Chaz Antonelli (mc4bbs) wrote,

Spyware disguises itself as Firefox extension!

The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. It is currently being openly disseminated through spam emails that purport to come from Wal-Mart. If the recipient opens the mail attachment while running a Windows operating system, the Trojan then installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. McAfee has dubbed the Trojan "FormSpy," although the company is still currently categorizing its distribution as low.

The file attached to the email consists of an executable Windows program, the AXM downloader. Once launched, it fetches the extension from the Internet and records itself directly into the Firefox configuration data, avoiding the regular installation process. Firefox extensions are normally distributed as XPI files, which ask the user for confirmation after forcing a pause of several seconds.

In a blog entry, Geok Meng Ong from McAfee Avert Labs called on users to take extreme caution when installing unsigned Firefox extensions from untrustworthy sources. This well-intended warning was actually off the mark on several points. On the one hand, only very few websites are authorized to install extensions without seeking additional approval. Furthermore, there are at the moment virtually no signed extensions for Firefox or Mozilla. And finally, that mechanism would not have protected against this attack. This is because the user, in opening the file attachment and thereby allowing the foreign program to execute on his computer, automatically provides it with his own usage rights.

An effective protection against this attack is simply never to open file attachments that you have not requested. It is also important not to rely on seemingly trustworthy 'From:' address fields, since these are easy to forge. When in doubt, confirm the legitimacy of the email with the purported sender in another way, such as by telephone. Further tips for safe handling of email are provided at heisec Emailcheck.

I'm a huge Firefox supporter, ever since Netscape became a clunky, over-bloated piece of crap (all versions following 4.71) -- Firefox offers a LOT more than Internet Explorer, and is open source! Check it out yourself at

As you can read here, writing a browser extension is not rocket science, and there have been hundreds, if not thousands, of virus/worm/spyware style extensions for Microsoft's Internet Explorer. You always need to be careful of what software you allow to run on your computer when you have "administrator" level access. This goes for Macintosh and UNIX systems as well (although this sort of thing is currently not as common -- yet.)

Know which "browser extensions" you are running at all times. Under Firefox, click on TOOLS then EXTENSIONS to see this information (the average user should have NONE in there!) -- for Internet Explorer, it's a bit more difficult. They're called Add-Ons, and you can see them from: Tools -> Internet Options -> Programs -> Manage Add-Ons. Several of the Internet Explorer Add-Ons are REQUIRED for proper web browsing, so use your brain to determine which ones can safely be "disabled" or removed.
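The "know what you are running" advice can be turned into a repeatable check against a list of extensions you knowingly installed. The script below is an added example, not code from this post, McAfee or Mozilla; the record fields (`id`, `defaultLocale.name`, `foreignInstall`, `signedState`) are assumptions modelled on the `addons` array of a current Firefox profile's extensions.json, and the sample records and baseline are constructed.

```python
import json

# Constructed sample modelled on the "addons" array of a Firefox profile's
# extensions.json; the field names are assumptions about that file.
SAMPLE = json.loads("""
{"addons": [
  {"id": "numberedlinks@example.invalid", "defaultLocale": {"name": "NumberedLinks"},
   "location": "app-profile", "foreignInstall": false, "signedState": 2, "active": true},
  {"id": "{00000000-0000-0000-0000-000000000001}", "defaultLocale": {"name": "numberedlinks"},
   "location": "app-profile", "foreignInstall": true, "signedState": 0, "active": true},
  {"id": "theme@example.invalid", "defaultLocale": {"name": "Plain Theme"},
   "location": "app-profile", "foreignInstall": false, "signedState": 2, "active": false}
]}
""")

# Constructed baseline: ids of extensions the user knowingly installed -> name.
BASELINE = {"numberedlinks@example.invalid": "NumberedLinks"}


def audit(profile, baseline):
    """Return (id, reasons) for every extension record that deserves a look."""
    known_names = {name.casefold(): ext_id for ext_id, name in baseline.items()}
    findings = []
    for addon in profile.get("addons", []):
        ext_id = addon.get("id", "<missing id>")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        reasons = []
        if ext_id not in baseline:
            reasons.append("not in baseline")
            # Same display name as a trusted extension under a different id:
            # the disguise described in the article.
            if name.casefold() in known_names:
                reasons.append("name imitates " + known_names[name.casefold()])
        if addon.get("foreignInstall"):
            reasons.append("registered outside the browser's install flow")
        # Assumed meaning: values <= 0 are missing, unknown or broken signatures.
        if addon.get("signedState", 0) <= 0:
            reasons.append("unsigned or signature unknown")
        if reasons:
            findings.append((ext_id, reasons))
    return findings


if __name__ == "__main__":
    for ext_id, reasons in audit(SAMPLE, BASELINE):
        print(ext_id, "->", "; ".join(reasons))
```

As the article points out, a program already running with the user's rights can write whatever it likes into the profile, so the signature and install-flow fields are weaker signals than the comparison against a baseline kept somewhere else.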

(Firefox Extensions image ganked from here -- Thanks!)

Tags: firefox, news, technology
