Spyware Disguises Itself as Firefox Extension

Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."

Hmmmm

[robpoe]

Basically, what you're saying, is I must open an EXE from a non Walmart "Walmart" email, or I have to use IE?

Nothing to see here, move along..

Firefox is horribly vulnerable; I have proof.

[mmell]

On a machine which I maintain for my SO and children, M$ XP Pro is installed. The default browser is FireFox, which I have managed to convince my SO and children to use.

My daughter (with a limited user account, no less) viewed a malicious advertising banner while logged into MySpace.com. I'm quite sure she clicked "yes" to running a WMF exploit.

She has a limited account. End of story, you say? Nope, read on . . .

My wife logged in a couple days later. A popup baloon warned her that the machine was infested and she should "click here to fix the problem". Well, she installed AntiVirusGolden v3.3 (from her not-so-limited user account). Who can blame her? I wouldn't have fallen for it (I already had CA's EZ-Antivirus installed and more or less trusted it), but it looked like a valid course of action to her, so the next thing I knew there were nearly a dozen payloads whanging around the rusty innards of my SO's computer - some acquired on the spot, others dropped there during the following week, I'm sure.

That machine now runs Linux (like the rest of my home network). I'd like to thank the wonderful malware authors at AntivirusGolden for giving me the leverage I needed to convince my SO to give up on Windows and use a somewhat more securable OS.

Oh, but I'll continue to use Firefox, now that I've closed that horrible WMF exploit that it has! You'd think the Firefox development team would know better than to trust end-users with the option to execute WMF's. Hmmph!

*(The above is intentionally sardonic; but the basic facts are true)*

Re: Emphasis on that.

[trifish]

Ok, I stand corrected. Anyway, it is still a valid concern that any Firefox extension could actually be a Trojan horse.

Re:Emphasis on that.

[LiquidCoooled]

I agree with you here.

There should be a way of signing the profile folder contents to detect outside changes.

Knowledge is power, and being informed about a change to your profile will either set warning bells off or put you at ease (after you manually changed it yourself).

Re:Emphasis on that.

[TheSpoom]

Microsoft has tried to do this multiple times. Ever hear of Windows System File Protection [microsoft.com]?

Not that they've ever entirely succeeded, but the idea has been run through its paces a few times.