Spyware Disguises Itself as Firefox Extension
Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."
Note that this isn't a Firefox vulnerability.
The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.
But the malicious extension can only bypass the normal Firefox checks if your system is already infected with a friendly virus, which will only infect your system through Internet Explorer!
This MozillaZine article has lots more on the trojan horse, including instructions for spotting if you have it.
Personally I only download FF extensions from the official site. https://addons.mozilla.org/extensions.php?app=firefox
The article is not clear. If not, get it off the Moz site. If so, sux to be them.
Religion and politics, without the flame. godgab.org
Basically, what you're saying, is I must open an EXE from a non Walmart "Walmart" email, or I have to use IE?
Nothing to see here, move along..
= Grow a brain...
This is not a Firefox problem, it is a Windows problem. You need to open an email attachment, which installs the Trojan into Firefox. The email client must execute the Trojan with admin rights for this to work. Same old, same old...
Yes, but with Opera you wouldn't have this problem would you? (response from firefox user) No, because opera doesn't have extensions > widgets != extensions (response from IE user) what is opera? All rather bad, but there have been bad little extensions out there for a while haven't there?
Did someone say cake?
The mozillazine site says: "Within Firefox, the trojan pretends to be the legitimate numberedlinks extension."
Much clearer. and sux to be them.
Religion and politics, without the flame. godgab.org
In the next version of Firefox, the extension will be broken anyways. Mozilla breaks extensions every new release. :D
Which makes me invulnerable to snooping for credit card numbers as all my accounts are empty and my credit rating is ruined.
We claim Prior Art for The old "it's not a bug, it's a feature" ploy.
Please contact our legal department.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.
This does not exploit any vulnerability in Firefox.
If your OS is not secure, no app running on it can be secured.
Does it install simply by browsing, or does it need to open an .exe? Or do you install it like a normal extension?
If it's #1, it's bad
If it's #2, not so bad - a simple virus
If it's #3 - hey, who installs extensions from non-official sources?
True but it's still a back-door. Programs need to separate internal*, which it trusts, and external, which it shouldn't trust. Just because it's on YOUR machine doesn't mean it should be trusted.
*Internal:inside the program.
External:Data coming into the program.
And part of their entry: Numberedlinks was originally developed by Shawn Betts, who now works on conkeror, a keyboard-driven browser with built in numbered links functionality.
Mr. Betts,
If you're not responsible for the trojan, I suggest you start doing some damage control to make sure that your name isn't sullied.
Because, if you are going for work, and someone Googles your name, they will make the connection. And you will be labeled a hacker/cracker whether you like it or not; innocent or not.
And, until this is settled, I will consider anything you develop to be suspect.
I know NOTHING, I know NOTHING
People seem to be awfully dismissive of this, but it poses a real problem. Given the number of available vectors, even careful Firefox users can get struck by virus/spyware/other attacks (even OpenSSH has critical security vulnerabilities from time to time, and it is specifically designed for security). More sophisticated extension hacks aren't too far away. Given the level of extensibility offered via extensions, it sounds plausible that extensions may delist themselves from the extension manager (a la rootkit techniques). Even if the Moz team had the foresight to prevent such a hack, it is pretty trivial to simply infect an existing extension. Simply inject your hostile javascript code into the extension files to get loaded along with the host extension. Maybe modify existing javascript that is provided in a default installation, such as the search engine plugins. Plus, you get the added benefit of cross platform compatibility for your Firefox hacks.
This is the proverbial shot across the bow. Perhaps it's time for cryptographically signed extensions? It may not protect from someone explicitly installing a hostile extension, but it may prevent the self-installation of this kind of software from succeeding.
Firefox isn't doing anything to prevent it, so it's a Ff vulnerability.
At least, that's how it works for other software.
I've had it. That's it, I'm switching to Internet Explorer. You can play with your crappy browser but I'm done with it.
Ok, so you get the virus in an email... what if you don't have Firefox? Blasphemy, I know. More importantly, if you do have Firefox, are you necessarily going to be running Outlook to catch this bug in the first place?
GetOuttaMySpace - The Anti-Social Network
Somebody wake me up when there's an email virus that affects my Linux box.
It could have been worse, like spyware disguised as a Microsoft Internet Explorer extension. That's sort of like Nixon wearing a Nixon mask.
Where were you when the voynix came?
Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.
For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.
A little more careful reading and some common sense go a long way
Wow. You are fucking clueless.
Imagine you write an extension named "MyHelpfulExtension" to help people. It is good and not a problem. It is listed on MozDev.
Then, a bad person makes a virus called "MyHelpfulExtension". It installs itself secretly on many users machines.
Then, some jackass starts saying that you wrote a virus because it has the same name as your good extension.
How would that make you feel?
And here I came to watch all the firefox fanbois have to swallow their pride and admit their favorite browser had a problem. Oh well, better luck next time hax0rs! And just for the record, I'm using firefox right now and think it's far better than the alternative, it's just that I like watching people squirm.
Still, what does this say about IE, that people are now using it to infect firefox? Is IE getting that unpopular now?
-mrxak
Onions Will Kill You
Actually, you got the link wrong. Here is where the real patch exists. ;)
Firefox allows one of its directories to be home to malware and right out of the gate, the whining about how insecure IE is begins...
If firefox did security checks on the files that were supposedly part of extensions, this wouldn't be a problem...I write all my apps to verify activities of all files they could potentially use..why can't the guys at firefox do that...
I guess they aren't ever going to get around to fixing that nasty little bug that allows me to use javascript in a webpage to write to firefox's config files....
sigh..oh well....
but you zombies go right on ahead thinking firefox is invulnerable...makes my life more enjoyable...
My daughter (with a limited user account, no less) viewed a malicious advertising banner while logged into MySpace.com. I'm quite sure she clicked "yes" to running a WMF exploit.
She has a limited account. End of story, you say? Nope, read on . . .
My wife logged in a couple days later. A popup balloon warned her that the machine was infested and she should "click here to fix the problem". Well, she installed AntiVirusGolden v3.3 (from her not-so-limited user account). Who can blame her? I wouldn't have fallen for it (I already had CA's EZ-Antivirus installed and more or less trusted it), but it looked like a valid course of action to her, so the next thing I knew there were nearly a dozen payloads whanging around the rusty innards of my SO's computer - some acquired on the spot, others dropped there during the following week, I'm sure.
That machine now runs Linux (like the rest of my home network). I'd like to thank the wonderful malware authors at AntivirusGolden for giving me the leverage I needed to convince my SO to give up on Windows and use a somewhat more securable OS.
Oh, but I'll continue to use Firefox, now that I've closed that horrible WMF exploit that it has! You'd think the Firefox development team would know better than to trust end-users with the option to execute WMF's. Hmmph!
*(The above is intentionally sardonic; but the basic facts are true)*
just send the source code in a nice tarball .
that way it's open source and people can improve it .
Slipping shoelaces ?
...the public will have this sort of response if more and more things like this are reported the way they are. They will think numberedlinks is an extension that will come in through firefox.
Sig: I stole this sig.
You are talking about a situation where an executable has been run with your privileges. It can do anything it wants to, especially in Windows where most people run as Administrators. It can disguise itself as a firefox extension, sure. But it could also modify the firefox binary, or simply install a sniffer running as a service, or format your drive, or any number of nasty things.
The only place a signature would matter in this case is when the trojan executable was run. If you are executing attached executables from an e-mail, then no amount of signature verification is going to protect you. The reality is that no technical process can exist that will prevent this kind of attack so long as users can install their own software.
This sig has been temporarily disconnected or is no longer in service
Every time I install a "NEW!" Firefox extension made "JUST FOR ME!", I get a free iPod. ;)
Haha, suckers.
The Mozilla site has been down all day too.
Can I bum a sig?
The numberedlinks on mozdev is legitimate and "trojan"-free. As others have said, you have to open the attachment in an e-mail for the evil one to work.
AFAIK, as long as you get your attachments from the Get More Extensions link (which most people that I know do), then you should be safe.
My browser just got updated and I am wondering if this was a legitimate update released by Firefox?
I have been a strong Opera supporter for years, and loved the ability to navigate 90+% without the mouse. I started using Firefox in the last 6 months for its developer tools. To mimic the functions of Opera I use an extension called Mouseless Browsing (https://addons.mozilla.org/firefox/879/) which has been very nice.
Forget the debate on FF vs IE and WinXX vs *nix - otherwise known as the 'My dad is bigger than your dad!' department. The issue is that an exploit, however it arrived on the machine, is targeting Firefox. All those smug 'it can't happen to me because I use xxxx version of yyyy product/os' should see this as the beginning of an onslaught on all *nix and open source projects in general. Yes, I realise this exploit was specifically on Windows but you are missing the big picture. That being an open source project went from a minor player to a major competitor and so became a big target. You may feel safe in your (insert *nix here) OS but the end of that house of cards is in sight. 'But I know what is secure and what is not, and my system is hardened against such stuff!', I hear you cry. Well, if you realise that more and more people are running *nix based desktops and most of those new users have and need only basic 'Clue' on how to run their browser and wordprocessor then we are looking at an ever expanding problem. How long will it be before everyday users are downloading distros with Spyware built right into the kernel? 'But, I know how to check a distro is genuine!!!', I hear you cry again. And again I say what about your average user - do they know instinctively how to check hashes on everything they download? No they do not! Mark this date in your calendar - the end of OS smugness is in sight.
I love using only the keyboard, and I tried many FF extensions for this, including numbered links, and the one you mentioned.
I finally came to Hit a Hint, and loved it.
It's specially good cause it doesn't interfere with the page appearance, lets you access more clickable elements, and has configurable shortcuts.
A must!
Read my previous post again; this time, assume I'm sneering when I speak. It'll make more sense.
I told our marketing department that this is no news worth being broadcast because every idiot knows that when you run a program in Windows with admin permissions, it can rewrite anything and everything (provided this anything and everything isn't currently in use). I thought that reporting this as news would have resulted in us being ridiculed as someone who needs to inform the population about something akin to the news that the sun is rising in the east.
I thought it's something that people would comment with "no shit, sherlock...", at best. If they are gentle with us.
Boy was I wrong. Here I go and waste our chance to make it to /.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Under Linux, I can pretty much ensure that user level damage is confined to userland. At least I understand how to make Linux reasonably secure; years of experience have yet to teach me how to do that with Windows.
Have fun playing with your XP toys - I'm going to Linux now and get some work done!
i always run firefox in safe-mode. i know that extensions cannot be loaded, but the only important firefox extensions i used to use are now replaced by web proxies. for example, i used to use livehttpheaders, tamperdata, and modifyheaders. with burp, suru, webscarab, and xss-proxy, these extensions lack the significance they once had. for people that are heavy into extensions and themes, maybe you should first ask yourself why, and then weigh the benefits versus the drawbacks.
i also change a few settings in options->content and about:config to prevent javascript from doing anything but the basics. since i'm always bouncing back between windows xp, linux, freebsd, and mac os x - it's nice to be able to achieve such consistency and still know what my baseline for browser security posture is.
there is worse spyware out there these days anyways. see: http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
Firefox can be used to do harm. Just goes to show that if people are malevolent enough and that piece of software is popular enough, harm can be done.
Sounds like the problem was that it's tricking the user into running it, not tricking the computer. Hard to fix that sometimes.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You are a "poop vent".
I am from a place called "Garbage grocers' bags laugh".
Push my finger!.
-- shampoo
Just because it was installed directly instead of through XPI doesn't mean it's not an extension - it's just not an extension you want. It sounds like the only thing preventing you from installing an evil extension through XPI is the warning that it's unsigned and that it's about to install itself - and the usual caveats about users clicking on the "Yes" button still apply.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Make it so that only stuff installed via firefox itself will run? Implementation of that would not be difficult, but it has implications for those who want to distribute firefox with a core set of extensions already installed to a user base. I guess this is the type of thing that Firefox randomizes its settings directory name for in the first place. Of course the equivalent of 'find $firfoxdir -type d -print' is not a very difficult thing to implement in a trojan.
"A friend of mine has certifications as an MCSE and a CNE. When I tell him to run "ipconfig /all" and "route print" (on his WinXP machine), the look of consternation and confusion on his face is priceless."
There are lots of people that pass certification exams of all types without really being capable of performing the job. Lots of talentless certified pros out there on many technologies. Apparently your friend is one of them. How is this relevant? It certainly isn't "insightful". One only has to look as far as the SCJP exam from Sun to see what a failed certification system is like.
Except that this is actually an exploit in IE that affects firefox. But thanks for coming out.
Karma: Non-Heinous
What is this "lynx" you speak of? Have you got any screenshots you could link to?
"What in the name of Fats Waller is that?"
"A four-foot prune."
Funny thing... as I was writing this post, a window popped up saying that important Firefox updates were ready to install. Kinda made me hesitate :)
There, fixed it for you.
leave windows vulnerabilities to get attacked by someone so all those open source windows devs have to spend their time fighting off all our msft malware crap!
then they can't compete with us (msft) b/c we spend no time worrying about security (BWAAAAHAHAHAHAHAHA!).
BRILLIANT! no go pull my chair out of the wall, Wilford.
'Nuff said?
Haha, flamed again by FireFag. Burn it and go for Opera.
This was a Windows problem that's been covered on Slashdot no less. So, erm....enjoy your new support nightmare (children don't generally like playing PRBoom while all their friends are playing Half-Life VIII).
:)
More specifically, viruses are simply part of the ecosystem, if you're lucky at least one person in your household (or at least immediate circle) can manage pushing 'scan' and 99% of time you're good to go.
Of course going with a desktop with what, less than 1% penetration (I'm not talking servers) you're more likely to be taken to task by a missing or buggy driver, shiny new device or application support, but hey, it's your family.
Quack, quack.
Windows users need some education. .exe As the only thing that is required for an exe to work is a dumb thing.
Windows users need tools that will not allow straight click to exec from email.
Yes it's slower on Linux but it gives you time to think. Hmm email client will not open attachment has to save. Hmm Attachment is a strange script does not run due to no execute bit. Hmm I have to enable x flag why? Note you can enable noexec as a force override on user accounts partition. chmod +x will not work in that case. User would have to copy it into an exec allowed zone on system most likely as root then chmod +x it then run it. Your instructions were kind of useless. Now if it is a hardened system using a form of signing where all programs or scripts have to be signed to operate at root level your script is still stuffed. Because you never told the user to sign it.
Problem signing is sometime there sometimes not.
Lot of Linux Distro security is light to what it could be at moment. Reason signing of applications is network dependent and in some cases machine dependent. Very hard to beat. But it's up to the administrator to set it up. If malware becomes a threat linux distros will just move to the next level. Linux responds to attacks by getting harder to attack in a short amount of time.
Not click then click yes in a hurry and go oops I just infected my machine as windows can be.
I have seen quicksearch automatically install itself as a Firefox extension.
On Unix your extensions are stored in .firefox in your home directory.
Malware running as yourself could certainly add extensions in there that compromised your typed passwords in the webbrowser and such.
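The two concerns raised in this thread, an extension directory dropped straight into the profile without going through the installer, and hostile script injected into an extension the user already trusts, are both detectable from the defender's side by keeping a hash manifest of the profile's extensions folder and diffing it later. The script below is an added example, not code from the article, from MozillaZine or from Mozilla; it assumes a `<profile>/extensions/<extension-id>/...` layout (a simplification, since the real layout has varied between Firefox versions), and it builds a constructed profile in a temporary directory, so every extension name and file in it is a placeholder.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout for this example: <profile>/extensions/<extension-id>/<files>.
EXT_SUBDIR = "extensions"


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large XPI contents are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(profile_dir: Path) -> dict:
    """Map every file under the extensions folder (relative path) to its digest."""
    ext_root = profile_dir / EXT_SUBDIR
    manifest = {}
    for path in sorted(ext_root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(ext_root).as_posix()] = hash_file(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return {"added": added, "removed": removed, "modified": modified}


def write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> dict:
    """Constructed scenario: record a clean baseline, then show the two kinds
    of tampering discussed in the thread and what the diff reports."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        ext = profile / EXT_SUBDIR

        # Constructed, legitimate extension (placeholder id and contents).
        write(ext / "goodext@example.test" / "install.rdf", "<RDF/>\n")
        write(ext / "goodext@example.test" / "content" / "main.js", "// benign code\n")
        baseline = build_manifest(profile)

        # 1) A look-alike directory written directly into the profile,
        #    bypassing the normal install-and-confirm dialog.
        write(ext / "numberedlinks-lookalike@example.test" / "install.rdf", "<RDF/>\n")

        # 2) Script appended to an extension that was already trusted.
        write(ext / "goodext@example.test" / "content" / "main.js",
              "// benign code\n// appended by a constructed tamper step\n")

        return diff_manifests(baseline, build_manifest(profile))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written right after a known-good install and stored somewhere the browser's user account cannot modify; a manifest the same account can rewrite gives no protection against code running as that user, which is the point made elsewhere in this thread about trojans running with your privileges.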
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Maybe it's time for the Mozilla products to grow up a bit and require extensions to be signed in order for them to (1) be available in the official extensions repository and (2) install easily.
The warnings given before installing unsigned extensions are hardly more adequate than the old ActiveX warnings we all made fun of.
Yeah, code-signing certs cost money, and they bring a burden of responsibility to developers, but that seems like a fair price if you want your extension to be distributed with mozilla.com's blessing and install with two clicks and no really nasty warning.
I ditched Microsoft and went 100% Linux in my house several years ago. My wife and kids are as far from being tech savvy as one can get. Life has been SO easy for them and for me since that time. I don't get viruses, I don't get malware, I don't have to install anti-virus and anti-malware software that does nothing more than eat up CPU cycles. My kids have used OpenOffice.org to do all of their schoolwork and have been on the A honor roll every year. My son will be a junior in high school and my daughter will be starting her first year of college with a full scholarship. Maybe if I would have grown up with Linux I could have been smart like them. They certainly didn't get it from me. They are smart but they are not tech savvy and they don't really have an interest in computers which is excellent in my book. Hopefully they can actually do something useful with their life rather than the IT grind.
In my house the computers are just tools that work when they need them and they don't get in the way. It's almost like you don't even know they are there. You can concentrate on your real work rather than on whether the computer is going to work or whether your virus software is up to date or whether your credit card data is going to some 3rd party.
As I said, you look up the word "user" in the dictionary and you will find a picture of my wife and kids. With that said, they have never broken anything that has rendered the computer unusable or even their own account for that matter, unlike my having to constantly repair their Windows profiles and reinstall the OS back in the old days. I just chuckle when I see articles like these and I chuckle when I see people defend Microsoft for their severely flawed OS. No problem though, I like free entertainment.
In my household I have had around 8 Linux machines (a few servers, a few desktops, and a few laptops) for the last few years and have been running Linux in some form since the early 90s. I can not remember a single time on any one of those machine where I have had to reinstall the OS. Most have had one install and then an upgrade install every time a new release comes out. They automatically update themselves with any security updates nightly while I sleep. I guess my point is, computing in my house is not a chore. I am glad to see at least one more person take off the shackles. Good luck my friend!
-Void
http://voidmain.is-a-geek.net/
Does anyone know the IP to which it sends the information? THIS sounds like a job for Your Hosts File!
"It's time to take life by the cans." ~ Bender ("Bendin' in the Wind", ep. 3-13)
Right now the security model for Unix and Windows goes like this: either the user is the administrator and can change anything or he is not an administrator and can only access his own files. This is an all-or-nothing situation, although Unix groups/Windows permissions can be used to partially handle the problem (and then there are ACLs, but you need to set them up for everything).
Here is another proposal for O/S designers: ring protection. Just like an 80x86 CPU, each application runs within a ring. Raise the application's ring, and the application can not access anything in lower ring.
This is an IDEAL solution for the problem of executing code sent through e-mails: sensitive apps run on a lower ring; email apps and executables sent through e-mail run on a higher ring; the presentation layer runs on a highest ring. Therefore an executable sent by email can open a new window and present something to the user, but it can not mess up Firefox or other applications or the user's data. Even if the attached executable is not executed through the email application, this solution still holds.
Seriously.
To have a right to do a thing is not at all the same as to be right in doing it
Out of the box, XP doesn't let limited users burn CD's/DVD's - I never gave fixing this particular failing any thought, having convinced myself that my SO is pretty savvy regarding computers (well, savvy as users go anyway).
Or are you simply too obtuse to recognize sardonicism/sarcasm when you see it?
I don't blame her, I blame you. You're the techie. My mom runs XP as a limited user, and so does my wife, and so do I for day-to-day Windows tasks. No issues to report.
I'd blame Microsoft actually--for letting things get so out of control security-wise that it is more difficult to have "safe computing" with Windows than it is to have safe sex with a whore in Bangkok. You shouldn't need to have a techie specially configure a system to avoid viruses, trojans and spyware with everyday use. Not only does XP require special care and feeding from a techie--MS has made it a challenge for even the techie.
Locking down my parents' machine was fine--mum emails and plays games like scrabble and solitaire and types up letters and recipes in Word. Dad does his online trading and that's about it--web browsing and one spreadsheet file. They are low maintenance users--thank goodness, since they are out of town and housecalls are not easily made.
My GF is more of a challenge because she likes to do a lot more with her computer. When I locked her PC down like my parents she found the restrictions intolerable and told me to change it back. She is now a "power user" more-or-less and can install some stuff on her PC. It is a matter of education and she now knows that when in doubt to ignore it. For example, she never opens files sent through IM from ANYONE unless it is a file she specifically asked just prior. Same goes for emails. She knows about email headers and how banks and online shops do not ask for account numbers and passwords over email. It takes time to learn but it can be done. Less patient techie-types might just not bother and migrate to Linux or MacOS.
The most challenging of ALL users has to be the typical teenaged girl. You cannot blame the techie for this one. Putting a teenaged girl in front of WinXP is like throwing large quantities of gunpowder into a campfire. XP is alluring to teenaged girls--the default XP desktop even looks like it was specifically designed for the "OMG! Ponies!" crowd. It lures them in I tell you--and they have no fear at all. Malware designers cater to these tastes and create lures that fit right into the XP trap. They even use the ActiveX warning dialogue that pops up in IE--they populate it with messages to the effect that "you need to click OK to get your comet tail cursors and super smilies and to speed up the computer and use this rilly rilly cuuuuule website 'K?". From there all hope is lost.
When I locked down my sister's PC her teenaged stepdaughter got quite upset. She was mad that I "broke the computer" and took away her purple talking gorilla and her Kazaa Lite music thingy and her MSN smilies etc. etc. The Teenage Female does NOT like to be told that her favourite stuff is crap and has no place on the computer. It was quite a challenge to get her to accept restrictions and she just didn't want to learn how to safely live without them, but it was done--she has her own iPod and uses iTunes for her music now, has contented herself with the smilies and winks offered within MSN itself and so on. It also helped that she eventually saw how much more responsive the computer was without a tonne of useless ad-crap in it.
So don't blame the techie for Microsoft's crappy engineering. Not only does being a Microsoft techie for your friends and family require technical prowess it requires patience that not all people have. I understand completely why he dumped Windows.