Original URL: http://www.theregister.co.uk/2006/07/26/firefox_malware_extension/

Spyware poses as Firefox extension

Trojan downloader launches secondary attack

By John Leyden

Posted in Security, 26th July 2006 13:51 GMT

Virus writers have created a spyware package that poses as an extension to the Firefox web browser.

FormSpy, which poses as the legitimate NumberedLinks 0.9 extension, is programmed to steal confidential information from compromised machines including passwords, credit card numbers, and ebanking login details. The malware is also capable of sniffing passwords from ICQ, FTP, and email traffic before sending this data to a hacker-controlled website.

FormSpy is normally downloaded onto compromised machines already infected with another Trojan program, called Downloader-AXM. It can also spread as a drive-by download from compromised websites.

Downloader-AXM began spreading via virus infected spam messages (example here) earlier this week. Fortunately, the attack is not yet widespread, according to net security firm McAfee, which has published a detailed write-up of the threat here. ®