I recently have been redirected to fake webpages [strange URLs] prompting me to download an urgent update for Firefox. This behavior immediately put me on my guard. I did however download the file, firefox-patch.js, out of curiosity. It is apparently a JavaScript file. What is disconcerting about this is that none of my anti-malware tools could identify the file as a threat. So I then navigated to VirusTotal online, and submitted the file there. I first noticed that the file had not been scanned before, which is highly unusual. I think every other time I've scanned a file at VirusTotal, it has told me that the file was previously scanned, and then asked if I would like to re-analyze... In any case, the results were again surprising: only 2 out of 54 antivirus products identified the file as malicious. That kind of detection ratio would typically lead me to suspect a false positive, but I did find a write-up of this issue on Mozilla [see link], so I'm certain this is indeed a malicious file.
The only products able to correctly identify it as a threat were Arcabit and Fortinet, both of which I wasn't familiar with. I then did a little research on those products, and come to find out: Arcabit is apparently a Polish-language-only antivirus, and Fortinet strictly an enterprise product, designed for deployment over a corporate LAN.
So bottom line is that I guess if one isn't on one's guard, this will "fly under the radar" of many people. Does anyone know why the detection rate might be so poor for this file? It is only 9.13 KB. Is it easy for malware authors to "hide" malicious code in JavaScript?
Link:
https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update
Edited by Oxonsi, 14 December 2016 - 02:29 PM.
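One way to triage a file like this offline before (or instead of) relying on signature engines, as an added example that is not from the original post or Mozilla's article: score the script for host-access APIs, decoding helpers, long literals and high entropy, and compute the SHA-256 for a VirusTotal hash lookup. The sample script is constructed to stand in for firefox-patch.js (assumption) and carries no working payload.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for firefox-patch.js (assumption): it shows the traits a
# fake-update dropper tends to have, but carries no working payload.
SAMPLE_JS = (
    'var a = "";\n'
    'a += String.fromCharCode(104,116,116,112);\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'eval(unescape("%76%61%72%20%78%3d%31"));\n'
    'var blob = "' + 'Qx9$kL2#pZ7!' * 20 + '";\n'
)

# Regex indicator -> weight: host-access APIs score high, decoding helpers lower.
INDICATORS = {
    r"\bActiveXObject\b": 3,
    r"WScript\.Shell": 3,
    r"\beval\s*\(": 2,
    r"\bunescape\s*\(": 2,
    r"String\.fromCharCode": 1,
    r"%[0-9a-fA-F]{2}(?:%[0-9a-fA-F]{2}){3,}": 2,  # run of URL-encoded bytes
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded content pushes this toward 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def longest_string_literal(src: str) -> int:
    """Length of the longest quoted literal; encoded payloads hide in long ones."""
    lits = re.finditer(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'', src)
    return max((len(m.group(0)) for m in lits), default=0)

def triage(src: str) -> dict:
    """Score a script offline; the hash is what you would look up on VirusTotal."""
    data = src.encode()
    hits = {p: len(re.findall(p, src)) for p in INDICATORS}
    score = sum(INDICATORS[p] * min(n, 3) for p, n in hits.items())  # cap repeats
    ent = shannon_entropy(data)
    if ent > 5.0:
        score += 2
    if longest_string_literal(src) > 200:
        score += 2
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
            "hits": {p: n for p, n in hits.items() if n}, "entropy": round(ent, 2),
            "score": score, "verdict": "suspicious" if score >= 5 else "low"}
```

The weights and the score threshold are arbitrary starting points; a script with no indicator hits and a low entropy should score "low", so tune them against scripts you know to be benign.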