The add-on, called Advanced Power, secretly runs a botnet from active computers designed to scan the net for websites that might hold potential vulnerabilities ripe for an exploit or SQL injection. It acts as a secondary background process, passing the buck of responsibility off to the user and creating a facade that makes it look like they were behind the attack instead of the addon itself.
Mozilla has already taken the proactive step of disabling the add-on and removing it from their central servers, along with emailing affected users and warning them of the dangers their machine now presents to the net as a whole. All told, the browser suspects the program was able to weasel its way into somewhere close to 12,000 machines, and has actively been hunting anyone who might be running it without knowing the damage it causes while they aimlessly click around the web.
Former director of security assurance at Mozilla Michael Coates reminds The Register that unlike most forms of malware, this program was designed to target websites in particular, not the users who had unwittingly installed it themselves.
“Advanced Power is ultimately a technique for compromising websites. The plugins doesn’t necessarily harm the infected user; it uses them for the larger goal of finding websites that can be compromised and used to host malware.
Remember that you should always verify the source of any add-ons or extensions you download for your browser, and never assume that they are from a respected publisher unless you’ve checked the name twice.