The trojans on the Mozilla site were found in all versions of Master Filer, and Sothink Web Video Downloader. Master Filer contained the Win32.Bifrose.32.Bifrose Trojan, while the video downloader add-on was infected with Win32.LdPinch.gen. Mozilla Add-Ons (also known as AMO) missed them during a routine scan.
"AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that were detected as such," said Mozilla in a blog post. "This scanning tool failed to detect the trojan in Master Filer.
Mozilla has added two more malware detection tools, and rescanned all of its add-ons. At that point, it discovered the other trojan in Sothink Web Video Downloader.
The latest trojan is a password stealing program that gathers private user data and sends it to an attacker using a preset email address. The trojan uses its own SMTP server, or a web-based proxy, meaning that copies of the same email will not appear in the affected user's email client, according to an analysis by Microsoft. The encyclopedia entry was first published almost exactly two years ago.
Experimental add-ons in Firefox are not easy to install by accident. Firefox users must confirm that they want to install software that is not fully tested. However, Master Filer was downloaded roughly 600 times between September and last month. Sothink Web Video Downloader was downloaded 4000 times between February and May 2008.
Simply uninstalling the add-ons will not be enough to cleanse a system that has been infected. Mozilla has published a list of anti-malware programs known to spot these two trojan malware instances on its blog.