îÕ ×ÏÔ, É ÄÏ FF ÄÏÂÒÁÌÉÓØ...
----------
Trojan Spoofs Firefox Extension, Steals IDs
By Gregg Keizer, TechWeb Technology News
An identity-stealing keylogger that disguises itself as a Firefox extension and
installs silently in the background was discovered Tuesday by security vendor
McAfee.
According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan horse
monitors mouse movements and key presses to steal online banking or credit card
usernames and passwords, other login information, and URLs typed into Firefox,
the popular open-source browser. Another component of the Trojan sniffs out
passwords from ICQ and FTP sessions, and IMAP and POP3 traffic, said McAfee.
All collected information is sent to an IP address hard-coded into the Trojan.
The scam starts with spam posing as a message from the billing support
department of mega-retailer Wal-Mart, said Craig Schmugar, the virus research
manager at McAfee's Avert Labs. "There's an order number in the message, which
matches the number of the attachment," said Schmugar. "When someone opens the
attachment, the Trojan downloads and installs two components, a keylogger as
well as a sniffer." As of Tuesday afternoon, FormSpy had gained little traction.
But it's the way that FormSpy gets onto a machine that's unique, Schmugar said.
FormSpy masquerades as a Firefox extension, or browser add-on. It spoofs
Numberedlinks 0.9, an extension that in its legitimate form lets users navigate
links with the keypad. FormSpy uses some of the actual extension's code to put
its hooks into Firefox.
Normally, Firefox extensions -- which in Windows have the .xpi file extension
-- display a confirmation dialog that the user must acknowledge before the
add-on installs. The bogus Numberedlinks, however, skips that.
"The Trojan writes files directly to the Firefox folders without putting up the
confirmation," said Schmugar. Users who have been infected won't realize that
the bogus extension has been added to Firefox unless they call on the
Tools|Extensions command (in Firefox 2 Beta 1, Tools|Add-ons) and spot
"Numberedlinks 0.9" in the list.
Firefox's extensions have been criticized for lax security, in particular that
they're not digitally signed to vouchsafe their contents. Schmugar said
FormSpy's disguise argues for revisiting the topic.
"The Trojan is using a mechanism to get its code executed when it hooks into
Firefox [spoofing an extension]," he said, "and from a security model, that
kind of functionality is all over the place." Still, "better extension security
should be considered by Mozilla," he concluded.
Because of similar -- and long-standing -- threats posed by ActiveX controls,
Microsoft has made several changes to Internet Explorer, including blocking of
virtually all such add-ons by default in the upcoming IE 7, to protect users.
ActiveX controls, unlike Firefox extensions, are also digitally signed.
"Over time, malware writers will find a way to leverage Firefox to their
advantage," said Schmugar.
"Quite a number" of the original spammed messages were reported to McAfee,
Schmugar, said, but there had been "very little field submissions" of FormSpy
Trojan, so for the moment the threat remained low-level.
"In all likelihood, some of those who received the spam did run the attachment.
But how many were using Firefox, we don't know."
