In a recent discovery, an extension that has been available on the Mozilla Firefox add-ons page since May this year has been found to be botnet malware. This vicious tool, dubbed Advanced Power, has affected over 12,500 systems, and until a few hours ago Mozilla wasn’t able to detect it either. Besides the infection itself, the way this bogus tool made it onto the official store, disguised as the Microsoft .NET Framework Assistant and presented as published by Microsoft, raises many concerns.
Once a system was infected, this malware made the victim’s computer part of a botnet, which then used that PC to perform SQL injection attacks on every website the victim visited. SQL injection is one of the most common web attacks we have been seeing and reporting in recent times.
Krebs on Security analyzed this malware and discovered some more interesting facts. Although the malware contained code to record victims’ passwords, it wasn’t really activated in most cases. The vicious minds behind this attack were more interested in finding vulnerabilities in websites. As a result, over 1800 web pages have been found to be attacked by this malware.
The infected browser plug-in, named “Microsoft .NET Framework Assistant” (there is a legitimate add-on by the same name), scans every page you visit to find potential SQL injection vulnerabilities. The genuine Microsoft .NET Framework Assistant 0.0.0 appears in Extensions and not in Plugins.
Mozilla has acknowledged this issue and has added this add-on to its blocklist. It has also released a statement:
“This is not the Microsoft .NET Framework Assistant created and distributed by Microsoft. It is a malicious extension that is distributed under the same name to trick users into installing it, and turns users into a botnet that conducts SQL injection attacks on visited websites.”
Thanks to Krebs on Security for their investigation and brilliant reporting.