Firefox-only malware found - Democratic Underground

charlie

(1000+ posts) Send PM | Profile | Ignore

Thu Dec-04-08 08:39 PM
Original message

Firefox-only malware found

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A" sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

...

When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

http://www.infoworld.com/article/08/12/04/Firefox_users_targeted_by_rare_piece_of_malware_1.html

How to detect it

Presence of the:
"%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
"%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"
files in the Mozilla Firefox's plugins and chrome folders.

http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html

Printer Friendly | Permalink | | Top

RoyGBiv

(1000+ posts) Send PM | Profile | Ignore

Thu Dec-04-08 10:08 PM
Response to Original message

1. I just skimmed ...

So, I can be asked to RTFA, but I'll pose the question anyway.

Is NoScript a defense against this?

I enable javascript very selectively, which makes browsing an adventure sometimes, but I prefer it. Is this the sort of thing NoScript would block?

Printer Friendly | Permalink | | Top

charlie

(1000+ posts) Send PM | Profile | Ignore

Thu Dec-04-08 10:28 PM
Response to Reply #1

2. I wouldn't expect so

The script is installed in the chrome directory, where Firefox uses javascript to power its GUI widgets. It's outside the webpage sandbox, so NoScript can't reach it. As far as I can tell.

Printer Friendly | Permalink | | Top

RoyGBiv

(1000+ posts) Send PM | Profile | Ignore

Thu Dec-04-08 10:41 PM
Response to Reply #2

3. Hrrrmmm ...

Disturbing.

Thanks for the heads-up.

Printer Friendly | Permalink | | Top

charlie

(1000+ posts) Send PM | Profile | Ignore

Thu Dec-04-08 10:51 PM
Response to Reply #3

4. If NoScript *could* be tweaked to block it

you know that it would've been updated 5 minutes after the news hit the wire. That guy issues revisions so often it's almost annoying :)

Sometimes I'll put off restarting after a download, only to find a new version has come out in the meantime. Or I'll update from the Mozilla repository and the initial redirect to his homepage informs me I don't don't have the latest from his site. That dude is just a tinkering fool... and all props and much appreciation to him for it.

Printer Friendly | Permalink | | Top

RoyGBiv

(1000+ posts) Send PM | Profile | Ignore

Thu Dec-04-08 11:20 PM
Response to Reply #4

5. No kidding ...

I am sometimes annoyed by it, but then I come to my senses. Would that all writers of software be that committed.

Reminds me ... I need to send him some money.

Printer Friendly | Permalink | | Top

DU AdBot (1000+ posts)

Tue Apr 23rd 2024, 06:24 PM
Response to Original message

Advertisements [?]

Top

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators

Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.