Slashdot Mirror


Spyware Disguises Itself as Firefox Extension

Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."

8 of 247 comments

  1. Not a vulnerability. by Short Circuit · · Score: 5, Informative

    Note that this isn't a Firefox vulnerability.

    The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

    1. Re:Not a vulnerability. by kfg · · Score: 5, Informative

      McAfee do not describe it as a Firefox exploit. They describe it as a VBS exploit originally written to target IE, i.e., a Windows exploit.

      KFG

  2. MozillaZine Has More by Anonymous Coward · · Score: 5, Informative

    This MozillaZine article has lots more on the Trojan horse, including instructions for spotting if you have it.

  3. Personally... by celardore · · Score: 4, Informative

    Personally I only download FF extensions from the official site.
    https://addons.mozilla.org/extensions.php?app=firefox

  4. Emphasis on that. by khasim · · Score: 4, Informative

    This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

    This does not exploit any vulnerability in Firefox.

    If your OS is not secure, no app running on it can be secured.

    1. Re:Emphasis on that. by _Sprocket_ · · Score: 4, Informative

      That's the legitimate extension. This trojan is not it.

    2. RE: Emphasis on that. by KURAAKU Deibiddo · · Score: 5, Informative

      Actually, if you read the article more closely (and similar articles that have appeared in no shortage of other places), the malware pretends to be the numberedlinks extension. Your post implies that the actual extension is malware, and this is untrue.

      Additionally, if you read the Slashdot blurb, it's explained pretty clearly there.

      Basically, if you click on e-mail attachments without knowing what they are, it's your own fault if your computer becomes infested with viruses and spyware.

  5. RTFA by sensei85 · · Score: 5, Informative

    Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.

    For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.

    A little more careful reading and some common sense go a long way.