Trojan Horse installed with firefox
I installed Firefox 59.0.2 tonight, and was alerted that a Trojan Horse was installed with the crash installer app. ClamXav's Clam Sentry alerted me—and yes, the definitions are updated daily.
Link to installer: https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/mac/en-GB/Firefox%2059.0.2.dmg
Is this a new false-positive? Clam Sentry alerted it as a LIVE virus, so it wouldn't allow me to quarantine it—delete only.
I deleted everything, but pulled this from Console:
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/crashreporter.icns: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/_CodeSignature: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/crashreporter.ini: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/English.lproj/MainMenu.nib/classes.nib: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/_CodeSignature/CodeResources: OK
Checking {
MallocNanoZone = 0;
}
for pattern .*
/Applications/Firefox.app/Contents/Info: Trojan.OSX.Flashback FOUND
Live Infections Found: 1
Checking {
MallocNanoZone = 0;
}
for pattern .*
/Applications/Firefox.app/Contents/Info: Trojan.OSX.Flashback FOUND
Live Infections Found: 1
System: OS X 10.9.2
Full download and install of 59.0.2, not an update.
All Replies (16)
Hi,
It's best to download Firefox from here :
https://www.mozilla.org/en-US/firefox/all/?q=English%20(British)
Sorry, to clarify, I downloaded FF from mozilla.org and the installer link I included earlier is the same as the one I got just now from the link you sent—thanks anyhow.
I think the page my download originated from was the page that has all of the latest versions of FF.
The resulting download is the same, though: https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/mac/en-GB/Firefox%2059.0.2.dmg
Downloads from the Mozilla CDN server should be fine.
You can verify the file by using the KEY and checksum file.
- https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/
- /questions/1020249 How to use the SHA512SUMS.ASC
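As an added example (not from this thread or from Mozilla), here is a small POSIX shell script that does the checksum half of the verification described above: it looks up the entry for the downloaded .dmg in the release directory's SHA512SUMS file and compares it with the local file's SHA-512. It assumes you have already fetched SHA512SUMS and SHA512SUMS.asc from the release directory and checked the signature with `gpg --verify SHA512SUMS.asc SHA512SUMS`; the sample entries in the test are constructed.

```shell
#!/bin/sh
# Verify a downloaded Firefox .dmg against Mozilla's SHA512SUMS file.
# Prerequisite (not done here): check the detached signature first with
#   gpg --verify SHA512SUMS.asc SHA512SUMS
# Entries in SHA512SUMS look like "<sha512 hex>  <path relative to release dir>",
# e.g. "...  mac/en-GB/Firefox 59.0.2.dmg" (note the space in the file name).

# Print the SHA-512 of a file, using sha512sum (Linux) or shasum (macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 512 "$1" | cut -d ' ' -f 1
    fi
}

# expected_sha512 SUMS_FILE RELATIVE_PATH -> prints the listed hash, or fails.
# Only the first field is the hash; everything after the two-space separator
# is the path, so paths containing spaces are handled correctly.
expected_sha512() {
    while IFS= read -r line; do
        hash=${line%% *}
        path=${line#* }
        path=${path# }
        [ "$path" = "$2" ] && { printf '%s\n' "$hash"; return 0; }
    done < "$1"
    return 1
}

# verify_download SUMS_FILE RELATIVE_PATH LOCAL_FILE
# Returns 0 on match, 1 on mismatch, 2 if the path is not listed at all.
verify_download() {
    exp=$(expected_sha512 "$1" "$2") || { echo "no entry for $2" >&2; return 2; }
    act=$(sha512_of "$3")
    if [ "$exp" = "$act" ]; then
        echo "OK: $3 matches $2"
        return 0
    fi
    echo "MISMATCH: $3 does not match $2 (delete it and re-download)" >&2
    return 1
}
```

Typical call on a Mac: `verify_download SHA512SUMS "mac/en-GB/Firefox 59.0.2.dmg" ~/Downloads/"Firefox 59.0.2.dmg"`.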
VanessaKing said
I think the page my download originated from was the page that has all of the latest versions of FF.
So does this page :
https://www.mozilla.org/firefox/all/
I just thought I'd make it easier on you by selecting your language ......
Thanks… No, it's another page, close but:
VanessaKing said
Thanks… No, it's another page, close but: https://www.mozilla.org/en-US/firefox/releases/
Nothing wrong with that page.
But if it would set your mind at ease, maybe you could uninstall the previously downloaded version and download from here :
https://www.mozilla.org/en-US/firefox/all/?q=English%20(British)
And/or maybe contact ClamXAV Sentry Support :
I'm way ahead of you. I uninstalled it immediately after getting the alert and I've opened a ticket with ClamXav.
I'll update this when I hear back, thanks.
Any update on this? Same issue only macOS 10.13.4 and Firefox 59.0.2. ClamXAV v2.18.1/0.100.0 (3610)
However, the machine I am on now with all of the above info has indicated nothing, but when I run the commands on it to detect the so-called Flashback Trojan, I receive the following:
Mac-Pro:~ pil13$ defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
{
    MallocNanoZone = 0;
}
Mac-Pro:~ pil13$
Do you know if this indicates another issue, or if this is common in Firefox?
I have contacted ClamXAV as well, but want to know why Firefox is showing this response, so I posted it here.
When I download the .dmg file and submit it to VirusTotal it tests clean:
However, I didn't extract it because I'm on Windows...
Thanks Jefferson. Just an odd thing to show up after all these years and out of the blue. Still waiting for ClamXAV to comment.
My bet is it’s a false positive, yet caused by one Firefox file as confirmed / suggested in this thread.
"This was caused by the Firefox developers leaving a setting enabled in one of the files embedded within the Firefox.app itself. [...] The developer has pushed out a fix via virus defs. Just update your virus definitions which will prevent the detection from recurring."
As you update your virus definitions daily, how about commenting in that thread?
Thanks Tonnes, yes, updated every day.
I'm still waiting for more detail from ClamXav, too. The definitions should be the same—even if I am using an older version—but I asked them, to be sure, and am waiting to hear back.
VanessaKing said
I'm still waiting for more detail from ClamXav, too. The definitions should be the same—even if I am using an older version—but I asked them, to be sure, and am waiting to hear back.
Hi, FYI: if you upload the file to https://www.virustotal.com/ it is scanned by 65 anti-virus engines, including ClamAV. You can also scan URLs, and it has a Search feature.
Hi Pkshadow.... Thanks for the tip. I will look into it.
Fwiw and as said, it’s most likely a(nother) false positive by ClamXav probably not worth worrying about. Scan results from other sources as reported above as well as the Firefox installer being downloaded from the original and trusted (Mozilla) source should indicate that. Moreover, I find 5000+ results when searching for ClamXav and "false positive", so this issue doesn’t seem to be entirely new.
I do appreciate the TS wants to hear back from ClamXav of course, but IMO reports by any antivirus product or its vendor should never prevail just because it’s paid software. The same goes for issues when running with Firefox and such products - some users even refuse to disable their security software in order to do some proper troubleshooting, only because they paid for it. Not good.