anything else could have been my perception or just general paranoia.

I uploaded both the firefox installer and the firefox shortcut through VirusTotal and here are my results:

installer: https://www.virustotal.com/gui/file/fcd5904992ebb9416b1b32bb73b4fe9a4cfe1ce2615eeaf001751f966470fb52/detection

shortcut: https://www.virustotal.com/gui/file/b101859a33b07bc3270dc58a5270e9d574f4bdc655e57ed68b7b78e93b1abf02/community

it seems likely this is malware that's been only recently identified.

more options

Something doesn't sound right in this post.

more options

I just ran a bunch of other files from my work laptop (a university laptop) through VirusTotal and FileShare.io. I found a lot of files from windows/system32 and some other icons/programs that are highly likely to be malicious/suspicious.

I'm not sure if it's because my laptop is running the Educational version of windows but the virus scan reports keep confirming my suspicion that my laptop has been compromised. It may have been compromised for a long time. I just never noticed anything weird until I started looking around the file directory and viewing system settings.

Basically, there's some odd behavior that I've only ever seen on this laptop.

more options

JungleEskimo said

uploaded both the firefox installer and the firefox shortcut through VirusTotal and here are my results: installer: https://www.virustotal.com/gui/file/fcd5904992ebb9416b1b32bb73b4fe9a4cfe1ce2615eeaf001751f966470fb52/detection it seems likely this is malware that's been only recently identified.

That installer you uploaded is just a small online stub installer as the actual setup is at https://www.mozilla.org/firefox/all/#product-desktop-release as it is listed on https://www.mozilla.org/firefox/new/ at Download options and other languages link.

The virus total shows the stub you uploaded is clean.

The Cylance allegedly having a unsafe result means nothing as they give a false positive way too frequently over the years on virustotal, more so with the stub and not as often with the offline setup.

If there was indeed malware in recent Firefox release for Windows, then it would be both a first and a Hot topic here and elsewhere for the last couple days.

I uploaded the Firefox 103.0 en-US setup at virus total and it was 100% clean. https://www.virustotal.com/gui/file/f9282e624b7ff3758df98d15ac7b6ba3b9aa7020ca1bbd69c13ae3b22aab29c4

Athraithe ag James ar

more options

So your only concern is that it is able to install without your organization approving of it? This sounds like a question for your company as they are the ones that control what happens with your security policies.

The installer you uploaded is legit and isn't a virus/malware. Your computer may or may not be compromised (no way for us to know without a lot more information), but that Firefox installer didn't have anything to do with it.

more options

James said

JungleEskimo said

uploaded both the firefox installer and the firefox shortcut through VirusTotal and here are my results: installer: https://www.virustotal.com/gui/file/fcd5904992ebb9416b1b32bb73b4fe9a4cfe1ce2615eeaf001751f966470fb52/detection it seems likely this is malware that's been only recently identified.

That installer you uploaded is just a small online stub installer as the actual setup is at https://www.mozilla.org/firefox/all/#product-desktop-release as it is listed on https://www.mozilla.org/firefox/new/ at Download options and other languages link.

The virus total shows the stub you uploaded is clean.

The Cylance allegedly having a unsafe result means nothing as they give a false positive way too frequently over the years on virustotal, more so with the stub and not as often with the offline setup.

If there was indeed malware in recent Firefox release for Windows, then it would be both a first and a Hot topic here and elsewhere for the last couple days.

I uploaded the Firefox 103.0 en-US setup at virus total and it was 100% clean. https://www.virustotal.com/gui/file/f9282e624b7ff3758df98d15ac7b6ba3b9aa7020ca1bbd69c13ae3b22aab29c4

Were you able to check out the results for the shortcut itself? It shows nothing for anti-virus/malware applications but there's a flag in the community tab.

more options

avelor said

So your only concern is that it is able to install without your organization approving of it? This sounds like a question for your company as they are the ones that control what happens with your security policies. The installer you uploaded is legit and isn't a virus/malware. Your computer may or may not be compromised (no way for us to know without a lot more information), but that Firefox installer didn't have anything to do with it.

Thank you for looking into this guys,

I am not accusing Firefox of releasing malware. I know for a fact my home router has been compromised because someone was able to set up another wifi network on my router (in what i suspect to be bridging mode) and created a wifi network name using some of my personal information. I know because that suspicious wifi network disappears when I unplug my router; reappears when I power on my router; it persists even if I reset my router; the questionable wifi network only appears when I am in close proximity to my router. But that is a different issue I am dealing with.

And yes, my concern is I am able to run this Firefox installer without my organization approving it. I don't believe this is a one-off glitch that has to do with security policies. I have found other likely pieces of malware on my computer that originated from another computer.

I don't know how my organization is supposed to respond when I tell them that their security policies are allowing one rogue firefox installer to blast through all the prompts to enter in admin credentials. The most I can expect is they would tell me there's nothing wrong with their security policies and that everything else seems to be working fine. I showed this to an IT professional who said it was weird and thought nothing more of it. No one knows why this installer behaves this way, and no one can explain it. But it doesn't affect them, nor me, in any salient way so it seems easy to dismiss.

I do not know what is going on here, but I believe in erring on the side of caution. I know there's something going on but I don't know enough by myself, and I really need more options to explore rather than being told this isn't a Firefox problem. If this is capable of affecting more Firefox users, then it would be irresponsible to dismiss it without approaching it as though it could contain hidden malware.

Athraithe ag JungleEskimo ar

more options

Sounds like you definitely have some funky things going on with your network/computer, but that is beyond the scope of this forum. You can read up more on the installer here.

Athraithe ag avelor ar

more options

avelor said

Sounds like you definitely have some funky things going on with your network/computer, but that is beyond the scope of this forum. You can read up more on the installer here.

Thanks for the info, and you're right... I kinda have problems beyond the scope of this forum. Could I upload my firefox installer somewhere to some sort of Firefox malware repository? I'd like to record/document this in some way, in case I found an unsanctioned version of Firefox from using a compromised router.

P.S. I am in the process of replacing my router, but I wanted to find out as much as possible before replacing a router that may contain evidence of a cybercrime. If I can collect enough evidence and find out who broke into my router I may actually be able to legally do something for the person responsible.