Discovered a malware in my Firefox

Hi there peeps,

I came across a strange malware in my Firefox 70.0 browser
by chance when using this very basic code…

<!DOCTYPE HTML>
<html lang="en">
<head>

<meta charset="utf-8">
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1">

<title>Untitled document</title>

<style media="screen">

div {
    width: 10%;
    margin: 25%;
 }

</style>

</head>
<body> 

 <div></div>

</body>
</html>

…which obviously, will present a blank page.

I happened, though, to refresh the page and discovered this
little bugger…

“Inspect Element” provided this injected CSS…

injected-css.txt (43.3 KB)

…and this injected HTML…

injected-html.txt (1.2 KB)

I also have Firefox Developer Edition 71.0b4 installed and it
is not affected at all.

Do you think that deleting and reinstalling Firefox 70.0 would
be a good solution or should I consider something else?

coothead

It looks like the “sf” is “savefrom”. Did you install any extensions or scripts having to do with “saving” from web pages?

Hi there Mittineague,

thank you for replying. :winky:

I have not installed any extensions other than
uBlock Origin, Ghostery and Web Developer.

coothead

When searching for the image on google (by image upload) it suggests it is a circle. Does that help? :wink:

3 Likes

Hi there rpkamp,

thank you for replying. :winky:

The problem that I have, though, is that something is injecting
HTML and CSS code into my Firefox 70.0 browser.

Windows Malicious Software Removal Tool or Avast Antivirus
were unable to find anything untoward. :unhappy:

coothead

Are you sure it is malicious?

Hi there gandalf458,

thank you for replying. :winky:

I am not sure about anything. :unhappy:

Bemused would be a better description of my thoughts. :biggrin:

coothead

It appears to be a JS download from https://greasyfork.org/fr/scripts/374338-savefrom-net-helper/code

I have no intention of running that, but the long list of .ru links looks pretty suspicious to me.

2 Likes

I’m thinking there’s a good chance if you look around you could find some JavaScript that you weren’t aware of too. It seems like a lot of CSS for what arguably could have been an animated GIF, and the href="#" links suggest JavaScript is meant to do something, whatever that something may be.

I’m wondering if the “web developer” extension has some kind of “download all the stuffs” feature. Or maybe this is a Firefox “download this page for offline viewing” feature you inadvertently activated?

I would try temporarily uninstalling the web developer extension to see if it still shows up.

If you can’t figure out where it’s coming from or what it’s doing and want to be safe you could install a fresh Firefox not using your older “user profile”. Doing so will mean you lose a lot of your “meta” information - bookmarked favorites, history, font preferences, etc. - so you may want to note anything you want to repeat in the new clean install.

1 Like

Hi there tracknut,

thank you for replying. :winky:

You have solved the problem. :biggrin:

I’d forgotten about that add-on, it does
not appear next to my other add-ons. :shifty:

It has now been deleted.

Thank you very much. :winky:

coothead

3 Likes
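
Added example, not part of the thread or any poster's code: the comparison made by eye in the first post (authored page versus what Inspect Element shows) done as a script that lists elements the source does not account for and counts their id/class prefixes, the kind of clue the “sf” prefix gave above. The rendered snapshot and its `sf-` names are constructed placeholders, and all function names are this example's own.

```python
from collections import Counter
from html.parser import HTMLParser

# The test page from the first post, whitespace condensed.
AUTHORED = """<!DOCTYPE HTML>
<html lang="en"><head><meta charset="utf-8">
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1">
<title>Untitled document</title>
<style media="screen">div { width: 10%; margin: 25%; }</style>
</head><body><div></div></body></html>"""

# Constructed stand-in for the DOM copied from Inspect Element; the "sf-" names
# are placeholders, not the contents of the attached injected-html.txt.
RENDERED = """<html lang="en"><head><meta charset="utf-8">
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1">
<title>Untitled document</title>
<style media="screen">div { width: 10%; margin: 25%; }</style>
<style id="sf-style">.sf-btn { position: fixed; }</style>
</head><body><div></div>
<div id="sf-panel" class="sf-box"><a href="#" class="sf-btn">x</a></div>
</body></html>"""

class Signatures(HTMLParser):
    """Count a (tag, id, class) signature for every element start tag."""
    def __init__(self):
        super().__init__()
        self.seen = Counter()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.seen[(tag, a.get("id") or "", a.get("class") or "")] += 1

def signatures(html):
    p = Signatures()
    p.feed(html)
    return p.seen

def injected(authored, rendered):
    """Elements in the rendered DOM that the authored source does not account for."""
    return signatures(rendered) - signatures(authored)

def name_prefixes(extra):
    """Count id/class prefixes (text before the first '-') of injected elements."""
    prefixes = Counter()
    for (tag, el_id, classes), n in extra.items():
        for name in [el_id, *classes.split()]:
            if "-" in name:
                prefixes[name.split("-", 1)[0]] += n
    return prefixes
```

Browsers also add elements of their own when normalising markup (for example `tbody` inside tables), so on more complex pages review each hit rather than treating every difference as injection.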