Posted on 12/04/2008 5:02:20 PM PST by Mygirlsmom
Trojan.PWS.ChromeInject.A, which registers itself in Firefox's system files as 'Greasemonkey,' collects passwords for banking sites
By Jeremy Kirk, IDG News Service
December 04, 2008
Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.
The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A" sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.
[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.
Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.
Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.
When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.
BitDefender has updated its products to detect it, and other vendors will likely follow suit quickly, Canja said. Users could avoid it by only downloading signed, verified software, but that's a measure that restricts the usability of a PC, he said.
The malware is not present in Mozilla's repository of add-ons, Canja said. Mozilla had taken steps to ensure that its official site hosting add-ons -- also called extensions -- are free from malware.
In May, Mozilla acknowledged that the Vietnamese language pack for Firefox contained a bit of unwanted code. Although widely reported as a virus, the language actually contained a line of HTML code that would cause users to view unwanted advertisements.
Mozilla now scans new add-ons for malware. However, those scans will only detect known threats, and there was no signature in the security software Mozilla was using at the time that could detect the code.
Mozilla said the code probably ended up in the language pack after the PC of its developer became infected. More than 16,000 people downloaded the language pack, but only about 1,000 people regularly use it.
After the incident, Mozilla said it would scan add-ons in its repository when antivirus signatures were updated.
thank you. this should have been in the article.
Read down further in the comments and there is a link to a bitdefender site that names the files and the folders to look in.
Don’t have greasemonkey either. The only extension I use is “NoScript” which allows for granular control of javascript & java apps rather than just a blanket allow for all JS on a website.
Ya’ll are lifesavers! What’s weird is that it’s not always Firefox windows that are popping up. Most of the time it’s Internet Explorer windows. I don’t even open IE when I’m on my laptop!
OK then so it worked for you? You might want to check in TOOLS again and look for where it says ALWAYS VIEW THIS PAGE IN IE - make sure there is no check mark there - that works in you’re on a website where you have it turned on ...
Block popup windows is already checked. Don’t find any monkey icons anywhere. :~(
If you have Grease Monkey it should be along the bottom of your screen along with several other icons ....
Thanks for the info. My problem with Firefox right now is that every time I close the browser and re-open it, it auto sets my home page back to Firefox and opens up an adblock plus window. I never had this problem with previous versions of FF, just the newest version I downloaded.
you can easily rearrange them by dragging and dropping them from/to where you want them on the dropdown bookmark menu.....
Won’t let me go to any website that would let me download anti-spyware, virus or malware protection. Can you download something like that to a flashdrive and run it from there onto your laptop???
So evidently there is a legitimate “greasemonkey” which I see in Mozilla’s addons repository, and then this malware, which masquerades as greasemonkey, or a script therein. I don’t have either.
How 'bout a bathroom monkey?..........
Thanks for the heads up, pandy. Glad to report that I don’t have the Greasemonkey file.
The only add-ons that I am running are:
Adblock Plus 1.0
Bulk image downloader
flashblock
tinyURL Creator
Many Thanks for the Heads Up! Everyone I know uses Firefox. I must pass the word.
OK what you have to do is click on the OPTIONS button - mine is located on the lower right side of the web page I’m on. Then you have to click on ALLOW - you have to either click TEMPORARILY ALLOW THIS PAGE or ALLOW (whatever website you are on) - then you can download what you need or view everything ....it’s sort of a “Do you really want to accept a cookie from this web site” ...
Since you seem knowledgeable about Firefox...
The old (some months ago) mozilla firefox browser would bring up my most recent-visited web addresses when I clicked on the arrow at the end of the address bar.
But now the same addresses appear every time -— they never change, even if I go to other web sites. How do I get it back to where it will bring up my most recent addresses?
I loved that feature, very convenient. Thanks for any help.
Cookiesafe is useful, as well.
I don’t have this anywhere. However, when I went to check, the first thing that came up was the AVG Search Shield. I have no pop-ups or any problems on what is essentially a new computer recently set up by my son who is an IT/network/security guy.
So, I recommend AVG, which I have used for years on two different computers.
sorry....mine is the same way.....I’ve gotten grief every time I’ve cleared the ff cache, losing my bookmarks and it goes to default everything....so I don’t mess with it much at all.....since I can’t help you, I’ll give you this instead, since you might need it if you’re going to fool araoud with it.....might come in handy if you keep it
Think You Lost Your Firefox Bookmarks?
http://www.firefoxfacts.com/2008/05/07/think-you-lost-your-firefox-bookmarks/
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.