Posted on 07/26/2006 7:26:07 AM PDT by ShadowAce
An identity-stealing keylogger that disguises itself as a Firefox extension and installs silently in the background was discovered Tuesday by security vendor McAfee.
According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan horse monitors mouse movements and key presses to steal online banking or credit card usernames and passwords, other login information, and URLs typed into Firefox, the popular open-source browser. Another component of the Trojan sniffs out passwords from ICQ and FTP sessions, and IMAP and POP3 traffic, said McAfee. All collected information is sent to an IP address hard-coded into the Trojan.
The scam starts with spam posing as a message from the billing support department of mega-retailer Wal-Mart, said Craig Schmugar, the virus research manager at McAfee's Avert Labs. "There's an order number in the message, which matches the number of the attachment," said Schmugar. "When someone opens the attachment, the Trojan downloads and installs two components, a keylogger as well as a sniffer." As of Tuesday afternoon, FormSpy had gained little traction.
But it's the way that FormSpy gets onto a machine that's unique, Schmugar said. FormSpy masquerades as a Firefox extension, or browser add-on. It spoofs Numberedlinks 0.9, an extension that in its legitimate form lets users navigate links with the keypad. FormSpy uses some of the actual extension's code to put its hooks into Firefox.
Normally, Firefox extensions -- which in Windows have the .xpi file extension -- display a confirmation dialog that the user must acknowledge before the add-on installs. The bogus Numberedlinks, however, skips that.
"The Trojan writes files directly to the Firefox folders without putting up the confirmation," said Schmugar. Users who have been infected won't realize that the bogus extension has been added to Firefox unless they call on the Tools|Extensions command (in Firefox 2 Beta 1, Tools|Add-ons) and spot "Numberedlinks 0.9" in the list.
Firefox's extensions have been criticized for lax security, in particular that they're not digitally signed to vouchsafe their contents. Schmugar said FormSpy's disguise argues for revisiting the topic.
"The Trojan is using a mechanism to get its code executed when it hooks into Firefox [spoofing an extension]," he said, "and from a security model, that kind of functionality is all over the place." Still, "better extension security should be considered by Mozilla," he concluded.
Because of similar -- and long-standing -- threats posed by ActiveX controls, Microsoft has made several changes to Internet Explorer, including blocking of virtually all such add-ons by default in the upcoming IE 7, to protect users. ActiveX controls, unlike Firefox extensions, are also digitally signed.
"Over time, malware writers will find a way to leverage Firefox to their advantage," said Schmugar.
"Quite a number" of the original spammed messages were reported to McAfee, Schmugar said, but there had been "very little field submissions" of the FormSpy Trojan, so for the moment the threat remained low-level.
"In all likelihood, some of those who received the spam did run the attachment. But how many were using Firefox, we don't know."
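A defender's check for the silent-drop behaviour the article describes, added here as an example that is not from the article or from McAfee: it inventories a Firefox profile's extensions folder by parsing each install.rdf manifest and flags any add-on whose id is absent from a baseline recorded earlier on a known-clean machine. The extensions directory and the GUID ids are constructed placeholders; on a Windows XP profile of that era the real folder is %APPDATA%\Mozilla\Firefox\Profiles\<profile>\extensions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

EM_NS = "{http://www.mozilla.org/2004/em-rdf#}"  # install.rdf manifest namespace
# Constructed sample manifest in the Firefox 1.x/2.x install.rdf layout.
SAMPLE_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id><em:name>{name}</em:name><em:version>{version}</em:version>
  </Description>
</RDF>
"""

def read_manifest(ext_dir):
    """Return (id, name, version) from an extension folder's install.rdf, or None."""
    path = os.path.join(ext_dir, "install.rdf")
    if not os.path.isfile(path):
        return None
    root = ET.parse(path).getroot()
    def field(tag):
        el = root.find(".//" + EM_NS + tag)
        return (el.text or "").strip() if el is not None else ""
    return (field("id"), field("name"), field("version"))

def unexpected_extensions(extensions_root, baseline_ids):
    """Inventory every folder under the profile's extensions dir and return those
    whose manifest id was not in the baseline recorded on a known-clean machine."""
    flagged = {}
    for entry in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, entry)
        if not os.path.isdir(ext_dir):
            continue
        info = read_manifest(ext_dir)  # None means a folder with no manifest at all
        if info is None or info[0] not in baseline_ids:
            flagged[entry] = info
    return flagged

def build_sample_profile():
    """Constructed extensions dir: one baselined add-on plus one dropped in silently."""
    root = tempfile.mkdtemp()
    for ext_id, name, ver in [("{placeholder-good}", "Known Good", "1.0"),
                              ("{placeholder-bad}", "Numberedlinks", "0.9")]:
        os.makedirs(os.path.join(root, ext_id))  # folder name is the extension id
        with open(os.path.join(root, ext_id, "install.rdf"), "w") as fh:
            fh.write(SAMPLE_RDF.format(id=ext_id, name=name, version=ver))
    return root

def demo():
    return unexpected_extensions(build_sample_profile(), {"{placeholder-good}"})
```

Running the check from a scheduled task against a baseline file is what makes it useful, since the article's point is that nothing prompts the user when files are written straight into the Firefox folders.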
"When someone opens the attachment,..."
There's the real problem. I have zero sympathy for anyone who gets nailed, especially after all these years of being warned about attachments.
Another indication of Firefox's growth in market share.
Any system that achieves a significant market share will become a target.
Techie thanks-for-the-heads-up BUMP.
bttt
-b-
That's bizarre, if true.
That's like having the person wanting entrance ask for a password, and the security guard gives it out. If the person doesn't ask, the guard lets him thru anyway?
Identity theft is near-murder of a person, whose credit, identity, savings, etc. are all wiped out, and effectively is economically destroyed in some cases....the death penalty would be a good deterrent for these a#@holes....
The tricks used to get people to open attachments have become much more sophisticated lately - complete with HTML format e-mails which are essentially indistinguishable, except for the target URL, from an actual e-mail from eBay or PayPal or the like.
I used to have little sympathy, but I got taken down a peg after clicking through a link in an eBay phishing e-mail that happened to arrive just as I was finishing up an eBay transaction without checking the target host of the link.
I continually tell my students and co-workers, "don't click on anything in an email or on a website you don't know." They can't help themselves. They just keep clicking and they keep getting malware, spyware and virus.
I have reformatted one co-worker's computer 5 times now. I think I have convinced him to buy a cheap wally world linspire machine for his daughter to surf the web and do her IM.
I hardly understand this - just who is at risk?
OS X now has 12% of the laptop market, with a bullet, and some of the highest visibility in the industry. Fame and fortune await any hacker who can crack the Mac.
But it hasn't happened. My Mac is blessedly free of malware. Neener neener.
-ccm
It looks like anyone who uses Firefox as a browser, and who opens attachments in emails.
The bad thing about this is these extensions will install even if you're running as a Limited User. It's almost impossible to avoid getting gaffed.
I harp pretty constantly about not running in admin mode. This is something the FF developers will have to address immediately because there is no protecting yourself against this one.
Firefox users, mainly. What isn't clear from the article is whether this is limited by OS as well.
Considering the nature of the trojan (keylogger and sniffer), my guess is that only Windows users are vulnerable. So if you run Firefox on Windows, this can get you. Others are not at risk.
However, that doesn't mean the others should relax their guard. Always be alert for phishing e-mails and never click on attachments.
Of course, this only works if:
a. The user actually has a firewall that analyzes outgoing traffic (which, as I understand it, the Windows firewall in XP SP2 does NOT do) and,
b. The user can comprehend what the firewall is asking and doesn't just mindlessly click "OK" or "Accept."
Someday, somebody's going to kill some azzhole who has stolen his identity. If I'm on the jury, he walks.
And that works out to what percentage of total computer users, worldwide?
Doesn't matter. I'm safer. That's what matters to me. Whether you join a relatively safer platform is up to you and your needs/wants.
I'd gladly serve on that jury. We now have 2 votes, any more?
I'm thinking they should charge the guy with successful suicide. As he's obviously still alive, the charges should land flat on their face, and he should walk.
Safer than what? I take reasonable precautions and have no problems. At home I spend exactly nothing on security software -- AVG, ZoneAlarm, Windows Defender. At work I use paid versions.
I've been building computers and doing IT for 20 years and haven't had a problem.
If Windows has more inherent problems than OSX, then Apple is in trouble, because lots of Mac users will be running Windows under Bootcamp.
I really don't care to be involved in flame wars. I just observe that no OS can prevent a user from installing malware if the user authorizes it, and the trend in malware is to trick users into authorizing it.
Love Mac too, that Safari is a pretty darned good browser as well.
No A-V software installed, built-in very good firewall. Heck, I think I save money running a Mac.
I'm not criticizing you at all. I perfectly understand that Windows machines can be safe on the net, given the proper precautions. Not a problem.
If Windows has more inherent problems than OSX, then Apple is in trouble, because lots of Mac users will be running Windows under Bootcamp.
Yup, that's true. The key word in your sentence is inherent--that's where I have issues with Windows. It does take more work to make a Windows machine safe on the Net--hence your use of AVG, ZoneAlarm, and Windows Defender.
I really don't care to be involved in flame wars.
Same here. I think a person should use what best meets his/her needs and wants.
I just observe that no OS can prevent a user from installing malware if the user authorizes it,...
This is also true, but there are ways in which the OS can minimize the damage created by said malware. Windows prefers users to run in Admin mode. That is not the way to minimize damage.
ping
I know, m, as I get them all the time, too. Banks, credit card co's, paypal, telcos and scores more phonies, wanting me to update this, and confirm that. Flush 'em all! Netscape v8.1 has them tagged as 'junk' and that's where they go. You're right about the html-based graphics; they are getting more sophisticated from back 'in the day', when a simple text letter arrived.
Hope you recovered all right?
Yeah, I realized within moments, and immediately changed my eBay and PayPal passwords.
"...eBay and PayPal..."
Two places I avoid like the plague.
Thanks - I don't run FoxFire but do have Windows.
One more qualification - It only affects Microsoft Windows users. People who run Firefox on Mac OS X or Linux are not at risk with this exploit.
Since Macintosh users keep their machines much longer than the disposable landfill from Microsoft, it's somewhere around 10%. The top 10%. Neener neener.
-ccm
I think most people are now running Windows virtual machines under Parallels. If the feeble Microsoft crapware gets infected, you trash the VM file and restore another from backup.
I really don't care to be involved in flame wars. I just observe that no OS can prevent a user from installing malware if the user authorizes it, and the trend in malware is to trick users into authorizing it.
That is true, but there is still way too much Windows sludgeware that doesn't run except in administrator mode. OS X is light years ahead in this regard. I'm not aware of even a single piece of OS X malware that can get root without specifically asking for an administrator's password, which is totally unnecessary for an ordinary user to run any kind of application software.
--ccm
I have no problem with that.
Probably true. I do think digital signatures would be a very helpful and not overly intrusive step.
That's very true. I have several technical packages that won't run except in admin mode, which has always led me to make my personal account an admin account, with all the risks entailed. Now I'm trying making the account user mode, and using shortcuts with "Run As" to run those specific apps with admin privileges.
But for most of the packages in question, there is no reason they need admin privileges (with some exceptions). So it's sloppy programming on the part of the ISP's, which is a trap they fell in because of laxness on the part of Windows users ("everybody runs in admin mode, so what does it matter?"), with some encouragement from MS.
Thanks!
But, but, the jury's there to judge the facts, not the law! Jury nullification bad! < /judge mode >
You don't run Firefox on your Mac?
I have it, but use Safari.
The Mac (and Linux) versions of Firefox are not susceptible to the Trojan horse that affects the Windows version.
-ccm
Yeah, but you have to be careful what you trash, you might miss out on valuable opportunities. I, for example, am expecting very soon to receive several million for assisting the daughter of some deposed Nigerian mucky-muck to get her vast holdings out of the country.
did it say that in the article or just guessing?
Still, the blame rests with the idiots that open e-mail attachments. You'd think that after all these years now, and all the warnings and viruses and everything else that's been floating around the net, that people would know better.
Rubbish. The relevant statistic is internet browser traffic. Mac has about 3.6 percent.
My favorite piece of sludgeware is QuickBooksPro 2006, which normally runs in admin mode. Why did Intuit do that? Well, that way Intuit can download its obnoxious updates and advertising unfettered, that's why.
Anyway, Intuit has provided a way to relax permissions on certain directories and registry keys to allow Limited User to run it. See KB ID# a4edfd81 Message: "User Access Rights Problem: Windows XP and Windows 2000 users must have Power Users or Administrator group rights..."
That kb will get you started on the other programs, too. I've just gotten WordPerfect 2000 to run as LUA, instead of teaching folks the runas trick.
One thing to keep in mind. When you're in LUA, it's still downloading crap, just not installing it. When you go to shut down, the exit screen will ask "Install updates and shut down?" Most answer yes, the machine flips into admin and installs all the spyware and then you're whacked and all your work is for nought. And there are still people who don't know why MS is so despised.
But hey, it keeps me in clover.
Pride comes before the fall. Nothing remains immune forever. The Mac stands as a lightning rod for someone to attack and crack.
LOL. I know I'm missing out on several fortunes, but I've already made my several million and don't need any more.
It's not that bizarre. They've already owned your machine at that point, so they don't have to go through the normal Firefox extension installation procedure.
Uhhmmm. I hate to break this to you, but OS-X has already been cracked.
http://www.macvirus.org/
In addition, this kernel is built on FreeBSD which is an open source code and easily vulnerable to an OS programmer worth his salt.
You should also be aware that Macintosh is very liberal company that pumps money into politicos in the Demoncrat party. They push a heavily pro-gay/liberal agenda.
Mac is a good platform in some respects. However, I'll take a good locked down RedHat box over a mac anyday. Back in the early days Mac owned the CG(computer graphics) market. But Windows/Adobe combos leave Mac in 2nd place even there now. Every dollar you pump into Mac is another $ towards liberal causes.
In addition, Macs make a sys admin's life a living hell. Mac freaks are nothing but a pain in the ass, and like many liberals are more concerned about their "individuality" than any real concern for society or their neighbors.