Slashdot Mirror


Spyware for Firefox Coming This Year?

EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."

5 of 630 comments

  1. Malicious XPI's exist already by flyingace · · Score: 5, Interesting

    Spyware already exists for Firefox in XPI form. Please look out for malicious XPI's. More information on this can be found here: http://forums.mozillazine.org/viewtopic.php?t=64341

    1. Re:Malicious XPI's exist already by niittyniemi · · Score: 3, Interesting

      There sure is. I just posted to freebsd-chat:

      Date: Tue, 8 Feb 2005 18:15:32 +0000
      Subject: Spyware on FreeBSD!?
      Cc: FreeBSD chat

      Bad news, looks like my machine has been infected with some Spyware.

      I noticed that on surfing to: http://news.bbc.co.uk/ or anything under that domain, I was getting some outgoing activity and Firefox was after a URL (as shown by the status bar) somewhere under the domain:

      http://bbcnewscouk.112.2o7.net/

      A quick Google on 2o7.net confirmed my worst fears: spyware!

      and a 2o7.net cookie planted on my machine.

      I cached some pages in my proxy:

      http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D

      http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D

      Looks like some sort of perl script which returns a 2x2 gif, whilst harvesting your browsing habits (and screen & windowsize - by calling Javascript functions in Firefox?)

      I wonder if they use different sub-domains to collect stats on different sites. This particular variant seems to be only activated by a visit to BBC news.

      I had a grovel in the source of the BBC news homepage but found no reference to 2o7.net (For a minute I thought the BBC had turned evil on me!)

      I'm going to do a little bit more investigation on it - I tried removal by obliterating my Firefox profile but no joy. The only thing I saved was my bookmarks file, which looks sound.

      Spyware on a unix machine? Tell me it's not so! :(

      BTW:
      FreeBSD 4.11-PRERELEASE
      firefox-1.0.r1,1

      I know the latter has some vulnerabilities and I'll update it in due course (and the OS).

      I think I'm going to build Links/Lynx with SSL and use that for my banking from now on (if I can).

      Anybody aware of other reports of spyware infecting Unix machines?

      Anyway, I'm gutted. I feel like I've been violated and humiliated. In short, I feel like a Windows user does everyday!!

      The truth: I feel a bit pissed off but I urge people to take no action against 2o7.net like DOS or cracking their webserver and trashing it.....I'll do that myself ;)

      Further information: it uses Javascript and I'm guessing it came with an XPI I installed. I'll try and determine which one and post back to freebsd-chat. To disable: turn off Javascript & firewall off 207.net both outgoing and incoming.

      I'll also post back here when this story gets duped in a few days time ;)

      --
      The Machine stops.
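
The request quoted in the comment above can be taken apart to see what it sends and to whom. This is an added example, not part of the thread; the function names are hypothetical and the two-label suffix set is a constructed stand-in for the Public Suffix List.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request quoted in the comment above, with Slashdot's inserted spaces removed.
BEACON = ("http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/"
          "s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true"
          "&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3"
          "&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/"
          "&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543"
          "&p=Default+Plugin%3B&%5BAQE%5D")
PAGE = "http://news.bbc.co.uk/"  # page being viewed when the request fired

# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
DIMENSIONS = re.compile(r"\d{3,5}x\d{3,5}")  # values shaped like 1152x864

def site_of(host):
    """Reduce a hostname to its registrable domain (simplified)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def analyse(page_url, request_url):
    """Report whether a request is third-party and what it reveals."""
    page_host = urlsplit(page_url).hostname
    req = urlsplit(request_url)
    params = parse_qsl(req.query, keep_blank_values=True)
    return {
        "request_site": site_of(req.hostname),
        "third_party": site_of(req.hostname) != site_of(page_host),
        # parameters whose decoded value contains the visited host
        "leaks_page_url": sorted(k for k, v in params if page_host in v),
        "dimension_like": {k: v for k, v in params
                           if DIMENSIONS.fullmatch(v)},
        "all_params": dict(params),
    }

if __name__ == "__main__":
    for key, value in analyse(PAGE, BEACON).items():
        print(f"{key}: {value}")
```

Run over proxy log entries as (page, request) pairs, the same function separates third-party requests that embed the visited URL from ordinary asset fetches.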
  2. Spy vs Spy by Doc+Ruby · · Score: 3, Interesting

    How about a program that takes the cryptohash of the virgin final installed code, and checks against that hash periodically (every 5 minutes, every new website, every app launch)? When spyware strikes, it changes the app fingerprint, and this sentinel could keep a log of recent traffic for analysis, and offer to reinstall. Our desktop immune system should take advantage of our "known good" info to detect these cancers when they start, and track them to their source.

    --
    make install -not war

  3. Re:Open Source Disadvantage by bashbrotha · · Score: 3, Interesting

    Sure, there will probably be companies like that. That's the risk you take when you use open source software.

    At least I have a better chance of fewer exploits created because there are so many eyes on the code.
    I've heard that OpenBSD developers have found and fixed other security bugs while working to fix exploits, so I still don't see an inherent disadvantage to using Firefox vs. Explorer.

  4. Re:A Grand Day For Firefox by nine-times · · Score: 3, Interesting

    Maybe spyware authors are just hoping to make the appearance that they're focussing on Firefox in order to prevent switching. If I were a spyware author, and I knew that people switching to Firefox would make my job harder, and I knew the reason people are switching was the understanding that "using Firefox makes you less likely to get infected with spyware," I know what I'd do: try to make noise that I'm working on Firefox spyware.

    The hoped-for result would be that people would be discouraged from switching because they believed it didn't matter. They'd think I was going to get them one way or the other, so they might as well stick with what they're used to. The hoped-for result would be that people stay on IE and keep my job easier.

    I'm not saying that this is what's happening, but I wouldn't be surprised if it were to happen.