Slashdot Mirror


Spyware Disguises Itself as Firefox Extension

Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."

30 of 247 comments

  1. Not a vulnerability. by Short+Circuit · · Score: 5, Informative

    Note that this isn't a Firefox vulnerability.

    The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

    1. Re:Not a vulnerability. by kfg · · Score: 5, Funny

      I refuse to use this trojan until it's ported to Linux.

      We have to send a message to developers that we want our apps native.

      KFG

    2. Re:Not a vulnerability. by dschuetz · · Score: 4, Insightful

      Note that this isn't a Firefox vulnerability. The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

      While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

      Of course, this presupposes that Firefox hackers can manage to get their extensions signed, and if that's possible, then the malware authors could do the same. Unless...FF gets distributed with a mozilla.org CA cert, and extensions accepted and published on the mozilla site(s) get signed with that cert, then every "legitimate" extension from the mozilla sites will be verifiable at runtime. The user could opt out of that with an "allow execution [not installation] of unsigned extensions" preference setting, but the majority of users would be protected, so long as the malware doesn't also set that preference for the user. :)

      (though even that last bit could be guarded against by creating a personal key to sign the config with, and every time you make a "security relevant configuration change" to the browser's settings, you have to re-sign the file.)

    3. Re:Not a vulnerability. by kfg · · Score: 5, Informative

      McAfee do not describe it as a Firefox exploit. They describe it as a VBS exploit originally written to target IE, i.e., a Windows exploit.

      KFG

    4. Re:Not a vulnerability. by KiloByte · · Score: 4, Insightful

      ... or until the trojan makes a trivial change in FireFox's binary.

      Once you're pwned, you're pwned. If you give someone free rein on your box, he can do anything to any file writeable by you.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

    5. Re:Not a vulnerability. by greed · · Score: 5, Insightful

      While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

      Once someone's system is compromised, they can replace or alter the FireFox binary which verifies the signatures, replace libnssckbi.so, libsoftokn3.so, whatever.

      You can't win at that point. If you're storing your operating system and executables on writable media, it can never be trusted to that level. The hardware would have to cryptographically verify the boot loader on disk, which would verify the kernel, which would then be able to verify everything it executes--FireFox alone can't do it.

      (Say, what was that hardware-based Trusted Computing stuff supposed to do? In addition to ramming DRM down everyone's PCI bus, wasn't there system verification too?)

    6. Re:Not a vulnerability. by 140Mandak262Jamuna · · Score: 5, Funny

      Come on, you don't even have to be a script kiddie to write malware for Linux.

      This is how it works:

      First create an executable that will do bad things. It could even be a csh script. Then send emails to all and sundry like this and attach that file:

      Dear Linux user,

      This is a virus/trojan/worm/malware for Linux. It works on the honor system. Please forward the attachment to all addresses in your .mailrc first and then save it to disk, chmod +x and sudo it. Thank you.

      Attachment: malware

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

    7. Re:Not a vulnerability. by zo1dberg · · Score: 5, Funny

      This is the one thing that keeps people from running Linux on their desktops! We normal users don't want to fiddle around with the command line and stuff like that, we need a point-and-click interface to compromise the security of our computers! Trust me, until this is fixed, Linux has no hope of ever becoming a serious competitor to Windows.

    8. Re:Not a vulnerability. by Not+The+Real+Me · · Score: 5, Funny

      Good point.

      A friend of mine has certifications as an MCSE and a CNE. When I tell him to run "ipconfig /all" and "route print" (on his WinXP machine), the look of consternation and confusion on his face is priceless.

    9. Re:Not a vulnerability. by PsychoSid · · Score: 5, Funny

      csh ! What century have I entered this time.

    10. Re:Not a vulnerability. by RedOregon · · Score: 4, Funny

      Actually, I'd call it a "man in the backdoor" attack, considering what it does to you...

      --
      Skivvy Niner? Email me!
      HEY! Look left just ONE MORE TIME!

    11. Re:Not a vulnerability. by soft_guy · · Score: 4, Funny

      A friend of mine has certifications as an MCSE and a CNE

      With friends like that, who needs users?

      --
      Avoid Missing Ball for High Score

    12. Re:Not a vulnerability. by cyber-vandal · · Score: 4, Insightful

      Not as priceless as the look on my face on reading that and noting that that clueless muppet gets paid a lot more than I do. Maybe I should get off my arse and get one of them MCSE thingies.

    13. Re:Not a vulnerability. by drinkypoo · · Score: 4, Funny

      It's depressing to me because I think MCSE used to mean something

      It still does: Moron Confused by Sun Equipment.

      Still better than Netware, which has two certifications which stand for Certainly No Experience and Can't Network Anything.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  2. MozillaZine Has More by Anonymous Coward · · Score: 5, Informative

    This MozillaZine article has lots more on the trojan horse, including instructions for spotting if you have it.

  3. Personally... by celardore · · Score: 4, Informative

    Personally I only download FF extensions from the official site.
    https://addons.mozilla.org/extensions.php?app=firefox

    1. Re:Personally... by SydShamino · · Score: 4, Funny

      Teach a man to send an "internet," and he can be a senator!

      http://www.youtube.com/watch?v=DClkE64nFDY
      Fast forward to about 2:00.

      --
      It doesn't hurt to be nice.

  4. Break extension by Anonymous Coward · · Score: 5, Funny

    In next version of Firefox, the extension will be broken anyways. Mozilla breaks extension every new release. :D

  5. Thankfully, I'm running IE by Anonymous Coward · · Score: 5, Funny

    Which makes me invulnerable to snooping for credit card numbers as all my accounts are empty and my credit rating is ruined.

  6. Emphasis on that. by khasim · · Score: 4, Informative

    This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

    This does not exploit any vulnerability in Firefox.

    If your OS is not secure, no app running on it can be secured.

    1. Re:Emphasis on that. by _Sprocket_ · · Score: 4, Informative

      That's the legitimate extension. This trojan is not it.

    2. RE: Emphasis on that. by KURAAKU+Deibiddo · · Score: 5, Informative

      Actually, if you read the article more closely (and similar articles that have appeared in no shortage of other places), the malware pretends to be the numberedlinks extension. Your post implies that the actual extension is malware, and this is untrue.

      Additionally, if you read the Slashdot blurb, it's explained pretty clearly there.

      Basically, if you click on e-mail attachments without knowing what they are, it's your own fault if your computer becomes infested with viruses and spyware.

    3. Re:Emphasis on that. by dedazo · · Score: 5, Insightful

      This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

      This is a user-executed email attachment with a trojan. It will happily be executed from Outlook Express, IE, Eudora and Thunderbird. McAfee mentions they've seen one version trying to exploit a three year old IE vulnerability. If you haven't patched that, well then you deserve to get nailed.

      This does not exploit any vulnerability in Firefox

      It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing something is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

      If your OS is not secure, no app running on it can be secured.

      If your OS is being operated by a user that executes attachments from "WalMart" that read "helo, teh attcachements for yuo pleasures" then your OS is not secure.

      BTW, this progression is interesting. When FF came out just installing it would make the world safe, because it was invulnerable and impervious. Now I also have to switch operating systems? And when someone finds another exploit in SSH

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo

    4. Re: Emphasis on that. by PhoenixPath · · Score: 5, Insightful

      No. It's not.

      Any extension downloaded from addons.mozilla.org has been tested, is widely used, and subject to an enormous amount of user feedback.

      Now, if you download an extension from kickme.to/malware, you get what you deserve.

    5. Re:Emphasis on that. by mrchaotica · · Score: 5, Insightful
      It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing something is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

      Okay, and then the next trojan will simply add itself to the file that Firefox checks to see if the extension is new, and you're back to square one.

      Firefox isn't the problem. The fact that the thing can write to the application's directory means the computer is already compromised.

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
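
Worked example, added here and not taken from the thread, from McAfee, or from Mozilla's code: a small Python integrity check along the lines dschuetz and dedazo sketch (a signed baseline of the extensions directory, re-signed whenever the user makes a legitimate change), keyed so that, as mrchaotica points out, a dropper cannot simply append itself to the list the browser would consult. The profile layout, the extension directory names and the key handling are constructed stand-ins; a real deployment would derive the key from a passphrase the user types rather than leave it on disk, and greed's objection still stands: if the attacker owns the account that holds the key, no check run on that machine survives.

```python
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative POSIX path: sha256 hex} for every regular file under root."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def _canonical(digests):
    # Stable serialisation so the MAC covers exactly the same bytes on every run.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(digests, key):
    """Bind the file list to a key only the user supplies; the manifest itself can live beside the profile."""
    return {"files": digests, "mac": hmac.new(key, _canonical(digests), "sha256").hexdigest()}


def verify_manifest(manifest, key):
    """True only if the manifest was produced with this key and not edited since."""
    expected = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    return hmac.compare_digest(manifest["mac"], expected)


def audit(root, manifest, key):
    """Compare the live extensions tree with the signed baseline and report the differences."""
    if not verify_manifest(manifest, key):
        # A manifest edited without the key is itself the alarm (mrchaotica's scenario).
        return {"manifest_ok": False, "added": [], "modified": [], "removed": []}
    now, old = hash_tree(root), manifest["files"]
    return {
        "manifest_ok": True,
        "added": sorted(set(now) - set(old)),
        "removed": sorted(set(old) - set(now)),
        "modified": sorted(f for f in set(now) & set(old) if now[f] != old[f]),
    }


def demo():
    """Constructed scenario in a temp directory, not a real profile: baseline, then a dropped extension."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "extensions"
        legit = ext / "numberedlinks"          # stand-in for the legitimate extension
        legit.mkdir(parents=True)
        (legit / "install.rdf").write_text("<!-- constructed placeholder -->")
        key = secrets.token_bytes(32)          # in practice: derived from a user passphrase, not stored here
        manifest = sign_manifest(hash_tree(ext), key)

        # Simulate what the thread describes: files written straight into the
        # profile, bypassing the install prompt. All names below are made up.
        (legit / "install.rdf").write_text("<!-- constructed: overwritten -->")
        dropped = ext / "{constructed-dropper-id}"
        dropped.mkdir()
        (dropped / "chrome.manifest").write_text("content constructed chrome/")
        report = audit(ext, manifest, key)

        # Rewriting the manifest to bless the new files, without the key,
        # yields a manifest that fails verification.
        forged = {"files": hash_tree(ext), "mac": manifest["mac"]}
        report["forgery_rejected"] = not verify_manifest(forged, key)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check has to run before the browser loads anything from the directory, so in practice it belongs in a launcher wrapper that prompts for the passphrase, audits, and refuses to start (or starts with the extension directory disabled) when the report lists additions or modifications the user did not make.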

  7. Re:and? by hotdiggitydawg · · Score: 4, Funny

    (response from Lynx user) *cough* ActiveX *cough* *snigger*

  8. Spyware Disguised as an MSIE Extension by krell · · Score: 5, Funny

    It could have been worse, like spyware disguised as a Microsoft Internet Explorer extension. That's sort of like Nixon wearing a Nixon mask.

    --
    Where were you when the voynix came?

  9. RTFA by sensei85 · · Score: 5, Informative

    Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.

    For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.

    A little more careful reading and some common sense go a long way.

  10. Firefox is horribly vulnerable; I have proof. by mmell · · Score: 4, Interesting

    On a machine which I maintain for my SO and children, M$ XP Pro is installed. The default browser is FireFox, which I have managed to convince my SO and children to use.

    My daughter (with a limited user account, no less) viewed a malicious advertising banner while logged into MySpace.com. I'm quite sure she clicked "yes" to running a WMF exploit.

    She has a limited account. End of story, you say? Nope, read on . . .

    My wife logged in a couple days later. A popup balloon warned her that the machine was infested and she should "click here to fix the problem". Well, she installed AntiVirusGolden v3.3 (from her not-so-limited user account). Who can blame her? I wouldn't have fallen for it (I already had CA's EZ-Antivirus installed and more or less trusted it), but it looked like a valid course of action to her, so the next thing I knew there were nearly a dozen payloads whanging around the rusty innards of my SO's computer - some acquired on the spot, others dropped there during the following week, I'm sure.

    That machine now runs Linux (like the rest of my home network). I'd like to thank the wonderful malware authors at AntivirusGolden for giving me the leverage I needed to convince my SO to give up on Windows and use a somewhat more securable OS.

    Oh, but I'll continue to use Firefox, now that I've closed that horrible WMF exploit that it has! You'd think the Firefox development team would know better than to trust end-users with the option to execute WMF's. Hmmph!

    *(The above is intentionally sardonic; but the basic facts are true)*

  11. make it open source by kdemetter · · Score: 5, Funny

    Just send the source code in a nice tarball.

    That way it's open source and people can improve it.