Slashdot Mirror


'Greasemonkey' Malware Targets Firefox

snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."

15 of 370 comments

  1. also by ODiV · · Score: 3, Interesting

    What happens if you already have Greasemonkey? Would it stop working or does the malware work fine alongside it?

  2. Username/password combo for banks flawed. by Vellmont · · Score: 5, Interesting

    It's just part of the mounting evidence that username/password combinations for banks are inherently flawed. "Something you know" can always easily be known by someone else. Bank security should (IMO) be also based on "something you have", like an ATM card.

    If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.

    --
    AccountKiller
    1. Re:Username/password combo for banks flawed. by the+99th+penguin · · Score: 2, Interesting

      Seems to vary from country to country, in some (like Sweden I believe, UK banks seem to have more of a PRNG device, at least that's what Barclays gave me) all banks provide a Challenge-Response system for logging into your account, similar to the RSA fob I am sure many here have used for secure logon.

    2. Re:Username/password combo for banks flawed. by sexconker · · Score: 2, Interesting

      Because the secret key is held on the device and is never disclosed to the outside world, you cannot copy a device without physically disassembling it and getting out the key by probing the electronics.

      1: Not yet. For some devices touted as "secure", you can. Easily.

      2: The key is on the banking server as well, or at least the method to generate or validate it at any given time.

      Your server will be compromised.
      The end user will lose the dongle.
      The dongle will be cracked.
      The dongle will malfunction.
      Malware to attack the dongle without physical access will be written.
      Your encryption scheme has weaknesses.

  3. Re:only firefox? by Ed+Avis · · Score: 5, Interesting

    The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.

    --
    -- Ed Avis ed@membled.com
  4. Re:only firefox? by clone53421 · · Score: 2, Interesting

    someone should publish the javascript, the press report was totally bull

    Meh, even without seeing the code it's pretty easy to figure out what they most likely did. All they'd have to do is create an onSubmit that sends an Ajax request to their server with the contents of the username and password fields on the form being submitted. Considering that add-ons (AdBlock, for example) can already inject and/or remove HTML from the dynamic page, it doesn't surprise me in the least.

    Then all they have to do is figure out how to deploy it – obviously the Firefox plugin repository isn't going to host their malware, so distributing it in such a way that people are fooled into installing it is going to be tricky. 'Course, if you have control of a botnet, it might be possible to instruct the zombie machines to install it without the user's knowledge (not sure how FF's add-ons are managed, so it might or might not be possible, and it'd probably have to occur while FF wasn't running).

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  5. FireFox matters. by wvmarle · · Score: 2, Interesting

    Not sure whether this should be considered a compliment, but to me it indicates that FF matters. It has enough market share for criminals to target.

    Unfortunately not many details on this exploit: is it really an exploit in FF (for the drive-by download)? Or is it more like a trojan (for the download duping)?

  6. Re:only firefox? by Reece400 · · Score: 3, Interesting

    I've had quite a few issues with Ubuntu because of my years of using Windows. I'm used to hitting Enter rather than clicking for the default actions. Especially the overwrite file dialogs, which default to 'no' in Windows and 'yes' in Ubuntu.

  7. Re:DO-NOT "Remember Passwords" by moreati · · Score: 2, Interesting

    Given that javascript can be injected into a page in various ways, and as you show it can access the contents of input fields, would there be any mileage in blocking access to the contents of password fields from javascript? Would that break many sites?

    IIRC the file upload element works this way, to avoid revealing the file path to the website.

  8. Re:malware targets Windows .. by gabrieltss · · Score: 2, Interesting

    Oh good I'm safe then, it's a Firefox 3 plugin - won't work in my Firefox 1.5.x. Another good reason not to upgrade - security is worse in the new version.

    --
    The Truth is a Virus!!!
  9. Re:I wish by cayenne8 · · Score: 3, Interesting

    "it will do you no good without my keyfob and its current 6 digit number. My bank, paypal, ebay, and 2 of my credit cards use the same keyfob because they use verisign and it defeats every single one of these trojans, keyloggers, and scammers. Why they are not commonplace I'll never understand."

    Interesting...I'd not heard of such an option being available for PP, eBay or banks.

    What bank is that with?

    Do you have links on how to set this up with PP and eB? Is it one fob that does it for them all or one for each?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  10. Re:I wish by aonaran · · Score: 2, Interesting

    Well, I've been trying for a year to get Paypal to send me one, I even offered to PAY them for it. No go. I'm in Canada, and despite the fact that I use the same PayPal.com as all the US customers and they are constantly advertising it to me they refuse to send me one.

  11. Re:I wish by Lord+Ender · · Score: 2, Interesting

    You are so wrong it's not funny.

    One-Time-Password devices do little to protect against man-in-the-middle, man-in-the-browser, session hijacking, or CSRF attacks.

    They are useful against some sorts of attacks, but not when the attacker is already in your browser. He just has to wait for you to log in normally, then he does what he wants with your session.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
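
The point made in comment 11, as an added example that is not part of the thread or any bank's code: a one-time password checked at login says nothing about later requests in the same session, whereas a challenge-response computed over the transfer details does. It goes one step beyond the comment by showing that bound response; `Bank`, `sign_transfer`, the session id and the payee names are constructed assumptions.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(key, now // step)

def sign_transfer(key: bytes, challenge: bytes, payee: str, cents: int) -> str:
    """Response bound to the transfer the user keyed into the device (hypothetical scheme)."""
    msg = b"|".join([challenge, payee.encode(), str(cents).encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class Bank:
    """Constructed server model. It holds the same secret as the fob."""
    def __init__(self, key: bytes):
        self.key, self.sessions = key, set()
    def login(self, sid: str, otp: str, now: int) -> bool:
        if hmac.compare_digest(otp, totp(self.key, now)):
            self.sessions.add(sid)
        return sid in self.sessions
    def transfer_session_only(self, sid, payee, cents) -> bool:
        # The OTP was checked at login; nothing ties it to this request.
        return sid in self.sessions
    def transfer_signed(self, sid, challenge, payee, cents, response) -> bool:
        expected = sign_transfer(self.key, challenge, payee, cents)
        return sid in self.sessions and hmac.compare_digest(response, expected)

def demo() -> dict:
    key, now = b"12345678901234567890", 59          # RFC 6238 test key and time
    bank = Bank(key)
    logged_in = bank.login("sid-1", totp(key, now), now)
    # Constructed scenario: user approves ALICE, the request arrives naming MALLORY.
    challenge = b"constructed-nonce"
    response = sign_transfer(key, challenge, "ALICE", 5000)   # computed on the device
    return {
        "login": logged_in,
        "altered_session_only": bank.transfer_session_only("sid-1", "MALLORY", 5000),
        "altered_signed": bank.transfer_signed("sid-1", challenge, "MALLORY", 5000, response),
        "intended_signed": bank.transfer_signed("sid-1", challenge, "ALICE", 5000, response),
    }
```

The bound response only helps if the user reads the payee and amount on the device itself rather than trusting what the browser displays.
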
  12. Re:I wish by aonaran · · Score: 2, Interesting

    I take back my complaint, I just tried it again and they charged me $5 CAD and said it'll be arriving in the mail shortly. I was logged in with my business account this time though, maybe that makes a difference.

    Yay! I'm finally getting a PayPal RSA token. I can feel safer knowing my PayPal has equivalent security (on the authentication level anyway) as my Work VPN has had for years.

  13. Re:only firefox? by hairyfeet · · Score: 3, Interesting

    I do use Noscript on all my machines, but for my customers it really is a "nuke it from orbit" solution which causes more problems than it solves. What we need for Noscript is an "average Windows user" setting which would whitelist Youtube and the other popular video sites, along with a "horny guy" setting that would add Porntube, Redporn, etc. Because I have tried to teach my Windows customers about whitelisting but sadly it turns into another Vista style "always click allow" which kills the whole point. Perhaps a simpler dialog box interface for Noscript than the current one? Maybe one that would detect .flv, .swf, rmb, etc. and have a simple "click if you want to play the video" button?

    --
    ACs don't waste your time replying, your posts are never seen by me.