Slashdot Mirror


'Greasemonkey' Malware Targets Firefox

snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."

20 of 370 comments

  1. Re:I wish by maxwell demon · · Score: 3, Insightful

    I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....

    See? With Firefox, you wouldn't have that problem! :-)

    --
    The Tao of math: The numbers you can count are not the real numbers.
  2. This is a veiled blessing... by mamono · · Score: 2, Insightful

    Yes, it is not good that there is malware targeting Firefox, but it shows that Firefox is on its way to be a market leader/dominator. Much like the recommendation of using antivirus on Macs, this shows that there is enough of a market penetration for Firefox that it has garnered the attention of malware writers.

    1. Re:This is a veiled blessing... by Madball · · Score: 3, Insightful

      Yay! We're safe because mac/linux/firefox is secure by design. Oops. Yay! We're safe because no one bothers with attacks on us. Oops. Yay! We're being attacked and thus might finally be important?
      ----
      Note: Actually a fanboy, but a realistic one.

    2. Re:This is a veiled blessing... by thtrgremlin · · Score: 5, Insightful

      I think an important thing to note here is that this is not using a Firefox exploit. It is using existing malware to manually install a plugin into Firefox. There is no proof of concept here at all, but point taken.

      --
      Want Big Business out of government? Take away the incentive and start by getting government out of big business!
  3. Re:only firefox? by miknix · · Score: 5, Insightful

    Mozilla needs your permission to install plugins from unverified sources.

    But since windows standard practice is to click on everything that has an OK on it, I think it doesn't matter.

  4. Re:only firefox? by Brain-Fu · · Score: 5, Insightful

    from the article:
    Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

    This is utterly unacceptable. They should give instructions to users on how to avoid downloading this.

    They listed two ways in which systems get infected. One is "by being duped into downloading it." The instructions to avoid this are easily enough translated as your standard Internet hygiene guidelines: "When websites offer browser-enhancements to you, say no," and "don't execute email attachments even if they come from trusted friends."

    However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.

  5. Re:only firefox? by dedazo · · Score: 5, Insightful

    But since users' standard practice is to click on everything that has an OK on it, I think it doesn't matter.

    There, fixed that for ya.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  6. Re:Username/password combo for banks flawed. by Anonymous Coward · · Score: 1, Insightful

    If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.

    Yeah, but I'd love to access my bank information from linux, thanks.

  7. Re:DO-NOT "Remember Passwords" by girlintraining · · Score: 3, Insightful

    I would suggest that DO-NOT "Remember Passwords" and Login ids in any Browser where Sensitive Information will be sent ultimately.

    Well, that'll stop the really stupid malware authors that sit down at your PC and copy the file that stores your passwords. But it won't stop the one who left a key logger, the other who is doing control scrapes, the guy looking over your shoulder, the in-memory debugger that waits for a POST submission and copies everything in the data struct, or the FBI (who knows about those magazines under your bed too).

    If you want to offer some advice to people that'll result in a real increase in security, tell them to install NoScript, or not to download executables and run them without scanning them. Tell them to install Spybot, or AdAware, or AVG Free. But don't ask them to turn off a convenient feature because it will stop the .1% of attackers too stupid to figure out a better way of getting that information.

    --
    #fuckbeta #iamslashdot #dicemustdie
  8. i've said this many times by circletimessquare · · Score: 3, Insightful

    and i've always been derided as a microsoft fanboy. when i think it's just common sense:

    the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare

    you can try to make something as secure as possible, but if the incentive is high, hackers can always pay attention to security way more than you do, and find holes you did not anticipate, no matter how subtle

    if something is full of security holes, it won't be hacked, if its market share is tiny

    meanwhile if something is ironclad, it will still be hacked, if its market share is huge. the incentive to find holes is so high, the most esoteric avenues of investigation are explored

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  9. Re:Username/password combo for banks flawed. by Ed Avis · · Score: 2, Insightful

    And the banking site should be implemented in such a way that hackers can't hack it.

    That is already the case. AFAIK, almost no online banking fraud is done by attacking the bank's website. It is the user's PC that gets hacked.

    What the other poster suggests is quite possible, and has been done for years. There are many smartcards and authentication devices made by companies like RSA that you use to log in with challenge-response. Because the secret key is held on the device and is never disclosed to the outside world, you cannot copy a device without physically disassembling it and getting out the key by probing the electronics.

    Because you can't download free smileys or animated cursors to install on your smartcard, or indeed load any software onto it at all, it cannot be attacked with downloadable malware.

    --
    -- Ed Avis ed@membled.com
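
The challenge-response login described in the comment above, as an added Python example that is not part of the original thread. It assumes HMAC-SHA256 over a random per-login challenge with a key shared between the bank and the device at enrollment; the `Token` and `Bank` classes are hypothetical, and real devices may use other algorithms.

```python
import hashlib
import hmac
import secrets


class Token:
    """Stands in for the smartcard: the key is used here but never exported."""

    def __init__(self, key: bytes):
        self.__key = key

    def respond(self, challenge: bytes) -> str:
        return hmac.new(self.__key, challenge, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self._keys = {}     # user -> device key recorded at enrollment
        self._pending = {}  # user -> outstanding challenge (single use)

    def enroll(self, user: str) -> Token:
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return Token(key)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)  # consume: one try per challenge
        if nonce is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def demo():
    bank = Bank()
    token = bank.enroll("alice")  # constructed sample user
    # The response entered in the browser is all a password logger can record.
    captured = token.respond(bank.challenge("alice"))
    first = bank.verify("alice", captured)
    replay_same = bank.verify("alice", captured)   # challenge already consumed
    bank.challenge("alice")                        # a new login attempt
    replay_fresh = bank.verify("alice", captured)  # old response, new challenge
    return first, replay_same, replay_fresh
```

The genuine login succeeds, while the recorded response is rejected both on immediate replay and against the next challenge, which is the difference from a static password.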
  10. Re:DO-NOT "Remember Passwords" by girlintraining · · Score: 2, Insightful

    How do I know that the latest update to Forecastfox isn't now reading my browsing history or passwords and uploading that information to a third party? Many addons do not need access to the web page being rendered, so I wonder why there isn't some additional layer of security there.

    You don't. You are trusting solely that the developers are honest and/or that an interested third party reviews their code to ensure it does not do this. But this isn't any different than closed-source; When you install Windows, you're trusting that Microsoft hasn't trojaned their software either. Really, what people fail to understand is that all security is based on trust.

    What's mind-blowing though, is that people overwhelmingly are honest.

    --
    #fuckbeta #iamslashdot #dicemustdie
  11. Re:only firefox? by Anonymous Coward · · Score: 3, Insightful

    Newsflash, teenybopper: The world is not divided into "morons" and "people who know how to kill apps in Taskman".

  12. Wow, the summary is correct. by argent · · Score: 2, Insightful

    This is not an exploit, this is a payload like a rootkit that targets Firefox... after your computer has already been compromised.

    I would be surprised if there ISN'T a similar payload targeting IE delivered by the same malware.

  13. Re:only firefox? by hairyfeet · · Score: 5, Insightful

    Bingo, I have seen malware in both Firefox and IE installed using the "endless loop" dialog box that the previous poster pointed out on Bugzilla (BTW, how freakin sad is it that the bug is from pre-1.0 and is still there?). Here is how I saw it work, by using a test box I keep for bug testing and removal practice. I found the bug by going through the user's history and going where he went.

    Here is how it works. You get Mr. Stupid Horny Guy to look at some topsites, you know the ones, a bunch of hot babe thumbnails that take them to yet more topsites. After a few minutes he will hit a site with a dialog box that says something like "You won a free hour in our hot babe video vault! Simply click yes to download the player and watch your hot videos full screen!" but thanks to the bug if he hits cancel it simply throws another dialog box in his face until he hits yes. If Mr Stupid Horny Guy even knows about ctrl/alt/del (which many don't) they will find the PC slow to a crawl whenever they try to launch it. So for Mr Stupid Horny Guy the choices come down to A=yank the plug out of the back, or B=click yes. So you can guess which of those 2 gets chosen more often.

    I just wish Mozilla would put a cancel button automatically on all dialog boxes that would just kill all scripts on a page. It would probably cut way down on the drive-by downloads, at least the ones I have come across.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  14. Would have been nice by The Cisco Kid · · Score: 2, Insightful

    if they had identified the server that it tried to contact, either by hostname or IP address, so that those with the capability to do so, could block connectivity to it from their network(s) and/or customers. ISPs could add a simple ACL to a router, home users might put a 127.0.0.1 entry in /etc/hosts, etc.

    Of course one thing they completely left out was if this 'plugin' ran only on Windows Firefox or if other platforms were susceptible as well.

    And quite frankly, if that host was providing some legitimate service that doing this ended up blocking, well, oh fucking well. Keep the thieves off your network and you can avoid that type of problem.

    Another option of course, (for individuals and private/company networks, but probably not so for commercial ISPs) would be to just null-route the entirety of Russia (using blackholes.us), and then selectively override individual address spaces as and if needed.

  15. Re:Only if you want to be in the IT business by Mex · · Score: 2, Insightful

    Every bank in Mexico uses OTP authentication with a small physical device that generates a random key.

    When will the US catch up with the rest of the world in terms of technology? ;)

  16. Re:I wish by spammb · · Score: 4, Insightful

    This has to be one of the stupidest devices ever. From the FAQ:

    Can I still log in to my PayPal account if I lose or break my token, or if I don't have my mobile phone with me?
    Yes. During login, we'll ask you questions to help confirm your identity. When you answer them correctly, you'll be able to log in.

    Isn't the whole point of this device that you have to have it to log in? What extra security does asking some questions to confirm my identity do if I have a virus logging everything I type?

  17. Re:only firefox? by bit01 · · Score: 2, Insightful

    But since users' standard practice, as trained by M$ security theatre over many years, is to click on everything that has an OK on it, I think it doesn't matter.

    There, fixed that for ya.

    ---

    Don't be a programmer-bureaucrat; someone who substitutes marketing buzzwords and software bloat for verifiable improvements.

  18. Re:I wish by Baton Rogue · · Score: 2, Insightful

    A 6 digit number that changes every minute? Good luck with that.