Free Republic
General/Chat

Firefox users targeted by rare piece of malware
InfoWorld ^ | December 04, 2008 | Jeremy Kirk, IDG News Service

Posted on 12/04/2008 5:02:20 PM PST by Mygirlsmom

Trojan.PWS.ChromeInject.A, which registers itself in Firefox's system files as 'Greasemonkey,' collects passwords for banking sites

By Jeremy Kirk, IDG News Service

December 04, 2008

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A," sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.

Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

BitDefender has updated its products to detect it, and other vendors will likely follow suit quickly, Canja said. Users could avoid it by only downloading signed, verified software, but that's a measure that restricts the usability of a PC, he said.

The malware is not present in Mozilla's repository of add-ons, Canja said. Mozilla had taken steps to ensure that its official site hosting add-ons -- also called extensions -- are free from malware.

In May, Mozilla acknowledged that the Vietnamese language pack for Firefox contained a bit of unwanted code. Although widely reported as a virus, the language actually contained a line of HTML code that would cause users to view unwanted advertisements.

Mozilla now scans new add-ons for malware. However, those scans will only detect known threats, and there was no signature in the security software Mozilla was using at the time that could detect the code.

Mozilla said the code probably ended up in the language pack after the PC of its developer became infected. More than 16,000 people downloaded the language pack, but only about 1,000 people regularly use it.

After the incident, Mozilla said it would scan add-ons in its repository when antivirus signatures were updated.


TOPICS: Computers/Internet
KEYWORDS: exploits; firefox; malware; mozilla
I didn't see this posted anywhere. There are a lot of Firefox users on this board - me included. Thought you all would want to see this.

My first post--sorry if there are any errors....

1 posted on 12/04/2008 5:02:20 PM PST by Mygirlsmom

To: ShadowAce

ping


2 posted on 12/04/2008 5:05:13 PM PST by JoJo Gunn (Stupid people shouldn't breed.)

To: Mygirlsmom
In May, Mozilla acknowledged that the Vietnamese language pack for Firefox contained a bit of unwanted code.

A bit? LOL.

3 posted on 12/04/2008 5:05:19 PM PST by library user

To: Mygirlsmom

Thanks for the info. If it was posted before, I missed it. ;-)


4 posted on 12/04/2008 5:05:44 PM PST by doc1019

To: Mygirlsmom

I use FF and just disabled Grease Monkey ....


5 posted on 12/04/2008 5:06:15 PM PST by SkyDancer ("Talent Without Ambition Is Sad, Ambition Without Talent Is Worse")

To: SkyDancer

How does one go about doing that?


6 posted on 12/04/2008 5:06:45 PM PST by al baby (Hi mom IF DA BIRTH PLACE IS A LIE, BEING DA PRESIDENT AIN'T GONNA FLY!)

To: TigersEye

ping


7 posted on 12/04/2008 5:08:14 PM PST by pandoraou812 (Don't play leapfrog with a unicorn! ...........^............)

To: Mygirlsmom

Thank you very much for posting this!!! I just started having problems with my laptop a couple days ago. The word “greasemonkey” in your post absolutely jumped out at me because that is one of the popups that keep occurring. It’s shut down my system restore, won’t let me access MS sites, among other problems. Still trying to figure out how to fix it if it won’t let me download anti-spyware from MS. I’m afraid at this point I may have to reinstall the OS.


8 posted on 12/04/2008 5:12:59 PM PST by My hearts in London - Everett (Those who live by the sword get shot by those who don't.)

To: al baby

Just left click on the monkey icon and it will either be bright or go gray ... when gray it’s turned off. Never figured out what it’s for. A friend just loaded me up with all sorts of add-ons from FF ....


9 posted on 12/04/2008 5:13:17 PM PST by SkyDancer ("Talent Without Ambition Is Sad, Ambition Without Talent Is Worse")

To: SkyDancer

YES, how do you do that???? Thanks for your help to us Firefox users!! :~)


10 posted on 12/04/2008 5:13:53 PM PST by My hearts in London - Everett (Those who live by the sword get shot by those who don't.)

To: al baby

Tools > Add-ons > Greasemonkey > Disable button


11 posted on 12/04/2008 5:14:04 PM PST by library user

To: My hearts in London - Everett

Just left click on that monkey face and it will go gray, or right click and you get a little menu. Click on where it says “enable” and the little check mark will go away and the face will turn gray .... not sure what it’s used for ...


12 posted on 12/04/2008 5:15:39 PM PST by SkyDancer ("Talent Without Ambition Is Sad, Ambition Without Talent Is Worse")

To: SkyDancer

Thank you, I’ll try that. This is the first time I’ve ever had a problem like this. Very frustrating. I had downloaded McAfee from Comcast and Windows Defender and thought I was safe. So much for “thought”!


