Slashdot Mirror


Spyware Disguises Itself as Firefox Extension

Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."

14 of 247 comments

  1. Not a vulnerability. by Short+Circuit · · Score: 5, Informative

    Note that this isn't a Firefox vulnerability.

    The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

    1. Re:Not a vulnerability. by kfg · · Score: 5, Informative

      McAfee do not describe it as a Firefox exploit. They describe it as a VBS exploit originally written to target IE, i.e., a Windows exploit.

      KFG

    2. Re:Not a vulnerability. by DrXym · · Score: 2, Informative

      Well they should. In fact, I read just the other day that Debian will be signing packages at long last. It's not brain surgery to do either - Red Hat has been doing it for a very long time.

  2. MozillaZine Has More by Anonymous Coward · · Score: 5, Informative

    This MozillaZine article has lots more on the trojan horse, including instructions for spotting if you have it.

  3. Personally... by celardore · · Score: 4, Informative

    Personally I only download FF extensions from the official site.
    https://addons.mozilla.org/extensions.php?app=firefox

    1. Re:Personally... by Anonymous Coward · · Score: 2, Informative

      That's not what's going on. This trojan isn't installed as an extension, it comes as a regular old .exe in an email, which when you run it, then edits the Firefox configuration files to add itself into the extension list without going through the normal extension process.

  4. Emphasis on that. by khasim · · Score: 4, Informative

    This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

    This does not exploit any vulnerability in Firefox.

    If your OS is not secure, no app running on it can be secured.

    1. Re:Emphasis on that. by _Sprocket_ · · Score: 4, Informative

      That's the legitimate extension. This trojan is not it.

    2. RE: Emphasis on that. by KURAAKU+Deibiddo · · Score: 5, Informative

      Actually, if you read the article more closely (and similar articles that have appeared in no shortage of other places), the malware pretends to be the numberedlinks extension. Your post implies that the actual extension is malware, and this is untrue.

      Additionally, if you read the Slashdot blurb, it's explained pretty clearly there.

      Basically, if you click on e-mail attachments without knowing what they are, it's your own fault if your computer becomes infested with viruses and spyware.

    3. Re:Emphasis on that. by athakur999 · · Score: 2, Informative

      Extensions can be happily installed inside a user's profile directory. It doesn't require write permissions to the Firefox application's directory to install an extension.

      There is nothing about "vulnerability" that would stop the same thing happening on a Linux box. The only saving grace for Linux at this point in time is that your average Linux user is smart enough to not execute random executable files they receive from people they don't know in an email message.

      --
      "People that quote themselves in their signatures bother me" - athakur999

  5. Re:Is numberedlinks legit? by savala · · Score: 2, Informative
    The article is not clear. If not, get it off the Moz site. If so, sux to be them.

    It is: "presenting itself as a legitimate existing extension called numberedlinks".

    The McAfee characteristics page (2nd tab - stupid that that isn't directly linkable) also says:

    The original component installs the following files:
    * %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar

    FormSpy installs these additional files:
    * %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar (modified - FormSpy)
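
The McAfee listing quoted in the comment above puts the legitimate and the modified file at the same path, so the file name alone cannot tell them apart. As an added example (not part of the original comment or of McAfee's write-up), this Python code compares each installed numberedlinks.jar entry by entry against a copy you trust; the profile layout follows the quoted path, and the directory names and jar contents in `demo()` are constructed.

```python
import hashlib, io, tempfile, zipfile
from pathlib import Path

JAR_NAME = "numberedlinks.jar"  # file name from the McAfee listing quoted above

def member_hashes(jar_bytes):
    """Map each entry in a jar (zip archive) to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n: hashlib.sha256(jar.read(n)).hexdigest() for n in jar.namelist()}

def audit_profile(profile_dir, reference_jar_bytes):
    """Diff every <profile>/<id>/chrome/numberedlinks.jar against a trusted copy.
    Returns {relative jar path: sorted differences}; an empty list is a match."""
    ref, report, profile = member_hashes(reference_jar_bytes), {}, Path(profile_dir)
    for jar_path in sorted(profile.glob(f"*/chrome/{JAR_NAME}")):
        key = jar_path.relative_to(profile).as_posix()
        try:
            found = member_hashes(jar_path.read_bytes())
        except zipfile.BadZipFile:
            report[key] = ["not a valid jar"]
            continue
        diffs = [f"added: {n}" for n in found.keys() - ref.keys()]
        diffs += [f"removed: {n}" for n in ref.keys() - found.keys()]
        diffs += [f"changed: {n}" for n in found.keys() & ref.keys() if found[n] != ref[n]]
        report[key] = sorted(diffs)
    return report

def make_jar(files):
    """Build a jar in memory from {entry name: bytes}; used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed profile: one directory with a clean jar, one with an altered jar."""
    clean = {"content/overlay.js": b"// constructed", "content/contents.rdf": b"<RDF/>"}
    altered = {**clean, "content/overlay.js": b"// constructed, edited",
               "content/extra.js": b"// constructed extra file"}
    with tempfile.TemporaryDirectory() as tmp:
        for class_id, files in (("{constructed-id-1}", clean), ("{constructed-id-2}", altered)):
            chrome = Path(tmp, class_id, "chrome")
            chrome.mkdir(parents=True)
            (chrome / JAR_NAME).write_bytes(make_jar(files))
        return audit_profile(tmp, make_jar(clean))

if __name__ == "__main__":
    print(demo())
```

Per-entry hashes are used instead of one hash of the whole file because zip timestamps and compression settings can differ between two otherwise identical jars.
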
  6. Re:Why is mozdev.org still... by Anonymous Coward · · Score: 1, Informative

    I think you misunderstand. There is a legitimate extension called numberedlinks that you can install from mozdev and is not evil. This trojan extension masquerades as numberedlinks but only gets installed if you open the evil email attachment.

  7. Re:Why is mozdev.org still... by Anonymous Coward · · Score: 1, Informative

    If you had read this article, you'd see that in clear text it states:
    Within Firefox, the trojan pretends to be the legitimate numberedlinks extension.

    The extension itself is not the problem. The trojan creator just decided to have his extension pose as another in an attempt to be "inconspicuous".

  8. RTFA by sensei85 · · Score: 5, Informative

    Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.

    For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.

    A little more careful reading and some common sense go a long way.