[Bug 99759] Malware in Firefox?

Bob Stoll bob at stoll-family.com
Sun Apr 1 14:00:19 UTC 2007


Public bug reported:

I started playing with the Feisty beta and was having trouble getting to
the internet with Firefox (Adblock and Forecastfox plugins installed).
My firewall (Check Point FW-1/VPN-1 Edge device) logs show the traffic
is being dropped because it is infected with ISTbar, which is adware.

I did a little snooping with Wireshark and found that it indeed is
adding what looks like ISTbar headers in the first HTTP GET request:

No.     Time        Source                Destination           Protocol Info
      4 0.014406    192.168.0.2           192.168.0.1           HTTP     GET /StatBar.html HTTP/1.1

Frame 4 (569 bytes on wire, 569 bytes captured)
Ethernet II, Src: AsustekC_41:46:d5 (00:0e:a6:41:46:d5), Dst: Sofaware_72:16:a7 (00:08:da:72:16:a7)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 53923 (53923), Dst Port: www (80), Seq: 1, Ack: 1, Len: 503
Hypertext Transfer Protocol
    GET /StatBar.html HTTP/1.1\r\n
    Host: 192.168.0.1\r\n
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)\r\n
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    Referer: http://192.168.0.1/StatBar.html\r\n
    Cookie: session=Utbs5RzctZSXj8dgioVg\r\n
    \r\n


I didn't see this behavior on Edgy with the browser in the same configuration.

** Affects: mozilla-firefox-locale-all (Ubuntu)
     Importance: Undecided
         Status: Unconfirmed

-- 
Malware in Firefox?
https://launchpad.net/bugs/99759



