Author Topic: Firefox users targeted by rare piece of malware  (Read 15702 times)

0 Members and 1 Guest are viewing this topic.

doomer

  • Guest
Firefox users targeted by rare piece of malware
« on: December 06, 2008, 06:01:23 AM »
Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

Quote
The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A" sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks.

More information on that subject can be found here.

I guess it was very easy for Firefox to declare that it is the most secure browser while it was still hugely unpopular. Now that it has gained just a bit of popularity, it has already been targeted. I am very curious to see how Mozilla handles the new security threats, but I doubt they will ever be as effective in patching zero-day exploits as Microsoft has been when patching their legendary browser, also known as Internet Explorer.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Firefox users targeted by rare piece of malware
« Reply #1 on: December 06, 2008, 06:10:22 AM »
You are a bit late to the party - especially for one gloating a little over a breach that is described by the discoverer BitDefender as rare and no doubt the Firefox fanboys will similarly go to town over the next IE breach ... give it a few weeks.   

It has already been under discussion for a while here.
« Last Edit: December 06, 2008, 06:25:55 AM by alanrf »

doomer

  • Guest
Re: Firefox users targeted by rare piece of malware
« Reply #2 on: December 06, 2008, 01:30:47 PM »
Better late than never. ;)

And I have been seeing massive amounts of Firefox fanboys here that gloat on IE's supposed demise for pages on end. :)

I am introducing balance, but unlike Firefox Anti-IE Blog myth posters, I am actually providing real factual examples that have been verified as genuine.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: Firefox users targeted by rare piece of malware
« Reply #3 on: December 06, 2008, 01:49:07 PM »
Halio Doomer,

As a test pilot of the latest Firefox trunkbuilds, and into security for Firefox (and Flock) for some time now (bugzilla, MozillaZine) I am strongly opposed to such discussions. A more secure and safer browser just does not exist at the moment, not seen from the standpoint of being vulnerable as from the standpoint of offering some form of secured privacy. It simply does not exist, and there are parties involved that do everything to prevent such a rare bird to evolve, if we will ever see it. A British professor foretold that we will not experience ANY personal privacy towards the year 2011, and no one will mind because it will be the same for everyone....
There are a couple of things that are greatly favorable to the malcreants to topple the scale over to their side: script, enhanced functionality (webbugs, Super cookies, ID tags, redirects, injection with dangerous code), outdated protocols that were not developed with any modern Internet security environment in mind (see recent and perturbing problems). It is a contant struggle against a deluge of malware, and the dykes should be strong. To loose oneself in an endless hopeless discussion which browser is better security wise is showing that one does not really understand what issues are involved, and what the real threats are or may become,

polonus
« Last Edit: December 06, 2008, 01:52:22 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Firefox users targeted by rare piece of malware
« Reply #4 on: December 06, 2008, 03:41:09 PM »
Alas I am now working on a new Firefox exploit, it comes down with the latest update and shows in this way : Question
Quote
Have you just updated Firefox and received notification of an addon update but nothing appeared to happen ?
Answer
Quote
Yes, I believe I recently received an addon notification similar to the one you describe.
From my thread at G2G
It adds the following registry items
Quote
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{993BA307-7D97-42D3-96E3-56173DA2BB60}"=-
"{61B7FB5D-0E79-40DF-8E45-2BCB2DF177E8}"=-
And the following extensions
Quote
C:\Documents and Settings\*****\Local Settings\Application Data\{993BA307-7D97-42D3-96E3-56173DA2BB60}
C:\Documents and Settings\*****\Local Settings\Application Data\{61B7FB5D-0E79-40DF-8E45-2BCB2DF177E8}
A redirect is noted in the following manner
Quote
I noted the interim URL was something like "rdrct.google.goored"
I may have diisabled or corrupted the chrome on FF to kill this but I feel that is a small price to pay  

So with popularity come the exploits and infections.  No browser is 100% secure IE8 on Vista comes close but then it is only a matter of time before  a way is found around that  

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Firefox users targeted by rare piece of malware
« Reply #5 on: December 06, 2008, 04:16:25 PM »
Update on this - I had to nuke his chrome folder to destroy it, so a FF re-install was required.  But now running good   

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Firefox users targeted by rare piece of malware
« Reply #6 on: December 06, 2008, 04:22:07 PM »
This is not a Firefox exploit. It doesn't install with a fake extension installation/update dialogue. The malware is installed by running a Trojan via an exploit in unpatched software. As such any browser is equally vulnerable.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Firefox users targeted by rare piece of malware
« Reply #7 on: December 06, 2008, 04:26:47 PM »
Unfortunately it is firefox related.  No matter which way you spin it, my user had no problems with IE
http://forums.mozillazine.org/viewtopic.php?f=38&t=948945&st=0&sk=t&sd=a

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: Firefox users targeted by rare piece of malware
« Reply #8 on: December 06, 2008, 04:41:34 PM »
Hi essexboy,

Yes this malware is inherent to the use of Fx, so in this respect Eddy's remarks about Fx's insecurity were right (when martket share grows the amount of malware for a browser does also).

