Avast - are we protected?

Hi malware fighters,

Just a question. For the second time a virus has been found to install malware active as an extension in Firefox. Another time I was reminded of Eddy’s warning some time ago here in this forum section about extensions and fx’s security.
This time it concerns a hidden trojan - see this link:
http://www.bitdefender.fr/NW899-fr--BitDefender-detecte-une-nouvelle-methode-de-vol-des-mots-de-passe-sur-Internet.html
The Trojan is being loaded every time the browser starts up. Researchers found it filters data whenever users do their online banking. Earlier this year another malicious plug-in had a Trojan horse hiding there, Xorer.o, probably from Vietnam:
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189095&sitepanda=particulares
How can you spot in Firefox that it has “Trojan.PWS.ChromeInject.A” running? But the main question is: are we protected by avast?
For obvious reasons I run the NoScript 1.8.7. extension inside Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081203 Shiretoko/3.1b3pre ID:20081203053737,

luntrus

Here’s the English version:

http://news.bitdefender.com/NW900-en--BitDefender-Uncovers-New-Password-Stealing-Application.html

Hi FwF,

Very attentive of you to provide the translation into the Queen’s English, but are we protected?

Damian

Hi FwF,

The maker of NoScript, Giorgio Maone commented to me on MozillaZine:

"You get a notification bar as soon as any site other than addons.mozilla.org tries to install a Firefox extension. Even if you click on the "Allow" button, you then get a popup dialog which informs you that a certain party is trying to install an extension, and asks for a second confirmation after a 5 second countdown which rules out "blind" clicking. At that point, if you're so foolish as to go on, you're ***** , but I think you've got more chances of getting infected by installing a regular executable."

Anyway, my advice would be to install add-ons only through the official Mozilla repository, and never from the maker’s site, even if a more recent version might be published there. In this respect, folks, Opera is a more secure browser than Fx, and add-ons can be a double-edged sword for people who do not know what they are doing,

pol

;D Thanks for the info/warning :smiley: but what I use now is Opera 9.62, waiting for the final release of FF 3.1 :smiley:

Why aren’t they disclosing the name of the addon which is stealing your passwords ???

Why aren't they disclosing the name of the addon which is stealing your passwords ???
The threat, known as Trojan.PWS.ChromeInject.A, was detected in the wild by anti-virus firm BitDefender. It can affect Firefox 2 and 3 and includes [b]files[/b] that are [b]named similarly to legitimate Firefox extensions[/b].

http://www.computershopper.co.uk/news/240891/new-malware-targets-firefox-users.html#

Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

When it runs on a PC, it registers itself in Firefox’s system files as “Greasemonkey,” a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

http://www.infoworld.com/article/08/12/04/Firefox_users_targeted_by_rare_piece_of_malware_1.html

This is not an add-on as such.

Apparently it requires pre-existing malware to download and install compromised components into the Firefox files structure. As noted by FWF these components use filenames that are well known in Firefox.

SYMPTOMS: Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll" "%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js" files in the Mozilla Firefox's plugins and chrome folders.

TECHNICAL DESCRIPTION:
It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.

This is not an add-on as such.

Apparently it requires pre-existing malware to download and install compromised components into the Firefox files structure.

It seems to resemble this Trojan from a couple of years ago.

And no doubt, this attack will embolden critics to say, "See, we told you so." But Dan Veditz, a security developer at Mozilla, said no amount of digital signing would prevent an attack like this one, as it relies not on the browser's default installer (whose installation files end in ".xpi") but on the user opening an executable program file (".exe") that is handled by the Windows operating system.

“This attack was perhaps a little too easy, but the reality is that once someone has launched an installer on their system, ultimately it becomes an arms race between how much effort we want to put in and what the attackers are willing to do” to circumvent it, Veditz said.

http://voices.washingtonpost.com/securityfix/2006/07/passwordstealing_trojan_disgui.html

The BitDefender report actually states ‘plugin’ rather than ‘add-on’ or ‘extension’. Plugins like Java and Flash appear in different places in Firefox (Tools>Add-ons / about:plugins).

As far as I know, plugins are just installed by dropping the right file in the plugin folder (I had to do it with RealPlayer once), and this is true for both Firefox and Opera.

Polonus, you do Firefox programming, can you elucidate further?

Hi FwF,

The malicious code can be smuggled into the plug-in of some external coder before he uploads it to Firefox (he did not detect it at that time). If no anti-virus scanners (script debuggers) detect it, then it can, for instance, sneak into the code of a legit language pack and start to infect users of the plug-in.
See the developer’s discussion on the previous incident here: https://bugzilla.mozilla.org/show_bug.cgi?id=432406
In the mentioned incident it was pop-up adware that was served up unintentionally, but it can also be Trojan code etc. In the case of add-on 5954:
All help pages (*.xhtml) are malicious script right after:

This was not according to the rules, which say that language packs may not contain JS. So again JavaScript was at the root of all this evil.
We cannot take the add-on developer at his or her word that it is malware free, so all add-ons should be given the all-clear before being published by Mozilla, and you should be extra careful about trusting third-party add-ons and plug-ins, so refrain from using these…

In the mentioned recent incident we had another scenario: the plugin is not being installed through FF itself, but has ended up on one’s computer by other means. At that point, (most likely) all that needs to be done is for the DLL to be moved into the FF /plugins/ directory - no “install” necessary - and it becomes active thereafter.

You could check about:plugins and look for anything out of place, like npbasic.dll as the case may be.

The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes. This is called a Cross Browser Modal Dialog Box.

Test at: https://bugzilla.mozilla.org/attachment.cgi?id=5099

Also see what our friend “essexboy” had to report on the mentioned malware here: http://forum.avast.com/index.php?topic=40713.msg341330#msg341330

polonus
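To turn the two symptoms quoted earlier in the thread (the dropped files under plugins\ and chrome\) and the about:plugins check into a repeatable look at a Firefox install directory, here is an added Python script; it is not from this thread, Mozilla or BitDefender. It assumes you point it at the install directory (e.g. %ProgramFiles%\Mozilla Firefox), and by default it runs against a constructed sample tree rather than a real install.

```python
import tempfile
from pathlib import Path

# Dropped files named in the BitDefender description quoted in this thread,
# relative to the Firefox install directory (e.g. %ProgramFiles%\Mozilla Firefox).
INDICATORS = (
    Path("plugins") / "npbasic.dll",
    Path("chrome") / "chrome" / "content" / "browser.js",
)


def scan_firefox_dir(install_dir):
    """Report indicator hits plus context an admin can compare against about:plugins.

    Returns a dict with:
      indicators      - indicator paths that exist (posix-style, relative to install_dir)
      plugin_dlls     - every .dll in plugins\, since the trojan needs no install step
                        beyond dropping a DLL there (as noted in the thread)
      loose_chrome_js - .js files lying unpacked under chrome\; assumption: a stock
                        Firefox 3 keeps its chrome content packed in .jar files, so a
                        loose script there deserves a look
    """
    root = Path(install_dir)
    hits = [p.as_posix() for p in INDICATORS if (root / p).is_file()]
    plugins = root / "plugins"
    dlls = sorted(p.name for p in plugins.glob("*.dll")) if plugins.is_dir() else []
    chrome = root / "chrome"
    loose = sorted(p.relative_to(root).as_posix() for p in chrome.rglob("*.js")) if chrome.is_dir() else []
    return {"indicators": hits, "plugin_dlls": dlls, "loose_chrome_js": loose}


def build_sample_tree(base=None):
    """Construct a throwaway directory that mimics an infected install (sample data, not real files)."""
    root = Path(base) if base else Path(tempfile.mkdtemp(prefix="ff_sample_"))
    (root / "plugins").mkdir(parents=True, exist_ok=True)
    (root / "chrome" / "chrome" / "content").mkdir(parents=True, exist_ok=True)
    # Benign stand-in for a normal plugin DLL (constructed placeholder content).
    (root / "plugins" / "npnul32.dll").write_bytes(b"placeholder: benign plugin")
    # The two dropped files from the thread (constructed placeholder content only).
    (root / "plugins" / "npbasic.dll").write_bytes(b"placeholder: dropped plugin")
    (root / "chrome" / "chrome" / "content" / "browser.js").write_text("// placeholder dropped script\n")
    # Packed chrome, as a stock install would have it; not a .js file, so it is not flagged.
    (root / "chrome" / "browser.jar").write_bytes(b"placeholder: packed chrome")
    return str(root)


if __name__ == "__main__":
    for key, values in scan_firefox_dir(build_sample_tree()).items():
        print(f"{key}: {values if values else 'none'}")
```

Point scan_firefox_dir at a real install directory to get the same report; a hit on either indicator, or a plugin DLL you cannot match to an entry in about:plugins, is what to follow up on.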

Good blog on this:

[b]Firefox Malware?[/b]

A crappy thing happened last week - someone wrote some malware that infects Firefox. We obviously don’t like that very much at all, but I wanted to at least make it clear what is and isn’t happening, since there’s some confusion out there.

What is going on?

Basically for as long as there has been software, there have been nasty people out there who get you to download and install software which turns out to have hidden cargo. Security folks use names like “virus,” “trojan,” “worm,” and “malware” to describe different types, but the point is that if a person can be tricked into running nasty programs, they can do nasty things.

In this case, rather than wiping your hard drive or turning all your icons upside down, this particular jerk has decided to mess with your Firefox. Once you run the program, it hooks into your Firefox and watches for you to visit certain sites, at which point it will steal your username and password.

How Can I Tell If I Have It?

You can open up your Firefox addons manager (Tools->Add-ons) and go to the “Plugins” section. If you have a plugin called “Basic Example Plugin for Mozilla” you should disable it.

Does This Mean that Firefox is Insecure?

No, and here’s why:

* This particular malware targets our program, but once you have malicious software running on your system, it can just as easily attack other programs, or harm your computer in other ways.
* This isn’t contracted by just browsing around the web with Firefox 3. In fact, the Malware Protection features in Firefox 3 are designed specifically to prevent sites from being able to attack your computer.

The people getting infected here are either downloading enticing files that have the malware hiding inside (which is why Firefox 3 hands off all downloads to your computer’s virus scanner once downloaded) or, as some sites are reporting, people who have already been infected in the past having their computers forced to download this file as well.

Typical Firefox 3 users who avoid downloading software they don’t trust are unlikely to ever see this, and even the sites reporting it describe its incidence as “rare”.

What’s this I hear about GreaseMonkey?

There are some mentions of greasemonkey in a couple of the early reports based on some analysis of the code used by this malware, but I want to be clear that the (legitimate, and awesome) Greasemonkey Addon is not involved in this malware in any way. It is not involved in the installation or execution of the attack.

As always, the best defense is vigilance. Use a browser with a solid security record and modern anti-malware defenses built in, and be very careful about downloading and running programs you find online. If a bad guy is able to get you to run a program on your machine they will be able to do bad things, so we’ll keep trying to stop them and you keep trying to as well.

More details are also available on the official Mozilla security blog.

http://blog.johnath.com/2008/12/08/firefox-malware/

Hi FwF,

Is the Mozilla-Default-Plug-in meant here, and should that be disabled?

pol

See reply #8 above.

Basic Example Plugin. :wink:

To check whether your computer is infected, look for “Basic Example Plugin for Mozilla” in the Plugin list by choosing Add-ons from the Tools menu in Firefox. Then choose Plugins. If you see this plugin, disable it.

http://blog.mozilla.com/security/2008/12/08/malicious-firefox-plugin/

Call me stupid, but it simply says a popular plugin. It doesn’t say which popular plugin.
There happen to be many. ???

If you followed “the credit” link it would have shown you precisely the information I posted in reply #8 above.

Bob, the trojan disguises itself as Greasemonkey, as you can see from the quote below from this site, which is posted by Frank.

If a user has been tricked into installing this plug-in, or had it installed through a separate vulnerability it may compromise passwords and the user’s accounts. This trojan is not Greasemonkey, even though it uses some of Greasemonkey’s internal Ids.

If you have the “plug-in,” which is rather unlikely, you should disable it, following this instruction.

Hi Polonus,

Interesting article!

Is the trojan one of the Firefox extensions which I use?

Thanks and keep up the great work Polonus!


Adblock Plus 1.0
British English Dictionary 1.1.9
DownloadHelper 3.5.1
Dr. Web anti-virus link checker 1.0.18
Finjan Secure Browsing 1.314
Forcefield Toolbar 1.2 (Note: this is a ZA product)
Java Quick Start 1.0
McAfee SiteAdvisor 26.6 (Note: this is disabled)
MultirowBookmarksToolbar 3.3
Netcraft Anti-Phishing Toolbar 1.2
Noscript 1.8.7.4
Panic Button 1.1.1
Realplayer Browser Record Plugin 1.0
ShopIP 0.8.10r22b0272

avastfan1,

If you had read through the thread, then you would know it is not recognizable as any extension at all.