
Weird, Fake Firefox Installs Boatloads of Bloatware

2011-12-18


Someone in the office stumbled upon the domain name Firefox.io and passed the info along to me. Apparently, the person had mistyped the domain name of a Web site (one unrelated to Firefox), adding an additional character. The domain he ended up on was parked, registered but unused; however, one of the ads that loaded on the parked page opened a popunder ad, which redirected this person’s browser to a page on Firefox.io.

This is what he found. I dunno…looks bogus to me. It resembles a really, really out of date Firefox installer download page.

The .io top-level domain, by the way, belongs to the British Indian Ocean Territories, and its TLD is administered from a charming village in England. At least, that’s where they pick up their mail. Not so with Firefox.io.

I have no idea how many Indian Ocean Territories Web sites the Mozilla Foundation owns, but I surmise that they would most likely register said domain to point to their business address in California, and not to some random apartment building with a foyer decorated to look like a two-story-high shower stall, located in the Sinsing District of Kaohsiung City, Taiwan.

The icon for the executable I downloaded from there vaguely resembles the currently-released, legit Firefox installer, but it has no properties of any kind, let alone the digital signature that authenticates the genuine Firefox 8.0.1 installer. It is a generic NSIS installer package that anyone can unpack using UniExtract.
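The missing-signature check described above can be done on any downloaded installer before it is run. The following is an added example, not code from the original post: it reads the PE header's certificate-table directory entry, which is where an Authenticode signature is stored. The function names and the constructed sample headers are assumptions for illustration, and a "signature-present" result only means a signature blob exists; the operating system's verifier must still validate it and its certificate chain.

```python
import struct

SECURITY_DIR = 4            # index of IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def authenticode_status(data: bytes) -> str:
    """Classify a file as 'not-pe', 'unsigned', 'malformed' or 'signature-present'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return "not-pe"
        opt = pe_off + 24   # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            return "not-pe"
        dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= SECURITY_DIR:
            return "unsigned"
        # For this one directory the first field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
        if offset == 0 or size == 0:
            return "unsigned"
        if offset + size > len(data):
            return "malformed"                             # table points past end of file
        length, _rev, cert_type = struct.unpack_from("<IHH", data, offset)
    except struct.error:
        return "malformed"                                 # header truncated
    if length < 8 or length > size or cert_type != PKCS_SIGNED_DATA:
        return "malformed"
    return "signature-present"   # presence only; validity is checked elsewhere

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header for the demo (not a runnable program)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 92, 16)              # NumberOfRvaAndSizes
    if signed:
        cert = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + bytes(8)  # placeholder blob
        struct.pack_into("<II", buf, opt + 96 + 8 * SECURITY_DIR, len(buf), len(cert))
        buf += cert
    return bytes(buf)

if __name__ == "__main__":
    for label, blob in (("unsigned", sample_pe(False)), ("signed", sample_pe(True))):
        print(label, "->", authenticode_status(blob))
```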

Upon execution, though, it’s clear that something is wrong here.


As soon as it executes, an installer for…RealPlayer?…fires up. That installer pulls down a 57KB file from the same firefox.io Web site. Something else downloads the current RealPlayer installer from Real’s legit server. If you cancel out of the installation process, as I did, the “Fakefox” installer launches another instance of the RealPlayer installer.

But it only does this twice, then quits trying.

Next, it gets an older installer (Firefox 7.0.1) from one of the Mozilla mirror sites.

During the installation, I saw some other odd traffic. Apparently, the RealPlayer installer pulls down some components from Symantec. There was chatter with both liveupdate and stats.norton.com after those files came down the pipe.

So, what are we really seeing here? A rogue Real affiliate? The truth is, it’s unclear why the installer is such a vigorous pusher of anything-but-Firefox.

There isn’t much advice I can give other than to pay attention to what’s in your address bar. That’s what my coworker did, and it kept him from downloading something that turned out to be relatively benign, but still undesirable.