13 posted on 12/04/2008 5:18:39 PM PST by My hearts in London - Everett (Those who live by the sword get shot by those who don't.)

To: My hearts in London - Everett

Never knew there was a problem - my problem now is how to sort my bookmarks so they’re in alphabetical order. The previous version had a place on the drop down menu where you just clicked it and it sorted. Now that’s not available and I have a pile of unsorted bookmarks at the bottom of the list.


14 posted on 12/04/2008 5:20:52 PM PST by SkyDancer ("Talent Without Ambition Is Sad, Ambition Without Talent Is Worse")

To: library user

I don’t even have greasemonkey in there so I’m good I hope, thanks


15 posted on 12/04/2008 5:22:40 PM PST by al baby (Hi mom IF DA BIRTH PLACE IS A LIE, BEING DA PRESIDENT AIN'T GONNA FLY!)

To: SkyDancer

I’d just like to be able to be online without all kinds of popup windows every two seconds! Not to mention my computer going to a blue screen where it says stop error must shut down to protect computer!


16 posted on 12/04/2008 5:24:10 PM PST by My hearts in London - Everett (Those who live by the sword get shot by those who don't.)

To: tutstar

read later


17 posted on 12/04/2008 5:26:32 PM PST by tutstar (Baptist Ping list - freepmail me to get on or off.)

To: My hearts in London - Everett

In FireFox go to TOOLS, OPTIONS, CONTENT and click on BLOCK POPUP WINDOWS ....


18 posted on 12/04/2008 5:27:11 PM PST by SkyDancer ("Talent Without Ambition Is Sad, Ambition Without Talent Is Worse")

Slashdot is covering this, as well.

NoScript + AdBlock = Happiness.

19 posted on 12/04/2008 5:28:47 PM PST by CE2949BB (Fight.)

To: Mygirlsmom

wow.. amazing how they can prattle on about something without actually mentioning the offending file names or a way to identify whether or not your system has been compromised.

again, quality reporting by the press...


20 posted on 12/04/2008 5:29:14 PM PST by sten

To: library user
Firefox > Tools > Add-ons > Greasemonkey > Disable button

thank you. this should have been in the article.

21 posted on 12/04/2008 5:32:29 PM PST by sten

To: sten

Read down further in the comments and there is a link to a bitdefender site that names the files and the folders to look in.


22 posted on 12/04/2008 5:37:37 PM PST by Mygirlsmom (Hope is gone. Change is coming.)

To: al baby

Don’t have greasemonkey either. The only extension I use is “NoScript” which allows for granular control of javascript & java apps rather than just a blanket allow for all JS on a website.


23 posted on 12/04/2008 5:40:13 PM PST by AFreeBird

To: SkyDancer

Y’all are lifesavers! What’s weird is that it’s not always Firefox windows that are popping up. Most of the time it’s Internet Explorer windows. I don’t even open IE when I’m on my laptop!


24 posted on 12/04/2008 5:44:07 PM PST by My hearts in London - Everett (Those who live by the sword get shot by those who don't.)

To: My hearts in London - Everett

OK then so it worked for you? You might want to check in TOOLS again and look for where it says ALWAYS VIEW THIS PAGE IN IE - make sure there is no check mark there - that works if you’re on a website where you have it turned on ...


25 posted on 12/04/2008 5:47:26 PM PST by SkyDancer ("Talent Without Ambition Is Sad, Ambition Without Talent Is Worse")

To: SkyDancer

Block popup windows is already checked. Don’t find any monkey icons anywhere. :~(


26 posted on 12/04/2008 5:55:24 PM PST by My hearts in London - Everett (Those who live by the sword get shot by those who don't.)

To: My hearts in London - Everett

If you have Grease Monkey it should be along the bottom of your screen along with several other icons ....


27 posted on 12/04/2008 5:57:45 PM PST by SkyDancer ("Talent Without Ambition Is Sad, Ambition Without Talent Is Worse")

To: Mygirlsmom

Thanks for the info. My problem with Firefox right now is that every time I close the browser and re-open it, it auto sets my home page back to Firefox and opens up an adblock plus window. I never had this problem with previous versions of FF, just the newest version I downloaded.


28 posted on 12/04/2008 6:08:38 PM PST by Phoenix11

To: SkyDancer

you can easily rearrange them by dragging and dropping them from/to where you want them on the dropdown bookmark menu.....


