Author Topic: Avast - are we protected?  (Read 19691 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Avast - are we protected?
« on: December 03, 2008, 08:29:42 PM »
Hi malware fighters,

Just a question. For the second time a virus has been found to install malware active as an extension in Firefox. Another time I was reminded of Eddy's warning some time ago here in this forum section about extensions and fx's security.
This time it concerns a hidden trojan - see this link:
http://www.bitdefender.fr/NW899-fr--BitDefender-detecte-une-nouvelle-methode-de-vol-des-mots-de-passe-sur-Internet.html
The Trojan is being loaded every time the browser starts up. Researchers found it filters data whenever users do their online banking. Earlier this year another malicious plug-in had a Trojan horse hiding there, Xorer.o, probably from Vietnam:
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189095&sitepanda=particulares
How can you spot in Firefox that it has "Trojan.PWS.ChromeInject.A" running? But the main question is: are we protected by avast?
For obvious reasons  I run the NoScript 1.8.7. extension inside Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081203 Shiretoko/3.1b3pre ID:20081203053737,

luntrus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

Re: Avast - are we protected?
« Reply #2 on: December 03, 2008, 09:38:38 PM »
Hi FwF,

Very attentive for the translation to the Queen's English, but are we protected?

Damian

Offline polonus

Re: Avast - are we protected?
« Reply #3 on: December 03, 2008, 10:58:50 PM »
Hi FwF,

The maker of NoScript, Giorgio Maone commented to me on MozillaZine:
Quote
"You get a notification bar as soon as any site other than addons.mozilla.org tries to install a Firefox extension.
Even if you click on the "Allow" button, then you get a popup dialog which informs you that a certain party is trying to install an extension, and asking for a second confirmation after a 5 seconds countdown which rules out "blind" clicking. At that point, if you're so foolish to go on, you're ***** , but I think you've got more chances of getting infected by installing a regular executable."

Anyway, good advice from me would be to install add-ons only through the official Mozilla repository, and never from the maker's site, even if a more recent version might be published there. In this respect, folks, Opera is a more secure browser than Fx, and add-ons can be a two-edged sword for people that do not know what they are doing,

pol

samuelvirucide

  • Guest
Re: Avast - are we protected?
« Reply #4 on: December 04, 2008, 01:32:44 AM »
;D Thanks for the info warning :D but what I use now is Opera 9.62, waiting for the final release of the FF3.1 version :D

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Avast - are we protected?
« Reply #5 on: December 04, 2008, 02:40:06 PM »
Why aren't they disclosing the name of the addon which is stealing your passwords ???

Offline FreewheelinFrank

Re: Avast - are we protected?
« Reply #6 on: December 04, 2008, 07:46:06 PM »
Quote
Why aren't they disclosing the name of the addon which is stealing your passwords  ???

Quote
The threat, known as Trojan.PWS.ChromeInject.A, was detected in the wild by anti-virus firm BitDefender. It can affect Firefox 2 and 3 and includes files that are named similarly to legitimate Firefox extensions.

http://www.computershopper.co.uk/news/240891/new-malware-targets-firefox-users.html#

Offline FreewheelinFrank

Re: Avast - are we protected?
« Reply #7 on: December 04, 2008, 07:48:49 PM »
Quote
Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

http://www.infoworld.com/article/08/12/04/Firefox_users_targeted_by_rare_piece_of_malware_1.html

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Avast - are we protected?
« Reply #8 on: December 04, 2008, 08:56:53 PM »
This is not an add-on as such. 

Apparently it requires pre-existing malware to download and install compromised components into the Firefox files structure.  As noted by FWF these components use filenames that are well known in Firefox.

Quote
SYMPTOMS:
Presence of the:
"%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
"%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"
files in the Mozilla Firefox's plugins and chrome folders.

TECHNICAL DESCRIPTION:
It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.

Offline FreewheelinFrank

Re: Avast - are we protected?
« Reply #9 on: December 04, 2008, 09:39:54 PM »
Quote
This is not an add-on as such.

Apparently it requires pre-existing malware to download and install compromised components into the Firefox files structure.

It seems to resemble this Trojan from a couple of years ago.

Quote
And no doubt, this attack will embolden critics to say, "See, we told you so." But Dan Veditz, a security developer at Mozilla, said no amount of digital signing would prevent an attack like this one, as it relies not on the browser's default installer (whose installation files end in ".xpi") but on the user opening an executable program file (".exe") that is handled by the Windows operating system.

...

"This attack was perhaps a little too easy, but the reality is that once someone has launched an installer on their system, ultimately it becomes an arms race between how much effort we want to put in and what the attackers are willing to do" to circumvent it, Veditz said.

http://voices.washingtonpost.com/securityfix/2006/07/passwordstealing_trojan_disgui.html

The BitDefender report actually states 'plugin' rather than 'add-on' or 'extension'. Plugins like Java and Flash appear in different places in Firefox (Tools>Add Ons/about:plugins).

As far as I know, plugins are just installed by dropping the right file in the plugin folder- had to do it with RealPlayer once- and this is true for both Firefox and Opera.

Polonus, you do Firefox programming, can you elucidate further?

Offline polonus

Re: Avast - are we protected?
« Reply #10 on: December 04, 2008, 10:15:19 PM »
Hi FwF,

The malicious code can be smuggled into the plug-in of some external coder before he uploads it to Firefox (he did not detect it at that time).  If no anti virus scanners (script debuggers) detect it, then it can for instance sneak into the code of a legit language pack starting to infect users of the plug-in.
See the developer's discussion on the previous incident here: https://bugzilla.mozilla.org/show_bug.cgi?id=432406
In mentioned incident it was pop-up adware that was served up unintentionally, but it also can be Trojan code etc. In the case of add-on 5954:
All help pages (*.xhxml) are malicious script right after
</hxml>:

<script src="hxxp://%6A%73..."></script>

This was not according to the rules that language packs could not contain JS. So again JavaScript was at the root of all this evil.
We cannot believe the add-on developer on his or her blue eyes for it to be malware free and so all add-ons should be given the all green before being published by Mozilla, and you should be extra careful to trust third party add-ons, plug-ins, so refrain from using these...

In the mentioned recent incident we had another scenario: that the plugin is not being installed through FF itself, but has ended up on one's computer by other means. At that point, (most likely) all that needs to be done is for the DLL to be moved into the FF /plugins/ directory - no "install" necessary, becoming active thereafter.

You could check about:plugins & look for anything out of place, like npbasic.dll as the case may be.

The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes. This is called a Cross Browser Modal Dialog Box.

Test at: https://bugzilla.mozilla.org/attachment.cgi?id=5099

Also see what our friend "essexboy" had to report on the mentioned malware here: http://forum.avast.com/index.php?topic=40713.msg341330#msg341330


polonus

« Last Edit: December 06, 2008, 04:11:49 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
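
The language-pack check described in reply #10 (no script tags allowed, and in that incident one placed right after the closing root tag with a percent-encoded src), as an added example that is not part of the post or of Mozilla's review tooling. It assumes the help pages are HTML/XHTML files closing with `</html>`; the function names, the extension list and the sample host used in testing are constructed for illustration.

```python
"""Flag <script> tags in the help pages of an unpacked language pack."""
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Assumption: help pages are HTML/XHTML files whose root element closes with </html>.
MARKUP_EXT = {".xhtml", ".html", ".htm"}
SCRIPT_RE = re.compile(rb"<script\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
ROOT_CLOSE_RE = re.compile(rb"</html\s*>", re.IGNORECASE)


def scan_markup(data: bytes):
    """Return one dict per <script> tag: decoded src and whether it trails the root element."""
    close = ROOT_CLOSE_RE.search(data)
    hits = []
    for tag in SCRIPT_RE.finditer(data):
        src = SRC_RE.search(tag.group(0))
        hits.append({
            # Percent-decoding makes an obfuscated host (the %6A%73... style) readable.
            "src": unquote(src.group(1).decode("latin-1")) if src else None,
            # Anything after the first closing root tag was appended to the document.
            "after_root_close": bool(close) and tag.start() >= close.end(),
        })
    return hits


def scan_language_pack(unpacked_dir):
    """Walk an unpacked add-on; return (relative path, src, after_root_close) tuples."""
    root = Path(unpacked_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in MARKUP_EXT:
            for hit in scan_markup(path.read_bytes()):
                findings.append((path.relative_to(root).as_posix(),
                                 hit["src"], hit["after_root_close"]))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for rel, src, trailing in scan_language_pack(sys.argv[1]):
        print(f"{rel}: script src={src!r} after_root_close={trailing}")
```

Run it against the directory an .xpi was extracted into; any hit in a language pack is worth a manual look, and a hit with `after_root_close=True` matches the pattern quoted in the post.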

Offline FreewheelinFrank

Re: Avast - are we protected?
« Reply #11 on: December 08, 2008, 09:38:43 PM »
Good blog on this:

Quote
Firefox Malware?

A crappy thing happened last week - someone wrote some malware that infects Firefox. We obviously don’t like that very much at all, but I wanted to at least make it clear what is and isn’t happening, since there’s some confusion out there.

What is going on?

Basically for as long as there has been software, there have been nasty people out there who get you to download and install software which turns out to have hidden cargo.  Security folks use names like “virus,” “trojan,” “worm,” and “malware” to describe different types, but the point is that if a person can be tricked into running nasty programs, they can do nasty things.

In this case, rather than wiping your hard drive or turning all your icons upside down, this particular jerk has decided to mess with your Firefox. Once you run the program, it hooks into your Firefox and watches for you to visit certain sites, at which point it will steal your username and password.

How Can I Tell If I Have It?

You can open up your Firefox addons manager (Tools->Add-ons) and go to the “Plugins” section.  If you have a plugin called “Basic Example Plugin for Mozilla” you should disable it.

Does This Mean that Firefox is Insecure?

No, and here’s why:

    * This particular malware targets our program, but once you have malicious software running on your system, it can just as easily attack other programs, or harm your computer in other ways.
    * This isn’t contracted by just browsing around the web with Firefox 3. In fact, the Malware Protection features in Firefox 3 are designed specifically to prevent sites from being able to attack your computer.

The people getting infected here are either downloading enticing files that have the malware hiding inside (which is why Firefox 3 hands off all downloads to your computer’s virus scanner once downloaded) or, as some sites are reporting, people who have already been infected in the past having their computers forced to download this file as well.

Typical Firefox 3 users who avoid downloading software they don’t trust are unlikely to ever see this, and even the sites reporting it describe its incidence as “rare”.

What’s this I hear about GreaseMonkey?

There are some mentions of greasemonkey in a couple of the early reports based on some analysis of the code used by this malware, but I want to be clear that the (legitimate, and awesome) Greasemonkey Addon is not involved in this malware in any way. It is not involved in the installation or execution of the attack.

As always, the best defense is vigilance.  Use a browser with a solid security record and modern anti-malware defenses built in, and be very careful about downloading and running programs you find online.  If a bad guy is able to get you to run a program on your machine they will be able to do bad things, so we’ll keep trying to stop them and you keep trying to as well.

More details are also available on the official Mozilla security blog.

http://blog.johnath.com/2008/12/08/firefox-malware/

Offline polonus

Re: Avast - are we protected?
« Reply #12 on: December 08, 2008, 09:52:01 PM »
Hi FwF,

Is the Mozilla-Default-Plug-in meant here, and should that be disabled?

pol

Offline alanrf

Re: Avast - are we protected?
« Reply #13 on: December 08, 2008, 09:59:57 PM »
See reply #8 above.

Offline FreewheelinFrank

Re: Avast - are we protected?
« Reply #14 on: December 08, 2008, 10:01:06 PM »
Basic Example Plugin ;)

Quote
To check whether your computer is infected, look for “Basic Example Plugin for Mozilla” in the Plugin list by choosing Add-ons from the Tools menu in Firefox.  Then choose Plugins. If you see this plugin, disable it.

http://blog.mozilla.com/security/2008/12/08/malicious-firefox-plugin/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
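
The two checks discussed in this thread, the file paths quoted in reply #8 and the plugin name quoted from the Mozilla security blog in reply #14, combined into one script as an added example that is not part of any post or of BitDefender's or Mozilla's tooling. It assumes the plugin's display name is stored as a plain string inside the DLL (ASCII or UTF-16LE, as Windows version resources are); the function names are made up for illustration.

```python
"""Check a Firefox install directory for the ChromeInject symptoms quoted in the thread."""
import os
import sys
from pathlib import Path

# Relative paths quoted in reply #8 (BitDefender "SYMPTOMS").
INDICATOR_FILES = (
    Path("plugins") / "npbasic.dll",
    Path("chrome") / "chrome" / "content" / "browser.js",
)
# Plugin name quoted from the Mozilla security blog in reply #14.
PLUGIN_NAME = "Basic Example Plugin for Mozilla"


def _contains_name(path: Path, name: str) -> bool:
    """True if the file holds the name as ASCII or UTF-16LE bytes (assumed storage)."""
    data = path.read_bytes()
    return name.encode("ascii") in data or name.encode("utf-16-le") in data


def check_firefox_dir(firefox_dir):
    """Return a sorted list of (reason, relative path) findings for one install directory."""
    root = Path(firefox_dir)
    findings = []
    for rel in INDICATOR_FILES:
        if (root / rel).is_file():
            findings.append(("indicator file present", rel.as_posix()))
    plugins = root / "plugins"
    if plugins.is_dir():
        # Catches a renamed DLL that still carries the quoted plugin name.
        for dll in plugins.iterdir():
            if (dll.is_file() and dll.suffix.lower() == ".dll"
                    and _contains_name(dll, PLUGIN_NAME)):
                findings.append(("plugin name string found",
                                 dll.relative_to(root).as_posix()))
    return sorted(findings)


if __name__ == "__main__":
    default = os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"),
                           "Mozilla Firefox")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    for reason, rel in check_firefox_dir(target):
        print(f"{reason}: {rel}")
```

An empty result only means these specific symptoms are absent; as reply #8 notes, the files are dropped by other malware already on the machine, so a hit calls for a full scan rather than just disabling the plugin.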