
Support Forum

This thread was archived. Please ask a new question if you need help.

Trojan Horse installed with firefox

Posted

I installed Firefox 59.0.2 tonight, and was alerted that a Trojan Horse was installed with the crash installer app. ClamXav's Clam Sentry alerted me—and yes, the definitions are updated daily.

Link to installer: https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/mac/en-GB/Firefox%2059.0.2.dmg

Is this a new false-positive? Clam Sentry alerted it as a LIVE virus, so it wouldn't allow me to quarantine it—delete only.


I deleted everything, but pulled this from Console:

/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/crashreporter.icns: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/_CodeSignature: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/crashreporter.ini: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/English.lproj/MainMenu.nib/classes.nib: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/_CodeSignature/CodeResources: OK

Checking {

   MallocNanoZone = 0;

}

for pattern .*

/Applications/Firefox.app/Contents/Info: Trojan.OSX.Flashback FOUND Live Infections Found: 1 Checking {

   MallocNanoZone = 0;

}

for pattern .*

/Applications/Firefox.app/Contents/Info: Trojan.OSX.Flashback FOUND Live Infections Found: 1

System: OS X 10.9.2

Full download and install of 59.0.2, not an update.


Additional System Details

Installed Plug-ins

  • Adobe® Acrobat® Plug-in for Web Browsers, Version 15.008.20082
  • Creative Cloud Desktop Plugin.v_3_0_0_0
  • detect the version of extension manager
  • Plugin that detects installed Citrix Online products (visit www.citrixonline.com).
  • Coupons Inc., Coupon Printer
  • Provides information about the default web browser
  • DivX Plus Web Player version 2.2.1.2
  • DivX VOD Helper Plug-in
  • The Flip4Mac WMV Plugin allows you to view Windows Media content using QuickTime.
  • Version 5.41.3.0
  • Displays Java applet content, or a placeholder if Java is not installed.
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages. For more information, visit the QuickTime Web site.
  • Microsoft Office for Mac SharePoint Browser Plug-in
  • Shockwave Flash 29.0 r0
  • Skype Web Plugin 7.32.6.278

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko/20100101 Firefox/47.0

More Information

Happy112 561 solutions 5694 answers
Posted

Hi,

It's best to download Firefox from here :

https://www.mozilla.org/en-US/firefox/all/?q=English%20(British)


Question owner

Sorry, to clarify, I downloaded FF from mozilla.org and the installer link I included earlier is the same as the one I got just now from the link you sent—thanks anyhow.

I think the page my download originated from was the page that has all of the latest versions of FF.

The resulting download is the same, though: https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/mac/en-GB/Firefox%2059.0.2.dmg

cor-el
  • Top 10 Contributor
  • Moderator
17334 solutions 156710 answers
Posted

Helpful Reply

Downloads from the Mozilla CDN server should be fine.

You can verify the file by using the KEY and checksum file.

  • https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/
  • How to use the SHA512SUMS.ASC: /questions/1020249
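The verification cor-el describes, written out as an added example that is not from this thread or from Mozilla: a POSIX shell script that checks a downloaded Firefox .dmg against the release's SHA512SUMS file, and checks the SHA512SUMS.asc signature against the release KEY file inside a throwaway GnuPG home so the key never touches the user's own keyring. The file names KEY, SHA512SUMS and SHA512SUMS.asc are the ones in the 59.0.2 release directory linked above; the entry path "mac/en-GB/Firefox 59.0.2.dmg" is an assumption about how the en-GB macOS build is listed in SHA512SUMS, and the "hash, two spaces, path" line layout is likewise assumed.

```shell
#!/bin/sh
# Added example (not from the thread or from Mozilla): verify a Firefox .dmg
# against the release's SHA512SUMS file and check that file's PGP signature.
# Assumed layout of a release directory such as
# https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/ :
#   KEY            - Mozilla's release-signing public key
#   SHA512SUMS     - "<sha512>  <path>" lines, e.g. "...  mac/en-GB/Firefox 59.0.2.dmg"
#   SHA512SUMS.asc - detached signature over SHA512SUMS

# Print the expected SHA-512 for one entry path, matching the path exactly
# (a plain substring grep would also match other entries whose path ends
# the same way, e.g. a differently named build directory).
expected_sha512() {
  # $1 = SHA512SUMS file, $2 = entry path exactly as listed in it
  awk -v want="$2" '{
      h = $1; rest = $0
      sub(/^[^ ]+ +\*?/, "", rest)     # drop hash, spaces and any "*" binary marker
      if (rest == want) { print h; exit }
  }' "$1"
}

# SHA-512 of a local file; most Linux systems ship sha512sum, macOS ships shasum.
local_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{ print $1 }'
  else
    shasum -a 512 "$1" | awk '{ print $1 }'
  fi
}

# Compare the listed and computed digests. Returns 0 on match, 1 on mismatch,
# 2 when the sums file has no entry for the path (a missing entry is never "OK").
verify_download() {
  # $1 = SHA512SUMS file, $2 = entry path, $3 = downloaded file
  want=$(expected_sha512 "$1" "$2")
  if [ -z "$want" ]; then
    echo "no entry for '$2' in $1" >&2
    return 2
  fi
  have=$(local_sha512 "$3")
  if [ "$want" = "$have" ]; then
    echo "OK: $3 matches SHA512SUMS entry for '$2'"
    return 0
  fi
  echo "MISMATCH: $3 (expected $want, got $have)" >&2
  return 1
}

# Check SHA512SUMS.asc against KEY in a throwaway GnuPG home. Without this step
# a tampered mirror could serve a matching SHA512SUMS next to a tampered .dmg,
# and the digest comparison alone would pass.
verify_sums_signature() {
  # $1 = KEY file, $2 = SHA512SUMS.asc, $3 = SHA512SUMS
  tmp_home=$(mktemp -d) || return 2
  GNUPGHOME="$tmp_home" gpg --batch --quiet --import "$1" \
    && GNUPGHOME="$tmp_home" gpg --batch --verify "$2" "$3"
  rc=$?
  rm -rf "$tmp_home"
  return $rc
}

# Usage, after fetching KEY, SHA512SUMS, SHA512SUMS.asc and the .dmg into one directory:
#   verify_sums_signature KEY SHA512SUMS.asc SHA512SUMS \
#     && verify_download SHA512SUMS "mac/en-GB/Firefox 59.0.2.dmg" "Firefox 59.0.2.dmg"
```

Run the signature check first and the digest check second; a clean digest match against an unverified SHA512SUMS only proves the two files came from the same place, not that the place was Mozilla. A scanner hit on a file that passes both checks points at the scanner's signature, which is what the rest of this thread concludes.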
Happy112 561 solutions 5694 answers
Posted

VanessaKing said

I think the page my download originated from was the page that has all of the latest versions of FF.

So does this page :

https://www.mozilla.org/firefox/all/

I just thought I'd make it easier on you by selecting your language ......


Question owner

Thanks… No, it's another page, close but:

https://www.mozilla.org/en-US/firefox/releases/

Happy112 561 solutions 5694 answers
Posted

VanessaKing said

Thanks… No, it's another page, close but: https://www.mozilla.org/en-US/firefox/releases/

Nothing wrong with that page.

But if it would set your mind at ease, maybe you could uninstall the previously downloaded version and download from here :

https://www.mozilla.org/en-US/firefox/all/?q=English%20(British)

And/or maybe contact ClamXAV Sentry Support :

https://www.clamxav.com/support/


Question owner

I'm way ahead of you. I uninstalled it immediately after getting the alert and I've opened a ticket with ClamXav.

I'll update this when I hear back, thanks.

cosmo13 0 solutions 4 answers
Posted

Any update on this? Same issue only macOS 10.13.4 and Firefox 59.0.2. ClamXAV v2.18.1/0.100.0 (3610)

However, the machine I am on now with all of the above info has indicated nothing, but when I run the commands on it to detect the so-called Flashback Trojan, I receive the following:

Mac-Pro:~ pil13$ defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
{
    MallocNanoZone = 0;
}
Mac-Pro:~ pil13$

Do you know if this indicated another issue, or if this is common in Firefox?

I have contacted ClamXAV as well, but want to know why Firefox is showing this response, so I posted it here.

jscher2000
  • Top 10 Contributor
8568 solutions 70051 answers
Posted

When I download the .dmg file and submit it to VirusTotal it tests clean:

https://www.virustotal.com/#/file/642a87311a0f264a165c41a3599c681e7272c2dc43a3c1f71ea632223f9a5ad5/detection

However, I didn't extract it because I'm on Windows...

cosmo13 0 solutions 4 answers
Posted

Thanks Jefferson. Just an odd thing to show up after all these years and out of the blue. Still waiting for ClamXAV to comment.

Tonnes
  • Locale Leader
246 solutions 1454 answers
Posted

My bet is it’s a false positive, yet caused by one Firefox file as confirmed / suggested in this thread: https://macintouch.com/forums/showthread.php?tid=522&pid=33038#pid33038

"This was caused by the Firefox developers leaving a setting enabled in one of the files embedded within the Firefox.app itself. [...] The developer has pushed out a fix via virus defs. Just update your virus definitions which will prevent the detection from recurring."

As you update your virus definitions daily, how about commenting in that thread?

Modified by Tonnes

cosmo13 0 solutions 4 answers
Posted

Thanks Tonnes, yes, updated every day.


Question owner

I'm still waiting for more detail from ClamXav, too. The definitions should be the same—even if I am using an older version—but I asked them, to be sure, and am waiting to hear back.

Shadow110 1072 solutions 14836 answers
Posted

VanessaKing said

I'm still waiting for more detail from ClamXav, too. The definitions should be the same—even if I am using an older version—but I asked them, to be sure, and am waiting to hear back.

Hi, FYI: if you upload the file to https://www.virustotal.com/ it is scanned by 65 anti-virus engines including ClamAV. You can also scan URLs as well; it has a Search Feature.

cosmo13 0 solutions 4 answers
Posted

Hi Pkshadow.... Thanks for the tip. I will look into it.

Tonnes
  • Locale Leader
246 solutions 1454 answers
Posted

Fwiw and as said, it’s most likely a(nother) false positive by ClamXav probably not worth worrying about. Scan results from other sources as reported above as well as the Firefox installer being downloaded from the original and trusted (Mozilla) source should indicate that. Moreover, I find 5000+ results when searching for ClamXav and "false positive" (https://www.google.com/search?hl=en&q=clamxav+%22false+positive%22&oq=clamxav+%22false+positive%22), so this issue doesn’t seem to be entirely new.

I do appreciate the TS wants to hear back from ClamXav of course, but IMO reports by any antivirus product or its vendor should never prevail just because it’s paid software. The same goes for issues when running with Firefox and such products - some users even refuse to disable their security software in order to do some proper troubleshooting, only because they paid for it. Not good.