Korean Mozilla and Thunderbird Distro Site Woes

Published: 2005-09-23
Last Updated: 2005-09-23 16:34:13 UTC
by Ed Skoudis (Version: 1)
The trend of putting trojaned downloads on software distribution sites continues unabated.  A Korean site, officially **unaffiliated** with the Mozilla, Thunderbird, and Firefox development teams, distributes a Korean version of Mozilla Suite 1.7.6 and Thunderbird 1.0.2.  Turns out, a couple of days ago, evil versions of Mozilla and Thunderbird for Linux appeared on this site.  When installed, they would infect ELF binaries in /bin.  The malware included a backdoor, although it had little spreading potential.  Still, that's why, when you upgrade, you should download from a couple of mirrors and check that hash!  Md5sum and SHA-1 are your friends.  And, if you are really paranoid, RIPEMD-160 is a good acquaintance to have.

Update: According to information we've received (thanks, Roel!), Korean versions of Mozilla and Thunderbird distributed through **official** Mozilla FTP sites were also infected.  So, if you use Korean Mozilla or Thunderbird, and downloaded the latest versions of Thunderbird or Mozilla, you may have been compromised.  I suggest a good file integrity check, and perhaps a reinstall of your operating system and apps.  Thanks again, Roel, for the clarification.
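
The mirror-and-hash check described above, as an added example that is not part of the original diary: it hashes each downloaded copy, compares the copies with each other, then compares them with a digest obtained through a channel other than the mirrors. MD5 and SHA-1 are the algorithms the diary names; SHA-256, the mirror labels, the file names and the file contents are assumptions constructed for the example.

```python
import hashlib, hmac, os, tempfile

# MD5 and SHA-1 are named in the diary; SHA-256 is added here.
ALGOS = ("md5", "sha1", "sha256")

def digests(path, algos=ALGOS, chunk=1 << 16):
    """Read the file once and feed every hash from the same blocks."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def check_downloads(copies, published):
    """copies: {mirror label: local path}. published: {algo: hex digest}
    taken from a channel other than the download mirrors."""
    results = {m: digests(p, tuple(published)) for m, p in copies.items()}
    if len({tuple(sorted(d.items())) for d in results.values()}) > 1:
        return "MIRRORS_DISAGREE", results
    for d in results.values():
        for algo, want in published.items():
            if not hmac.compare_digest(d[algo], want.strip().lower()):
                return "PUBLISHED_MISMATCH", results
    return "OK", results

def demo():
    """Constructed stand-ins for a release tarball; no real files or hashes."""
    good = b"constructed release bytes\n" * 1000
    bad = b"constructed altered bytes\n" * 1000
    with tempfile.TemporaryDirectory() as tmp:
        def put(name, data):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path
        g1, g2 = put("mirror-a.tar.gz", good), put("mirror-b.tar.gz", good)
        b1, b2 = put("mirror-c.tar.gz", bad), put("mirror-d.tar.gz", bad)
        published = {a: hashlib.new(a, good).hexdigest() for a in ALGOS}
        return {
            "clean": check_downloads({"a": g1, "b": g2}, published)[0],
            "one_bad_mirror": check_downloads({"a": g1, "c": b1}, published)[0],
            # Every mirror serves the same altered file (the Update's case):
            # the copies agree, so only the published digest catches it.
            "all_mirrors_bad": check_downloads({"c": b1, "d": b2}, published)[0],
        }

if __name__ == "__main__":
    print(demo())
```

The third case is why the published digest has to come from somewhere other than the servers that host the download.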