New piece of spyware does its dirty work using a real Mozilla Firefox extension
July 26, 2006
A new trojan uses actual Mozilla Firefox browser extensions as an entryway into an unsuspecting user's machine.
The FormSpy spyware trojan was spotted again late yesterday making the rounds via a spam email, says Craig Schmugar, virus research manager for McAfee Avert Labs. McAfee issued an alert on the malware yesterday. It was first discovered by McAfee earlier in the week.
"The order of the information was repackaged and then spammed out again, but pointed to the same FormSpy trojan," Schmugar says.
FormSpy is installed as a Firefox extension, unbeknownst to the user, when he or she downloads an attachment in the message. The message poses as Dell or Wal-Mart, for instance, thanking the user for shopping with them and says information on their order is in the attachment. When they click on the attachment, another new Trojan that McAfee found on Monday, Downloader-AXM, inserts FormSpy into the Firefox browser.
"Then an executable installs a modified Firefox extension," Schmugar says, with FormSpy. FormSpy captures keystrokes, so it can grab information on Web forms the user fills out. "It also sniffs traffic flowing over the wire to the local network," including passwords.
FormSpy shows up as "NumberedLinks 0.9" as it's installed into the Mozilla browser. It can transmit information captured via the user's browser to a malicious Website.
"The significant element of this mass-spamming is that the trojan author figured there was a significant enough number of Firefox users that it would be worth blindly sending this trojan out, without knowing which specific browser the recipients would be using," Schmugar says.
As of press time, McAfee had no reports of infected machines but had heard about the exploit from users who had seen but didn't fall for the scam. "The mass spamming of trojans is unfortunately a regular occurrence," Schmugar says.
So is there a way to secure extensions? Not really, Schmugar says, because making code more feature-rich also opens it up to vulnerabilities. "It's difficult to balance security and functionality in software."
A Mozilla spokesperson declined to comment.
— Kelly Jackson Higgins, Senior Editor, Dark Reading
McAfee Inc. (NYSE: MFE)
About the Author(s)
You May Also Like
Guarding the Cloud: Top 5 Cloud Security Hacks and How You Can Avoid Them
April 4, 2024Cybersecurity Strategies for Small and Med Sized Businesses
April 11, 2024Defending Against Today's Threat Landscape with MDR
April 18, 2024Securing Code in the Age of AI
April 24, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024Black Hat Asia - April 16-19 - Learn More
April 16, 2024