Avast WEBforum

Other => General Topics => Topic started by: polonus on December 03, 2008, 08:29:42 PM

Title: Avast - are we protected?
Post by: polonus on December 03, 2008, 08:29:42 PM
Hi malware fighters,

Just a question. For the second time a virus has been found to install malware active as an extension in Firefox. Another time I was reminded of Eddy's warning some time ago here in this forum section about extensions and fx's security.
This time it concerns a hidden trojan - see this link:
http://www.bitdefender.fr/NW899-fr--BitDefender-detecte-une-nouvelle-methode-de-vol-des-mots-de-passe-sur-Internet.html
The Trojan is being loaded every time the browser starts up. Researchers found it filters data whenever users do their online banking. Earlier this year another malicious plug-in had a Trojan horse hiding there, Xorer.o, probably from Vietnam:
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189095&sitepanda=particulares
How can you spot in Firefox that it has "Trojan.PWS.ChromeInject.A" running? But the main question is: are we protected by avast?
For obvious reasons I run the NoScript 1.8.7 extension inside Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081203 Shiretoko/3.1b3pre ID:20081203053737,

luntrus
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 03, 2008, 08:58:43 PM
Here's the English version:

http://news.bitdefender.com/NW900-en--BitDefender-Uncovers-New-Password-Stealing-Application.html
Title: Re: Avast - are we protected?
Post by: polonus on December 03, 2008, 09:38:38 PM
Hi FwF,

Very attentive for the translation to the Queen's English, but are we protected?

Damian
Title: Re: Avast - are we protected?
Post by: polonus on December 03, 2008, 10:58:50 PM
Hi FwF,

The maker of NoScript, Giorgio Maone commented to me on MozillaZine:
Quote
"You get a notification bar as soon as any site other than addons.mozilla.org tries to install a Firefox extension.
Even if you click on the "Allow" button, then you get a popup dialog which informs you that a certain party is trying to install an extension, and asking for a second confirmation after a 5 seconds countdown which rules out "blind" clicking. At that point, if you're so foolish to go on, you're ***** , but I think you've got more chances of getting infected by installing a regular executable."

Anyway, a good piece of advice from me would be to install add-ons only through the official Mozilla repository, and never from the maker's site, even if a more recent version might be published there. In this respect, folks, Opera is a more secure browser than Fx, and add-ons can be a double-edged sword for people who do not know what they are doing,

pol
Title: Re: Avast - are we protected?
Post by: samuelvirucide on December 04, 2008, 01:32:44 AM
 ;D Thanks for the info warning :D but what I use now is Opera 9.62, waiting for the final release of the FF 3.1 version :D
Title: Re: Avast - are we protected?
Post by: bob3160 on December 04, 2008, 02:40:06 PM
Why aren't they disclosing the name of the addon which is stealing your passwords ???
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 04, 2008, 07:46:06 PM
Quote
Why aren't they disclosing the name of the addon which is stealing your passwords  ???

Quote
The threat, known as Trojan.PWS.ChromeInject.A, was detected in the wild by anti-virus firm BitDefender. It can affect Firefox 2 and 3 and includes files that are named similarly to legitimate Firefox extensions.

http://www.computershopper.co.uk/news/240891/new-malware-targets-firefox-users.html#
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 04, 2008, 07:48:49 PM
Quote
Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

http://www.infoworld.com/article/08/12/04/Firefox_users_targeted_by_rare_piece_of_malware_1.html
Title: Re: Avast - are we protected?
Post by: alanrf on December 04, 2008, 08:56:53 PM
This is not an add-on as such.

Apparently it requires pre-existing malware to download and install compromised components into the Firefox file structure. As noted by FWF these components use filenames that are well known in Firefox.

Quote
SYMPTOMS:
Presence of the:
"%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
"%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"
files in the Mozilla Firefox's plugins and chrome folders.

TECHNICAL DESCRIPTION:
It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 04, 2008, 09:39:54 PM
Quote
This is not an add-on as such.

Apparently it requires pre-existing malware to download and install compromised components into the Firefox files structure.

It seems to resemble this Trojan from a couple of years ago.

Quote
And no doubt, this attack will embolden critics to say, "See, we told you so." But Dan Veditz, a security developer at Mozilla, said no amount of digital signing would prevent an attack like this one, as it relies not on the browser's default installer (whose installation files end in ".xpi") but on the user opening an executable program file (".exe") that is handled by the Windows operating system.

...

"This attack was perhaps a little too easy, but the reality is that once someone has launched an installer on their system, ultimately it becomes an arms race between how much effort we want to put in and what the attackers are willing to do" to circumvent it, Veditz said.

http://voices.washingtonpost.com/securityfix/2006/07/passwordstealing_trojan_disgui.html

The BitDefender report actually states 'plugin' rather than 'add-on' or 'extension'. Plugins like Java and Flash appear in different places in Firefox (Tools>Add Ons/about:plugins).

As far as I know, plugins are just installed by dropping the right file in the plugin folder (I had to do it with RealPlayer once), and this is true for both Firefox and Opera.

Polonus, you do Firefox programming, can you elucidate further?
Title: Re: Avast - are we protected?
Post by: polonus on December 04, 2008, 10:15:19 PM
Hi FwF,

The malicious code can be smuggled into the plug-in of some external coder before he uploads it to Firefox (he did not detect it at that time). If no antivirus scanners (script debuggers) detect it, then it can for instance sneak into the code of a legit language pack and start to infect users of the plug-in.
See the developer's discussion on the previous incident here: https://bugzilla.mozilla.org/show_bug.cgi?id=432406
In the mentioned incident it was pop-up adware that was served up unintentionally, but it can also be Trojan code etc. In the case of add-on 5954:
All help pages (*.xhtml) are malicious script right after
</html>:

<script src="hxxp://%6A%73..."></script>

This was not according to the rules, which say that language packs may not contain JS. So again JavaScript was at the root of all this evil.
We cannot believe the add-on developer on his or her blue eyes that it is malware free, and so all add-ons should be given the all green before being published by Mozilla, and you should be extra careful about trusting third-party add-ons and plug-ins, so refrain from using these...

In the mentioned recent incident we had another scenario: the plugin is not installed through FF itself, but has ended up on one's computer by other means. At that point, (most likely) all that needs to be done is for the DLL to be moved into the FF /plugins/ directory - no "install" necessary - and it becomes active thereafter.

You could check about:plugins & look for anything out of place, like npbasic.dll as the case may be.

The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes. This is called a Cross Browser Modal Dialog Box.

Test at: https://bugzilla.mozilla.org/attachment.cgi?id=5099

Also see what our friend "essexboy" had to report on the mentioned malware here: http://forum.avast.com/index.php?topic=40713.msg341330#msg341330


polonus

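A defender-side check for the file indicators quoted from BitDefender earlier in this thread (npbasic.dll in plugins\ and browser.js in chrome\chrome\content\) and for the "look at what is in plugins/" advice above. This is an added example and not code from the forum, BitDefender or Mozilla; the benign DLL name and the sample directory tree are constructed for offline testing.

```python
"""Scan a Firefox install directory for the indicator files named in the
BitDefender description of Trojan.PWS.ChromeInject.A.

Added example (not from the forum). It reports the two paths the report
names and lists every DLL under plugins/ so unexpected entries stand out.
"""
import os
import tempfile

# Paths the BitDefender report names, relative to the Firefox install dir.
KNOWN_INDICATORS = {
    "plugins/npbasic.dll": "dropped Firefox 3 plugin (per BitDefender report)",
    "chrome/chrome/content/browser.js": "injected JavaScript (per BitDefender report)",
}


def scan_firefox_dir(firefox_dir):
    """Return {'indicators': [(relpath, description)], 'plugins': [relpath]}.

    Relative paths always use '/' so results compare the same on any OS.
    """
    findings = {"indicators": [], "plugins": []}
    for rel, desc in KNOWN_INDICATORS.items():
        if os.path.isfile(os.path.join(firefox_dir, *rel.split("/"))):
            findings["indicators"].append((rel, desc))
    plugins_dir = os.path.join(firefox_dir, "plugins")
    if os.path.isdir(plugins_dir):
        for name in sorted(os.listdir(plugins_dir)):
            if name.lower().endswith(".dll"):
                findings["plugins"].append("plugins/" + name)
    return findings


def default_firefox_dir():
    """The %ProgramFiles%\\Mozilla Firefox path from the report (Windows)."""
    base = os.environ.get("ProgramFiles", "C:\\Program Files")
    return os.path.join(base, "Mozilla Firefox")


def build_sample_tree(root, infected):
    """Constructed sample layout for offline testing; not a real install."""
    os.makedirs(os.path.join(root, "plugins"), exist_ok=True)
    os.makedirs(os.path.join(root, "chrome", "chrome", "content"), exist_ok=True)
    # "npbenign.dll" is a made-up placeholder for a legitimate plugin.
    open(os.path.join(root, "plugins", "npbenign.dll"), "w").close()
    if infected:
        open(os.path.join(root, "plugins", "npbasic.dll"), "w").close()
        open(os.path.join(root, "chrome", "chrome", "content", "browser.js"), "w").close()
    return root


def demo(infected):
    """Build a throwaway sample tree and scan it (used for self-testing)."""
    return scan_firefox_dir(build_sample_tree(tempfile.mkdtemp(), infected))


if __name__ == "__main__":
    target = default_firefox_dir()
    result = scan_firefox_dir(target) if os.path.isdir(target) else demo(True)
    for rel, desc in result["indicators"]:
        print("INDICATOR:", rel, "-", desc)
    print("DLLs in plugins/:", ", ".join(result["plugins"]) or "(none)")
```

Run against a real install it only reads the directory; disabling or removing anything found is left to the reader, as the Mozilla advice quoted later in the thread describes.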
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 08, 2008, 09:38:43 PM
Good blog on this:

Quote
Firefox Malware?

A crappy thing happened last week - someone wrote some malware that infects Firefox. We obviously don’t like that very much at all, but I wanted to at least make it clear what is and isn’t happening, since there’s some confusion out there.

What is going on?

Basically for as long as there has been software, there have been nasty people out there who get you to download and install software which turns out to have hidden cargo.  Security folks use names like “virus,” “trojan,” “worm,” and “malware” to describe different types, but the point is that if a person can be tricked into running nasty programs, they can do nasty things.

In this case, rather than wiping your hard drive or turning all your icons upside down, this particular jerk has decided to mess with your Firefox. Once you run the program, it hooks into your Firefox and watches for you to visit certain sites, at which point it will steal your username and password.

How Can I Tell If I Have It?

You can open up your Firefox addons manager (Tools->Add-ons) and go to the “Plugins” section.  If you have a plugin called “Basic Example Plugin for Mozilla” you should disable it.

Does This Mean that Firefox is Insecure?

No, and here’s why:

    * This particular malware targets our program, but once you have malicious software running on your system, it can just as easily attack other programs, or harm your computer in other ways.
    * This isn’t contracted by just browsing around the web with Firefox 3. In fact, the Malware Protection features in Firefox 3 are designed specifically to prevent sites from being able to attack your computer.

The people getting infected here are either downloading enticing files that have the malware hiding inside (which is why Firefox 3 hands off all downloads to your computer’s virus scanner once downloaded) or, as some sites are reporting, people who have already been infected in the past having their computers forced to download this file as well.

Typical Firefox 3 users who avoid downloading software they don’t trust are unlikely to ever see this, and even the sites reporting it describe its incidence as “rare”.

What’s this I hear about GreaseMonkey?

There are some mentions of greasemonkey in a couple of the early reports based on some analysis of the code used by this malware, but I want to be clear that the (legitimate, and awesome) Greasemonkey Addon is not involved in this malware in any way. It is not involved in the installation or execution of the attack.

As always, the best defense is vigilance.  Use a browser with a solid security record and modern anti-malware defenses built in, and be very careful about downloading and running programs you find online.  If a bad guy is able to get you to run a program on your machine they will be able to do bad things, so we’ll keep trying to stop them and you keep trying to as well.

More details are also available on the official Mozilla security blog.

http://blog.johnath.com/2008/12/08/firefox-malware/
Title: Re: Avast - are we protected?
Post by: polonus on December 08, 2008, 09:52:01 PM
Hi FwF,

Is the Mozilla-Default-Plug-in meant here, and should that be disabled?

pol
Title: Re: Avast - are we protected?
Post by: alanrf on December 08, 2008, 09:59:57 PM
See reply #8 above.
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 08, 2008, 10:01:06 PM
Basic Example Plugin.  ;)

Quote
To check whether your computer is infected, look for “Basic Example Plugin for Mozilla” in the Plugin list by choosing Add-ons from the Tools menu in Firefox.  Then choose Plugins. If you see this plugin, disable it.

http://blog.mozilla.com/security/2008/12/08/malicious-firefox-plugin/
Title: Re: Avast - are we protected?
Post by: bob3160 on December 08, 2008, 11:12:07 PM
Call me stupid but it simply says a popular plugin.  It doesn't say which popular plugin.
There happen to be many.  ???
Title: Re: Avast - are we protected?
Post by: alanrf on December 09, 2008, 03:58:48 AM
If you followed "the credit" link it would have shown you precisely the information I posted in reply #8 above.
Title: Re: Avast - are we protected?
Post by: Sesame on December 09, 2008, 04:46:02 AM
Quote
Call me stupid but it simply says a popular plugin.  It doesn't say which popular plugin.
There happen to be many.  ???
Bob, the trojan disguises as Greasemonkey as you can see the below quote from this site (http://blog.mozilla.com/security/2008/12/08/malicious-firefox-plugin/), which is posted by Frank.
Quote
If a user has been tricked into installing this plug-in, or had it installed through a separate vulnerability it may compromise passwords and the user’s accounts.  This trojan is not Greasemonkey, even though it uses some of Greasemonkey’s internal Ids.

If you have the "plug-in," which is rather unlikely, you should disable it, following this instruction (http://blog.johnath.com/2008/12/08/firefox-malware/).
Title: Re: Avast - are we protected?
Post by: Avastfan1 on December 09, 2008, 09:54:19 AM
Hi Polonus,

Interesting article!

Is the trojan one of the Firefox extensions which I use?

Thanks and keep up the great work Polonus!

---------------------------------------------------------------------------------------
Adblock Plus 1.0
British English Dictionary 1.1.9
DownloadHelper 3.5.1
Dr. Web anti-virus link checker 1.0.18
Finjan Secure Browsing 1.314
Forcefield Toolbar 1.2 (Note: this is a ZA product)
Java Quick Start 1.0
McAfee SiteAdvisor 26.6 (Note: this is disabled)
MultirowBookmarksToolbar 3.3
Netcraft Anti-Phishing Toolbar 1.2
Noscript 1.8.7.4
Panic Button 1.1.1
Realplayer Browser Record Plugin 1.0
ShopIP 0.8.10r22b0272
Title: Re: Avast - are we protected?
Post by: alanrf on December 09, 2008, 08:48:27 PM
avastfan1,

if you had read through the thread then you would know it is not recognizable as any extension at all.
Title: Re: Avast - are we protected?
Post by: Avastfan1 on December 09, 2008, 11:10:26 PM
Hi Alan,

I did read through the thread but I got confused :(

I am not that great with computers but I am trying :)

Thanks,

Avastfan1
Title: Re: Avast - are we protected?
Post by: Sesame on December 10, 2008, 12:45:32 AM
Avastfan1, the name of malicious "plug-in" is:
Basic Example Plugin.  ;)

Quote
To check whether your computer is infected, look for “Basic Example Plugin for Mozilla” in the Plugin list by choosing Add-ons from the Tools menu in Firefox.  Then choose Plugins. If you see this plugin, disable it.

http://blog.mozilla.com/security/2008/12/08/malicious-firefox-plugin/
Title: Re: Avast - are we protected?
Post by: Avastfan1 on December 10, 2008, 02:39:32 PM
Thanks Rumpel!
Title: Re: Avast - are we protected?
Post by: Sesame on December 11, 2008, 02:30:37 AM
Well, the thanks go to Frank.  ;)
Title: Re: Avast - are we protected?
Post by: alanrf on December 11, 2008, 07:44:10 AM
It was simply a repost of a pre-existing reply #14 by FWF that apparently revealed all. 

The same information posted earlier in the thread (I have been very remiss in assuming) could have been seen in Firefox by typing about:plugins in the URL line of Firefox. 
Title: Re: Avast - are we protected?
Post by: Sesame on December 11, 2008, 09:03:55 AM
Quote
It was simply a repost of a pre-existing reply #14 by FWF that apparently revealed all.

That part is already covered.

Quote
Well, the thanks go to Frank.  ;)

The problem here is that the information at first was quite confusing partly because the malicious "plugin" uses some of Greasemonkey IDs and partly because most of us don't scroll back to the OP, reading each post when we are browsing threads.  The other thread (http://forum.avast.com/index.php?&topic=40713.0), in fact, derailed to religious beliefs and I couldn't see they were talking of the same topic till I scrolled back.

Browsing boards is quite different from reading a book/thesis which is well sorted.  The information was much more confusing to people who dropped in the threads than to those who followed them from the start.
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 11, 2008, 09:33:52 AM
I noticed this comment over at MozillaZine:

Quote
I too updated to the new Firefox and I noticed a box popped up and it said that a new add-on had been installed. I thought it was something to do with the firefox updating. I had not asked for any new add-on, and I didn't actually see anything new. Then I saw, from PCAdvisor, Mozilla Firefox users are being targeted by a new Trojan that steals online banking passwords. The malware, which is being spread by drive-by downloads or by duping users into downloading it, is stored in the Firefox add-on folder and is registered as 'Greasemonkey', which are scripts that add extra functionality to Firefox. It starts working as soon as the browser is opened.

How can I discover whether I have this. I am using XP home with all recent updates and AD-aware, and Avast antivirus and Comodo Firewall, and did a full scan 2 weeks ago.

http://forums.mozillazine.org/viewtopic.php?f=38&t=948945&p=5202845#p5202845

I also received notification of a new add-on in Firefox yesterday, but I'm pretty sure it was just an add-on I had installed previously, which had been disabled after a Firefox update, being re-enabled after an update.

Just to be clear, a "new add-on has been installed" does not necessarily mean you have the malicious spyware add-on.

If you see such a notification please follow the advice here:

Title: Re: Avast - are we protected?
Post by: alanrf on December 11, 2008, 11:18:44 AM
Quote
The problem here is that the information at first was quite confusing partly because the malicious "plugin" uses some of Greasemonkey IDs

Nothing has changed from the information I posted from BitDefender in reply#8 a week ago.  All this about Greasemonkey was and is misleading and you will note was never mentioned in the reports in BitDefender the discoverers of the problem.

Quote
and partly because most of us don't scroll back to the OP

I suspect that, sadly, you are correct ... like cushions we all bear the imprint of the last *ss that sat on us.
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 11, 2008, 12:27:17 PM
The InfoWorld report I linked to mentions that the "Trojan" is registered as "Greasemonkey."

The report seems to be quoting from Viorel Canja, the head of BitDefender's lab.

Make of that what you will.
Title: Re: Avast - are we protected?
Post by: alanrf on December 11, 2008, 01:24:29 PM
Well, the way that article is written it is not easy to tell what is a direct quote from him and what is not but it certainly can be read that way and it is copied (surprise surprise) in many of the articles about it (which all look very like the Ars Technica story). 

However, it is not included in the BitDefender Press Center news release.

For a rare problem I guess I will not spend any more time on it. 
Title: Re: Avast - are we protected?
Post by: bob3160 on December 11, 2008, 02:49:21 PM
Seems to me that what we have here is someone trying to make news rather than simply reporting news.

Seems to go on all the time now.  ;)
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 11, 2008, 03:02:41 PM
Bob, you're a right hypocrite the way you stick your oar in, then pretend to be above it all.

 ::)
Title: Re: Avast - are we protected?
Post by: bob3160 on December 12, 2008, 03:54:45 AM
Peace Frank, it's the Christmas season.
Title: Re: Avast - are we protected?
Post by: alanrf on December 12, 2008, 04:55:43 AM
And as Tiny Tim said "God bless us - everyone".
Title: Re: Avast - are we protected?
Post by: FreewheelinFrank on December 13, 2008, 09:52:31 PM
As noted previously, the following or similar message does not necessarily mean a user has the spyware add-on:

Quote
I too updated to the new Firefox and I noticed a box popped up and it said that a new add-on had been installed.

This can just mean a previously disabled add-on has been re-enabled after an update.

Here's a useful tip from MozillaZine to check if Firefox really is hijacked:

Quote
If you want to see if you have the exact thing that I had, go to google.com and search for anything. Right click the first result and click "Copy", then "Paste" it into Notepad. You do not have this if it says:

http://www.the-site-you-expected.com

However, you have a problem if it's something like:

http //123.goored.com/url=http://www.some-other-site.com

http://forums.mozillazine.org/viewtopic.php?f=38&t=948945&st=0&sk=t&sd=a&start=45
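The MozillaZine tip above can be turned into a small check: paste the copied result link and the site you expected, and see whether the link goes there directly or through a redirector of the "123.goored.com/url=http://..." shape. This is an added example, not code from the forum or MozillaZine; the "http //" spelling from the quoted post is treated as a de-fanged "http://", and the hostnames in the test are the placeholder ones from the quote.

```python
"""Decide whether a copied search-result link points straight at the expected
site or through a redirector, as described in the quoted MozillaZine tip.

Added example (not from the forum). Heuristic only: it compares the link's
host with the expected host and looks for an embedded url=http://... target.
"""
from urllib.parse import urlsplit


def normalise_link(copied_link):
    """Undo the 'http //host' de-fanging used in the quoted post."""
    link = copied_link.strip()
    for scheme in ("https", "http"):
        if link.startswith(scheme + " //"):
            return scheme + "://" + link[len(scheme) + 3:]
    return link


def embedded_target(parts):
    """Return the url=... destination carried in the path or query, if any."""
    tail = parts.path
    if parts.query:
        tail += "?" + parts.query
    if "url=" not in tail:
        return None
    target = tail.split("url=", 1)[1]
    return target if target.startswith(("http://", "https://")) else None


def is_redirected_result(copied_link, expected_host):
    """Return (redirected, reason).

    copied_link:   the href copied from the first search result
    expected_host: host the result should point at (e.g. www.example.com)
    """
    parts = urlsplit(normalise_link(copied_link))
    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    if host == expected or host.endswith("." + expected):
        return False, "link points directly at " + host
    target = embedded_target(parts)
    if target:
        return True, "%s redirects to %s" % (host, target)
    return True, "link points at %s, not %s" % (host or "(no host)", expected)


if __name__ == "__main__":
    # Both sample links are the placeholder ones from the quoted post.
    for link, site in (
        ("http://www.the-site-you-expected.com", "www.the-site-you-expected.com"),
        ("http //123.goored.com/url=http://www.some-other-site.com", "www.some-other-site.com"),
    ):
        print(link, "->", is_redirected_result(link, site))
```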