29 posted on 12/04/2008 6:16:49 PM PST by Vn_survivor_67-68 (CALL CONGRESSCRITTERS TOLL-FREE @ 1-800-965-4701)

To: SkyDancer

Won’t let me go to any website that would let me download anti-spyware, virus or malware protection. Can you download something like that to a flashdrive and run it from there onto your laptop???


30 posted on 12/04/2008 6:28:06 PM PST by My hearts in London - Everett (Those who live by the sword get shot by those who don't.)

To: Mygirlsmom

So evidently there is a legitimate “greasemonkey” which I see in Mozilla’s addons repository, and then this malware, which masquerades as greasemonkey, or a script therein. I don’t have either.


31 posted on 12/04/2008 6:30:54 PM PST by steve86 (Acerbic by nature, not nurture™)

To: al baby
I don’t even have greasemonkey in there......

How 'bout a bathroom monkey?..........


32 posted on 12/04/2008 7:31:49 PM PST by hole_n_one

To: pandoraou812

Thanks for the heads up, pandy. Glad to report that I don’t have the Greasemonkey file.


33 posted on 12/04/2008 8:04:03 PM PST by TigersEye (This is the age of the death of reason.)

To: Mygirlsmom

The only add-ons that I am running are:
Adblock Plus 1.0
Bulk image downloader
flashblock
tinyURL Creator


34 posted on 12/04/2008 8:13:47 PM PST by Chewbacca (Buy gold and silver coins to profit from the coming dollar melt down!)

To: Mygirlsmom

Many Thanks for the Heads Up! Everyone I know uses Firefox. I must pass the word.


35 posted on 12/04/2008 8:29:16 PM PST by BehindEnemyLinesNY

To: My hearts in London - Everett

OK what you have to do is click on the OPTIONS button - mine is located on the lower right side of the web page I’m on. Then you have to click on ALLOW - you have to either click TEMPORARILY ALLOW THIS PAGE or ALLOW (whatever website you are on) - then you can download what you need or view everything ....it’s sort of a “Do you really want to accept a cookie from this web site” ...


36 posted on 12/04/2008 8:38:45 PM PST by SkyDancer ("Talent Without Ambition Is Sad, Ambition Without Talent Is Worse")

To: Vn_survivor_67-68

Since you seem knowledgeable about Firefox...

The old (some months ago) mozilla firefox browser would bring up my most recent-visited web addresses when I clicked on the arrow at the end of the address bar.

But now the same addresses appear every time -- they never change, even if I go to other web sites. How do I get it back to where it will bring up my most recent addresses?

I loved that feature, very convenient. Thanks for any help.


37 posted on 12/04/2008 9:50:07 PM PST by Cedar

To: Chewbacca

Cookiesafe is useful, as well.


38 posted on 12/04/2008 10:32:38 PM PST by PAR35

To: Mygirlsmom

I don’t have this anywhere. However, when I went to check, the first thing that came up was the AVG Search Shield. I have no pop-ups or any problems on what is essentially a new computer recently set up by my son who is an IT/network/security guy.

So, I recommend AVG, which I have used for years on two different computers.


39 posted on 12/05/2008 8:21:00 AM PST by reformedliberal

To: Cedar

sorry....mine is the same way.....I’ve gotten grief every time I’ve cleared the ff cache, losing my bookmarks and it goes to default everything....so I don’t mess with it much at all.....since I can’t help you, I’ll give you this instead, since you might need it if you’re going to fool around with it.....might come in handy if you keep it

Think You Lost Your Firefox Bookmarks?
http://www.firefoxfacts.com/2008/05/07/think-you-lost-your-firefox-bookmarks/


40 posted on 12/05/2008 11:11:38 AM PST by Vn_survivor_67-68 (CALL CONGRESSCRITTERS TOLL-FREE @ 1-800-965-4701)

To: Vn_survivor_67-68

Just now getting back to the computer...thanks for your reply and link.


41 posted on 12/07/2008 5:23:17 PM PST by Cedar

To: Mygirlsmom; rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

42 posted on 12/08/2008 5:21:43 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

The monkey stays - it’s made tech threads quiet and informative, and I’d rather have malware than birdbrain.


43 posted on 12/08/2008 5:33:53 AM PST by Salo

To: Salo
...it’s made tech threads quiet and informative, and I’d rather have malware than birdbrain.

I completely understand that sentiment, however, he hasn't posted in a few months. You may be OK to disable it. :)

44 posted on 12/08/2008 6:08:38 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: LibreOuMort

ping


45 posted on 12/08/2008 10:50:31 AM PST by sionnsar (Iran Azadi|5yst3m 0wn3d-it's N0t Y0ur5 (SONY)|http://trad-anglican.faithweb.com/|RCongressIn2Years)
