Investigative security journalist Brian Krebs has discovered that cybercrooks are using a FoxFire add on that is really a botnet to scan the web for hackable websites.

Running from infected machines, the botnet dubbed the Advanced Power botnet, scans the web looking for exploitable vulnerabilities. Krebs indicated that it may have already infected 12,500 systems.

Mozilla removed the fraudulent Microsoft .NET Framework Assistant add-on. It was added to Mozilla's block list on Monday.

The target of the attacks were web sites, not individual computers that were infected by the malware.

Michael Coates, a one-time director of security assurance at Mozilla, stated:

“Advanced Power is ultimately a technique for compromising websites. The plugins doesn't necessarily harm the infected user; it uses them for the larger goal of finding websites that can be compromised and used to host malware.

“Malicious actors will always turn to easy attack vectors such as malicious plugins to build networks of unsuspecting endpoints to carry out their ill will,” he added.