
SANS ISC: Korean Mozilla and Thunderbird Distro Site Woes - Internet Security | DShield SANS ISC InfoSec Forums


Korean Mozilla and Thunderbird Distro Site Woes
The trend of putting trojaned downloads on software distribution sites continues unabated.  A Korean site, officially **unaffiliated** with the Mozilla, Thunderbird, and Firefox development teams, distributes a Korean version of Mozilla Suite 1.7.6 and Thunderbird 1.0.2.  Turns out, a couple of days ago, evil versions of Mozilla and Thunderbird for Linux appeared on this site.  When installed, they would infect ELF binaries in /bin.  The malware included a backdoor, although it had little spreading potential.  Still, that's why, when you upgrade, make sure you download from a couple of mirrors and check that hash!  Md5sum and SHA-1 are your friends.  And, if you are really paranoid, RIPEMD-160 is a good acquaintance to have.

Update: According to information we've received (thanks, Roel!), Korean versions of Mozilla and Thunderbird distributed through **official** Mozilla FTP sites were also infected.  So, if you use Korean Mozilla or Thunderbird, and downloaded the latest versions of Thunderbird or Mozilla, you may have been compromised.  I suggest a good file integrity check, and perhaps a reinstall of your operating system and apps.  Thanks again, Roel, for the clarification.
Ed
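
The mirror-and-hash check recommended above, as an added example that is not part of the original diary entry: it hashes copies of one release fetched from several mirrors and compares them with each other and with a published digest. The file names, mirror labels and sample payload are constructed, SHA-256 is an addition not named in the post, and the published digest is assumed to come from a channel other than the mirrors.

```python
import hashlib
import os
import tempfile

# md5, sha1 and ripemd160 are the digests named in the post; sha256 is added here.
ALGOS = ("md5", "sha1", "ripemd160", "sha256")

def digests(path, algos=ALGOS):
    """Hash one file with every available algorithm in a single read pass."""
    hashers = {}
    for name in algos:
        try:
            hashers[name] = hashlib.new(name)
        except ValueError:  # e.g. ripemd160 absent from this OpenSSL build
            continue
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def check_download(copies, published, algo="sha256"):
    """copies: {mirror label: local path}; published: hex digest obtained from a
    channel other than the mirrors. Returns (verdict, {label: digest})."""
    seen = {label: digests(path, (algo,))[algo] for label, path in copies.items()}
    if len(set(seen.values())) > 1:
        return "MIRRORS_DISAGREE", seen
    # Identical copies only show the mirrors serve the same file, so the
    # published digest still has to match.
    if set(seen.values()) != {published.strip().lower()}:
        return "MISMATCH_PUBLISHED", seen
    return "OK", seen

def demo():
    """Constructed sample files standing in for copies fetched from two mirrors."""
    d = tempfile.mkdtemp()
    clean, altered = os.path.join(d, "clean.tar.gz"), os.path.join(d, "altered.tar.gz")
    payload = b"constructed release payload\n"
    with open(clean, "wb") as f:
        f.write(payload)
    with open(altered, "wb") as f:
        f.write(payload + b"constructed extra bytes")
    published = hashlib.sha256(payload).hexdigest()
    return [check_download({"mirror-a": clean, "mirror-b": clean}, published)[0],
            check_download({"mirror-a": clean, "mirror-b": altered}, published)[0],
            check_download({"mirror-a": altered, "mirror-b": altered}, published)[0]]

if __name__ == "__main__":
    print(demo())
```

The third verdict covers the situation in the update: when every mirror carries the same altered file, the copies agree with each other and only the comparison against the published digest catches it.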
