Spyware Disguises Itself as Firefox Extension
Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."
Note that this isn't a Firefox vulnerability.
The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.
This MozillaZine article has lots more on the trojan horse, including instructions for spotting if you have it.
Personally I only download FF extensions from the official site.
https://addons.mozilla.org/extensions.php?app=firefox
The article is not clear. If not, get it off the Moz site. If so, sux to be them.
Religion and politics, without the flame. godgab.org
Basically, what you're saying, is I must open an EXE from a non Walmart "Walmart" email, or I have to use IE?
Nothing to see here, move along..
= Grow a brain...
That's for marking your post that is pure FUD as FUD with the title.
The trojan is being distributed through spam emails. It has zero to do with Internet Explorer.
Someone please mod this troll to oblivion.
The mozillazine site says: "Within Firefox, the trojan pretends to be the legitimate numberedlinks extension."
Much clearer. and sux to be them.
In next version of Firefox, the extension will be broken anyways. Mozilla breaks extension every new release. :D
Which makes me invulnerable to snooping for credit card numbers as all my accounts are empty and my credit rating is ruined.
We claim Prior Art for The old "it's not a bug, it's a feature" ploy.
Please contact our legal department.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
This is an Outlook/IE "virus" who's payload is a keylogger and crap that hooks into Firefox.
This does not exploit any vulnerability in Firefox.
If your OS is not secure, no app running on it can be secured.
Does it install simply by browsing, or does it need to open an .exe? Or do you install it like a normal extension?
If it's #1, it's bad
If it's #2, not so bad - a simple virus
If it's #3 - hey, who installs extensions from non-official sources?
(response from Lynx user) *cough* ActiveX *cough* *snigger*
It disguises itself as numberedlinks. If that guy does get a bad rep it'll be because of lazy people like you who cannot be bothered to read an article on mozdev before starting a witch burning.
People seem to be awfully dismissive of this, but it poses a real problem. Given the number of available vectors, even careful Firefox users can get struck by virus/spyware/other attacks (even OpenSSH has critical security vulnerabilities from time to time, and it is specifically designed for security). More sophisticated extension hacks aren't too far away. Given the level of extensibility offered via extensions, it sounds plausible that extensions may delist themselves from the extension manager (a la rootkit techniques). Even if the Moz team had the foresight to prevent such a hack, it is pretty trivial to simply infect an existing extension. Simply inject your hostile javascript code into the extension files to get loaded along with the host extension. Maybe modify existing javascript that is provided in a default installation, such as the search engine plugins. Plus, you get the added benefit of cross platform compatibility for your Firefox hacks.
This is the proverbial shot across the bow. Perhaps it's time for cryptographically signed extensions? It may not protect from someone explicitly installing a hostile extension, but it may prevent the self-installation of this kind of software from succeeding.
Firefox isn't doing anything to prevent it, so it's a Ff vulnerability.
At least, that's how it works for other software.
I've had it. That's it, I'm switching to Internet Explorer. You can play with your crappy browser but I'm done with it.
Ok, so you get the virus in an email... what if you don't have Firefox? Blasphemy, I know. More importantly, if you do have Firefox, are you necessarily going to be running Outlook to catch this bug in the first place?
GetOuttaMySpace - The Anti-Social Network
I think you misunderstand. There is a legitimate extension called numberedlinks that you can install from mozdev and is not evil. This trojan extension masquerades as numberedlinks but only gets installed if you open the evil email attachment.
It could have been worse, like spyware disguised as a Microsoft Internet Explorer extension. That's sort of like Nixon wearing a Nixon mask.
Where were you when the voynix came?
Hate to break it to you but ALL software is potentially bad. You have to decide how much you trust it based on who wrote it, whether that's verifiable, your own inspection of the source, whatever. In the case of F/OSS you do at least have to option of inspecting the source. You have no such luxury with non-free software, in which case you simply have to decide how much you trust the publisher.
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
What you don't seem to realise is that IE is embedded in microsoft's email clients, and they therefore share most of the same issues.
If you had read this article, you'd see that in clear text it states:
Within Firefox, the trojan pretends to be the legitimate numberedlinks extension.
The extension itself is not the problem. The trojan creator just decided to have his extension pose as another in an attempt to be "inconspicuous".
From www.mozillazine.org
If anything, this sounds like a flaw in Microsoft products. If I wrote a Trojan that got in through IE or via an Outlook email attachment that goes and blows up Photoshop CS, would it be a Photoshop CS vuln. or a Microsoft vuln.?
The sad thing is that there are a lot of Joe Users out there that bought a computer with Win XP home on it (non-sp2) and they have no firewall and no automatic updates. So exactly how is Joe Users supposed to know about updates? I thought Microsoft Windows XP "Just Works"? It sounds like Microsoft Windows XP "Just Works" only if you are computer savvy, a corporate end user with sysadmins to keep systems updated or stay on a 1 year upgrade cycle. Mac and every major Linux distro has automatic updates on out of the box and have had it this way for a few years. I guess the only Windows XP users that have a somewhat safe and updated computer are those that recently purchased a new computer with SP2. Though those systems still put all users in the Administrator group by default so I don't know if even buying the "latest and greatest" from MS helps.
General, you are listening to a machine! Do the world a favor and don't act like one.
What you don't seem to realize is that IE isn't embedded in 3rd party email clients like Thunderbird and Eudora, but the attachment will still hammer Firefox when you run it, just as it will in Outlook.
Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.
For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.
A little more careful reading and some common sense go a long way
I can see the next MS vs Apple ad:
Mac: PCs were infected with over 1230985981723 viruses last year!
PC: Yeah, but they were all friendly.
And here I came to watch all the firefox fanbois have to swallow their pride and admit their favorite browser had a problem. Oh well, better luck next time hax0rs! And just for the record, I'm using firefox right now and think it's far better than the alternative, it's just that I like watching people squirm.
Still, what does this say about IE, that people are now using it to infect firefox? Is IE getting that unpopular now?
-mrxak
Onions Will Kill You
I don't want to sound like a parrot, however your point is spot-on. If this were a Firefox vuln. it would affect FF on Linux and Mac. However, it only affects Microsoft Windows users.
Sorry, your reasoning here is just wrong. There most certainly can be a vulnerability IN FF that only affects the Windows version.
you will be labeled a hacker/cracker whether you like it or not; innocent or not.
And, until this is settled, I will consider anything you develop to be suspect.
Then that makes you part of the problem, asshole. It's not the legitimate author's responsibility to police every malicious programmer and make sure that they are not using the same name as something that is legitimate. If he has the name of his extension legally registered, and the author of the malware gets identified, then the legitimate author can sue for infringement, but that's the only recourse he has. He just has to hope that malinformed assholes like yourself are the minority.
My daughter (with a limited user account, no less) viewed a malicious advertising banner while logged into MySpace.com. I'm quite sure she clicked "yes" to running a WMF exploit.
She has a limited account. End of story, you say? Nope, read on . . .
My wife logged in a couple days later. A popup balloon warned her that the machine was infested and she should "click here to fix the problem". Well, she installed AntiVirusGolden v3.3 (from her not-so-limited user account). Who can blame her? I wouldn't have fallen for it (I already had CA's EZ-Antivirus installed and more or less trusted it), but it looked like a valid course of action to her, so the next thing I knew there were nearly a dozen payloads whanging around the rusty innards of my SO's computer - some acquired on the spot, others dropped there during the following week, I'm sure.
That machine now runs Linux (like the rest of my home network). I'd like to thank the wonderful malware authors at AntivirusGolden for giving me the leverage I needed to convince my SO to give up on Windows and use a somewhat more securable OS.
Oh, but I'll continue to use Firefox, now that I've closed that horrible WMF exploit that it has! You'd think the Firefox development team would know better than to trust end-users with the option to execute WMF's. Hmmph!
*(The above is intentionally sardonic; but the basic facts are true)*
As with anything else, this requires you to be enough of a moron to run an attachment received in a spam message (which theoretically requires you to be enough of a moron to actually read your spam). It's much more of a PEBKAC problem than a vulnerability of any piece of software. I don't know about Eudora, but I've found Thunderbird's spam filtering to be excellent, something not even offered the last time I used a MS-made client, which hypothetically reduces the risk of you running the thing, though that's pushing it.
It's probably worth considering that most people smart enough to have switched to Firefox are also smart enough not to think "oooh, cool, free file, better see what it does!!!1".
How are sites slashdotted when nobody reads TFAs?
Really? Thunderbird does a pretty rotten job of sorting out spam on my machine. I think it's one of the worse filter's I've used.
just send the source code in a nice tarball .
that way it's open source and people can improve it .
Slipping shoelaces ?
(response from Safari user) *cough* Obtain an interactive shell through lynx *cough* Lynx NNTP vulnerability *cough* Lynx CRLF injection *cough*
The best way to accelerate a windows server is by 9.81 m/s2
...the public will have this sort of response if more and more things like this are reported the way they are. They will think numberedlinks is an extension that will come in through firefox.
Sig: I stole this sig.
You are talking about a situation where an executable has been run with your privileges. It can do anything it wants to, especially in Windows where most people run as Administrators. It can disguise itself as a firefox extension, sure. But it could also modify the firefox binary, or simply install a sniffer running as a service, or format your drive, or any number of nasty things.
The only place a signature would matter in this case is when the trojan executable was run. If you are executing attached executables from an e-mail, then no amount of signature verification is going to protect you. The reality is that no technical process can exist that will prevent this kind of attack so long as users can install their own software.
This sig has been temporarily disconnected or is no longer in service
The thing can only be installed on Firefox if you're using Outlook, a Microsoft product.
Please, for the good of Humanity, vote Obama.
Every time I install a "NEW!" Firefox extension made "JUST FOR ME!", I get a free iPod. ;)
Haha, suckers.
The Mozilla site has been down all day too.
Can I bum a sig?
The numberedlinks on mozdev is legitimate and "trojan"-free. As others have said, you have to open the attachment in an e-mail for the evil one to work.
AFAIK, as long as you get your attachments from the Get More Extensions link (which most people that I know do), then you should be safe.
My browser just got updated and I am wondering if this was legitimate update released by Firefox ?
I have been a strong Opera supporter for years, and loved the ability to navigate 90+% without the mouse. I started using Firefox in the last 6 months for its developer tools. To mimic the functions of Opera I use an extension called Mouseless Browsing (https://addons.mozilla.org/firefox/879/) which has been very nice.
Forget the debate on FF vs IE and WinXX vs *nix - otherwise known as the 'My dad is bigger than your dad!' department. The issue is that an exploit, however it arrived on the machine, is targeting Firefox. All those smug 'it can't happen to me because I use xxxx version of yyyy product/os' should see this as the beginning of an onslaught on all *nix and open source projects in general. Yes, I realise this exploit was specifically on Windows but you are missing the big picture. That being an open source project went from a minor player to a major competitor and so became a big target. You may feel safe in your (insert *nix here) OS but the end of that house of cards is in sight. 'But I know what is secure and what is not, and my system is hardened against such stuff!', I hear you cry. Well, if you realise that more and more people are running *nix based desktops and most of those new users have and need only basic 'Clue' on how to run their browser and wordprocessor then we are looking at an ever expanding problem. How long will it be before everyday users are downloading distros with Spyware built right into the kernel? 'But, I know how to check a distro is genuine!!!', I hear you cry again. And again I say what about your average user - do they know instinctively how to check hashes on everything they download? No they do not! Mark this date in your calendar - the end of OS smugness is in sight.
I love using only the keyboard, and I tried many FF extensions for this, including numbered links, and the one you mentioned.
I finally came to Hit a Hint, and loved it.
It's especially good because it doesn't interfere with the page appearance, lets you access more clickable elements, and has configurable shortcuts.
A must!
factor 966971: 966971
Read my previous post again; this time, assume I'm sneering when I speak. It'll make more sense.
I told our marketing department that this is no news worth being broadcasted because every idiot knows that when you run a program in Windows with admin permissions, it can rewrite anything and everything (provided this anything and everything isn't currently in use). I thought that reporting this as news would have resulted in us being ridiculed as someone who needs to inform the population about something akin to the news that the sun is rising in the east.
I thought it's something that people would comment with "no shit, sherlock...", at best. If they are gentle with us.
Boy was I wrong. Here I go and waste our chance to make it to /.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Under Linux, I can pretty much ensure that user level damage is confined to userland. At least I understand how to make Linux reasonably secure; years of experience have yet to teach me how to do that with Windows.
Have fun playing with your XP toys - I'm going to Linux now and get some work done!
PCs have more users.
Users are stupid.
As said above, it's going to be incredibly funny when Macs and Linux have a decent userbase and begin receiving little gifts that PCs have put up with for years. You may say that "expert" Mac/Linux users don't get viri, well, "expert" Windows users don't get viri either.
Besides, friendly viri beat unfriendly viri anyday.
"Hey viri, there is a bully at school, could you hax his internets for me?"
Huh. I never found it necessary. But back when I got spam, it was very rare that any got through to my inbox, and I got quite a lot back then. I've since jumped around to a couple email addresses and never managed to get on the lists. It was immediately more effective than OE was with some professional spam filtering plugin, and that wasn't free.
i always run firefox in safe-mode. i know that extensions cannot be loaded, but the only important firefox extensions i used to use are now replaced by web proxies. for example, i used to use livehttpheaders, tamperdata, and modifyheaders. with burp, suru, webscarab, and xss-proxy, these extensions lack the significance they once had. for people that are heavy into extensions and themes, maybe you should first ask yourself why, and then weigh the benefits versus the drawbacks.
i also change a few settings in options->content and about:config to prevent javascript from doing anything but the basics. since i'm always bouncing back between windows xp, linux, freebsd, and mac os x - it's nice to be able to achieve such consistency and still know what my baseline for browser security posture is.
there is worse spyware out there these days anyways. see: http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
Firefox can be used to do harm. Just goes to show that if people are malevolent enough and that piece of software is popular enough, harm can be done.
Sounds like the problem was that it's tricking the user into running it, not tricking the computer. Hard to fix that sometimes.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
This is a user problem. If people didn't click the link because the e-mail said it was really cool or that bill gates will give them free duckets for running this program and forwarding the e-mail to 10 people, the virii population would be a lot lower.
-- Yes, I work for the government, and yes I am watching you.
Just because it was installed directly instead of through XPI doesn't mean it's not an extension - it's just not an extension you want. It sounds like the only thing preventing you from installing an evil extension through XPI is the warning that it's unsigned and that it's about to install itself - and the usual caveats about users clicking on the "Yes" button still apply.
Make it so that only stuff installed via firefox itself will run? Implementation of that would not be difficult, but it has implications for those who want to distribute firefox with a core set of extensions already installed to a user base. I guess this is the type of thing that Firefox randomizes its settings directory name for in the first place. Of course the equivalent of 'find $firefoxdir -type d -print' is not a very difficult thing to implement in a trojan.
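The commenter's point is that a randomized profile directory name is no obstacle, so the defender-side check has to be on the contents of the profile rather than on its location. The script below is an added example, not code from this thread, from MozillaZine or from Mozilla: it keeps a SHA-256 baseline of a Firefox profile's extensions directory so that an extension written straight into the profile, bypassing the normal XPI install prompt, shows up as an added, changed or removed file. It assumes the extensions directory (for example ~/.mozilla/firefox/<profile>/extensions on Linux) is passed as the first argument, the baseline file as the second, and that sha256sum or shasum is on PATH; the usage paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Mozilla: keep a hash baseline of a
# Firefox profile's extensions directory so that an extension dropped straight
# into the profile (bypassing the XPI install prompt) shows up as a change.
# Assumptions: the extensions directory (e.g. ~/.mozilla/firefox/<profile>/extensions
# on Linux) is the first argument, the baseline file the second; sha256sum or
# shasum must be on PATH.
set -eu

# Hash one file with whichever SHA-256 tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Sorted "hash  ./relative/path" list of every file below the directory.
# Relative paths keep the baseline usable if the profile is moved.
ext_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          hash_file "$f"
      done )
}

# Record the baseline right after a known-good set of extensions is installed.
ext_baseline_save() {
    ext_manifest "$1" > "$2"
}

# Compare the live directory with the baseline. Returns 0 when identical,
# 1 when files were added, removed or modified; the differing manifest lines
# are printed ("<" is the baseline entry, ">" the current one).
ext_baseline_check() {
    cur=$(mktemp)
    ext_manifest "$1" > "$cur"
    if cmp -s "$2" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    echo "extensions directory differs from baseline $2:"
    diff "$2" "$cur" | grep '^[<>]' || true
    rm -f "$cur"
    return 1
}

# Usage (placeholder paths):
#   ext_baseline_save  ~/.mozilla/firefox/<profile>/extensions ~/ext-baseline.txt
#   ext_baseline_check ~/.mozilla/firefox/<profile>/extensions ~/ext-baseline.txt
```

Run the save step once after a clean install from the official site, keep the baseline file somewhere the browser profile cannot write to, and run the check from a cron job or login script; a nonzero exit is the signal to look at what changed. The check cannot tell a legitimate update from a malicious drop, so every difference needs a human decision, which is exactly the comparison an extension-manager listing does not give you when the manager itself can be bypassed.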
"A friend of mine has certifications as an MCSE and a CNE. When I tell him to run "ipconfig /all" and "route print" (on his WinXP machine), the look of consternation and confusion on his face is priceless."
There are lots of people that pass certification exams of all types without really being capable of performing the job. Lots of talentless certified pros out there on many technologies. Apparently your friend is one of them. How is this relevant? It certainly isn't "insightful". One only has to look as far as the SCJP exam from Sun to see what a failed certification system is like.
Except that this is actually an exploit in IE that affects firefox. But thanks for coming out.
Karma: Non-Heinous
Here, attach this to your emails and name it "Obillion\ flag\ for\ gentoo!!!11!!!!" to encourage people to run it.
#!/bin/sh
rm -rf $HOME
yes "I owned you!"
What is this "lynx" you speak of? Have you got any screenshots you could link to?
"What in the name of Fats Waller is that?"
"A four-foot prune."
Funny thing... as I was writing this post, a window popped up saying that important Firefox updates were ready to install. Kinda made me hesitate :)
'Nuff said?
Thanks for the lesson in Trusted Computing. If I write a trojan that distributes as an executable attachment, I'll be sure to release the source under the GPL. Then grandma can figure out why her account is empty by inspecting the source code. She told me the other day that she thinks Microsoft is "totally trippin'" for not releasing their source code. She also said she thinks the GPL is "the bomb".
Not sure how your advice would help her though. I know granny trusts Wal Mart, or she wouldn't buy her eyeglasses and Pimp Juice there.
This was a Windows problem that's been covered on Slashdot no less. So, erm....enjoy your new support nightmare (children don't generally like playing PRBoom while all their friends are playing Half-Life VIII).
:)
More specifically, viruses are simply part of the ecosystem; if you're lucky at least one person in your household (or at least immediate circle) can manage pushing 'scan' and 99% of the time you're good to go.
Of course going with a desktop with what, less than 1% penetration (I'm not talking servers) you're more likely to be taken to task by a missing or buggy driver, shiny new device or application support, but hey, it's your family.
Quack, quack.
Hear that whooshing sound? That's my point flying over your head.
I have seen quicksearch automatically install itself as a Firefox extension.
On Unix your extensions are stored in .firefox in your home directory.
Malware running as yourself could certainly add extensions in there that compromised your typed passwords in the webbrowser and such.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Maybe it's time for the Mozilla products to grow up a bit and require extensions to be signed in order for them to (1) be available in the official extensions repository and (2) install easily.
The warnings given before installing unsigned extensions are hardly more adequate than the old ActiveX warnings we all made fun of.
Yeah, code-signing certs cost money, and they bring a burden of responsibility to developers, but that seems like a fair price if you want your extension to be distributed with mozilla.com's blessing and install with two clicks and no really nasty warning.
VIRUSES!!!!!!! Damnit.
I'm not not licking toads.
Does anyone know the IP to which it sends the information? THIS sounds like a job for Your Hosts File!
"It's time to take life by the cans." ~ Bender ("Bendin' in the Wind", ep. 3-13)
This is why I wish there was a mod called "Uninformed"
Freedom is not worth having if it does not include the freedom to make mistakes. - Mahatma Gandhi
Right now the security model for Unix and Windows goes like this: either the user is the administrator and can change anything or he is not an administrator and can only access his own files. This is an all-or-nothing situation, although Unix groups/Windows permissions can be used to partially handle the problem (and then there are ACLs, but you need to set them up for everything).
Here is another proposal for O/S designers: ring protection. Just like an 80x86 CPU, each application runs within a ring. Raise the application's ring, and the application cannot access anything in a lower ring.
This is an IDEAL solution for the problem of executing code sent through e-mails: sensitive apps run on a lower ring; email apps and executables sent through e-mail run on a higher ring; the presentation layer runs on the highest ring. Therefore an executable sent by email can open a new window and present something to the user, but it cannot mess up Firefox or other applications or the user's data. Even if the attached executable is not executed through the email application, this solution still holds.
Seriously.
To have a right to do a thing is not at all the same as to be right in doing it
Out of the box, XP doesn't let limited users burn CDs/DVDs - I never gave fixing this particular failing any thought, having convinced myself that my SO is pretty savvy regarding computers (well, savvy as users go anyway).
Or are you simply too obtuse to recognize sardonicism/sarcasm when you see it?
I don't blame her, I blame you. You're the techie. My mom runs XP as a limited user, and so does my wife, and so do I for day-to-day Windows tasks. No issues to report.
I'd blame Microsoft actually--for letting things get so out of control security-wise that it is more difficult to have "safe computing" with Windows than it is to have safe sex with a whore in Bangkok. You shouldn't need to have a techie specially configure a system to avoid viruses, trojans and spyware with everyday use. Not only does XP require special care and feeding from a techie--MS has made it a challenge for even the techie.
Locking down my parents' machine was fine--mum emails and plays games like scrabble and solitaire and types up letters and recipes in Word. Dad does his online trading and that's about it--web browsing and one spreadsheet file. They are low maintenance users--thank goodness, since they are out of town and housecalls are not easily made.
My GF is more of a challenge because she likes to do a lot more with her computer. When I locked her PC down like my parents she found the restrictions intolerable and told me to change it back. She is now a "power user" more-or-less and can install some stuff on her PC. It is a matter of education and she now knows that when in doubt to ignore it. For example, she never opens files sent through IM from ANYONE unless it is a file she specifically asked just prior. Same goes for emails. She knows about email headers and how banks and online shops do not ask for account numbers and passwords over email. It takes time to learn but it can be done. Less patient techie-types might just not bother and migrate to Linux or MacOS.
The most challenging of ALL users has to be the typical teenaged girl. You cannot blame the techie for this one. Putting a teenaged girl in front of WinXP is like throwing large quantities of gunpowder into a campfire. XP is alluring to teenaged girls--the default XP desktop even looks like it was specifically designed for the "OMG! Ponies!" crowd. It lures them in I tell you--and they have no fear at all. Malware designers cater to these tastes and create lures that fit right into the XP trap. They even use the ActiveX warning dialogue that pops up in IE--they populate it with messages to the effect that "you need to click OK to get your comet tail cursors and super smilies and to speed up the computer and use this rilly rilly cuuuuule website 'K?". From there all hope is lost.
When I locked down my sister's PC her teenaged stepdaughter got quite upset. She was mad that I "broke the computer" and took away her purple talking gorilla and her Kazaa Lite music thingy and her MSN smilies etc. etc. The Teenage Female does NOT like to be told that her favourite stuff is crap and has no place on the computer. It was quite a challenge to get her to accept restrictions and she just didn't want to learn how to safely live without them, but it was done--she has her own iPod and uses iTunes for her music now, has contented herself with the smilies and winks offered within MSN itself and so on. It also helped that she eventually saw how much more responsive the computer was without a tonne of useless ad-crap in it.
So don't blame the techie for Microsoft's crappy engineering. Not only does being a Microsoft techie for your friends and family require technical prowess it requires patience that not all people have. I understand completely why he dumped Windows.
There are always ways to check what an executable program is doing. *nix, and to some extent windoze , have a bunch of tools that allow you to trace sockets and files used, even the code itself if your assembly is still good (damn!). And of course there's always the option of egress firewalling to stop malware from phoning home. I trust _paid for_ essential software, like firewalls and OSes. I trust it because: 1. It's used by thousands of more qualified people than me that can spot malware 2. It's paranoid not trusting the software, while its underlying hardware is not foolproof either 3. I feel secure knowing that the collective value of my actions on my PC is less than the cost to break its protections and use the data. So I sleep tight at night.
<before>now</before>
well i guess this means no soup for me.