
Where/How do I report a malicious site

pn14
Making moves

Hi!

  Thanks for Adding Me!!

  🙂 This most likely isn't the standard protocol for reporting malicious sites, but I'm hoping that someone can point me in the right direction, and that you will read the situation in its entirety before coming to any conclusions.

I really would like to see in Browser settings a place where you could specifically do exactly this: report a malicious site. I don't consider Mozilla Firefox to be a 2nd-rate browser just because I stumbled onto something that I KNOW was bad. This can happen to anyone at any time, regardless of what browser you are using, if you aren't using antimalware protection while online (and it's happened to me a few times in the past, and I'm sure it will probably happen again too). It pops up most often when people are visiting bad sites (porn or cheater sites, etc.), which I was doing neither. I'm researching baby foods and formula and the toxins that have been coming up recently in them, and that's pretty much what I was doing. I right-clicked the topic to open in a new tab (there were several search results, so I had each one open in a new tab) and then started checking each tab. I guess it was the 2nd one that I opened; up pops this cheesy ad that looked like a wannabe "Adobe Flash Player" that said I needed to download a flash player, and I immediately knew I had hit a bad site, and before I could even close the tab, it was blasting porn. Not just some mild whatever, but outright blast-in-the-face stuff that I won't try to describe any further. It was just all bad, ya know? It took me a couple of minutes to recompose my thoughts, and I thought, WOW, what if that would've been one of my grandkids instead of me? I KNOW that this is a great browser and organization and know that Firefox would want to be aware of things like this, so I looked in the settings of my browser, and yeah, there were the places to send "Feedback", but I don't consider this to be just common "Feedback" and didn't feel like that was the proper place to let them know that this happened. So I looked in my browser history, copied the URL onto a "Wordpad" document, and headed over to the "Virus Total" website, where you can submit a file or URL to see if it's malicious.
I was just SURE that it would come back as a bad site and then they would shut it down... but much to my surprise, it came back as clean. OK, well, I just wish there was a specific setting that allowed for this type of thing. I don't consider it to be something that is a bug or glitch in the programming that they are expecting when they are asking for feedback. I consider this to be something that bad people do to cause misery onto others, and it should be reported every time it happens to someone, and I really believe that Firefox would agree with me, so I hope to offer a suggestion that they could make it easier for a person to report something like this. I think this is the #1 browser and hope I haven't grumbled too much. I'm hoping to upload a screenshot. Anyway, thanks for reading!

@pn14 

22 REPLIES

jscher2000
Leader

Firefox's phishing and malware site protection uses lists from the SafeBrowsing project, which is managed by Google. You can submit a URL of a phishing page using the Help menu. Either:

  • menu button > Help > Report deceptive site...
  • (menu bar) Help > Report deceptive site...

That's mentioned in https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work

Google also has a page for reporting malware or attack pages at https://safebrowsing.google.com/safebrowsing/report_badware/

 

bhs67
Making moves

Trojan:Script/Wacatac.B!ml infected my laptop last week. Initially, Aura Antivirus removed it. However, it keeps reoccurring.

When I manually scan using Aura, it finds Trojan.W32.S171023A.cryxos.5913.YR ... see attachment. The Trojan path is --- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\33hxlxf7.default-release\storage\default --- How do I fix this?

Trojan.W32.S171023A.cryxos.5913.YR --- 155105.jpg

 

Mizar
Familiar face

It's not easy to provide advice with so very little to go from but here are a few options.

1- Clear Firefox's cache and history then rescan.

2- Check that your extensions are legit, remove the ones that aren't. Then rescan.

3- If all of the above fail, the safest bet would be to format your system and get yourself a better Antivirus solution.

bhs67
Making moves

Thanks for the response.

1) Have cleared Firefox's cache and history.

2) All extensions are legit. I have used them (only four of them) for many years.

3) I switched from Malwarebytes to Aura. Malwarebytes could not find "Trojan:Script/Wacatac.B!ml". Aura did find Trojan:Script/Wacatac.B!ml and fixed it. I was able to use Visual Studio again. However the Trojan keeps reappearing.

4) Is there a website that describes which docs I could delete from C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\33hxlxf7.default-release\storage\default?

5) It seems that Mozilla / Firefox developers would want to know about this Trojan. The Trojan was able to bypass Firefox Security.


@bhs67 wrote:

Thanks for the response.

1) Have cleared Firefox's cache and history.

2) All extensions are legit. I have used them (only four of them) for many years.


Occasionally, developers "sell out" but if the extension hasn't been updated for a while, that's probably not the issue.


3) I switched from Malwarebytes to Aura. Malwarebytes could not find "Trojan:Script/Wacatac.B!ml". Aura did find Trojan:Script/Wacatac.B!ml and fixed it. I was able to use Visual Studio again. However the Trojan keeps reappearing.


Hmm, what is the connection between Firefox storage folders and Visual Studio? Is some malware on your system hiding its file in Firefox storage??


4) Is there a website that describes which docs I could delete from C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\33hxlxf7.default-release\storage\default?


\storage\default contains numerous individual folders holding data that websites and add-ons have asked Firefox to store. Presumably the problem is only in one of those folders, but does the software tell you which one it was in?

The website folders are not difficult to identify, but the add-on folders (whose names start with moz-extension) are named using an internal UUID. Your earlier posted screenshot shows that the problem file was found in a moz-extension folder. You can use the about:debugging page to look up that UUID. Type or paste about:debugging into the address bar and press Enter/Return to load it. Click This Firefox in the left column, then use Find in Page (Ctrl+F) to look for 72ca725c and see which extension(s) are the closest match. That is the one which stored the problem file.


5) It seems that Mozilla / Firefox developers would want to know about this Trojan. The Trojan was able to bypass Firefox Security.


I don't think Firefox submits add-on storage requests to your system's virus scanner, but Firefox also isn't executing the storage data as a program. Should Firefox treat all storage data as potentially dangerous? That probably would be overkill. So it's not clear what Firefox should do in this situation.

 

Mizar
Familiar face

I'd just delete the whole folder.

jscher2000 ->

3) "Hmm, what is the connection between Firefox storage folders and Visual Studio? Is some malware on your system hiding its file in Firefox storage?"

The Trojan also appears when I attempt to open a PDF doc in Gmail (it fails every other time). It is not tied to Visual Studio. The Trojan affects both Firefox and Visual Studio. It may affect more programs.

Aura tracks the Trojan to a Firefox folder.

4) "Presumably the problem is only in one of those folders, but does the software tell you which one it was in?"

Attached is what I see.

5) "Should Firefox treat all storage data as potentially dangerous?"

I do not recall downloading anything other than PDFs attached to Gmail messages.

It is surprising that the Trojan was able to bypass Firefox Security.  Firefox is the only browser I use.

----------------------------------

Mizar -> If I delete the folder, what are the potential problems?

----------------------------------

I think it is ok to delete all files that start with "moz-extension"?

 

 

Were you able to track down which add-on's moz-extension folder that is using the about:debugging page?

 

Mizar
Familiar face

Not many, Firefox will just create a new profile folder which allows you to start fresh.

On a side note, PDFs from gmail messages have been known to be used as an entry point by bad actors on the web.

Mizar
Familiar face

I'll even go out on a limb and say it was the PDFs that introduced the Trojan on your system.

jscher2000 -> "Were you able to track down which add-on's moz-extension folder that is using the about:debugging page?" 

Nope.

-----------------------------

Mizar -> "Not many, Firefox will just create a new profile folder which allows you to start fresh."

I have two Add-ons.

ff1.jpg

The most handy is Simple Tab Groups.  Clicking the red circle icon (upper right) opens this: 

ff2.jpg

This helps me keep my topic tabs under a different Tab Group.  I've used this Add-on for a long time.

Will deleting the "moz-extension" files affect my Tab Groups?

-----------------------------

Thanks for the responses!

Mizar
Familiar face

AdBlockPlus is the main offender here as it has become malicious.

Remove AdBlockPlus and install uBlockOrigin by Raymond Hill instead.

 

Wow!  Thanks!!!

Oops.  Removing AdBlockPlus does not fix the Trojan.

Running Aura does not find any Viruses or Trojans.  However, Visual Studio still fails every other time.

Is there a tool that finds Trojans in the Registry?

 

Mizar
Familiar face

So, Aura does not detect the trojan anymore?

What makes you think the trojan is still there?

The Trojan is still there because Visual Studio still fails every other time when I compile the code. 

This started happening when TrojanScriptWacatac.B!ml appeared ... detected by Windows 10 Security ... see attachment ->

TrojanScriptWacatac.B!ml.jpg

Mizar
Familiar face

Is it possible that whatever you are trying to compile is what is setting Windows Defender off?


@bhs67 wrote:

Will deleting the "moz-extension" files affect my Tab Groups?

One of them is for Simple Tab Groups. To figure out which one, you would need to use the method I mentioned earlier: use the about:debugging page to figure out the UUID for STG and avoid deleting its moz-extension folder.

Mizar -> "Is it possible that whatever you are trying to compile is what is setting Windows Defender off?"

Nope. I've been writing code for decades. Plus, my current code was compiling fine for more than a month. The compiling problem occurred about two weeks ago, after TrojanScriptWacatac.B!ml was detected by Windows 10 Security.

In addition, opening a PDF in Gmail messages started failing again. I have removed AdBlockPlus.

----------------------------------

jscher2000 -> "use the about:debugging page".

I forgot to mention, I have already tried this.  Nothing happens.

TrojanScriptWacatac.B!ml affects Gmail / pdf's and Visual Studio.


@bhs67 wrote:

jscher2000 -> "use the about:debugging page".

I forgot to mention, I have already tried this.  Nothing happens.


The page doesn't display your enabled add-ons on the This Firefox panel? That is strange. Perhaps there is a less convenient way to find the local UUID so you know which extension is responsible for the moz-extension folder which keeps getting the detected file.
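
An added example, not part of any post in this thread and not Firefox's own code: one way to do the UUID lookup described in the earlier reply about `\storage\default` and asked about again just above, without the about:debugging page. It assumes the profile's `prefs.js` holds the `extensions.webextensions.uuids` preference as a JSON map of add-on ID to UUID and that add-on storage folders are named `moz-extension+++<uuid>`; the add-on ID and UUIDs in the sample profile are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumption: prefs.js keeps the add-on ID -> internal UUID map in this pref.
UUID_PREF = re.compile(r'user_pref\("extensions\.webextensions\.uuids",\s*(".*")\);')
# Assumption: add-on storage folders are named moz-extension+++<uuid>.
FOLDER = re.compile(r"^moz-extension\+\+\+([0-9a-fA-F-]{36})")


def load_uuid_map(profile: Path) -> dict:
    """Return {uuid: add-on ID} parsed from the profile's prefs.js."""
    text = (profile / "prefs.js").read_text(encoding="utf-8", errors="replace")
    m = UUID_PREF.search(text)
    if not m:
        return {}
    # The pref value is JSON stored inside a quoted, escaped string literal.
    by_addon = json.loads(json.loads(m.group(1)))
    return {uuid.lower(): addon for addon, uuid in by_addon.items()}


def map_storage_folders(profile: Path) -> dict:
    """Map each moz-extension folder under storage/default to its add-on ID."""
    uuids = load_uuid_map(profile)
    storage = profile / "storage" / "default"
    result = {}
    if storage.is_dir():
        for entry in sorted(storage.iterdir()):
            m = FOLDER.match(entry.name)
            if entry.is_dir() and m:
                # None means no installed add-on claims that UUID.
                result[entry.name] = uuids.get(m.group(1).lower())
    return result


def build_sample_profile(root: Path) -> Path:
    """Constructed sample profile (made-up add-on ID and UUIDs), for offline runs."""
    known = "11111111-2222-3333-4444-555555555555"
    orphan = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    value = json.dumps(json.dumps({"tabs@example.invalid": known}))
    (root / "prefs.js").write_text(f'user_pref("extensions.webextensions.uuids", {value});\n')
    for name in (f"moz-extension+++{known}", f"moz-extension+++{orphan}", "https+++example.invalid"):
        (root / "storage" / "default" / name).mkdir(parents=True)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(map_storage_folders(build_sample_profile(Path(tmp))))
```

The script only reads files, so `map_storage_folders` can be pointed at a real profile folder; a folder that maps to `None` belongs to no currently installed add-on.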

Mizar
Familiar face

At this point you should just reformat your system as that malware is an especially nasty one.

I purchased and installed TotalAV a few hours ago.  That appears to have removed the Trojan. 

Visual Studio compiles every time I try.  Ditto for opening a Gmail message attached pdf.

I'll try again tomorrow to see if the Trojan is truly removed.