Password-Stealing Trojan Disguised as Firefox Extension
A spam e-mail making its rounds with a file attachment disguised as an "extension" or add-on for the Mozilla Firefox browser is actually a Trojan horse program, which allows attackers to install programs that intercept Web traffic from a victim's computer and monitor what he or she types, such as passwords and other login information.
According to analysis from McAfee AVERT, the spoofed message is designed to look like it came from the Wal-Mart billing support department. It includes an order number in the body of the e-mail and the same order number as the name of the attachment. If a Windows user clicks on the attachment, it will lead to the installation of a malicious program that steals passwords and monitors the victim's network activity (unless he or she has taken our advice to avoid using their computer under the all-powerful "administrator" account.)
Once installed, this malware is disguised as the Numberlinks 0.9 extension for Firefox, taking its name from a legitimate add-on designed to make it easier for Firefox users to browse the Web without a mouse. Firefox extensions normally prompt the user to install them, but this one silently patches the user's browser without giving any notice. The next time the victim restarts the browser, the spying program -- which McAfee has dubbed "FormSpy" -- will start up automatically.
Mozilla has taken heat from security experts in the past about neglecting to digitally "sign" third-party extensions so that users have some assurance that Mozilla has vetted the developer's work. And no doubt, this attack will embolden critics to say, "See, we told you so." But Dan Veditz, a security developer at Mozilla, said no amount of digital signing would prevent an attack like this one, as it relies not on the browser's default installer (whose installation files end in ".xpi") but on the user opening an executable program file (".exe") that is handled by the Windows operating system.
Before Mozilla released Firefox 1.5.0.2, attackers were using a similar method to slip the "MyWebSearch Toolbar" onto users' Firefox browsers. With version 1.5.0.2, Mozilla added code that simply removed the toolbar installation files. Veditz said Mozilla could similarly remove this attack avenue from future versions of Firefox, but added that the bad guys could simply tweak a few things to get around it.
"This attack was perhaps a little too easy, but the reality is that once someone has launched an installer on their system, ultimately it becomes an arms race between how much effort we want to put in and what the attackers are willing to do" to circumvent it, Veditz said.
Security Fix has warned readers many times in the past, but it bears repeating often: Do not open e-mail attachments that arrive in messages you weren't expecting. Even if they appear to come from someone you know, it's a good idea to reply and await a response, just to make sure the e-mail's "From" address was not faked by the attackers.
Finally, scan any attachments with up-to-date anti-virus software before opening them: Because of the inherent difficulties of virus detection, there will always be things that can't be blocked, but this kind of safeguard is still a very good habit for Windows users to get into. If you don't have anti-virus tools installed or you want to get a diagnosis from more than one anti-virus product, submit the suspect file for a free scan at Virustotal.
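An added example, not from the original post or from McAfee's analysis: a mail-filter style check for the lure described above, an executable attachment whose file name repeats the order number quoted in the message body. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types Windows runs on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def executable_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment that Windows would execute."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension")
        if payload.startswith(b"MZ"):  # DOS/PE header, survives a rename
            reasons.append("PE header")
        if not reasons:
            continue
        # Lure trait from the article: the attachment is named after the
        # order number quoted in the message body.
        if len(stem) >= 4 and stem in body:
            reasons.append("name echoed in body")
        findings.append({"filename": name, "reasons": reasons})
    return findings

def sample_message(filename: str, payload: bytes) -> bytes:
    """Constructed test message; sender, order number and payload are made up."""
    m = EmailMessage()
    m["From"] = "billing-support@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Order confirmation"
    m.set_content("Thank you for your purchase. Order number: 4471-20593.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    lure = sample_message("4471-20593.exe", b"MZ\x90\x00" + b"\x00" * 60)
    for finding in executable_attachments(lure):
        print(finding)
```

The header check matters because the extension alone is trivially changed; the name-echo signal only adds weight to an attachment that is already executable.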
Incidentally, Mozilla is expected to release a new version of Firefox today, 1.5.0.5, that includes about a dozen security updates as well as stability fixes. Security Fix will have more info on that update shortly after its release.
By Brian Krebs | July 26, 2006; 3:03 PM ET
Posted by: Nate Kully | July 26, 2006 7:21 PM
The trojan was an EXECUTABLE file (*.exe) that was sent as an e-mail attachment. There is VERY LITTLE a browser (or an e-mail program) can do if users ACTIVELY open and execute attachments from unknown sources.
You could at least use Thunderbird (instead of Outlook) as your e-mail program, as it provides much better protection against such scams (http://www.mozilla.com/thunderbird/)
BTW: To the first commenter: The second "F" in Firefox is not capitalized. ;-)
Posted by: Peter Reaper | July 27, 2006 5:27 AM
Did you know that you can significantly speed up Firefox? You can find manual how to easily tweak Firefox over here: http://www.miscproject.com/blog/about/
Posted by: mozila | July 27, 2006 6:29 AM
Yes, Firefox version 1.5.0.5 is now available. (I just downloaded the update.)
Posted by: John Johnson | July 27, 2006 9:51 AM
Or you could get a Mac.
Posted by: Ladyowl | July 27, 2006 10:46 AM
Or you could get a new line.
Sorry, I know you Mac users have to puff up your chest and parade around constantly to try to justify all that money you spent for your solid gold boat anchor.
I had a Mac - now I've got productivity.
Sheeeeeesh!!!
Posted by: Piperllew | July 27, 2006 12:27 PM
Getting a Mac won't solve anything. Anyone who pays attention to security blogs or any of the like knows that Macs have been falling victim to a slew of security threats since the debut of OSX. Windows has been hammered on by hackers so much that it's actually become MORE secure than a Mac given a few basic security precautions have been taken. The bottom line is that anyone who blindly clicks on attached executables is just asking for trouble. Besides, Outlook usually assumes the user is too dumb to decide which attachments to open and automatically blocks access to certain possibly undesirable file types.
Posted by: SGoldman | July 27, 2006 1:34 PM
I got a message while using Firefox saying that an update was installed and will be active the next time I start Firefox. I did not open any email attachments. I have not yet re-started Firefox. What do I do? Will un-installing Firefox and re-installing it work?
Posted by: Shane | July 27, 2006 2:58 PM
Most likely, Firefox just updated itself. All Firefox updates take effect when you shut it down and restart. No worries.
Posted by: Piperllew | July 27, 2006 3:08 PM
Thanks for your reply. But I read that Firefox prompts you before installing any updates? I did not get any prompt, it installed by itself.
Posted by: Shane | July 27, 2006 3:12 PM
While I was writing my last comment, I took a look at my Firefox help menu and noticed it was in the process of installing the update. All I had to do was let ZoneAlarm know that the new Firefox program had permission.
Everything's lovely.
Posted by: Piperllew | July 27, 2006 3:13 PM
What security blogs are recommended for learning more about Mac attacks? We have both Macs and PCs, and have found the Macs to run faster and be more productive, but it is difficult to know which are the best anti-virus and spyware and firewall products for Macs. Any help with this would be greatly appreciated.
Thanks for the info on Firefox - we use that as our alternative browser on both Mac and PC. We don't normally open attachments without checking them out first, but we don't ALWAYS do that if we get busy and forget. Thanks for the warning!
Posted by: Susan | July 27, 2006 3:18 PM
This attack can be equally effective against OS X and Linux since it is a Firefox extension. Assuming the creator of this trojan didn't write any Windows specific XPCOM code in C++, it should install just fine on a Mac or Linux version of Firefox. The only Windows-specific part is probably the installer, which can certainly be easily changed. Even though most Linux and Mac users presumably do not run as root, it is still possible to silently install the trojan into the user's local Firefox profile.
Posted by: Qian Wang | July 27, 2006 3:20 PM
I suspect that, like myself - your Firefox is set to automatically download and install updates.
If you would like to check; go to
Tools/Options/Advanced/Update
Firefox has excellent Options menus for managing your browser.
Posted by: Piperllew | July 27, 2006 3:24 PM
I cannot believe some of these comments. Firefox doesn't have ANY anti-spyware features!! These Myths get bigger every day. Get the facts:
Posted by: Andrew | July 27, 2006 7:45 PM
No hassle, just last night Firefox signalled me that there was an update for my German version and that was it + the new Thunderbird.
I have never been able to understand, why people would want to use IE the most insecure browser. Never used it only Netscape & Firefox.
Firefox in combination with a good non hijacking & non-Microsoft/Symantec firewall + spybot or new Netscape antivirus routine is just perfect.
There was a time, when my computers ran problem free and that was the time, when not a single Microsoft program ran on my machines.
Posted by: wdk | July 27, 2006 10:08 PM
Once again, Firefox (or substitute any other program/browser/etc.) is taking heat for something that the END USER controls: opening attachments to emails.
As noted in the article (and often repeated) the end user should NOT open attachments...
So when do the end users assume responsibility for their own actions?
While I agree that there has to be some accountability to the creators of programs, there also has to come a time when, just like dealing with a child, you have to let them suffer the consequences of their actions.
And let's not forget the last part of the equation: severely prosecuting the people that spend all of their time MAKING these trojan horses/viruses/malware products. If we don't have the proper legal recourse, then it's high time we figure out HOW to.
OK.. that's MY two-cents worth!
Posted by: MaggieB | July 28, 2006 1:30 PM
I agree with MaggieB - Firefox can't stop a user from opening a suspicious attachment.
After all these years, it still baffles me that people don't understand even the most basic precautions they should be taking when using the internet. We teach our kids not to take things from strangers; how is it that so many people forget that lesson as soon as they log onto their computers?
Posted by: Anonymous | July 28, 2006 9:06 PM
@ Andrew:
>>Firefox doesn't have ANY anti-spyware features!!
Firefox's absence of native ability to run (with or without the user being prompted) ActiveX controls isn't an anti-spyware feature?
Its ability to disable Java (if installed) and JavaScript isn't an anti-spyware feature?
http://www.mozilla.org/support/firefox/options#webfeatures
Its ability to disallow web sites from auto-installing software updates & extensions (there are malicious .XPIs out there) isn't an anti-spyware feature?
Its absence of native ability to tell a mail client how to handle its security, such that if Firefox's security settings are misconfigured it doesn't thereby open a second vector for malware through the mail client (unlike the "integrated" IE/OE combo), isn't an anti-spyware feature?
It's a web browser, not a magic wand.
Posted by: Mark Odell | July 28, 2006 10:32 PM
You mean people STILL download things from strange attachments?
Posted by: Wyn | August 1, 2006 1:40 PM
I want to learn Trojan horse program, and who can I use it? Is there any site for that?
Posted by: lava | August 7, 2006 3:50 AM
Iava... huh?
Posted by: Dejuan | August 7, 2006 3:48 PM
How do i get this Password Stealer and this bank info
Posted by: Richard | August 11, 2006 7:48 PM
The comments to this entry are closed.
This is very interesting to read because for the longest time I have heard nothing but great things about FireFox (well, compared to IE). FireFox is so highly regarded because of its anti-spyware features and I guess that I didn't even take into account the idea of trojan horses etc. Whether or not they decide to hire a third-party does not make a difference because it is still the best browser out there.
Thanks for the info