Spyware Disguises Itself as Firefox Extension 247

Posted by timothy
from the not-yet-linux-compatible dept.
Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."

  • Not a vulnerability. (Score:5, Informative)

    by Short Circuit (52384) * <mikemol@gmail.com> on Thursday July 27, 2006 @01:46PM (#15792636) Homepage Journal
    Note that this isn't a Firefox vulnerability.

    The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.
    • by kfg (145172) on Thursday July 27, 2006 @01:51PM (#15792709)
      I refuse to use this trojan until it's ported to Linux.

      We have to send a message to developers that we want our apps native.

      KFG
    • Emphasis on that. (Score:5, Informative)

      by khasim (1285) <brandioch.conner@gmail.com> on Thursday July 27, 2006 @01:54PM (#15792745)
      This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

      This does not exploit any vulnerability in Firefox.

      If your OS is not secure, no app running on it can be secured.
      • If your OS is not secure, no app running on it can be secured.

        Ssh...don't tell the RIAA.
      • by dedazo (737510) on Thursday July 27, 2006 @02:39PM (#15793192) Journal
        This is an Outlook/IE "virus" whose payload is a keylogger and crap that hooks into Firefox.

        This is a user-executed email attachment with a trojan. It will happily be executed from Outlook Express, IE, Eudora and Thunderbird. McAfee mentions they've seen one version trying to exploit a three-year-old IE vulnerability. If you haven't patched that, well then you deserve to get nailed.

        This does not exploit any vulnerability in Firefox

        It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing something is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

        If your OS is not secure, no app running on it can be secured.

        If your OS is being operated by a user that executes attachments from "WalMart" that read "helo, teh attcachements for yuo pleasures" then your OS is not secure.

        BTW, this progression is interesting. When FF came out just installing it would make the world safe, because it was invulnerable and impervious. Now I also have to switch operating systems? And when someone finds another exploit in SSH

        • I agree with you here.

          There should be a way of signing the profile folder contents to detect outside changes.

          Knowledge is power, and being informed about a change to your profile will either set warning bells off or put you at ease (after you manually changed it yourself).
        • by mrchaotica (681592) * on Thursday July 27, 2006 @04:36PM (#15794383)
          It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing something is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

          Okay, and then the next trojan will simply add itself to the file that Firefox checks to see if the extension is new, and you're back to square one.

          Firefox isn't the problem. The fact that the thing can write to the application's directory means the computer is already compromised.

          • Re:Emphasis on that. (Score:3, Informative)

            by athakur999 (44340)
            Extensions can be happily installed inside a user's profile directory. It doesn't require write permissions to the Firefox application's directory to install an extension.

            There is nothing about "vulnerability" that would stop the same thing happening on a Linux box. The only saving grace for Linux at this point in time is that your average Linux user is smart enough to not execute random executable files they receive from people they don't know in an email message.

            • by penix1 (722987)
              "The only saving grace for Linux at this point in time is that your average Linux user is smart enough to not execute random executable files they receive from people they don't know in an email message."

              Although I agree with this statement, a lot of the time the really nasty ones are spread by people you *DO* know. You know the type. This is the user that actually believes clicking "Remove me from this list" will actually remove them from that spammer's list. These also tend to be those people that clog th
      • If your OS is not secure, no app running on it can be secured.

        Since it involves executing an attachment while being a Windows administrator, it's more about the user than any OS security issues in this case.
    • Nobody said it was a Firefox vulnerability.

      Oh sorry, I forgot, nobody actually reads the articles here...
      • The headline makes it seem like Firefox is bad because there's a new piece of spyware that takes advantage of it.

        Darn, I knew this was going to happen sooner or later. Time to switch to IE. oh, wait a minute...

    • by DrXym (126579)
      Well yes it is. Firefox extensions are an easy way to trojan a system. Anyone can write an extension and put it up on the addons site and there isn't even the requirement that it be signed. There is no enforcement of trust at all except for a primitive domain whitelist system. I think it would be fairly trivial to produce a malicious extension. Worse, you could even craft one that works on Linux, OS X and Windows in one fell swoop, since you have unfettered access to all of the XPCOM objects running in Fire
      • Well yes it is. Firefox extensions are an easy way to trojan a system.
        1. Not more than any other software you install.
        2. This isn't really an extension, more like a modified version of Firefox.
        • This exploit might be a hacked Firefox, but even the vanilla Firefox is an easy attack vector.

          The very first page you see after installing tells you to Install Extensions [mozilla.org]. And what is only a few clicks from that page? Hundreds of untrusted extensions, with the new ones helpfully listed first.

          It would be TRIVIAL to insert a trojan onto that site. You can guarantee that people would download and install it without thinking twice. With a little more effort you could even hack a popular extension's home sit

          • by arose (644256)

            It would be TRIVIAL to insert a trojan onto that site.

            I still don't see how that differs from a trojan on, say, SourceForge--that's just how trojans are.

            The funny thing is IE was panned for ActiveX control issues and yet Firefox contains something just as serious in extensions.

            IMHO the problem with ActiveX is the seemingly endless vulnerabilities that enable drive-by installations; I don't see this with Firefox.

            It is true that extensions must be voluntarily fetched by a user so the user base as a whole h

      • by archen (447353)
        I think you'll still end up with the same problems though. Where does firefox keep its list of trusts? In the registry, or a config file? People will want to develop/install plugins that aren't signed so you'll need to be able to make exceptions. Where will the settings for the exceptions be stored? In the registry or config file?

        I think this just gives you a false sense of security. If your OS were secure and you knew for a fact that no one else could ever write to the firefox config files or the r
      • Any piece of software capable of running executable code is vulnerable to trojans. Anyone can write an executable program to do nasty stuff, and there's no reasonable way for an application to tell the difference. Firefox can't figure out on its own that an extension which deletes files or sends email is malicious, because such functionality can conceivably be useful. The only real solution is to educate people about running untrusted executable code, and Firefox already takes every reasonable precaution
      • by sterno (16320) on Thursday July 27, 2006 @02:52PM (#15793327) Homepage
        You are talking about a situation where an executable has been run with your privileges. It can do anything it wants to, especially in Windows where most people run as Administrators. It can disguise itself as a firefox extension, sure. But it could also modify the firefox binary, or simply install a sniffer running as a service, or format your drive, or any number of nasty things.

        The only place a signature would matter in this case is when the trojan executable was run. If you are executing attached executables from an e-mail, then no amount of signature verification is going to protect you. The reality is that no technical process can exist that will prevent this kind of attack so long as users can install their own software.
      • This malware had read-write access to C:\Program Files\Firefox. Nothing would have stopped it from disabling any signature-checking code that might have existed.

        The Firefox extension trust model is as secure as SSL and the SHA-1 hash function.

      • You might as well say that Debian, sourceforge or freshmeat need to all implement trust models.

        Executables can end up trashing your system, even if they aren't meant to do so.
        • by DrXym (126579)
          Well they should. In fact, I read just the other day that Debian will be signing packages at long last. It's not brain surgery to do either - Red Hat has been doing it for a very long time.
    • by dschuetz (10924) <slash&david,dasnet,org> on Thursday July 27, 2006 @02:03PM (#15792856) Homepage
      Note that this isn't a Firefox vulnerability. The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

      While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

      Of course, this presupposes that Firefox hackers can manage to get their extensions signed, and if that's possible, then the malware authors could do the same. Unless...FF gets distributed with a mozilla.org CA cert, and extensions accepted and published on the mozilla site(s) get signed with that cert, then every "legitimate" extension from the mozilla sites will be verifiable at runtime. The user could opt out of that with an "allow execution [not installation] of unsigned extensions" preference setting, but the majority of users would be protected, so long as the malware doesn't also set that preference for the user. :)

      (though even that last bit could be guarded against by creating a personal key to sign the config with, and every time you make a "security relevant configuration change" to the browser's settings, you have to re-sign the file.)
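An added example (not code from the thread, from Mozilla, or from Firefox) of the scheme this comment and the earlier "signing the profile folder contents to detect outside changes" reply describe: hash every file in a profile directory into a manifest, tag the manifest with an HMAC under a personal key, and on the next check report added, modified or removed files, refusing the manifest outright if its tag no longer matches. The profile layout, file names and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile


def build_manifest(profile_dir):
    """Map every file under profile_dir (relative, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, profile_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def _canonical(manifest):
    # Deterministic serialization so the same file set always yields the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """Attach an HMAC-SHA256 tag computed under the user's personal key."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_profile(profile_dir, signed, key):
    """Check the stored manifest's tag, then diff the live profile against it."""
    expected = hmac.new(key, _canonical(signed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        # The manifest itself was altered; nothing in it can be relied on.
        return {"authentic": False, "added": [], "modified": [], "removed": []}
    old, current = signed["manifest"], build_manifest(profile_dir)
    return {
        "authentic": True,
        "added": sorted(set(current) - set(old)),
        "modified": sorted(p for p in current if p in old and current[p] != old[p]),
        "removed": sorted(set(old) - set(current)),
    }


def demo():
    """Constructed scenario: sign a clean profile, then simulate an out-of-band extension drop."""
    key = b"constructed-personal-key"  # in practice, a key the malware cannot read
    with tempfile.TemporaryDirectory() as profile:
        def write(rel, text):
            path = os.path.join(profile, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        # Constructed stand-ins for profile files; names are illustrative only.
        write("prefs.js", 'user_pref("xpinstall.enabled", true);\n')
        write("extensions/sample@example.org/install.rdf", "<RDF/>\n")
        signed = sign_manifest(build_manifest(profile), key)
        clean = verify_profile(profile, signed, key)

        # Simulate the trojan: register a look-alike extension without the install dialog.
        write("extensions/numberedlinks-lookalike/install.rdf", "<RDF/>\n")
        write("prefs.js", 'user_pref("xpinstall.enabled", true);\nuser_pref("x", 1);\n')
        tampered = verify_profile(profile, signed, key)

        # Simulate the trojan also rewriting the manifest to hide itself (tag left stale).
        forged = dict(signed, manifest=build_manifest(profile))
        forged_check = verify_profile(profile, forged, key)
    return clean, tampered, forged_check


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "forged"), demo()):
        print(label, report)
```

As the replies below point out, a check that runs in the same user context as the malware can itself be altered or have its key read, so this detects out-of-band changes rather than preventing them.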

      • by KiloByte (825081) on Thursday July 27, 2006 @02:13PM (#15792941)
        ... or until the trojan makes a trivial change in FireFox's binary.

        Once you're pwned, you're pwned. If you give someone free rein on your box, he can do anything to any file writeable by you.
      • by greed (112493) on Thursday July 27, 2006 @02:14PM (#15792955)
        While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

        Once someone's system is compromised, they can replace or alter the FireFox binary which verifies the signatures, replace libnssckbi.so, libsoftokn3.so, whatever.

        You can't win at that point. If you're storing your operating system and executables on writable media, it can never be trusted to that level. The hardware would have to cryptographically verify the boot loader on disk, which would verify the kernel, which would then be able to verify everything it executes--FireFox alone can't do it.

        (Say, what was that hardware-based Trusted Computing stuff supposed to do? In addition to ramming DRM down everyone's PCI bus, wasn't there system verification too?)

    • Note that this isn't a Firefox vulnerability.

      Pretty much. It may be possible for the firefox developers to block this on their end, by inserting some kludges for the windows builds, but the exploit itself is an exploit of Windows/IE, and won't affect Firefox on a sane system. (Not even on Windows, if IE is thoroughly removed and a sane email program used.)

    • Firefox isn't doing anything to prevent it, so it's a Ff vulnerability.

      At least, that's how it works for other software.
      • At least, that's how it works for other software.

        How does "other software" keep me from tweaking the registry?
      • In general, if the next lower layer can't be trusted, the security of whatever you're evaluating is screwed.

        By way of example, at my previous job I used a linux boot floppy to change the local administrator password on a Windows NT4 system, thus owning the machine at the next boot. By an extension of your standard, this represented a Windows vulnerability, because whatever measures Windows may have taken to prevent such a thing (like NTFS) were ineffective.

        I think that's a clear mis-assessment of the true v
    • Well, seeing that firefox does a 5... 4... 3... 2.. 1... timeout to install unsigned extensions, perhaps they should crack down a bit more on authenticity, and only provide extensions registered on their site or something similar.

      I think this is a FF problem, just like with other SW that gets hacked.
      • perhaps they should ... only provide extensions registered on their site or something similar.

        That's already done, but this malware bypasses that because it's executed elsewhere on the system (i.e. there's nothing Firefox could possibly do at this point).

        I think this is a FF problem, just like with other SW that gets hacked.

        That's either because you haven't bothered to inform yourself about the problem, or because you're trolling.

    • "Note that this isn't a Firefox vulnerability."

      I consider the entire Firefox extension mechanism one big vulnerable open door. On Windows, it's no big deal. There is no vulnerability that Firefox enables under Windows that Windows itself doesn't already provide. Under other operating systems with correct separation of programs and data, though (such as anything Unix-like), the extension mechanism is bypassing the operating system's protections.

      Linux systems provide applications in root-protected director
    • And if you're running Thunderbird, along with things like Popfile, etc. you have a much smaller chance of this being a problem.

      Everyone to whom I've recommended Firefox has also received the recommendation that they install Thunderbird and Popfile.

      This is just McAfee trying to drum up business.
  • MozillaZine Has More (Score:5, Informative)

    by Anonymous Coward on Thursday July 27, 2006 @01:46PM (#15792642)
    This MozillaZine article [mozillazine.org] has lots more on the trojan horse, including instructions for spotting if you have it.
  • Personally... (Score:4, Informative)

    by celardore (844933) on Thursday July 27, 2006 @01:47PM (#15792657)
    Personally I only download FF extensions from the official site.
    https://addons.mozilla.org/extensions.php?app=firefox [mozilla.org]
    • Re:Personally... (Score:2, Informative)

      by Anonymous Coward
      That's not what's going on. This trojan isn't installed as an extension, it comes as a regular old .exe in an email, which when you run it, then edits the firefox configuration files to add itself into the extension list without going through the normal extension process.
  • Hmmmm (Score:4, Interesting)

    by robpoe (578975) on Thursday July 27, 2006 @01:50PM (#15792686)
    Basically, what you're saying, is I must open an EXE from a non Walmart "Walmart" email, or I have to use IE?

    Nothing to see here, move along..
    • I concur. This is just yet another script-kiddie 'sploit toy, and McAfee is just trying to keep itself in the headlines for a little while, so that people don't forget that it is still around.

          -dZ.
  • by Anonymous Coward on Thursday July 27, 2006 @01:53PM (#15792729)
    In the next version of Firefox, the extension will be broken anyways. Mozilla breaks extensions every new release. :D
  • by Anonymous Coward on Thursday July 27, 2006 @01:53PM (#15792732)
    Which makes me invulnerable to snooping for credit card numbers as all my accounts are empty and my credit rating is ruined.
  • We claim Prior Art for The old "it's not a bug, it's a feature" ploy.
    Please contact our legal department.
  • How does it work? (Score:2, Insightful)

    by Klaidas (981300)
    Does it install simply by browsing, or does it need to open an .exe? Or do you install it like a normal extension?
    If it's #1, it's bad
    If it's #2, not so bad - a simple virus
    If it's #3 - hey, who installs extensions from non-official sources?
    • Does it install simply by browsing, or does it need to open an .exe? Or do you install it like a normal extension?
      If it's #1, it's bad
      If it's #2, not so bad - a simple virus
      If it's #3 - hey, who installs extensions from non-official sources?


      Does this user not RTFA? Or is he trying to just get karma? Or were they just trying to get a first post?
      If it's #1, typical slashdot reader
      If it's #2, stupid karma whore
      If it's #3 - god, I hope not, they were way too slow
  • by Anonymous Coward
    People seem to be awfully dismissive of this, but it poses a real problem. Given the number of available vectors, even careful Firefox users can get struck by virus/spyware/other attacks (even OpenSSH has critical security vulnerabilities from time to time, and it is specifically designed for security). More sophisticated extension hacks aren't too far away. Given the level of extensibility offered via extensions, it sounds plausible that extensions may delist themselves from the extension manager (a
  • by Anonymous Coward on Thursday July 27, 2006 @02:08PM (#15792904)
    I've had it. That's it, I'm switching to Internet Explorer. You can play with your crappy browser but I'm done with it.
  • Ok, so you get the virus in an email... what if you don't have Firefox? Blasphemy, I know. More importantly, if you do have Firefox, are you necessarily going to be running Outlook to catch this bug in the first place?

    • Sure, there are lots of people who use Firefox and Outlook. I'm one, and so is everyone else in my department. We have to use Outlook for work, and we choose to use Firefox as our browser (usually with the IE extension to view parts of the intranet that use ActiveX). Happily, our anti-spam systems on both the gateways and the Exchange servers are configured to strip out .exe files (and most other attachments), so we (probably) won't fall prey to this thing.
  • by krell (896769) on Thursday July 27, 2006 @02:11PM (#15792927) Journal
    It could have been worse, like spyware disguised as a Microsoft Internet Explorer extension. That's sort of like Nixon wearing a Nixon mask.
  • RTFA (Score:5, Informative)

    by sensei85 (989372) on Thursday July 27, 2006 @02:16PM (#15792981)
    Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.

    For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.

    A little more careful reading and some common sense go a long way
  • by mmell (832646) <mmell@hotmail.com> on Thursday July 27, 2006 @02:31PM (#15793110)
    On a machine which I maintain for my SO and children, M$ XP Pro is installed. The default browser is FireFox, which I have managed to convince my SO and children to use.

    My daughter (with a limited user account, no less) viewed a malicious advertising banner while logged into MySpace.com. I'm quite sure she clicked "yes" to running a WMF exploit.

    She has a limited account. End of story, you say? Nope, read on . . .

    My wife logged in a couple days later. A popup balloon warned her that the machine was infested and she should "click here to fix the problem". Well, she installed AntiVirusGolden v3.3 (from her not-so-limited user account). Who can blame her? I wouldn't have fallen for it (I already had CA's EZ-Antivirus installed and more or less trusted it), but it looked like a valid course of action to her, so the next thing I knew there were nearly a dozen payloads whanging around the rusty innards of my SO's computer - some acquired on the spot, others dropped there during the following week, I'm sure.

    That machine now runs Linux (like the rest of my home network). I'd like to thank the wonderful malware authors at AntivirusGolden for giving me the leverage I needed to convince my SO to give up on Windows and use a somewhat more securable OS.

    Oh, but I'll continue to use Firefox, now that I've closed that horrible WMF exploit that it has! You'd think the Firefox development team would know better than to trust end-users with the option to execute WMF's. Hmmph!

    *(The above is intentionally sardonic; but the basic facts are true)*

    • How does this make FF 'horribly vulnerable'? The WMF flaw is, by definition, a Windows problem not a FF one. That's like saying your new alarm system is flawed because someone left the front door unlocked.
    • (from her not-so-limited user account). Who can blame her?

      I don't blame her, I blame you. You're the techie. My mom runs XP as a limited user, and so does my wife, and so do I for day-to-day Windows tasks. No issues to report.

      Any time I am in the home of a friend or relative that has an insecure Windows box, I set them up with automatic updates, turn on the XP firewall, install AVG Free, convert them to a limited user account, and add a separate admin account for software installation. It usually takes 2

  • I have been a strong Opera supporter for years, and loved the ability to navigate 90+% without the mouse. I started using Firefox in the last 6 months for its developer tools. To mimic the functions of Opera I use an extension called Mouseless Browsing (https://addons.mozilla.org/firefox/879/) which has been very nice.

    • I love using only the keyboard, and I tried many FF extensions for this, including numbered links, and the one you mentioned.

      I finally came to Hit a Hint [mozilla.org], and loved it.
      It's especially good because it doesn't interfere with the page appearance, lets you access more clickable elements, and has configurable shortcuts.

      A must!
  • by Aeomer (990057) on Thursday July 27, 2006 @03:18PM (#15793579)
    Forget the debate on FF vs IE and WinXX vs *nix - otherwise known as the 'My dad is bigger than your dad!' department. The issue is that an exploit, however it arrived on the machine, is targeting Firefox. All those smug 'it can't happen to me because I use xxxx version of yyyy product/os' should see this as the beginning of an onslaught on all *nix and open source projects in general. Yes, I realise this exploit was specifically on Windows but you are missing the big picture. That being an open source project went from a minor player to a major competitor and so became a big target. You may feel safe in your (insert *nix here) OS but the end of that house of cards is in sight. 'But I know what is secure and what is not, and my system is hardened against such stuff!', I hear you cry. Well, if you realise that more and more people are running *nix based desktops and most of those new users have and need only basic 'Clue' on how to run their browser and wordprocessor then we are looking at an ever expanding problem. How long will it be before everyday users are downloading distros with Spyware built right into the kernel? 'But, I know how to check a distro is genuine!!!', I hear you cry again. And again I say what about your average user - do they know instinctively how to check hashes on everything they download? No they do not! Mark this date in your calendar - the end of OS smugness is in sight.
  • I told our marketing department that this is no news worth being broadcast because every idiot knows that when you run a program in Windows with admin permissions, it can rewrite anything and everything (provided this anything and everything isn't currently in use). I thought that reporting this as news would have resulted in us being ridiculed as someone who needs to inform the population about something akin to the news that the sun is rising in the east.

    I thought it's something that people would commen
  • by alskjdfasd (108880)
    i always run firefox in safe-mode. i know that extensions cannot be loaded, but the only important firefox extensions i used to use are now replaced by web proxies. for example, i used to use livehttpheaders, tamperdata, and modifyheaders. with burp, suru, webscarab, and xss-proxy, these extensions lack the significance they once had. for people that are heavy into extensions and themes, maybe you should first ask yourself why, and then weigh the benefits versus the drawbacks.

    i also change a few setting
