
Password-Stealing Trojan Disguised as Firefox Extension

A spam e-mail making its rounds carries a file attachment disguised as an "extension," or add-on, for the Mozilla Firefox browser. The attachment is actually a Trojan horse program that lets attackers install software on the victim's computer to intercept Web traffic and record what he or she types, such as passwords and other login information.

According to analysis from McAfee AVERT, the spoofed message is designed to look like it came from the Wal-Mart billing support department. It includes an order number in the body of the e-mail and uses the same order number as the name of the attachment. If a Windows user opens the attachment, it installs a malicious program that steals passwords and monitors the victim's network activity (unless he or she has taken our advice and does not run the computer under the all-powerful "administrator" account).

Once installed, the malware masquerades as the Numberlinks 0.9 extension for Firefox, borrowing its name from a legitimate add-on that makes it easier for Firefox users to browse the Web without a mouse. Firefox normally prompts the user before installing an extension, but this one silently patches the user's browser without any notice. The next time the victim restarts the browser, the spying component -- which McAfee has dubbed "FormSpy" -- starts up automatically.

Mozilla has taken heat from security experts in the past about neglecting to digitally "sign" third-party extensions so that users have some assurance that Mozilla has vetted the developer's work. And no doubt, this attack will embolden critics to say, "See, we told you so." But Dan Veditz, a security developer at Mozilla, said no amount of digital signing would prevent an attack like this one, as it relies not on the browser's default installer (whose installation files end in ".xpi") but on the user opening an executable program file (".exe") that is handled by the Windows operating system.

Before Mozilla released Firefox, attackers were using a similar method to slip the "MyWebSearch Toolbar" onto users' Firefox browsers. With version, Mozilla added code that simply removed the toolbar installation files. Veditz said Mozilla could similarly remove this attack avenue from future versions of Firefox, but added that the bad guys could simply tweak a few things to get around it.

"This attack was perhaps a little too easy, but the reality is that once someone has launched an installer on their system, ultimately it becomes an arms race between how much effort we want to put in and what the attackers are willing to do" to circumvent it, Veditz said.

Security Fix has warned readers many times in the past, but it bears repeating often: Do not open e-mail attachments that arrive in messages you weren't expecting. Even if they appear to come from someone you know, it's a good idea to reply and await a response, just to make sure the e-mail's "From" address was not faked by the attackers.

Finally, scan any attachments with up-to-date anti-virus software before opening them: Because of the inherent difficulties of virus detection, there will always be things that can't be blocked, but this kind of safeguard is still a very good habit for Windows users to get into. If you don't have anti-virus tools installed or you want to get a diagnosis from more than one anti-virus product, submit the suspect file for a free scan at Virustotal.
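Two of the points above lend themselves to an automated check: Veditz's observation that a genuine extension installer is an .xpi (which is a ZIP archive) while this lure delivers a Windows .exe, and the advice to inspect and scan unexpected attachments before opening them. The script below is an added example written for this page, not code from the post, McAfee or Mozilla. It parses a message, judges each attachment by its leading bytes rather than its file name, notes when the attachment name echoes text in the body (the order-number trick described above), and computes a SHA-256 hash you could look up with a scanner such as Virustotal. The message it parses is constructed here; the addresses, order number and the "MZ" header stub are made up and the attachment is not real malware.

```python
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions Windows will run directly when the attachment is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def sniff(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its file name."""
    if data[:2] == b"MZ":
        return "pe-executable"          # Windows .exe/.dll/.scr
    if data[:2] == b"PK":
        return "zip-archive"            # what a real Firefox .xpi actually is
    return "unknown"


def triage(raw: bytes) -> List[Dict]:
    """Flag attachments that look like the executable-in-disguise lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        magic = sniff(data)
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable file extension %s" % ext)
        if magic == "pe-executable":
            reasons.append("content is a Windows executable (MZ header)")
        if "." in stem and ext in EXECUTABLE_EXTS:
            reasons.append("double extension hides the real type")
        if stem and stem in body_text:
            reasons.append("attachment name echoes text in the body")
        findings.append({
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": magic,
            "reasons": reasons,
            # Block on what the bytes are, not only on what the name claims.
            "verdict": "block" if (magic == "pe-executable"
                                   or ext in EXECUTABLE_EXTS) else "review",
        })
    return findings


def build_sample_message() -> bytes:
    """Constructed lure in the shape the post describes; not the real spam."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"     # assumed spoofed sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Order 58834210 confirmation"
    msg.set_content("Thank you for your order 58834210. Details are attached.")
    # Stand-in for the dropper: a minimal DOS/PE header stub, not runnable code.
    fake_exe = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 20
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="58834210.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage(build_sample_message()):
        print(f["verdict"], f["name"], f["magic"], f["sha256"][:16], f["reasons"])
```

The verdict rests on the content sniff, so renaming the dropper to "58834210.pdf" or wrapping it in a double extension does not help the attacker; only a real ZIP-format .xpi passes the "zip-archive" check, and even that still deserves the usual anti-virus scan.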

Incidentally, Mozilla is expected to release a new version of Firefox today that includes about a dozen security updates as well as stability fixes. Security Fix will have more info on that update shortly after its release.

By Brian Krebs  |  July 26, 2006; 3:03 PM ET
Categories:  Latest Warnings  
