'Greasemonkey' Malware Targets Firefox
snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."
I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....
This guy's the limit!
Yes, it is not good that there is malware targeting Firefox, but it shows that Firefox is on its way to becoming a market leader/dominator. Much like the recommendation of using antivirus on Macs, this shows that there is enough of a market penetration for Firefox that it has garnered the attention of malware writers.
I'd presume anything that supports Mozilla add-ons would be affected. But that is just a guess.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Virus and Malware are registered trademarks of the Microsoft corporation, so yeah, business as usual.
Want Big Business out of government? Take away the incentive and start by getting government out of big business!
I would suggest that you do NOT "Remember Passwords" and login IDs in any browser where sensitive information will ultimately be sent.
Well, this just proves that it's easier to develop for Firefox than IE. ^_^ Of course, it's a very backhanded compliment.
#fuckbeta #iamslashdot #dicemustdie
What happens if you already have Greasemonkey? Would it stop working or does the malware work fine alongside it?
It's JavaScript, so the end code is probably cross-platform. Whether the delivery takes place on multiple platforms I do not know, but it largely depends on the delivery mechanism; as an XPI it would probably be fully cross-platform.
Mozilla vs. Firefox, who friggin' knows.
someone should publish the javascript, the press report was totally bull
also java != javascript
It's just part of the mounting evidence that username/password combinations for banks are inherently flawed. "Something you know" can always easily be known by someone else. Bank security should (IMO) also be based on "something you have", like an ATM card.
If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.
AccountKiller
No not funny, but it is scary how the people in the world's 2nd largest nuclear power appear to be so far beyond the normal rule of law.
I must've missed something. When did the US slip to number 2?
Mozilla needs your permission to install plugins from unverified sources.
But since windows standard practice is to click on everything that has an OK on it, I think it doesn't matter.
Russia seems to be much larger than the United States?
No? Since the plugins run on all platforms, or?
from the article:
Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.
This is utterly unacceptable. They should give instructions to users on how to avoid downloading this.
They listed two ways in which systems get infected. One is "by being duped into downloading it." The instructions to avoid this are easily enough translated as your standard Internet hygiene guidelines: "When websites offer browser-enhancements to you, say no," and "don't execute email attachments even if they come from trusted friends."
However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.
does it affect all platforms since it's Java?
anyone know?
It's not Java, it's JavaScript - two very different languages linked only by a common marketing fuckwit.
I'm old enough to remember when discussions on Slashdot were well informed.
There, fixed that for ya.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Yet another attempt at a classic type of malware designed to harvest web passwords has been detected...
There, fixed it for ya.
I don't think it is really fair to call it 'new' just because you haven't reported on this particular incident yet today. It is a little misleading. Glad I could help.
The problem has been diagnosed by BitDefender, and they can sell you all the peace of mind you ask for.
PC != Windows. Unless the trojan installs via a Windows executable (which is a possible attack vector but certainly not the only possible one), the FF add-on/Javascript code will run on any platform.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
If I promise to spend it all on fine Russian vodka, can I have all your money?
Ah, physical size. Gotcha. ; )
Plugins control YOU!
Free Martian Whores!
The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.
-- Ed Avis ed@membled.com
This [plugin] is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder
Since the computer need already be compromised... sure you can draw your own conclusion on that one :)
someone should publish the javascript, the press report was totally bull
Meh, even without seeing the code it's pretty easy to figure out what they most likely did. All they'd have to do is create an onSubmit that sends an Ajax request to their server with the contents of the username and password fields on the form being submitted. Considering that add-ons (AdBlock, for example) can already inject and/or remove HTML from the dynamic page, it doesn't surprise me in the least.
Then all they have to do is figure out how to deploy it – obviously the Firefox plugin repository isn't going to host their malware, so distributing it in such a way that people are fooled into installing it is going to be tricky. 'Course, if you have control of a botnet, it might be possible to instruct the zombie machines to install it without the user's knowledge (not sure how FF's add-ons are managed, so it might or might not be possible, and it'd probably have to occur while FF wasn't running).
I'm not sure this is what you're referring to but in either case your post got me thinking:
Wouldn't an effective phishing defense (but not MITM) be for the RSA key fobs to have two numbers displayed instead of one, such that when you log in with the first number displayed on your fob, the bank replies with the 2nd number? If they don't match, it's likely a bogus site.
I'm sure there are technical issues to resolve to decouple the two keys to avoid a snooper / phisher from being able to guess the bank's response etc etc. But in general, if we believe it is improved security to prove I am who I say I am, then could it work the other direction as well? I also realize that for the bank's part it isn't something they have but still something they know, but still at least it is something they know that changes such that a phisher won't know it [shrug]. I also get the feeling it might be more robust for the bank to provide a code first, but the bank would still first need to know who you are (simple username I guess) to present the code specific to your fob; then you can feel confident that you are talking to your bank before you send out your code.
And perhaps this would help with a MITM attack since they might have to get the bank's response right as well [shrug].
If you can't be good, be good at it!
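The two-number fob idea above, worked through as an added example (not code from the article or from any poster in this thread). It assumes an HMAC-SHA256, HOTP-style code derived from a per-fob secret and a counter, with a role label so the number the customer types and the number the bank must echo are unrelated without the secret; `Fob`, `Bank`, `PhishingSite` and the secret are all constructed names. It also shows the caveat raised in the post: a site that never learned the secret cannot produce the reply, but a live relay to the real bank would still pass this check.

```python
import hashlib
import hmac
import struct

# Constructed example secret: in practice per-fob, held only by the fob and
# the bank's HSM, and never typed or transmitted.
FOB_SECRET = b"constructed-example-fob-secret"


def otp(secret: bytes, counter: int, role: bytes, digits: int = 6) -> str:
    """HOTP-style code (RFC 4226 dynamic truncation) over a counter, with a
    role label so the customer-side and bank-side codes for the same counter
    cannot be derived from one another without the secret."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + role, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Fob:
    """Two-number token: the code to type in and the code the bank must echo."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self):
        c = self.counter
        self.counter += 1
        return otp(self.secret, c, b"customer"), otp(self.secret, c, b"bank")


class Bank:
    def __init__(self):
        self.fobs = {}  # username -> [secret, next expected counter]

    def enroll(self, username, secret):
        self.fobs[username] = [secret, 0]

    def login(self, username, customer_code, window=5):
        """Return the bank-side code if customer_code is valid, else None.
        A small look-ahead window tolerates presses that never reached us."""
        record = self.fobs.get(username)
        if record is None:
            return None
        secret, start = record
        for c in range(start, start + window):
            if hmac.compare_digest(otp(secret, c, b"customer"), customer_code):
                record[1] = c + 1  # this counter is spent: replay is rejected
                return otp(secret, c, b"bank")
        return None


class PhishingSite:
    """Has a copy of the login page but not the secret; it can only guess."""

    def login(self, username, customer_code, window=5):
        return customer_code  # echo the only number it has ever seen


def customer_login(fob, site, username):
    """True only if the site proves knowledge of the fob secret."""
    customer_code, expected_reply = fob.press()
    reply = site.login(username, customer_code)
    return reply is not None and hmac.compare_digest(reply, expected_reply)


def demo():
    bank = Bank()
    bank.enroll("alice", FOB_SECRET)
    fob = Fob(FOB_SECRET)
    genuine = customer_login(fob, bank, "alice")
    replay = bank.login("alice", otp(FOB_SECRET, 0, b"customer"))  # reused code
    phished = customer_login(fob, PhishingSite(), "alice")
    after = customer_login(fob, bank, "alice")  # window absorbs the lost press
    return {"genuine": genuine, "replay_accepted": replay is not None,
            "phish_detected": not phished, "genuine_after_skip": after}


if __name__ == "__main__":
    print(demo())
```

The bank only reveals its half after the customer's half verifies, so the fob identifies the user before the bank commits to anything; the counter window is what keeps a code burned on a fake site from locking the customer out of the real one.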
Firefox was written so all addons had to come from addons.mozilla.org. How is such a drive by download even possible?
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
I love job interviews that involve "Your resume says Java, so you must do some Javascript since they're so similar, right?"
At that point, telling the truth becomes a very hard decision to make.
Well the languages have many similarities. Most of them are the same as the similarities of JavaScript and Java and C++ but still for the novice coder they look like the same language. But yes they are very different languages not related to each other.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Does NoScript block JavaScript coming from other extensions? I highly doubt so.
The Tao of math: The numbers you can count are not the real numbers.
It is not clear whether Firefox actually has a vulnerability that allows such drive-by downloads, or if IE or other browsers with a vulnerability might allow a drive-by download that attacks Firefox. Anyway, if the user downloads bits from the net and executes them voluntarily, there is nothing one can do to protect against such an activity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
More details here
licet differant, aequabitur
Like you never "Temporarily allow myweirdpornvideos.com".
And I've always been derided as a Microsoft fanboy, when I think it's just common sense:
The amount of hacks and viruses and malware on an OS/browser has absolutely nothing to do with anything other than market share.
You can try to make something as secure as possible, but if the incentive is high, hackers can always pay attention to security way more than you do, and find holes you did not anticipate, no matter how subtle.
If something is full of security holes, it won't be hacked if its market share is tiny.
Meanwhile, if something is ironclad, it will still be hacked if its market share is huge. The incentive to find holes is so high that the most esoteric avenues of investigation are explored.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
That's it....I'm switching to IE!
my site of misleading and incorrect information!
According to the description, you have to get infected with some other malware first which would then stuff this thing into Firefox's folders and hook it in by manipulating the configuration. So my first thought is that the primary risk is (yet again) Windows users. They're the ones who'll be the targets of the initial malware. Even if you're a Windows user, if you aren't already having a problem with being regularly infected by malware you aren't at great risk. And if you are currently being regularly infected with malware, one more probably isn't your biggest problem. So a lot of sound and fury, signifying nothing we didn't already know and presenting no risk we haven't had for years.
However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.
It sounds like they're just playing "what-if". If you've got a malicious Firefox addon, how do you get your victims to install it? Obviously the first step is to trick them into installing it - a variation on the trojan (as named). The other way is to try and install it without user interaction. How to do that? Find an exploit in the browser, a helper application (Flash, Acrobat, Quicktime, etc.), or the OS itself to perform a generically-labelled drive-by download.
Whether any of this is actually happening or not is a big question. Actual case examples would be interesting. However, such details tend to get lost in the Corporate filter.
Viruses and Malware are features, not bugs!
Russia seems to be the largest country in the world.
Would this attack style apply to any Firefox platform - Linux, Mac, Windows? As I understand it, FF plugins are mostly written in Javascript. Even on more secure platforms like Mac and Linux, each user has access to his own FF plugins directory, so if any malicious code were to be executed as him, it could presumably write this "plugin" into that user's FF settings directory.
Except a dialog box only pops up when installing addons from a trusted source. When an addon comes from an untrusted source you get the information bar, which you can ignore or close.
I'm guessing the page in the bug (it's a non existent domain) uses an endless stream of alert()s which is the issue you described but does not affect installing addons from untrusted sources.
Not sure whether this should be considered a compliment, but to me it indicates that FF matters. It has enough market share for criminals to target.
Unfortunately not many details on this exploit: is it really an exploit in FF (for the drive-by download)? Or is it more like a trojan (for the download duping)?
Can't be physical size, Canada's a nuclear power and bigger than the US as well.
The problem with USB keys is that you have to install a client to handle the PKCS #11 with the browser. No bank wants to get in the business of telling customers to install software (and all the help desk problems that come with it).
OTP tokens have been the preferred method for consumer strong authentication, but only consumers in Europe seem to have taken to them. I don't really see people lining up to get the PayPal OTP token.
Nowhere does it say it is Java. In fact, I don't see any Java. I see JavaScript, but that is completely unrelated to Java (if the name confuses you, take it up with Sun, their marketing department wanted to leech off of Java's success). There is only a JavaScript file and a Windows Netscape Plugin. So it probably only affects Windows.
That is the important part. I am betting it doesn't happen through any flaw in Firefox (sounds like maybe a downloadable executable which looks for and then infects Firefox), but the article doesn't say.
There are some really fancy words they use here to blow this completely out of proportion, for example, the word 'new' is completely inappropriate. I am pretty sure 'drive-by download' means 'thoughtless download'. Or go to any number of sites that track windows bugs that are begging Microsoft to fix (since you are not allowed to fix bugs yourself) and pick any number of vulnerabilities that would enable this. It is just yet another implementation of some old exploits.
And mind you, FTA, it requires that a system already be infected with other malware that will install this Java into your plugins folder. Unless the delivery system is cross platform, there is no way to get this into your plugins folder. Second, if it is installed manually, there is no validation necessary because it is not using the browser for the installation. Next, more than likely because this is being done remotely, the easiest thing to do is assume one kind of standard installation, and given it is masquerading as GreaseMonkey, it is better to cover your tracks by only installing the plugin onto machines that have a straightforward, default, C-drive install of Firefox. Having manually installed plugins before via script (custom Ubuntu installer), different browsers, even the Mozilla web browser and the Firefox web browser, use different names for their directories. While it could hunt for the plugin directory and figure it out, that is a bit more work than just an assume-or-fail delivery system.
Yes, the page has been taken down since it was mentioned in the bug report. I don't know what exactly it was trying to make the user run (perhaps just a Windows executable not a Firefox extension) but it was something unpleasant.
The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.
If you're a moron, I guess. I see something do that, and I'm opening Task Manager and killing the entire process manually.
You register an authenticator with your account and every time you go to log on you have to key in the number the authenticator shows you.
Much easier than anything needing to be plugged in, and as such it can work with any device that could access the login page.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
You should register that domain name. It appears to be free at the moment.
Linux has 0.8% market share!
Though that's counting me and my beard of unusual size, so take it as you wish.
"This latest e-threat - called Trojan.PWS.ChromeInject.A - is intended to be delivered onto a compromised computer system by other malware"
SYMPTOMS: Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
TECHNICAL DESCRIPTION: It drops an executable file (which is a Firefox 3 plugin)
Does that mean it's Windows only ?
davecb5620@gmail.com
Why does anyone still do banking via PIN/TAN or normal passwords? My chip-card reader did cost 30 and has a numeric keypad on it. I never have to input any banking data via anything other than that device, which goes straight to the Java applet via a public key encryption system, and then to the bank via FinTS.
I hope I can upgrade to a class 3 or 4 reader soon.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Only if i can have the vodka
Even that still says nothing of consequence about the infection vectors. But it is certainly useful, so thanks.
SIGSEGV caught, terminating
wait... not that kind of sig.
Can we now blitz the collecting server with millions of bogus account records? Enough to make it not worthwhile trying them to find the good ones?
you can detect it by looking for the following 2 files: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll" "%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js" Theoretically closing Firefox and deleting those might remove it. The recommendations are to run anti-virus software, which is a good idea since the rest of the article indicates this is usually added to already compromised machines. Locations of the files may vary by OS, but should still be in Firefox plugins and chrome theme.
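The two file indicators quoted above, turned into a small check as an added example (not the article's, BitDefender's, or any poster's code). It walks a Firefox install root and reports which of the two paths are present, matching case-insensitively because NTFS is; `make_constructed_install` only builds a throwaway directory that imitates the layout for testing, and the %ProgramFiles% roots are the only real locations the thread gives, so the non-Windows fallback is an assumption left to the caller.

```python
import os
import tempfile
from pathlib import Path

# File indicators quoted in the thread, relative to the Firefox install root.
CHROMEINJECT_INDICATORS = (
    Path("plugins") / "npbasic.dll",
    Path("chrome") / "chrome" / "content" / "browser.js",
)


def firefox_roots():
    """Candidate install roots from the %ProgramFiles% variables on Windows.
    On other platforms nothing is returned; the thread gives no paths for them."""
    roots = []
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        base = os.environ.get(var)
        if base:
            roots.append(Path(base) / "Mozilla Firefox")
    return roots


def find_indicators(root):
    """Return the indicator paths present under root, matched case-insensitively."""
    root = Path(root)
    wanted = {str(p).lower(): str(p) for p in CHROMEINJECT_INDICATORS}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = str(Path(dirpath, name).relative_to(root)).lower()
            if rel in wanted:
                hits.append(wanted[rel])
    return sorted(hits)


def make_constructed_install(infected: bool) -> str:
    """Build a throwaway directory imitating a Firefox install root.
    Constructed test data only; nothing here is a real installation."""
    root = Path(tempfile.mkdtemp(prefix="ff-root-"))
    (root / "plugins").mkdir()
    (root / "chrome" / "chrome" / "content").mkdir(parents=True)
    (root / "plugins" / "benign-example.dll").write_bytes(b"")  # constructed, harmless
    if infected:
        # Mixed case on purpose, to show the case-insensitive match.
        (root / "plugins" / "NPBASIC.DLL").write_bytes(b"MZ")
        (root / "chrome" / "chrome" / "content" / "browser.js").write_text("// dropped\n")
    return str(root)


def scan():
    """Check the real install roots (Windows) and report what was found."""
    return {str(r): find_indicators(r) for r in firefox_roots() if r.is_dir()}


if __name__ == "__main__":
    print("constructed clean   :", find_indicators(make_constructed_install(False)))
    print("constructed infected:", find_indicators(make_constructed_install(True)))
    print("this machine        :", scan())
```

A hit is a reason to run a full anti-virus scan rather than just delete the two files, for the reason the post gives: this is dropped onto machines that are already compromised.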
It doesn't "target Firefox", it targets "Firefox on Windows 32 systems" This does not affect Linux, Mac, or other systems. Ehud
Only if you consider being an asshole to be cool.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Can this thing install if you have already loaded Greasemonkey?
Spyder
spelling "losers" correctly is for losers too.
Newsflash, teenybopper: The world is not divided into "morons" and "people who know how to kill apps in Taskman".
According to the article, it contains a file "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll", therefore it probably is Windows only.
I've had quite a few issues with Ubuntu because of my years of using Windows. I'm used to hitting Enter rather than clicking for the default actions. Especially the overwrite file dialogs, which default to 'no' in Windows and 'yes' in Ubuntu.
Since I haven't yet RTFA, I can't comment with any authority (as if I ever do), but if it's a javascript exploit, then I suppose it could affect any platform. My credit union's online banking portal only allows me to use Internet Explorer, so I can't even get to my bank account through Firefox or Opera or SWIron (which I prefer to Chrome). Oh the irony! Here's one instance where IE is a safer alternative to FF!
"the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare"
Then why go to the trouble of writing one for a browser with such a low market share? I mean, how many bank accounts are accessed under Firefox?
I ran into this when I visited a site that another admin got the Antivirus 2008 trojan from. Of course I'm on Ubuntu so I was pretty sure simply visiting the site wouldn't cause any problems. I kept getting prompted to install it so I just found out what link it kept calling and just modified my hosts file to point it to localhost and then I got out of it like I should.
Pretty devious exploit though.
Yes.
I just don't trust anything that bleeds for five days and doesn't die.
Stallman, is that you?
Anybody want my mod points?
Tell you what... if you can find me, I might share it with you.
But I thought the sequence usually went like this:
1. Install Firefox /. for pedantic usage of noScript to designate a particular add-on to Firefox, and for not using the general designation of either FX3 or FF3...
2. Install noScript
3. ???
4. Don't get infected by js vector based viruses.
5. Get flamed on
No, but really. If you have noScript, as most everyone I know using Fx does, then how do you get infected by a virus that uses js as an attack vector...
Guess I'll keep reading the thread and see if the answer arises.
2^3 * 31 * 647
At that point, telling the truth becomes a very hard decision to make.
No, at that point the question is where is the nearest door.
DT
Is this thing on? Hello?
Task Manager, end process, then restart Mozilla, and never go back to that website again.
You can download a fix for it here.
This is not an exploit, this is a payload like a rootkit that targets Firefox... after your computer has already been compromised.
I would be surprised if there ISN'T a similar payload targeting IE delivered by the same malware.
"the majority of bugs and spyware and crap out there now is obviously written by people without much talent"
I'm not saying the guys doing this are good, or deserve anything but jail time/fines/etc.
but they certainly are not stupid
meanwhile, by thinking they are stupid, you are displaying an unhealthy amount of arrogance and hubris
do you know what it takes to find a hole in a system and exploit it?
You have to surpass the minds of those who have already given the area a lot of thought.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Users could be infected with the Trojan either from a drive-by download, ...
Depends on what TFAA meant by drive-by download... worst case in my imagination would be that it installs itself without asking mother may I. I believe that there is a little install countdown thingie that at least makes sure that the question stays on the screen long enough so that you can see that something is going on, rather than letting an errant keypress or mouse click install it.
Kill-task. But ya, that's a serious bug. And how about the master-password pop-up? I'm not any good with javascript (I hack what I have to) but wouldn't it be possible (trivial) to create an identical pop-up and exploit that?
Not that I'm trying to bang on FF, but as a chronic 'save session' user I notice that password pop-up a lot (especially because it comes up multiple times if you have multiple windows open in the restored session).
Quack, quack.
Mozilla needs your permission to install plugins from unverified sources. But since windows standard practice is to click on everything that has an OK on it, I think it doesn't matter.
IIRC, it doesn't need your permission, it simply won't do it without manually editing the configuration file. The Bitdefender article has some insight on how it works.
All that crap about "drive by downloads" is BS. The only way you could get this is if your machine was already compromised.
Who needs this headache; not me. I'm going back to IE.
As for the people who write these programs, they need to be PUT TO DEATH.
Seriously, if you want to steal from me, come to my house. I promise to make it a fair fight. ;)
That's actually pretty strange... the "default" action is, by tradition, supposed to be the one that's easier to "undo".
Agree. Can we get people to take signature verification more seriously now? There have been a number of Firefox extensions, including some well-known, well-used ones, that are unsigned. (I can't remember if Flashblock, Adblock and NoScript are among them.) Is it a big hassle to sign the extensions? (This is not a rhetorical question; I really would like to know.)
You know how Kaminsky found this glaring bug in the DNS system that people have been using for ages, and people said, "What!? How could such a huge flaw go for so long with no one saying anything?" Well, right here we have a glaring flaw in the Firefox extension system. Firefox is a vector for extension malware. I'm saying it now.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
TFA says that on Windows it registers itself as Greasemonkey. What does it register itself as on OS X/Linux? And what if Greasemonkey is already installed?
Not exactly devious, since that bug is apparently as old as my 4th Grader nephew...
It is written in JavaScript, but the delivery system is Windows only. This malware also does not use its own delivery system. (Don't worry, you would have to read the article to know that, and we all know reading the article is for losers.)
Read.article. Most of your 'insightful' comment applies to Windows and piggy-backing on a Windows exploit. The other OS's you mention (ie: not Windows) would be exploited by ignoring the FF warning dialog about installing untrusted add-ons and installing it anyway (not so much an exploit).
That said, if you're done being cheeky: software is complicated. Bugs are a simple reality and inevitably lead to some kind of exploitability. But Linux and Mac (along with FF and numerous other open tools) get a bit of credit for implementing basic controls (accounts with privilege separation in the OS's) and responding quickly and proactively.
Windows is only now trying it, but their implementation is so cumbersome it's defeating its own purpose.
Any Vista users out there who haven't already tried it: there are several open source sudo-for-Windows implementations that make using non-privileged accounts more viable. I think I use Sudowin, which seemed to work the best for me, but I'm not on my home computer.
Bingo, I have seen malware in both Firefox and IE installed using the "endless loop" dialog box that the previous poster pointed out on Bugzilla (BTW, how freakin' sad is it that the bug is from pre-1.0 and is still there?). Here is how I saw it work, by using a test box I keep for bug testing and removal practice. I found the bug by going through the user's history and going where he went.
Here is how it works. You get Mr. Stupid Horny Guy to look at some topsites, you know the ones, a bunch of hot babe thumbnails that take them to yet more topsites. After a few minutes he will hit a site with a dialog box that says something like "You won a free hour in our hot babe video vault! Simply click yes to download the player and watch your hot videos full screen!" but thanks to the bug if he hits cancel it simply throws another dialog box in his face until he hits yes. If Mr Stupid Horny Guy even knows about ctrl/alt/del (which many don't) they will find the PC slow to a crawl whenever they try to launch it. So for Mr Stupid Horny Guy the choices come down to A=yank the plug out of the back, or B=click yes. So you can guess which of those 2 gets chosen more often.
I just wish Mozilla would put a cancel button automatically on all dialog boxes that would just kill all scripts on a page. It would probably cut way down on the drive by downloads, at least the ones I have come across.
ACs don't waste your time replying, your posts are never seen by me.
if they had identified the server that it tried to contact, either by hostname or IP address, so that those with the capability to do so, could block connectivity to it from their network(s) and/or customers. ISP's could add a simple ACL to a router, home users might put a 127.0.0.1 entry in /etc/hosts, etc.
Of course one thing they completely left out was if this 'plugin' ran only on Windows Firefox or if other platforms were susceptible as well.
And quite frankly, if that host was providing some legitimate service that doing this ended up blocking, well, oh fucking well. Keep the thieves off your network and you can avoid that type of problem.
Another option of course (for individuals and private/company networks, but probably not so for commercial ISPs) would be to just null-route the entirety of Russia (using blackholes.us), and then selectively override individual address spaces as and if needed.
Try holding down ctrl-w while closing the dialog. Works much of the time.
Yeah, but that 0.5% has crazy phat loot from not being ripped off by the windows only malware
Javascript alerts can't have input boxes on them, so it's not "easy" to make a box that looks like the master password box. However, you could do one of those in-page popups with a background that looks like a window in XP with the default theme that looks like it. Anyone on a different OS or different style might notice, but people on the default might not.
No, he would have said GNU/Linux.
English is not this
The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.
If you have a "master password" set in Firefox to protect your passwords, would THAT foil its collection method? I'm guessing that it simply moves through the bookmarks and then opens the password file vs. having to wait until you enter the password into a form.
If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!
Wow, a whole slew of other people have replied and still nobody else figured out that the 2nd largest nuclear power, whose people appear to be so far beyond the normal rule of law, refers to Russia.
Recall that the rogue server that's collecting the login credentials is located in Russia...
To install a firefox addon without the gui, all you have to do is insert the extension (unzipped) into the correct folder. I know this because I do it to quickly test extensions during development by using a symbolic link to the actual folder.
I suppose the crackers would still have to crack into the user's computer some other way first.
Once you start despising the jerks, you become one.
Oh good, I'm safe then, it's a Firefox 3 plugin - won't work in my Firefox 1.5.x. Another good reason not to upgrade - security is worse in the new version.
The Truth is a Virus!!!
It's not?!?!?!?
Oh Damn! I am going to have to redefine my social expectations again.
InnerWeb
Freud might say that Intelligent Design is religion's ID.
That's what you get for thinking.
Wait a minute... Is that you Bill? Mr. Gates, you're retired now... go fishing or something, ya bastard.
It's the Stay-Puft Marshmallow Man.
Apparently several files get placed in the %programfiles%\Mozilla Firefox\plugins folder.
Actually, I'd guess that the probability of finding people who do online banking is probably higher among the geek community.
Notepad.exe?
Nerd rage is the funniest rage.
Hey, thanks for mentioning NoScript...I'd not heard of it and am messing with it now.
Hehe..because all your friends use something, please don't assume everyone else does...thank you for mentioning this!
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Most of the bloatware (plugins) comes from "normal" applications like VOIP, anti-virus, Google apps of any form, Yahoo, ...
The only difference is that evil sites use this code to steal stuff.
The core of the problem is that ________ (insert your favourite company) should put better security on plugins and not allow 3rd party companies to install their crap at will.
Love many, trust a few, do harm to none.
prompt() much?
But no, it probably wouldn't look exactly like the master password input box, and the password would be visible as they typed it. Still, some people might be dumb enough to fall for it.
No, it monitors the sites you visit and steals your username/password combo when you log in.
GNU is the other 99.2%.
NOTE: I'm enjoying the general idea of these jokes; not the fact that some of them are targetting Stallman, who is a great guy and a visionary, that most of us wouldn't be doing what we're doing without.
Interestingly, Opera does give the option to disable all scripts on a page whenever one pops a dialog box.
Now if only they could find a way to skip the damned ads that places put now between 2 pages. Even when you block them, you still have a page that says "Click to continue".
Can I put on my 'told you so' t-shirt now?
No, you can't. The trojan doesn't attack the password list file, it scrapes the login credentials from forms of sites when you visit them.
Anyway, are you aware of any way of obtaining username/password information from the "woefully unprotected" password list? I'm not saying a way doesn't exist, but I don't know of any.
The malware calls itself "Greasemonkey" to avoid detection, but it's completely unrelated to the real Greasemonkey add-on.
Same as all the "spyware removal" or "antivirus" tools that are really adware/trojans... it's just to get it on your machine and prevent you from trying to delete it...
I've seen many a unix system owned by a worm, and Apple is now telling users to install antivirus software; so your joke isn't really that funny these days.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
A certificate-based login (which you can play with at www.cacert.org) would solve this problem. When you initially set it up with your bank, they should require gobs of information proving your identity (full card number, CCV, address, social security number, and last ATM transaction data should suffice), and then they'll let you generate a key for your browser. This easily qualifies as "something you have" for two-factor authentication without needing anything silly like a USB key that would cost the bank money on a per-key basis in time and resources. (Footnote: This isn't as well documented as it should be; your best bet is to play with cacert.org's free implementation. There's tidbits of it in Wikipedia's TLS article, and cacert's wiki has a decent Client Certs page that says a little more.)
After that, you'll need that key plus the tools already employed. Most banks these days already have interesting ways to prove their own identity to you (they supply you with an image and some secret text you agreed upon earlier), then they have some clever input mechanism that tries to bypass keyloggers and javascript hacks.
Also recall that banks are VERY good about locking your account; a properly protected four-digit number is actually secure enough if you're only allowed two failed logins per day (regardless of source) since the code would take up to 5000 days (13+ years) to crack, and I'm sure there are further safeguards for that kind of case.
To banking software firms: I would immediately switch* to an online bank that performs this configuration. So would others. Don't forget: people like me are consulted regularly by family and social networks for advice about this very topic. (* Assuming the bank is FDIC/NCUA-insured, otherwise well-received and regarded, and fully pays for a few ATM usage fees each month).
Use my userscript to add story images to Slashdot. There's no going back.
It's javascript in firefox, so the malware writers could have made it platform-independent with a little bit more work. But did they? NO! Yet another example of ignoring the Linux platform.
Intron: the portion of DNA which expresses nothing useful.
and weather != whether
"There can be little doubt that union activities lead to continuous and progressive inflation." F. A. Hayek
China is also nuclear and bigger than the US. Certainly population wise, and the physical size is arguably bigger.
1. it just sounds cool
2. sometimes in scrabble, you need to get rid of a lot of Is
language isn't a top down authoritarian function, it's trickle up from the bottom
therefore, here in this thread, based on my authority of having none at all, i hereby announce "virii" to be a valid word in the english language
use it profusely, use it constantly, use it anywhere
and in such a way, make it a valid word
motion has passed
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Sure it does! Just don't allow "chrome:".
Ahem, I do indubitably believe that in that case it is referred to as the "more loose" in point of fact, quite, yes, what what.
This is why I run the NoScript Plugin for Firefox
It blocks Java, Flash and other scripts from running until I whitelist the source.
http://noscript.net/
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
"Trojan.PWS.ChromeInject.B" is definitely only effective in Windows, because it installs and executes these files:

"%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
"%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"

browser.js calls the DLL file, which can't run in Linux, etc. unless you're running a WINDOZE Firefox via Crossover (which would be insanely stupid). Also, since it's installed into the program directory (rather than the user's profile), VISTA will almost certainly make you click for "administrator confirmation" before writing the files. (I don't know for sure, because I don't have VISTA.)

- - - - -

When I enter the URL for http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.A.html#, the page content is identical to the version for "Trojan.PWS.ChromeInject.B" (even the given name is "Trojan.PWS.ChromeInject.B"; they either over-wrote the ChromeInject.A page by accident or ChromeInject.A isn't spreading in the wild AND has nearly identical characteristics, perhaps differing only in file sizes.)

BitDefender provides the following list of banks on their page for this version, http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html: "It filters the URLs within the Mozilla Firefox browser and whenever it encounters the following addresses opened in the Firefox browser it captures the login credentials."
akbank.com caixasabadell.net credem.it areasegura.banif.es banca.cajaen.es openbank.es poste.it banesto.es carnet.cajarioja.es gruposantander.es intelvia.cajamurcia.es net.kutxa.net bancopastor.es bancamarch.es caixamanlleu.es elmonte.es ibercajadirecto.com bancopopular.es bancogallego.es bancajaproximaempresas.com caixa*.es caja*.es ccm.es bancoherrero.com bankoa.es bbvanetoffice.com bgnetplus.com bv-i.bancodevalencia.es clavenet.net fibancmediolanum.es sabadellatlantico.com arquia.es banking.*.de westpac.com.au adelaidebank.com.au pncs.com.au nationet.com online.hbs.net.au www.qccu.com.au boq.com.au banksa.com anz.com suncorpmetway.com.au quiubi.it cariparma.it bancaintesa.it popso.it fmbcc.bcc.it secservizi.it bancamediolanum.it csebanking.it fineco.it gbw2.it gruppocarige.it in-biz.it isideonline.it iwbank.it bancaeuro.it bancagenerali.it bcp.it unibanking.it uno-e.com unipolbanca.it carifvg.com cariparo.it carisbo.it islamic-bank.com banking.first-direct.com natwestibanking.com itibank.co.uk co-operativebank.co.uk lloydstsb.co.uk mybankoffshore.alil.co.im abbeynational.co.uk mybusinessbank.co.uk barclays.com online.co.uk my.if.com anbusiness.com hsbc.co anbusiness.com co-operativebankonline.co.uk halifax-online.co.uk ibank.cahoot.com smile.co.uk caterallenonline.co.uk tdcanadatrust.com schwab.com wachovia.com bankofamerica kfhonline.com wamu.com wellsfargo.com procreditbank.bg chase.com 53.com citizensbankonline.com e-gold.com paypal.com usbank.com suntrust.com banquepopulaire.fr onlinebanking.nationalcity.com
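The list above is the part of the write-up a practitioner can actually use: given a URL, would this trojan's filter fire on it? The following is an added example, not the malware's code and not anything published by BitDefender. It compiles bank-domain patterns of the kind quoted above into regular expressions and checks a URL's hostname against them. The pattern subset is constructed from the list; treating "*" as a wildcard over a single host label and matching patterns anywhere in the hostname (the published list contains bare entries such as "bankofamerica" and "hsbc.co", which only make sense as substring matches) are assumptions about the trojan's filter, not facts from the write-up.

```javascript
// Added example (not the malware's or BitDefender's code): match URLs against
// glob-style bank-domain patterns like the ones in the published list.
"use strict";

// Constructed subset of the published list. Semantics assumed below:
//   "*"  matches one host label (zero or more characters other than "." or "/")
//   a pattern matches if it occurs anywhere in the hostname (case-insensitive)
const TARGET_PATTERNS = [
  "paypal.com",
  "bankofamerica",      // no TLD in the published list: substring semantics
  "hsbc.co",            // likewise; also matches hsbc.co.uk
  "caixa*.es",
  "banking.*.de",
  "online.hbs.net.au",
];

// Escape everything a RegExp would treat specially.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile one glob-style pattern into a RegExp: split on "*", escape the
// literal pieces, and join them with a single-label wildcard.
function patternToRegExp(pattern) {
  const body = pattern.split("*").map(escapeRegExp).join("[^./]*");
  return new RegExp(body, "i");
}

const COMPILED = TARGET_PATTERNS.map((p) => ({ pattern: p, re: patternToRegExp(p) }));

// Return the first pattern whose regex matches the URL's hostname, or null.
// Unparseable input is treated as "not targeted" rather than thrown.
function findTargetPattern(url) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return null;
  }
  for (const { pattern, re } of COMPILED) {
    if (re.test(host)) return pattern;
  }
  return null;
}

function isTargetedUrl(url) {
  return findTargetPattern(url) !== null;
}

// Demo on constructed URLs: which ones would such a filter fire on?
const DEMO_URLS = [
  "https://www.paypal.com/cgi-bin/webscr",
  "https://www.caixasabadell.es/login",
  "https://banking.postbank.de/",
  "https://example.org/",
];
for (const u of DEMO_URLS) {
  console.log(u, "->", findTargetPattern(u));
}
```

Run it with Node to see which constructed URLs the sample patterns catch. The useful lesson is in the last two patterns: a single "*" entry such as "banking.*.de" covers every German bank that uses a "banking." subdomain, which is why a list of ~100 entries can reach far more than 100 institutions.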
By looking at the number of downloads I see that NoScript has been downloaded over 31 million times and a quarter of a million downloads each week on average...
Here be signatures
sorry about the formatting, I should have used preview! Per above, it definitely is Windows-only.
Just go to the URL, http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html
Since the computer need already be compromised...
Or the user can be tricked into installing the plugin. All the security in the world can't save users from themselves.
You might think it's common sense that marketshare is all that matters, but we hammered this out years ago when comparing attack rates on IIS vs Apache.
Obviously marketshare is a factor. Ease of infiltration is another factor. A more popular platform will be attacked less if the chance of success is lower, because at the end of the day going after the weaker but less popular platform can still net you more compromised systems. If you only look at desktop browsers and OSes, you might not think this is the case, but that's only because right now the most popular program and the most vulnerable program are the same, and that the up-and-coming browser can only claim to be better than the most popular one on security issues, not actually good.
In any case, common sense should not be telling you that the security of the program doesn't affect the number of hacks and viruses. Making the reasonable assumption that all code contains some number of bugs does not in any way imply that they are equally prevalent or equally easy to find in any given program, or that the time to discover the bugs is always the same and dependent only on desire. Exploring esoteric avenues of investigation because the incentive is so high does not guarantee a timely result. If it takes substantial time and effort to find an exploit, which is then fixed, requiring another substantial effort to find another exploit, then it may not be in the hacker's interest to go after this target versus a lower profile one where exploits can be found faster and more frequently in spite of bug fixes.
Put succinctly: "the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare" is trivially wrong, at its simplest you could say that the number of hacks and viruses is related to (marketshare * vulnerability).
The enemies of Democracy are
Considering that add-ons (AdBlock, for example) can already inject and/or remove HTML from the dynamic page, it doesn't surprise me in the least.
Oh great. I hope the FF team doesn't take this as reason to remove the ability of plugins to do this.
They already screwed up file selection dialogs for alleged security reasons. In FF3, if you need to select a file for upload in some interactive form, you can't type or edit the filename - only click through a file selection dialog. This is an enormous PITA if you've got a number of things you're uploading, or if you're happier typing instead of clicking. And, they've locked this down so you can't write a plugin to fix things, lest someone write a malware plugin to circumvent their "defense".
On the way straight back to a read-only web. Early 90's here we come!
Newsflash, teenybopper: The world is not divided into "morons" and "people who know how to kill apps in Taskman".
That's right, it's morons and people who use an OS with a "kill" command. :-)
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
Considering that the ability of add-ons to interact with the dynamic HTML page is vitally important to numerous add-ons' functionality, I don't think they'll remove this.
Yes, not being able to type into the file upload box is a PITA, and I really don't know why they disabled this... it's not like they couldn't have just prevented scripts from interacting with the input element. If the element can't be focused (meaning the text entry part, to steal keypresses, not the button part which pops up the file open dialog – which is handy to be able to programmatically launch) and its value can't be read or changed, then there's not much a script could do maliciously.
Well, it is frequently updated. Sometimes several times in a day.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
I do use Noscript on all my machines, but for my customers it really is a "nuke it from orbit" solution which causes more problems than it solves. What we need for Noscript is a "average Windows user" setting which would whitelist Youtube and the other popular video sites, along with a "horny guy" setting that would add Porntube, Redporn,etc. Because I have tried to teach my Windows customers about whitelisting but sadly it turns into another Vista style "always click allow" which kills the whole point. Perhaps a simpler dialog box interface for Noscript than the current one? Maybe one that would detect .flv,.swf,rmb,etc and have a simple "click if you want to play the video" button?
ACs don't waste your time replying, your posts are never seen by me.
Duh, use Killbox instead. Not all programs can be end-tasked.
But since users' standard practice, as trained by M$ security theatre over many years, is to click on everything that has an OK on it, I think it doesn't matter.
There, fixed that for ya.
---
Don't be a programmer-bureaucrat; someone who substitutes marketing buzzwords and software bloat for verifiable improvements.
All the security in the world will not keep paypal from fucking your account over and freezing your funds. Just go to paypalsucks.org or some similar site and read the horror stories. The fact that these scammers have gone on for so long without having to conform to normal banking standards is simply beyond belief. At least ebay is now finally letting third parties in on the payments.
zosxavius photography
+1 not a loser. A malicious plugin? Sure, but not this one. You need to be tricked into installing the malware, then the plugin developers (whoever) can choose to install it on your system, basically.
Want Big Business out of government? Take away the incentive and start by getting government out of big business!
I mean the annoyance factor, you keep being a good user and hitting cancel to install the software and it just keeps automatically reloading so the user can never get out of it without losing all their stuff.
With the restore session feature you could end the task and then be right back where you left off when you re-opened FF. I think devious is the right word but I'd be open to a few other adjectives like annoying or irritating.
I am sure Microsoft will find some way to sue them for trademark infringement, or something. Maybe they can still get a patent, not for the virus, but for "a method or process for efficiently and discreetly inserting points in code for future necessary improvements to amortize software engineering productivity". eh?
More proof Microsoft may have already had this trademarked or patented.
The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.
It just proves that modal dialogs suck.
So now Slashdot is running ads for Bitdefender disguised as stories? For shame...
SYMPTOMS: Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
Does this mean that it can be avoided by not putting Firefox on your "c" drive?
Don't be a twitter. We both know that users receive no training from Microsoft, and that in fact even in Windows it is really almost never a good idea to click the "OK" button (Cancel is always the safe option). Users being users though, they'll always choose "OK".
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Actually, yes, it is a big deal. Just like ActiveX, signatures have to be signed by a certificate issued by a "trusted" authority. Which means paying $400 to Verisign or some other such agency.
No, Wordpad is far less pleasant.
a) that's a good point, my apologies for doing that ASSuME thing again...
b) I heard about it from the same group I heard about Fx, so... I mean, if I say Fx to someone who's never heard about it, I say noScript in the next breath. To me they go together like bread and butter, or perhaps, macaroni and cheese. Or Steak and Beer. or... er... yah
c) [t]he[y] does a phenomenally good job with the software, and there are some other good add-ons from that same origination vector.
---
So what other add-on's do you frequently use? I prefer to use flag-fox for a little browser visual cue/check, and I use download statusbar, adblockplus and foxmarks. other than that, I don't have a large number of add-ons running, but my officemates use stuff like fire.fm, and weatherbug...
2^3 * 31 * 647
Stallman... is a great guy and a visionary, that most of us wouldn't be doing what we're doing without.
Stallman, is that you?
yeah it's very difficult for most of the users when the malware are registered trademarks of the Microsoft corporation.
Get Connected with Friends
I once went to a job interview (it was in the eighties, please be gentle...) where the suit interviewing me said:
"Basic programming, huh? Well we're far more advanced than that here."
I didn't get the job.
"I'm a snake if we disagree"-Jethro Tull, Bungle in the Jungle
I've had it. Viruses, malware, spam. A lot comes from Russia and China.
Time to let them go. Let them infect their own internet.
Privacy is terrorism.
That's a valid concern. I'm not worried about my desktop machine being stolen, but my copy of FF Portable on a flash drive does have a master password. Like I said, I'm still not sure whether it's possible to crack the cold physical files if you can get your hands on them, but since I don't let anyone else on my computer, I'm not worried about them getting into my passwords in a "hot" Firefox session.
Indeed - if you're a geek (which we both are) you'll know about securing files, exposure and the like.
Wait... you mean letting Limewire share my "My Documents" folder was a bad idea? and my "Program Files"? ;)
And anyway, it won't be long before someone *does* write an exploit that pulls out the passwords from a live session - if they're displayed, in English, on the screen, they're vulnerable.
That would be a pretty ineffective attack vector, because geeks wouldn't be likely to get infected, and non-geeks generally don't even know it's possible to view the passwords...
- Most users are not techies and do not know about kill(1) or even Windows task manager. Firefox is intended for everyone, not just propellerheads.
- Even if in some magical world the kill(1) command were understood by everybody, Firefox should not rely on you using it for something that should be taken care of in the browser; just like it purges its disk cache automatically and does not expect the user to manually run 'df' and 'rm'.
- Even in that magical world, kill(1) will not terminate the running Javascript in a single tab. All it can do is signal the entire process. If you kill the Firefox process then you lose all your work in other tabs. (If you ask to restore the tabs on startup, then you get back to the same endless loop of Javascript...)
- Firefox is designed to be able to operate in 'kiosk' setups where the task manager or command prompt is not available.
Of course you are much too smart to be coerced into installing anything by an endless series of Javascript popups. But it does work a lot of the time; otherwise the malware authors wouldn't do it.
-- Ed Avis ed@membled.com
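The thread above keeps circling the same point: kill(1) cannot stop one tab's script, and a page that re-pops a modal dialog forever wins by attrition. The browser-side fix (which the Opera comment alludes to) is to stop honouring dialogs from a page that abuses them. The following is an added example, not Firefox's or Opera's code: a small rate limiter that wraps a dialog function and, once the page has raised more than a set number of dialogs inside a sliding time window, answers further calls as if the user had pressed Cancel without ever showing them. The function names, the limits, and the injectable clock are assumptions chosen for illustration.

```javascript
// Added example (not browser code): rate-limit window.alert/confirm/prompt
// so an endless dialog loop cannot hold a tab hostage.
"use strict";

// Wrap `dialogFn`. After `maxDialogs` calls within `windowMs`, further calls
// return `cancelValue` immediately (what prompt()/confirm() return on Cancel).
// `now` is injectable so the behaviour can be exercised without real time.
function makeDialogGuard(dialogFn, {
  maxDialogs = 3,
  windowMs = 10000,
  cancelValue = null,
  now = Date.now,
} = {}) {
  const timestamps = [];   // times of dialogs actually shown, oldest first
  let suppressed = 0;

  function guarded(...args) {
    const t = now();
    // Forget dialogs that fell out of the sliding window.
    while (timestamps.length && t - timestamps[0] > windowMs) timestamps.shift();
    if (timestamps.length >= maxDialogs) {
      suppressed += 1;
      return cancelValue;   // behave as if the user cancelled; show nothing
    }
    timestamps.push(t);
    return dialogFn(...args);
  }
  guarded.suppressedCount = () => suppressed;
  return guarded;
}

// Simulate a page that re-raises a prompt `calls` times, `stepMs` apart,
// against a dialog that the (constructed) user always answers "yes".
// Returns the per-call answers and how many dialogs were suppressed.
function simulateDialogLoop(calls, maxDialogs, windowMs, stepMs) {
  let clock = 0;
  const guarded = makeDialogGuard(() => "yes", { maxDialogs, windowMs, now: () => clock });
  const results = [];
  for (let i = 0; i < calls; i++) {
    clock += stepMs;
    results.push(guarded("Install this plugin?"));
  }
  return { results, suppressed: guarded.suppressedCount() };
}

// Demo: a tight loop gets three real dialogs, then silence.
console.log(simulateDialogLoop(5, 3, 1000, 10));
// Demo: dialogs spaced wider than the window are all honoured.
console.log(simulateDialogLoop(5, 3, 1000, 600));
```

In a real page the wrapper is installed once, e.g. `window.prompt = makeDialogGuard(window.prompt.bind(window))`, before any untrusted script runs. Returning the Cancel value rather than throwing matters: the looping script sees the answer it would get from a stubborn user and has no new exception path to exploit, while the user regains the tab.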
And the geeks are most unlikely to install malware ..
davecb5620@gmail.com
The default of FF is afaik to not password-protect the password list. This is an option that has to be switched on manually, hidden in the preferences somewhere. I don't remember having ever got the question of FF to password-protect this list, not even on a first use (i.e. storing the first password in the list).
I use Adblock Plus, Download Statusbar, DownloadHelper, FireFTP, IE Tab, and Tab Mix Plus. I've also used FasterFox in the past but I don't think they have an official Firefox 3.0 version of it out yet (I primarily like it for its easy "clear cache" shortcut).
The Ugly aren't people. They're in a whole other classification.
I'm guessing putting BASIC in all caps didn't help?
Interesting idea... though if Firefox is installed in a non-standard location it's still probably identified in the Windows Registry and as such it'd be technically possible to locate the install and put the files in the correct location. I have no idea whether the malware is smart enough to actually do that...
True, but I've never been able to get the plaintext usernames/passwords out of my password list file even though I didn't set a master password. It stank when I had to reinstall Firefox and I lost all my saved login information... even though I made a backup of my old profile before I trashed it, I couldn't decrypt the usernames/passwords for the saved logins.
Yeah! The allow/deny app access control in Vista is the exact example how microbloft "train" users to simply click without reading.
If your OS is constantly popping up windows with YES/NO, ALLOW/DENY, ACCEPT/CANCEL .. whatever, you'll get pissed off and click on whatever shows up next without even reading.
Micro$oft clearly has its share of guilt on this one.
And yet here we are, with an exploit - *so what* if it can only run on a compromised machine, us geeks will catch-and-kill it but the chairman of your company won't when he installs FF at home 'because his son said it's the best'.
What do you mean, "so what if it can only run on a compromised machine"?!
Once your machine is compromised by malware, you're FUCKED and your browser's security doesn't enter into it -- unless your browser was the vector by which your machine got compromised which is not the case here. The malware will log your keys, or it will load the browser itself and peek at the memory containing the unencrypted passwords that must at some point exist, and that's it. Browser security can't prevent this; only a platform like Trusted Computing can. FF is better because it is less of a vector for external attacks, not because it can prevent local exploitation when the system it is running on is compromised.
So go ahead and put on your "I told you so" shirt, just make sure to put the parenthetical (something obvious and pointless) between "you" and "so".
Sorry I was thinking of a normal user name:/password: box. I forgot that the master password box only has one value..
There, fixed that for ya.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
In Firefox 2.0.18 (Mac OS-X):
Go to Preferences, tab Security, click the Show Passwords button for a list of saved logins, and in that window again Show Passwords, and one more click to confirm.
Voilà, all your saved passwords, all in plain text.
The Security tab is also where you can set your master password, by the way. I assume setting this password will also encrypt your saved passwords, not sure as I have never tried it.
Go to Preferences, tab Security, click the Show Passwords button for a list of saved logins, and in that window again Show Passwords, and one more click to confirm.
Yeah, that works fine — unless you want to recover passwords from a backed-up profile after you've had to reinstall Firefox. The password file is encrypted anyway, even without a master password set. Look for yourself... the password file is called %userprofile%\Application Data\Mozilla\Firefox\Profiles\*\signons*.txt.
It automatically updates itself so that's not a part of the equation...
javascript:void(document.body.style.textTransform="lowercase");
That's my cryptic way of saying he used too much caps lock.