Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Trojan Spoofs Firefox Extension, Steals IDs



Well, now they've gotten to FF too...

----------
http://www.techweb.com/wire/security/191101268;jsessionid=ZSIPNB4RIMFWUQSNDLOSKH0CJUNN2JVN
Trojan Spoofs Firefox Extension, Steals IDs


By Gregg Keizer, TechWeb Technology News

An identity-stealing keylogger that disguises itself as a Firefox extension and 
installs silently in the background was discovered Tuesday by security vendor 
McAfee.

According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan horse 
monitors mouse movements and key presses to steal online banking or credit card 
usernames and passwords, other login information, and URLs typed into Firefox, 
the popular open-source browser. Another component of the Trojan sniffs out 
passwords from ICQ and FTP sessions, and IMAP and POP3 traffic, said McAfee. 
All collected information is sent to an IP address hard-coded into the Trojan.

The scam starts with spam posing as a message from the billing support 
department of mega-retailer Wal-Mart, said Craig Schmugar, the virus research 
manager at McAfee's Avert Labs. "There's an order number in the message, which 
matches the number of the attachment," said Schmugar. "When someone opens the 
attachment, the Trojan downloads and installs two components, a keylogger as 
well as a sniffer." As of Tuesday afternoon, FormSpy had gained little traction.

But it's the way that FormSpy gets onto a machine that's unique, Schmugar said. 
FormSpy masquerades as a Firefox extension, or browser add-on. It spoofs 
Numberedlinks 0.9, an extension that in its legitimate form lets users navigate 
links with the keypad. FormSpy uses some of the actual extension's code to put 
its hooks into Firefox.

Normally, Firefox extensions -- which in Windows have the .xpi file extension 
-- display a confirmation dialog that the user must acknowledge before the 
add-on installs. The bogus Numberedlinks, however, skips that.

"The Trojan writes files directly to the Firefox folders without putting up the 
confirmation," said Schmugar. Users who have been infected won't realize that 
the bogus extension has been added to Firefox unless they call on the 
Tools|Extensions command (in Firefox 2 Beta 1, Tools|Add-ons) and spot 
"Numberedlinks 0.9" in the list.

Firefox's extensions have been criticized for lax security, in particular that 
they're not digitally signed to vouchsafe their contents. Schmugar said 
FormSpy's disguise argues for revisiting the topic.

"The Trojan is using a mechanism to get its code executed when it hooks into 
Firefox [spoofing an extension]," he said, "and from a security model, that 
kind of functionality is all over the place." Still, "better extension security 
should be considered by Mozilla," he concluded.

Because of similar -- and long-standing -- threats posed by ActiveX controls, 
Microsoft has made several changes to Internet Explorer, including blocking of 
virtually all such add-ons by default in the upcoming IE 7, to protect users. 
ActiveX controls, unlike Firefox extensions, are also digitally signed.

"Over time, malware writers will find a way to leverage Firefox to their 
advantage," said Schmugar.

"Quite a number" of the original spammed messages were reported to McAfee, 
Schmugar said, but there had been "very little field submissions" of the FormSpy 
Trojan, so for the moment the threat remained low-level.

"In all likelihood, some of those who received the spam did run the attachment. 
But how many were using Firefox, we don't know."
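
Because the article says the bogus extension is written straight into the Firefox folders with no install dialog, an on-disk inventory is the reliable check. The following is an added example, not code from the article or from McAfee: it reads each extension's manifest and reports anything outside an approved list or carrying the name the article mentions. It assumes the legacy layout `<profile>/extensions/<id>/install.rdf`; the IDs, the approved list and the sample profile are constructed placeholders.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"  # install-manifest namespace

def read_manifest(path):
    """Return (id, name, version) from a legacy install.rdf, or None."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    for desc in root.iter(RDF + "Description"):
        if "urn:mozilla:install-manifest" not in (desc.get("about"), desc.get(RDF + "about")):
            continue
        def field(key):  # value may be a child element or an attribute
            child = desc.find(EM + key)
            text = child.text if child is not None else desc.get(EM + key)
            return (text or "").strip()
        return field("id"), field("name"), field("version")

def audit_profile(profile_dir, approved_ids, watch_names=("numberedlinks",)):
    """Return (entry, reason) for every on-disk extension entry needing review."""
    findings = []
    for ext_dir in sorted(Path(profile_dir, "extensions").iterdir()):
        meta = read_manifest(ext_dir / "install.rdf") if ext_dir.is_dir() else None
        if meta is None:
            findings.append((ext_dir.name, "no readable install.rdf"))
        elif meta[1].lower() in watch_names:
            findings.append((ext_dir.name, f"watch-listed name: {meta[1]} {meta[2]}"))
        elif meta[0] not in approved_ids:
            findings.append((ext_dir.name, f"not in approved inventory: {meta[1]}"))
    return findings

def build_sample_profile():
    """Constructed test profile; the IDs and names are placeholders."""
    manifest = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
                'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
                '<Description about="urn:mozilla:install-manifest"><em:id>{0}</em:id>'
                '<em:name>{1}</em:name><em:version>{2}</em:version></Description></RDF>')
    root = Path(tempfile.mkdtemp())
    samples = [("Approved Tool", "1.0"), ("Numberedlinks", "0.9"), ("Unknown Add-on", "2.1")]
    for n, (name, version) in enumerate(samples, 1):
        ext_id = "{00000000-0000-0000-0000-%012d}" % n
        ext_dir = root / "extensions" / ext_id
        ext_dir.mkdir(parents=True)
        (ext_dir / "install.rdf").write_text(manifest.format(ext_id, name, version))
    return root
```

A name match only marks the entry for review, since the legitimate Numberedlinks extension carries the same name.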




 



