Mozilla Wednesday warned users about a worm that slipped into Firefox's Vietnamese language add-on and went undetected for months.
The malware-infected file has been pulled from Mozilla's servers.
"The Vietnamese language pack for Firefox 2 contains inserted code to load remote content," Window Snyder, Mozilla's chief security executive, confirmed in a post to the company's blog on Wednesday. "Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy."
According to Snyder, the download count for the add-on since last November has been 16,667. "So we anticipate the impact on users to be limited," Snyder said.
Mozilla developers first noticed the infected language pack on Tuesday, and by the next day had determined that the infection was accidental.
According to messages posted on Bugzilla, the bug-management system Mozilla uses to track code changes, a computer used by Jasper Thai, the author of the Vietnamese add-on, had been infected earlier with the Xorer worm, malware designed to infect only Windows PCs. When Thai created the add-on, Xorer hitched a ride by installing itself in the extension's code.
Xorer can spread via removable media -- including floppy disks -- and network shares, several security vendors said in their online malware databases. "Its effects can range from simply annoying to destructive," noted the write-up by Panda Security. Snyder said that infected users were being shown unwanted ads when they surfed with Firefox.
Although Mozilla scans Firefox add-ons, including language packs, for malicious code before making them available for download, its anti-virus scanner missed Xorer because it had not added a signature for the malware until mid-April. Thai had wrapped up the Vietnamese pack nearly two months earlier, on Feb. 18.
"The file is dated February 18, the virus signature is date April 14, so we apparently had this in the wild for about 2 months before the scanners were detecting it," Dave Miller, a Mozilla company developer, said on Bugzilla.
Although U.K.-based security vendor Sophos said it had produced a detection signature for the worm in early January, and Trend Micro had added one on Feb. 16, others, including McAfee and Panda, didn't get around to the worm until after Thai wrapped up the language pack.
Snyder said that Mozilla would boost the number of times it scanned files for malware. "We are also adding after-the-fact scans of everything to address this sort of case in the future," she said.
Developers on Bugzilla, however, argued whether that was feasible. "Ideally, yes, except that we get new definitions on average every 6 hours or so and it takes over a week to virus scan the entire ftp server," said Mozilla's Miller as he replied to a proposal to re-scan after every signature update.
"Getting monthly scans is in the plan for the new stage server once we get it working," he added.
In a message posted to the Bugzilla thread today, Thai said that he would deliver a malware-free Vietnamese language pack soon. He also claimed that the worm came from China, though he offered no proof.
"Sorry for the inconvenient! I've found that translated help files was modified by a virus, come from China," he said.