Free Republic
Spyware disguises itself as Firefox extension
Heise Security ^ | 7-27-2006 | Heise Security

Posted on 07/27/2006 4:43:02 PM PDT by zeugma

The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. It is currently being openly disseminated through spam emails that purport to come from Wal-Mart. If the recipient opens the mail attachment while running a Windows operating system, the Trojan then installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. McAfee has dubbed the Trojan "FormSpy," although the company is still currently categorizing its distribution as low.

The file attached to the email consists of an executable Windows program, the AXM downloader. Once launched, it fetches the extension from the Internet and records itself directly into the Firefox configuration data, avoiding the regular installation process. Firefox extensions are normally distributed as XPI files, which ask the user for confirmation after forcing a pause of several seconds.

In a blog entry, Geok Meng Ong from McAfee Avert Labs called on users to take extreme caution when installing unsigned Firefox extensions from untrustworthy sources. This well-intended warning was actually off the mark on several points. On the one hand, only very few websites are authorized to install extensions without seeking additional approval. Furthermore, there are at the moment virtually no signed extensions for Firefox or Mozilla. And finally, that mechanism would not have protected against this attack. This is because the user, in opening the file attachment and thereby allowing the foreign program to execute on his computer, automatically provides it with his own usage rights.

An effective protection against this attack is simply never to open file attachments that you have not requested. It is also important not to rely on seemingly trustworthy 'From:' address fields, since these are easy to forge. When in doubt, confirm the legitimacy of the email with the purported sender in another way, such as by telephone. Further tips for safe handling of email are provided at heisec Emailcheck.



TOPICS: News/Current Events
KEYWORDS: extensions; firefox; malware; spyware

As usual, this appears to be MS-Windows only. From the description above, it doesn't appear to affect Linux or OSX users.

It's actually spread via an email trojan, so the usual rules for MS-Windows users not to open unsolicited/unexpected attachments apply. There is no description given as to what email clients are vulnerable platforms from which this trojan can launch.

Absent specifics, I'd assume that MS-Outlook is the usual culprit, or they'd be screaming about vulnerabilities in the other clients.

The way the extension operates, it would be advisable to only download extensions from known good locations.

1 posted on 07/27/2006 4:43:03 PM PDT by zeugma
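
An added example, not part of the article or the thread: because the Trojan writes itself into the profile without the XPI confirmation prompt, one defensive check is to compare the profile's extension directories against a baseline recorded after the last install the user approved. It assumes the legacy layout `<profile>/extensions/<ID>/install.rdf` with `em:name` in element form; the IDs, manifests and function names are constructed for illustration.

```python
import hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # install.rdf namespace
RDF = '<RDF xmlns:em="http://www.mozilla.org/2004/em-rdf#"><em:name>%s</em:name></RDF>'

def display_name(ext_dir):
    """em:name from install.rdf (element form assumed); None if unreadable."""
    try:
        root = ET.parse(ext_dir / "install.rdf").getroot()
    except (OSError, ET.ParseError):
        return None
    return next((e.text for e in root.iter(EM + "name") if e.text), None)

def tree_hash(ext_dir):
    """SHA-256 over every relative path and file body in the extension."""
    h = hashlib.sha256()
    for p in sorted(q for q in ext_dir.rglob("*") if q.is_file()):
        h.update(p.relative_to(ext_dir).as_posix().encode() + b"\0" + p.read_bytes())
    return h.hexdigest()

def snapshot(profile):
    """Map extension directory name (its ID) -> display name and hash."""
    dirs = sorted(d for d in (Path(profile) / "extensions").iterdir() if d.is_dir())
    return {d.name: {"name": display_name(d), "hash": tree_hash(d)} for d in dirs}

def audit(baseline, current):
    """Flag anything the user did not approve, however familiar its name."""
    names = {v["name"] for v in baseline.values() if v["name"]}
    out = []
    for ext_id, info in current.items():
        if ext_id not in baseline:
            kind = "name-reuse" if info["name"] in names else "unapproved"
            out.append((kind, ext_id, info["name"]))
        elif info["hash"] != baseline[ext_id]["hash"]:
            out.append(("modified", ext_id, info["name"]))
    return out

def demo():
    """Constructed profile and manifests: approve one, then two more appear."""
    ext = Path(tempfile.mkdtemp()) / "extensions"
    def add(ext_id, name):
        (ext / ext_id).mkdir(parents=True)
        (ext / ext_id / "install.rdf").write_text(RDF % name)
    add("{constructed-id-1}", "numberedlinks")
    baseline = snapshot(ext.parent)
    add("{constructed-id-2}", "numberedlinks")  # familiar name, new ID
    add("{constructed-id-3}", "other")
    return audit(baseline, snapshot(ext.parent))
```

The baseline has to be stored somewhere the logged-in user's processes cannot rewrite, since a program running with the user's rights can alter anything the user can.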

To: ShadowAce

General tech ping please.


2 posted on 07/27/2006 4:44:40 PM PDT by zeugma (I reject your reality and substitute my own in its place.)

Comment #3 Removed by Moderator

To: zeugma

Lots of commentary over here:
http://www.freerepublic.com/focus/f-news/1672528/posts

Plus Firefox 1.5.0.5 was released yesterday.
Just go to Help -> Check for Updates to load it in.
I did it late yesterday and works fine.


4 posted on 07/27/2006 4:53:05 PM PDT by VOA

To: VOA
I searched first! I did! I Did!

I hate it when that happens. Shadowace beat me to the punch.

5 posted on 07/27/2006 5:08:11 PM PDT by zeugma (I reject your reality and substitute my own in its place.)

To: zeugma

Thanks for posting this. Not that there's a chance in a thousand I'd open an email from WalMart, but it's good to know what's up with Firefox. Spyware was ruining my life until I got Firefox.


6 posted on 07/27/2006 5:09:25 PM PDT by Graymatter ("Put only Americans on guard tonight." -- George Washington)

To: zeugma

Honest, I wasn't playing forum monitor.
It's just that when an initial thread has gotten a lot of posts I'm afraid that
new arrivals to the secondary thread will miss out on the posts to the first thread.
Thus missing a lot of good info./advice.

Whenever I start a thread, I try at least three keywords and also
try them with the title search (by date).
But occasionally I still get stung and put a duplicate, even with that due diligence.


7 posted on 07/27/2006 5:18:48 PM PDT by VOA

To: zeugma

I got an update when I opened FF. I believe it has been nipped. Folks who open non expected att's in e-mails deserve the pain.


8 posted on 07/27/2006 5:23:05 PM PDT by don-o (Proudly posting without reading the thread since 1998. (stolen from one cool dude))

To: don-o
I got an update when I opened FF. I believe it has been nipped. Folks who open non expected att's in e-mails deserve the pain.

I'm not really sure exactly what FF can do since this thing installs itself with the help of Windows, and bypasses FF's own security mechanisms. (This is why Linux and OSX users are not in any danger from this particular worm.)

9 posted on 07/27/2006 6:53:24 PM PDT by zeugma (I reject your reality and substitute my own in its place.)

To: VOA
Honest, I wasn't playing forum monitor.

I could tell by the manner in which you pointed out the other thread. I don't mind at all when people point out previous threads, if they do it nicely, (like you did), because the commentary on each thread is often worth the read.

In any case, this wasn't technically a duplicate, because they were from different sources. I'd probably have posted it into the body of the other thread if I'd seen it though. 

10 posted on 07/27/2006 6:55:57 PM PDT by zeugma (I reject your reality and substitute my own in its place.)
