Do you have a genuine version of Firefox installed? Did it install a bunch of malware alongside your browser? Is Microsoft allowing this to sabotage your first impression of Firefox? The browser wars are getting ugly. Why isn’t Mozilla doing anything to stop this phishing attempt that is ruining their good name and adding more machines to the botnet?
You have a brand new computer and you’re trying to get it all set with your software and preferences. You fire up Internet Explorer to do the one thing it’s good at: Download Firefox when you don’t have any other browsers to choose from. You type ‘firefox’ in the address bar or in the search bar and by default it takes you to search results on Bing. You’re distracted, trying to setup other things, so you click the top result without paying careful attention to it. In hindsight, you’ll realize this was a mistake because the “top result” is a Sponsored Site and not a true result.
The link you clicked still takes you to a page that looks pretty similar to the normal Firefox webpage. It has the latest version you’ve been hearing about, version 3.6. Something still doesn’t feel right, but again, hindsight.
You try to put these paranoid thoughts out of your head, maybe you just left the stove on at home or something else equally harmless. It’s not the fact that you’re about to infect your brand new computer within 5 minutes of unboxing it with over 200 infected files. So, you click the download button.
The download seems a bit odd. “I know Mozilla has mirrors all around the world, but pinballpublishernetwork.com seems odd. Hmm… the downloaded file is only 293 KB even though it says it’s 7.7 MB. Ah well, maybe it’s compressed.” Let’s hit the Run button so we can stop having to use IE!
As it downloads, you start to daydream… Isn’t this what the normal download looks like?
Ding! The download finishes. No more time for daydreaming.
Whoa! McAfee detected some Adware. I really need to get off Internet Explorer!
Even Windows Defender is getting in on the action. Firefox here I come!
Let’s get to the faster, safer, smarter, better browser. Launching the installer, we see…
Well that doesn’t seem right, but maybe things have changed and Mozilla is trying to make more money in these hard economic times. Let’s continue and sure, go ahead and include the latest ShopperReports thingy…
We run through the install and it installs a few things like Seekmo and ShopperReports before getting to the Firefox setup.
Before the Firefox setup even begins we can see two icons were added to the system tray. The one on the right is some weather gadget and the icon on the left promises FREE games, videos, emoticons and more! Firefox is getting better and better!
Coming to my senses, things don’t seem right. A bunch of Browser Helper Objects were installed in IE as part of installing Firefox. That doesn’t make sense.
Even though Firefox installed correctly, it has a suspicious Seekmo plugin installed already.
Things don’t smell right, so I decide to scan my brand new computer with my favorite anti-malware tool, Malwarebytes. Updated to the latest version, running a quick scan reveals 206 infected objects. Not bad for completely infecting a machine 15 minutes out of the box, Seekmo, not bad at all.
Looking at the results, we can see a variety of malware vendors have made your computer their home. If you’d like to see the log of all the objects Malwarebytes detected, you can download the log (.txt).
The Reality of the Situation
Some facts about this infection:
I tested this malware on a virtual machine that was a clean Vista install with Avast! antivirus, Firefox, Java RE, and Adobe Flash installed with the latest Windows Updates. Beyond that, it was pretty bare bones. The McAfee screenshot is of when I first detected this site on another computer.
In order to get infected, I had to disable Avast! antivirus and tell Windows Defender to ‘Ignore’ the alert at least 3 times. These steps are not likely to be required in the case on a new computer however.
The top result was a Sponsored Link hosted through Microsoft Advertising to hxxp://Firefox.io. I highly discourage anybody from going to that site. There is live and active malware available for download through that site. You should always verify that the URL matches the site you expect.
The original download was only a couple hundred KB so it must download the real Firefox setup in the middle of the Seekmo installation.
I hoped to be able to contact Microsoft to have them pull the ad, but I was unable to reach anybody “for reasons beyond their control.” I don’t know what leverage I would have in getting the site shut down, but Mozilla should have some pull because of trademark infringement. I’m not too optimistic because they’ll just move to a different URL and find a new way or ad publisher to trick people into visiting that site. At least if Microsoft will blacklist the ad, it will prevent most people from reaching the site.
If you’re looking to download Firefox, visit: http://www.mozilla.com/en-US/firefox/
Update: I was able to work with the host and take this malware-serving site down.