On the other hand with the info you gave us about it in your above posting about this malicious plug-in we can easily kill it with FreeFixer. So folks Use Freefixer to kill it, and download the latest version from here: http://www.freefixer.com/static/freefixersetup.exe

Seems to me actually it is not much different from a drive by HBO install,

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Firefox users targeted by rare piece of malware
« Reply #9 on: December 06, 2008, 04:56:14 PM »
Nobody has denied it's Firefox related, but in my opinion, calling it an exploit is trying to spin it. The Mozillazine link states that "Firefox does make it possible for other software to install extensions via the Windows Registry."

The link also states that the Firefox redirects are probably not the result of an infection via the extensions update connection, but of a spyware/Trojan infection.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Firefox users targeted by rare piece of malware
« Reply #10 on: December 06, 2008, 06:20:58 PM »
Relax Frank, it's not the end of the world nor is it the first time Firefox has been targeted.
The more popular it becomes, the more it will have to deal with targeted attacks.
I know it hurts but that's the price of fame.  :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Firefox users targeted by rare piece of malware
« Reply #11 on: December 06, 2008, 06:35:31 PM »
The only thing that annoys me is the IE fanboys trying to portray this as a Firefox exploit when it's not.

Quote
Malicious extensions

There have been a few reports of malware being installed as a hidden Firefox extension, via the Windows Registry. In the reported cases, the HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\ key was used to install the malicious extension. This may be the case if you see a message when starting Firefox that a new add-on has been installed but nothing new is listed in the Add-ons manager and this registry key is present. See this forum topic for more information.

http://kb.mozillazine.org/Uninstalling_add-ons#Windows_Registry_extension

Please don't try to attribute emotions to me nor tell me what I already know. This issue is nothing new, see the discussion here:

http://forum.avast.com/index.php?topic=40643.0
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Firefox users targeted by rare piece of malware
« Reply #12 on: December 06, 2008, 07:19:50 PM »
Relax Frank, it's not the end of the world nor is it the first time Firefox has been targeted.
The more popular it becomes, the more it will have to deal with targeted attacks.
I know it hurts but that's the price of fame.  :)

Most of these don't seem to be Firefox-specific- they just contain the term 'Firefox' because Firefox is one of many processes the malware attempts to kill one of many names the malware calls itself on P2P networks.

A couple seem to inject themselves into the Firefox process, but not specifically because they also target IE.

JS_FFSNIFF.A does seem to target Firefox, by posing as a legitimate extension:

Quote
Mozilla has taken heat from security experts in the past about neglecting to digitally "sign" third-party extensions so that users have some assurance that Mozilla has vetted the developer's work.

http://blog.washingtonpost.com/securityfix/2006/07/passwordstealing_trojan_disgui.html

This story of course was about a Trojan that could install itself as an extension without any user interaction, although it did require the user to run an .exe file.  :o

Some of the other malware listed by Secunia seem to be exploits for long-patched vulnerabilities in older versions.

So keeping up to date, not installing extensions from unknown sites and not running  executables from email attachments seems to be enough to keep safe even without the extra precautions you mention Polonus.

Still, there's no denying that Firefox is becoming a target for the malware writers.

http://forum.avast.com/index.php?topic=23535.msg193999#msg193999


"Still, there's no denying that Firefox is becoming a target for the malware writers."

FreewheelinFrank, 2006.


That's more than two years ago.
« Last Edit: December 06, 2008, 07:22:32 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: Firefox users targeted by rare piece of malware
« Reply #13 on: December 06, 2008, 07:26:10 PM »
Hi FwF,

Like to help you there. Firefox with the NoScript add-on installed and running has NEVER been vulnerable - zero times. In spite of all the patches, all known vulnerabilities did not apply to Firefox + NoScript. That is why I do not understand why a similar concept has never been brought aboard Firefox by default or inside Internet Explorer. Giorgio Maone's extensions has not failed once.
And what the reason is this has not materialized long ago for the users of browsers, I think we never will get the real answers, but it makes you wonder, does not it?

ust to stay on topic. The Trojan is known as Trojan.pws.chromeinject.a and installs inside the Fx add-ons-folder. There the Trojan poses as Greasemonkey, a popular extension (that brought similar problems before) to influence rendering of web pages.

Every time the browser starts the malware starts to be active. Using java script it recognizes over hundred banks and financial institutions, and when the user visits one of these, the malware registrates passwords to pass them on later to a Russian server.

The malware will be soon recognized by av-scanners, but the malware shows malcreants now also target users of Firefox with this trojan, but you have to visit a malicious website or download the malware manually to get infected. The Mozilla add-on site is secure, because there add-on's are checked.  Trojan.pws.chromeinject.a is not a unique issue, in 2006 a Trojan with the name Formspy already posed as an extension inside Firefox,

polonus

« Last Edit: December 06, 2008, 07:46:56 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Hard_ROCKER

  • Guest
Re: Firefox users targeted by rare piece of malware
« Reply #14 on: December 06, 2008, 07:45:46 PM »
Hi FwF,

Like to help you there. Firefox with the NoScript add-on installed and running has NEVER been vulnerable - zero times. In spite of all the patches, all known vulnerabilities did not apply to Firefox + NoScript. That is why I do not understand why a similar concept has never been brought aboard Firefox by default or inside Internet Explorer. Giorgio Maone's extensions has not failed once.
And what the reason is this has not materialized long ago for the users of browsers, I think we never will get the real answers, but it makes you wonder, does not it?

polonus

Because it's a pain in the arse having to allow/disallow scripts on every single website my friend that's why. Also the reason why i avoid NoScript like the devil. I believe i am not the only one that feels that way. ;D