Trojan Uses Firefox Add-On

New piece of spyware does its dirty work using a real Mozilla Firefox extension

A new trojan uses actual Mozilla Firefox browser extensions as an entryway into an unsuspecting user's machine.

The FormSpy spyware trojan was spotted again late yesterday making the rounds via a spam email, says Craig Schmugar, virus research manager for McAfee Avert Labs. McAfee issued an alert on the malware yesterday. It was first discovered by McAfee earlier in the week.

"The order of the information was repackaged and then spammed out again, but pointed to the same FormSpy trojan," Schmugar says.

FormSpy is installed as a Firefox extension, without the user's knowledge, when he or she opens an attachment in the message. The message poses as coming from Dell or Wal-Mart, for instance, thanks the user for shopping with them, and says information on the order is in the attachment. When the user opens the attachment, another new trojan that McAfee found on Monday, Downloader-AXM, inserts FormSpy into the Firefox browser.

"Then an executable installs a modified Firefox extension," Schmugar says; that extension is FormSpy. FormSpy captures keystrokes, so it can grab information from Web forms the user fills out. "It also sniffs traffic flowing over the wire to the local network," including passwords.

FormSpy shows up as "NumberedLinks 0.9" as it's installed into the Mozilla browser. It can transmit information captured via the user's browser to a malicious Website.
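A defender-side check that follows from the description above, added here as an example (not code from the article, McAfee or Mozilla): enumerate the add-ons registered in a Firefox profile's legacy extensions directory and flag any whose name is not on a known-good list. The profile layout assumed is the install.rdf manifest format of that Firefox generation; the allowlist, the sample add-on ids and the fixture are constructed for the example.

```python
# Added example, not from the article or McAfee: audit a Firefox profile's
# legacy extension manifests (extensions/<id>/install.rdf) against an allowlist.
import os
import tempfile
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"  # Mozilla install-manifest namespace

def read_manifest(path):
    """Return (id, name, version) from an install.rdf, or None if it does not parse."""
    try:
        desc = ET.parse(path).getroot().find(".//" + RDF + "Description")
    except ET.ParseError:
        return None
    if desc is None:
        return None
    return tuple((desc.findtext(EM + t) or "").strip() for t in ("id", "name", "version"))

def audit_extensions(profile_dir, allowlist):
    """Return (dir, name, version) for every add-on whose name is not on the allowlist."""
    findings = []
    ext_root = os.path.join(profile_dir, "extensions")
    for entry in (sorted(os.listdir(ext_root)) if os.path.isdir(ext_root) else []):
        manifest = os.path.join(ext_root, entry, "install.rdf")
        if not os.path.isfile(manifest):
            continue
        info = read_manifest(manifest)
        # An unparsable manifest is itself worth a look, so report it too.
        if info is None or info[1] not in allowlist:
            findings.append((entry,) + (info[1:] if info else ("<unparsable>", "")))
    return findings

# Constructed fixture: one benign add-on plus the "NumberedLinks 0.9" name the
# article reports; the add-on ids are placeholders, not real indicators.
FIXTURE = {"dict@example.invalid": ("Dictionary Helper", "1.0"),
           "numlinks@example.invalid": ("NumberedLinks", "0.9")}
MANIFEST = ('<?xml version="1.0"?><RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#"><Description '
            'about="urn:mozilla:install-manifest"><em:id>{id}</em:id><em:name>{name}'
            '</em:name><em:version>{ver}</em:version></Description></RDF>')

def demo():
    """Write FIXTURE into a throwaway profile directory and audit it."""
    profile = tempfile.mkdtemp()
    for ext_id, (name, ver) in FIXTURE.items():
        d = os.path.join(profile, "extensions", ext_id)
        os.makedirs(d)
        with open(os.path.join(d, "install.rdf"), "w") as f:
            f.write(MANIFEST.format(id=ext_id, name=name, ver=ver))
    return audit_extensions(profile, allowlist={"Dictionary Helper"})
```

Running `demo()` returns only the NumberedLinks entry, since the dictionary add-on is on the allowlist; on a real machine, point `audit_extensions` at each user's profile directory and maintain the allowlist from an approved add-on inventory.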

"The significant element of this mass-spamming is that the trojan author figured there was a significant enough number of Firefox users that it would be worth blindly sending this trojan out, without knowing which specific browser the recipients would be using," Schmugar says.

As of press time, McAfee had no reports of infected machines but had heard about the exploit from users who had seen the scam but didn't fall for it. "The mass spamming of trojans is unfortunately a regular occurrence," Schmugar says.

So is there a way to secure extensions? Not really, Schmugar says, because making code more feature-rich also opens it up to vulnerabilities. "It's difficult to balance security and functionality in software."

A Mozilla spokesperson declined to comment.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
