Firefox plug-in Trojan harvests logins
Spy on the wire
Virus writers have latched onto the popularity of Firefox with a new variant on the established practice of stealing online banking passwords.
A password pinching Trojan that poses as a Firefox Plugin is doing the rounds, Romanian security firm BitDefender warns. ChromeInject-A is typically downloaded onto Windows PCs already compromised by other strains of malware.
Once installed, the Trojan sits in Firefox's Plugin folder, activating every time the popular browser is started. The backdoor code looks for data exchanged between a compromised machine and a list of pre-programmed banking sites in Europe, Australia and the US.
Harvested login credentials are captured and subsequently posted to a server located in Russia.
More details on the bank sites targeted, along with the general behaviour of the Trojan, can be found in a write-up by BitDefender here.
BitDefender reports that incidents of the malware are "very low", so the attack is more notable for its novelty than its potency. Malware that capitalises on the popularity of Firefox is rare, but not unprecedented.
Two years ago a spyware package that masqueraded as an extension to the Firefox web browser was spotted on the net. Like ChromeInject-A, FormSpy failed to do much harm. ®
time for one-time logins
this is the typical use case for services like http://kyps.net
Yes, do you?
Extensions do *not* have to be signed. Mozilla stipulates only that any updates to extensions need to be secured, and that can be done either via an SSL link or a signed cert. A quick search on the number of unsigned Firefox extensions will provide illuminating results. People use unsigned addons all the time for lots of perfectly good reasons, and the system does not prevent them from doing so - also for perfectly good reasons.
Therefore, when presented with a warning that an extension is unsigned, many people make the perfectly reasonable decision to proceed to install it anyway. In other words, established user behaviour means the warning is not a useful indicator of a possible threat.
The article makes it clear that the malware is downloaded into the extensions folder by another piece of malware all ready to run, so the issue of "you can only download from Mozilla.com" does not apply.
> You go on for 5 paragraphs, and yet never say "WINDOZE".
While I don't read every article I don't think I've seen any writer here uses that term. They probably don't want to appear childish and unoriginal. Change the record, guys. The word plays on MS and Windows got old very quickly and cost you credibility. Why do you think peoples' eyes roll over or glaze when you gimps start on about Linux/Firefox/OpenOffice at every opportunity? Sheesh.