Posted on 07/26/2006 7:26:07 AM PDT by ShadowAce
An identity-stealing keylogger that disguises itself as a Firefox extension and installs silently in the background was discovered Tuesday by security vendor McAfee.
According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan horse monitors mouse movements and key presses to steal online banking or credit card usernames and passwords, other login information, and URLs typed into Firefox, the popular open-source browser. Another component of the Trojan sniffs out passwords from ICQ and FTP sessions, and IMAP and POP3 traffic, said McAfee. All collected information is sent to an IP address hard-coded into the Trojan.
The scam starts with spam posing as a message from the billing support department of mega-retailer Wal-Mart, said Craig Schmugar, the virus research manager at McAfee's Avert Labs. "There's an order number in the message, which matches the number of the attachment," said Schmugar. "When someone opens the attachment, the Trojan downloads and installs two components, a keylogger as well as a sniffer." As of Tuesday afternoon, FormSpy had gained little traction.
But it's the way that FormSpy gets onto a machine that's unique, Schmugar said. FormSpy masquerades as a Firefox extension, or browser add-on. It spoofs Numberedlinks 0.9, an extension that in its legitimate form lets users navigate links with the keypad. FormSpy uses some of the actual extension's code to put its hooks into Firefox.
Normally, Firefox extensions -- which are packaged as .xpi files on every platform, not just Windows -- display a confirmation dialog that the user must acknowledge before the add-on installs. The bogus Numberedlinks, however, skips that.
"The Trojan writes files directly to the Firefox folders without putting up the confirmation," said Schmugar. Users who have been infected won't realize that the bogus extension has been added to Firefox unless they open the Tools|Extensions list (Tools|Add-ons in Firefox 2 Beta 1) and spot "Numberedlinks 0.9" there.
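Because the Trojan bypasses the install dialog by writing straight into the profile, the extension list in the Tools menu is not the only record of it: the files on disk are. The script below, an added example that is not code from the article or from McAfee, inventories a Firefox 1.5/2.0-era profile the way a responder would, walking `<profile>/extensions/<id>/install.rdf`, reading each manifest's id, name and version, and flagging anything outside an allowlist or whose directory name does not match its `em:id`. The sample profile, the extension ids and the allowlist are constructed for the example; the directory layout and the `install.rdf` manifest format are assumptions about that extension system, not facts the article states.

```python
"""Inventory Firefox extensions from a profile directory (added example).

Assumes the Firefox 1.5/2.0 layout <profile>/extensions/<id>/install.rdf, where
the manifest is RDF/XML and the install-manifest Description carries em:id,
em:name and em:version either as child elements or as attributes.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

# Constructed sample data: one known-good extension and one spoofed
# "Numberedlinks 0.9" whose directory name does not match its em:id.
# The ids are invented for this example and are not real extension ids.
SAMPLE_EXTENSIONS = {
    "allowed@example.invalid": ("allowed@example.invalid", "Known Good Extension", "1.0"),
    "{d0c0ffee-0000-4000-8000-000000000001}": (
        "numberedlinks-spoof@example.invalid", "Numberedlinks", "0.9"),
}
ALLOWLIST = {"allowed@example.invalid"}

MANIFEST_TEMPLATE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{ext_id}</em:id>
    <em:name>{name}</em:name>
    <em:version>{version}</em:version>
  </Description>
</RDF>
"""


def build_sample_profile():
    """Write the constructed sample manifests into a temporary profile dir."""
    root = tempfile.mkdtemp(prefix="ffprofile-")
    for dirname, (ext_id, name, version) in SAMPLE_EXTENSIONS.items():
        ext_dir = os.path.join(root, "extensions", dirname)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "install.rdf"), "w", encoding="utf-8") as fh:
            fh.write(MANIFEST_TEMPLATE.format(ext_id=ext_id, name=name, version=version))
    return root


def parse_install_manifest(path):
    """Return (id, name, version) from an install.rdf, or None if not found."""
    root = ET.parse(path).getroot()
    for desc in root.iter(RDF + "Description"):
        # 'about' is usually unprefixed; some manifests qualify it with RDF:.
        about = desc.get("about") or desc.get(RDF + "about")
        if about != "urn:mozilla:install-manifest":
            continue

        def prop(key):
            el = desc.find(EM + key)
            if el is not None and el.text:
                return el.text.strip()
            return desc.get(EM + key)  # attribute form, e.g. em:id="..."

        return prop("id"), prop("name"), prop("version")
    return None


def inventory_extensions(profile_dir):
    """List every extension directory in the profile with its manifest data."""
    ext_root = os.path.join(profile_dir, "extensions")
    found = []
    if not os.path.isdir(ext_root):
        return found
    for dirname in sorted(os.listdir(ext_root)):
        manifest = os.path.join(ext_root, dirname, "install.rdf")
        entry = {"dir": dirname, "id": None, "name": None, "version": None, "note": ""}
        parsed = parse_install_manifest(manifest) if os.path.isfile(manifest) else None
        if parsed is None:
            entry["note"] = "no install-manifest"
        else:
            entry["id"], entry["name"], entry["version"] = parsed
            if entry["id"] != dirname:  # Firefox keys the directory by em:id
                entry["note"] = "dir name != em:id"
        found.append(entry)
    return found


def flag_unexpected(inventory, allowlist):
    """Return entries that are not allowlisted or that look malformed."""
    return [e for e in inventory if e["id"] not in allowlist or e["note"]]


if __name__ == "__main__":
    profile = build_sample_profile()
    for e in flag_unexpected(inventory_extensions(profile), ALLOWLIST):
        print("UNEXPECTED: %s %s (id=%s, dir=%s) %s"
              % (e["name"], e["version"], e["id"], e["dir"], e["note"]))
```

Point the inventory function at a real profile directory (on Windows, under the user's Application Data\Mozilla\Firefox\Profiles folder) and seed the allowlist from a known-clean machine; an extension that appears on disk but that the user never clicked through a confirmation dialog for is exactly the signal the article describes.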
Firefox's extensions have been criticized for lax security, in particular because they are not digitally signed to vouch for their contents. Schmugar said FormSpy's disguise argues for revisiting the topic.
"The Trojan is using a mechanism to get its code executed when it hooks into Firefox [spoofing an extension]," he said, "and from a security model, that kind of functionality is all over the place." Still, "better extension security should be considered by Mozilla," he concluded.
Because of similar -- and long-standing -- threats posed by ActiveX controls, Microsoft has made several changes to Internet Explorer, including blocking of virtually all such add-ons by default in the upcoming IE 7, to protect users. ActiveX controls, unlike Firefox extensions, can also be digitally signed.
"Over time, malware writers will find a way to leverage Firefox to their advantage," said Schmugar.
"Quite a number" of the original spammed messages were reported to McAfee, Schmugar said, but there had been "very little field submissions" of the FormSpy Trojan, so for the moment the threat remained low-level.
"In all likelihood, some of those who received the spam did run the attachment. But how many were using Firefox, we don't know."
"When someone opens the attachment,..."
There's the real problem. I have zero sympathy for anyone who gets nailed, especially after all these years of being warned about attachments.
Another indication of Firefox's growth in market share.
Any system that achieves a significant market share will become a target.
Techie thanks-for-the-heads-up BUMP.
bttt
-b-
That's bizarre, if true.
That's like having the person wanting entrance ask for a password, and the security guard gives it out. If the person doesn't ask, the guard lets him through anyway?
Identity theft is near-murder of a person, whose credit, identity, savings, etc. are all wiped out, and effectively is economically destroyed in some cases....the death penalty would be a good deterrent for these a#@holes....
The tricks used to get people to open attachments have become much more sophisticated lately - complete with HTML format e-mails which are essentially indistinguishable, except for the target URL, from an actual e-mail from eBay or PayPal or the like.
I used to have little sympathy, but I got taken down a peg after clicking through a link in an eBay phishing e-mail that happened to arrive just as I was finishing up an eBay transaction without checking the target host of the link.
I continually tell my students and co-workers, "don't click on anything in an email or on a website you don't know." They can't help themselves. They just keep clicking and they keep getting malware, spyware and viruses.
I have reformatted one co-worker's computer 5 times now. I think I have convinced him to buy a cheap wally world linspire machine for his daughter to surf the web and do her IM.
I hardly understand this - just who is at risk?
OS X now has 12% of the laptop market, with a bullet, and some of the highest visibility in the industry. Fame and fortune await any hacker who can crack the Mac.
But it hasn't happened. My Mac is blessedly free of malware. Neener neener.
-ccm
It looks like anyone who uses Firefox as a browser, and who opens attachments in emails.
The bad thing about this is these extensions will install even if you're running as a Limited User. It's almost impossible to avoid getting gaffed.
I harp pretty constantly about not running in admin mode. This is something the FF developers will have to address immediately because there is no protecting yourself against this one.
Firefox users, mainly. What isn't clear from the article is whether this is limited by OS as well.
Considering the nature of the trojan (keylogger and sniffer), my guess is that only Windows users are vulnerable. So if you run Firefox on Windows, this can get you. Others are not at risk.
However, that doesn't mean the others should relax their guard. Always be alert for phishing e-mails and never click on attachments.
Of course, this only works if:
a. The user actually has a firewall that analyzes outgoing traffic (which, as I understand it, the Windows firewall in XP SP2 does NOT do) and,
b. The user can comprehend what the firewall is asking and doesn't just mindlessly click "OK" or "Accept."
Someday, somebody's going to kill some azzhole who has stolen his identity. If I'm on the jury, he walks.
And that works out to what percentage of total computer users, worldwide?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.