Suspicious connections coming from Firefox (possible malware)

I was playing around with Wireshark when I noticed something very suspicious: every time I open Firefox (official build from Ubuntu repos), it immediately connects to a server with an apparently random name like d2ddoduugvun08.cloudfront.net and sends some encrypted data.

I couldn't find anything specific on this domain, but it pops up on some malware sites.

At first I thought it was some Firefox telemetry server but it is disabled and the server is not a Mozilla server.

I deleted my ~/.mozilla folder, in case my profile was the problem, but the connection was still there every time.

At this point I thought my installation of Firefox was compromised, so I purged it and redownloaded it from the repos. The connection was still there.

I moved to another machine with Windows, and it doesn't make this connection; when I booted into an Ubuntu live USB, it does.

I decided to build Firefox from source and it does not make this connection.

I tried to use mitmproxy to intercept it but it ignores my system proxy settings.

So my question is: is this a legit thing added by Canonical? Is the Firefox package on Ubuntu compromised by some malware?

Thanks


It appears to be Firefox heartbeat telemetry. It could be disabled in about:config settings (that particular one can probably be disabled with app.normandy.enabled=false in about:config).

If you do not like Firefox phoning home (and elsewhere), there are also a few other settings you may want to change.
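
An added example, not part of the answer above and not Firefox code: a small Python check that reads a profile's prefs.js and user.js and reports the effective value of app.normandy.enabled, the pref named in the answer. The file contents are constructed samples, and treating an unset pref as enabled is an assumption.

```python
import re

# One pref line as Firefox writes it, e.g. user_pref("app.normandy.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample files (not taken from a real profile).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.cache.disk.capacity", 1048576);
'''
SAMPLE_USER_JS = '''// local overrides
user_pref("app.normandy.enabled", false);
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank line or anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')  # string pref, quotes removed
    return prefs

def effective_pref(prefs_js, user_js, name, default):
    """prefs.js holds only non-default values; user.js is applied on top at startup."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(name, default)

if __name__ == "__main__":
    # Assumption: the pref is on (True) when no file sets it.
    for label, user_js in (("without user.js", ""), ("with user.js", SAMPLE_USER_JS)):
        value = effective_pref(SAMPLE_PREFS_JS, user_js, "app.normandy.enabled", True)
        print(f"{label}: app.normandy.enabled = {value}")
```

To check a real profile, pass the text of its prefs.js and user.js (an empty string if user.js does not exist) to effective_pref.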


It appears to be from Canonical, as a whois check of d2ddoduugvun08.cloudfront.net reveals the following:

Registrant Name: Legal Department
Registrant Organization: Amazon.com, Inc.
Registrant Street: PO BOX 81226
Registrant City: Seattle
Registrant State/Province: WA
Registrant Postal Code: 98108-1226
Registrant Country: US
Registrant Phone: +1.2062664064
Registrant Phone Ext: 
Registrant Fax: +1.2062667010
Registrant Fax Ext: 
Registrant Email: [email protected]
Registry Admin ID: 
Admin Name: Legal Department
Admin Organization: Amazon.com, Inc.

So it is not malware. This site is helpful: https://www.whois.com/whois/