Suspicious connections coming from Firefox (possible malware)
I was playing around with Wireshark when I noticed something very suspicious: every time I open Firefox (official build from Ubuntu repos), it immediately connects to a server with an apparently random name like d2ddoduugvun08.cloudfront.net and sends some encrypted data.
I couldn't find anything specific on this domain, but it pops up on some malware sites.
At first I thought it was some Firefox telemetry server but it is disabled and the server is not a Mozilla server.
I deleted my ~/.mozilla folder, in case my profile was the problem, but the connection was still there every time.
At this point I thought my installation of Firefox was compromised, so I purged it and redownloaded it from the repos. The connection was still there.
I moved to another machine with Windows, and it doesn't make this connection; when I booted into an Ubuntu live USB, it does.
I decided to build Firefox from source and it does not make this connection.
I tried to use mitmproxy to intercept it but it ignores my system proxy settings.
So my question is: is this a legit thing added by Canonical? Is the Firefox package on Ubuntu compromised by some malware?
Thanks
2 Answers
It appears to be Firefox heartbeat telemetry. It could be disabled in about:config settings (that particular one can probably be disabled with app.normandy.enabled=false in about:config).
If you do not like Firefox phoning home (and elsewhere), there are also a few other settings you may want to change
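To confirm what a profile actually has set for the pref named in this answer, the check below reads each profile's prefs.js and user.js and reports the effective override. It is an added example, not part of the original answer or Mozilla's code; it assumes profiles live under ~/.mozilla/firefox and only handles single-line user_pref entries, and the sample file contents are constructed.

```python
import re
from pathlib import Path

PREF = "app.normandy.enabled"  # the pref named in the answer above
# Firefox stores profile overrides as lines of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw_value}; later lines win, // comment lines never match."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def effective_value(prefs_js, user_js, name=PREF):
    """user.js is applied at startup on top of prefs.js, so it takes precedence."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(name)  # None: no override, the built-in default applies

def audit_profiles(root):
    """Map each profile directory under root to its effective value of PREF."""
    report = {}
    for prefs_file in sorted(Path(root).glob("*/prefs.js")):
        user_file = prefs_file.with_name("user.js")
        user_js = user_file.read_text(errors="replace") if user_file.exists() else ""
        report[prefs_file.parent.name] = effective_value(
            prefs_file.read_text(errors="replace"), user_js)
    return report

# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("app.normandy.enabled", true);
user_pref("browser.startup.page", 3);
'''
SAMPLE_USER_JS = '''// user_pref("app.normandy.enabled", true);
user_pref("app.normandy.enabled", false);
'''

if __name__ == "__main__":
    print("sample:", effective_value(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
    for profile, value in audit_profiles(Path.home() / ".mozilla/firefox").items():
        print(profile, value if value is not None else "not set (default applies)")
```

A value of None means the profile carries no override, so a fresh profile (such as the one created after deleting ~/.mozilla) falls back to whatever default the build ships with.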
It appears to be from Canonical, as a whois check of d2ddoduugvun08.cloudfront.net reveals the following:
Registrant Name: Legal Department
Registrant Organization: Amazon.com, Inc.
Registrant Street: PO BOX 81226
Registrant City: Seattle
Registrant State/Province: WA
Registrant Postal Code: 98108-1226
Registrant Country: US
Registrant Phone: +1.2062664064
Registrant Phone Ext:
Registrant Fax: +1.2062667010
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: Legal Department
Admin Organization: Amazon.com, Inc.
So it is not malware. This site is helpful