Tick-like banking Trojan drills into Firefox, sucks out info
Neloweg spreading across UK, Netherlands
A new banking Trojan is spreading in the UK and the Netherlands, Symantec warns.
Neloweg operates much like its more famous cybercrime toolkit predecessor ZeuS, but with a couple of subtle twists.
The malware is designed to snatch online login credentials, primarily (but not exclusively) those for online banking sites. It infects machines by tricking Microsoft Windows users into installing it via a drive-by-download, spam or targeted email, or with the help of other malware.
Neloweg also targets browsers that utilise the Trident (Internet Explorer), Gecko (Firefox) and WebKit (Chrome/Safari) browser engines. In the case of Firefox, the Trojan buries itself, becoming an integral component of the browser on infected machines – rather than a simple extension – a development that makes the Neloweg more stealthy than previous strains of banking malware.
"In the past we have seen threats create malicious extensions," Gutierrez writes. "All users had to do was disable that particular add-on and they would be safe.
"For Neloweg, this is not the case. Since it is a component, it does not appear as an add-on in Firefox’s add-ons Manager, like other extensions and plugins do. Furthermore, because of the way Firefox is designed, Neloweg will be recreated and reinstalled every time Firefox attempts to connect to the Internet." ®
And it is spread, how, exactly?
An article with zero useful information. It would have been nice to know:
* How does a machine become infected? Visit a malicious site? Or what?
* How does the trojan get installed? Does the user have to agree to run a program? What permissions does the trojan require (ordinary user? root?)
* What operating systems are affected?
* What do you do to protect yourself?
All the article does is to tell us the sky if falling in. Well thanks.
Correction - firefox on MS's rubbish OS's
"In the case of Firefox, the Trojan buries itself, becoming an integral component of the browser on infected machines – rather than a simple extension – a development that makes the Neloweg more stealthy than previous strains of banking malware."
Not on my linux install it won't. The firefox binary and all its libraries binary are owned by root and don't have write permissions but are run as a local user. Good luck to some malware trying to burrow its way into that.
Re: Re: Correction - firefox on MS's rubbish OS's
And Windows 7 / Server 2008 are notable by their absence from that list, which means that MS definitely made the right changes in separating out user & administrator privileges.
What was more interesting was the targetting of smaller browsers that licence the major engines, so it is a very carefully crafted package.