Hi FwF,
The malicious code can be smuggled into the plug-in of some external coder before he uploads it to Firefox (he did not detect it at that time). If no anti virus scanners (script debuggers) detect it, then it can for instance sneak into the code of a legit language pack starting to infect users of the plug-in.
See the developer's discussion on the previous incident here:
https://bugzilla.mozilla.org/show_bug.cgi?id=432406In mentioned incident it was pop-up adware that was served up unintentionally, but it also can be Trojan code etc. In the case of add-on 5954:
All help pages (*.xhxml) are malicious script right after
</hxml>:
<script src="hxxp://%6A%73..."></script>
This was not according the rules that language packs could not contain JS. So again JavaScript was at the root of all this evil.
We cannot believe the add-on developer on his or her blue eyes for it to be malware free and so all add-ons should be given the all green before being published by Mozilla, and you should be extra careful to trust third party add-ons, plug-ins, so refrain from using these...
In the mentioned recent incident we had another scenario: that the plugin is not being installed through FF itself, but has ended up on ones computer by other means. At that point, (most likely) all that needs to be done is for the DLL to be moved into the FF /plugins/ directory - no "install" necessary, becoming active thereafter.
You could check about:plugin & look for anything out of place, like npbasic.dll as the case may be.
The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes. This is called a Cross Browser Modal Dialog Box.
Test at:
https://bugzilla.mozilla.org/attachment.cgi?id=5099Also see what our friend "essexboy" had to report on the mentioned malware here:
http://forum.avast.com/index.php?topic=40713.msg341330#msg341330polonus