Mozilla, the maker of the open source Firefox browser, is redoubling its efforts to check user created add-ons for viruses and Trojans after it discovered that a language pack on its official add-on page had been infected for months with rogue code, the organization reported Wednesday.

Starting in mid-Feburary, Vietnamese users of Mozilla's open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site.

The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.

The glitch isn't the first time that seemingly trusted software included rogue code, but such occurences are surprisingly rare given the amount of open-source and shareware programs that net users install based on blind trust. That's not even mentioning the huge selection of pirated software available on file sharing networks that could easily be infected with malware.

In response to the later discovery of the latent Trojan code by anti-virus software, Mozilla pulled the language pack and announced it would begin scanning all add-ons whenever they update their virus signatures, not just when add-ons are originally posted, according to a entry on the Mozilla security blog.

Mozilla had no exact statistics on the number of users who had installed the infected Vietnamese language add-on since it was uploaded on February 18, but said that 16,667 people had downloaded the add-on since November 2007.

On Tuesday, a user named Hai-Nam Nguyen reported that anti-virus programs detected the Xorer Trojan inside the add-on. Firefox admins quickly confirmed the presence of the Trojan's code and removed the file the same day.

Mozilla ran an anti-virus check on the most recent version in February when it was added to the official Firefox add-ons site, but the Trojan's virus signature was not known until April.

The add-on's author is not suspected of intentionally booby-trapping the file, but instead had his own system infected. That Trojan inserted a banner-ad displaying script into any html file on his system, which included the help files for the language pack.

That meant that anyone installing the language pack would have malicious ad displaying code inside their browser – which could be used for other exploits.

The Vietnamese language pack has been pulled until a clean replacement is uploaded. Existing users should uninstall the add-on in the meantime.

See Also: