Slashdot Mirror
Spyware Disguises Itself as Firefox Extension
Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."
My feeling is that Firefox desperately needs to implement some kind of trust model. I can understand why that might not be RSA PKCS since the system is crap for small publishers. But something is needed. Even a trust model based on PGP signing would be of benefit.
I'm sure some would argue that no one looks at signatures anyway, which might be an exaggeration, but it does have some truth. It is certainly no excuse for offering no trust model at all, or for Firefox UI designers to not be able to produce some simple traffic light trust system with sensible defaults to simplify it for those who can't or won't look at the certs.
Note that this isn't a Firefox vulnerability. The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.
:)
While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.
Of course, this presupposes that Firefox hackers can manage to get their extensions signed, and if that's possible, then the malware authors could do the same. Unless...FF gets distributed with a mozilla.org CA cert, and extensions accepted and published on the mozilla site(s) get signed with that cert, then every "legitimate" extension from the mozilla sites will be verifiable at runtime. The user could opt out of that with an "allow execution [not installation] of unsigned extensions" preference setting, but the majority of users would be protected, so long as the malware doesn't also set that preference for the user.
(though even that last bit could be guarded against by creating a personal key to sign the config with, and every time you make a "security relevant configuration change" to the browser's settings, you have to re-sign the file.)
In that case... Who runs an exe they receive in an email? Unless I'm expecting it, and know the sender, I certainly won't.
Education must be the answer then. I learned not to open random executables from unknown sources many years ago. People apparently click them though. Teach a man to use the internet, and he'll be safe for a day. Teach a man to know the internet and he'll be safe for a lifetime.
Hate to break it to you but ALL software is potentially bad. You have to decide how much you trust it based on who wrote it, whether that's verifiable, your own inspection of the source, whatever. In the case of F/OSS you do at least have to option of inspecting the source. You have no such luxury with non-free software, in which case you simply have to decide how much you trust the publisher.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
... or until the trojan makes a trivial change in FireFox's binary.
Once you're pwned, you're pwned. If you give someone free reign on your box, he can do anything to any file writeable by you.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Once someone's system is compromised, they can replace or alter the FireFox binary which verifies the signatures, replace libnssckbi.so, libsoftokn3.so, whatever.
You can't win at that point. If you're storing your operating system and executables on writable media, it can never be trusted to that level. The hardware would have to cryptographically verify the boot loader on disk, which would verify the kernel, which would then be able to verify everything it executes--FireFox alone can't do it.
(Say, what was that hardware-based Trusted Computing stuff supposed to do? In addition to ramming DRM down everyone's PCI bus, wasn't there system verification too?)
What you don't seem to realize is that IE isn't embedded in 3rd party email clients like Thunderbird and Eudora, but the attachment will still hammer Firefix when you run it, just as it will in Outlook.
This is an user-executed email attachment with a trojan. It will happily be executed from Outlook Express, IE, Eudora and Thunderbird. McAfee mentions they've seen one version trying to exploit a three year old IE vulnerability. If you haven't patched that, well then you deserve to get nailed.
This does not exploit any vulnerability in Firefox
It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing someone is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.
If your OS is not secure, no app running on it can be secured.
If your OS is being operated by a user that executes attachments from "WalMart" that read "helo, teh attcachements for yuo pleasures" then your OS is not secure.
BTW, this progression is interesting. When FF came out just installing it would make the world safe, because it was invulnerable and impervious. Now I also have to switch operating systems? And when someone finds another exploit in SSH
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
You are talking about a situation where an executable has been run with your priveleges. It can do anything it wants to, especially in Windows where most people run as Administrators. It can disguise itself as a firefox extension, sure. But it could also modify the firefox binary, or simply install a sniffer running as a service, or format your drive, or any number of nasty things.
The only place a singature would matter in this case is when the trojan executable was run. If you are executing attached executables from an e-mail, then no amount of signature verification is going to protect you. The reality is that no technical process can exist that will prevent this kind of attack so long as users can install their own software.
This sig has been temporarily disconnected or is no longer in service
Forget the debate on FF vs IE and WinXX vs *nix - otherwise known as the 'My dad is bigger than your dad!' department. The issue is that an exploit, however it arrived on the machine, is targeting Firefox. All those smug 'it can't happen to me because I use xxxx version of yyyy product/os' should see this as the beginning of an onslaught on all *nix and open source projects in general. Yes, I realise this exploit was specifically on Windows but you are missing the big picture. That being an open source project went from a minor player to a major competitor and so became a big target. You may feel safe in your (insert *nix here) OS but the end of that house of cards is in sight. 'But I know what is secure and what is not, and my system is harded against such stuff!', I hear you cry. Well, if you realise that more and more people are running *nix based desktops and most of those new users have and need only basic 'Clue' on how to run their browser and wordprocessor then we are looking at an ever expanding problem. How long will it be before everyday users are downloading distros with Spyware built right into the kernel? 'But, I know how check a distro is genuine!!!', I hear you cry again. And again I say what about your average user - do they know instinctively how to check hashes on everything they download? No they do not! Mark this date in your calender - the end of OS smugness is in site.
No. It's not.
Any extension downloaded from addons.mozilla.org has been tested, is widely used, and subject to an enormous amount of user feedback.
Now, if you download an extension from kickme.to/malware, you get what you deserve.
Not as priceless as the look on my face on reading that and noting that that clueless muppet gets paid a lot more than I do. Maybe I should get off my arse and get one of them MCSE thingies.
Okay, and then the next trojan will simply add itself to the file that Firefox checks to see if the extension is new, and you're back to square one.
Firefox isn't the problem. The fact that the thing can write to the application's directory means the computer is already compromised.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Look, I got my MCSE in 1999, and I had to know how to use ipconfig and route as part of the course -- now, did that get covered in the test? I don't know. But it was part of the work we had to do in the TCP/IP module. It's depressing to me because I think MCSE used to mean something, but I also have encountered dolts who have a raft of acronyms after their email signature, and it's almost a sure-fire way of identifying useless chumps in the organization. I don't advertise my MCSE in my signature, and I instead refer to my 11 years' experience as my qualification for doing what I do: that, and the fact that almost everyone in the organization comes to me when they want something done right.