Slashdot Mirror


'Greasemonkey' Malware Targets Firefox

snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."

9 of 370 comments

  1. DO-NOT "Remember Passwords" by Hari+Kant · · Score: 4, Informative

    I would suggest that DO-NOT "Remember Passwords" and Login ids in any Browser where Sensitive Information will be sent ultimately.

    1. Re:DO-NOT "Remember Passwords" by maxwell+demon · · Score: 5, Informative

      I guess the malware remembered those passwords itself, so not storing them in the password manager wouldn't help.

      IMHO the fact that you can use plugins with Firefox means that there should be an extra security barrier inside Firefox that disallows extensions to get passwords (e.g. when accessing the password lines, it would just get the stars which are also displayed on the screen).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:DO-NOT "Remember Passwords" by clone53421 · · Score: 4, Informative

      Javascript is already capable of getting the value of a password field, and even if it wasn't they could just redirect the form action and get the password that way.

      Try this: go to Paypal.com (any page with a password field, really), type in something arbitrary into the password field, and then paste this into the address bar:

      javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password"){alert(a[i].value);i=a.length;}void(0);

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  2. Re:PC ONLY? by thtrgremlin · · Score: 5, Informative
    Since reading the article is for losers anyway...

    This [plugin] is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder

    Since the computer need already be compromised... sure you can draw your own conclusion on that one :)

    --
    Want Big Business out of government? Take away the incentive and start by getting government out of big business!
  3. Re:only firefox? by Rudisaurus · · Score: 4, Informative

    More details here

    --
    licet differant, aequabitur
  4. Re:only firefox? by Vancorps · · Score: 4, Informative

    I ran into this when I visited a site that another admin got the Antivirus 2008 trojan from. Of course I'm on Ubuntu so I was pretty sure simply visiting the site wouldn't cause any problems. I kept getting prompted to install it so I just found out what link it kept calling and just modified my hosts file to point it to localhost and then I got out of it like I should.

    Pretty devious exploit though.

  5. Re:PC ONLY? by drachenstern · · Score: 4, Informative

    But I thought the sequence usually went like this:

    1. Install Firefox
    2. Install noScript
    3. ???
    4. Don't get infected by js vector based viruses.
    5. Get flamed on /. for pedantic usage of noScript to designate a particular add-on to Firefox, and for not using the general designation of either FX3 or FF3...

    No, but really. If you have noScript, as most everyone I know using Fx does, then how do you get infected by a virus that uses js as an attack vector...

    Guess I'll keep reading the thread and see if the answer arises.

    --
    2^3 * 31 * 647
  6. Re:I wish by Lumpy · · Score: 4, Informative

    I give out my paypal password all the time.

    It's Fire98-myFun.

    It will do you no good without my keyfob and its current 6-digit number. My bank, paypal, ebay, and 2 of my credit cards use the same keyfob because they use verisign and it defeats every single one of these trojans, keyloggers, and scammers. Why they are not commonplace I'll never understand.

    --
    Do not look at laser with remaining good eye.
  7. LIST OF BANKS; seems to be windoze-only by rickst29 · · Score: 4, Informative

    "Trojan.PWS.ChromeInject.B" is definitely only effective in Windows, because it installs and executes these files:

    "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
    "%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"

    browser.js calls the dll file, which can't run in Linux, etc. unless you're running a WINDOZE Firefox via crossover (which would be insanely stupid). Also, since it's installed into the program directory (rather than the user's profile), VISTA will almost certainly make you click for "administrator confirmation" before writing the files. (I don't know for sure, because I don't have VISTA.)

    - - - - -

    When I enter the URL for http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.A.html#, the page content is identical to the version for "Trojan.PWS.ChromeInject.B" (even the given name is "Trojan.PWS.ChromeInject.B", they even over-wrote the ChromeInject.A page by accident or, ChromeInject.A isn't spreading in the wild AND has nearly identical characteristics, perhaps differing only in file sizes.)

    BitDefender provides the following list of banks on their page for this version, http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html:

    It filters the URLs within the Mozilla Firefox browser and whenever encounter the following addresses opened in the Firefox browser it captures the login credentials.
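
An added triage example, not part of the original comment or of BitDefender's write-up: it checks a Firefox install directory for the two file paths the comment above reports for Trojan.PWS.ChromeInject.B and records size, modification time and SHA-256 for each one found. The function names and the extra look under `ProgramFiles(x86)` are assumptions; a hit is a lead to confirm with a scanner, not proof of infection.

```python
import hashlib
import os
from datetime import datetime, timezone
from pathlib import Path

# Paths relative to the Firefox install directory, as reported in the
# comment above for Trojan.PWS.ChromeInject.B.
REPORTED_PATHS = (
    ("plugins", "npbasic.dll"),
    ("chrome", "chrome", "content", "browser.js"),
)


def default_install_dirs(env=os.environ):
    """Candidate Firefox directories built from the Windows ProgramFiles variables."""
    dirs = []
    # The comment names %ProgramFiles% only; ProgramFiles(x86) is an assumption
    # added here to cover 32-bit Firefox on 64-bit Windows.
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        base = env.get(var)
        if base:
            candidate = Path(base) / "Mozilla Firefox"
            if candidate not in dirs:
                dirs.append(candidate)
    return dirs


def triage(install_dir):
    """Return one record per reported path that exists under install_dir."""
    findings = []
    for parts in REPORTED_PATHS:
        target = Path(install_dir).joinpath(*parts)
        if not target.is_file():
            continue
        stat = target.stat()
        findings.append({
            "path": str(target),
            "size": stat.st_size,
            "modified_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            # The hash lets the file be compared with a vendor sample or a clean install.
            "sha256": hashlib.sha256(target.read_bytes()).hexdigest(),
        })
    return findings


if __name__ == "__main__":
    for directory in default_install_dirs():
        hits = triage(directory)
        for hit in hits:
            print("FOUND", hit["path"], hit["size"], hit["modified_utc"], hit["sha256"])
        if not hits:
            print("none of the reported files under", directory)
```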