
The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. It is currently being openly disseminated through spam emails that purport to come from Wal-Mart. If the recipient opens the mail attachment while running a Windows operating system, the Trojan then installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. McAfee has dubbed the Trojan "FormSpy," although the company is still currently categorizing its distribution as low.

The file attached to the email consists of an executable Windows program, the AXM downloader. Once launched, it fetches the extension from the Internet and records itself directly into the Firefox configuration data, avoiding the regular installation process. Firefox extensions are normally distributed as XPI files, which ask the user for confirmation after forcing a pause of several seconds.

In a blog entry, Geok Meng Ong from McAfee Avert Labs called on users to take extreme caution when installing unsigned Firefox extensions from untrustworthy sources. This well-intended warning was actually off the mark on several points. On the one hand, only very few websites are authorized to install extensions without seeking additional approval. Furthermore, there are at the moment virtually no signed extensions for Firefox or Mozilla. And finally, that mechanism would not have protected against this attack. This is because the user, in opening the file attachment and thereby allowing the foreign program to execute on his computer, automatically provides it with his own usage rights.

An effective protection against this attack is simply never to open file attachments that you have not requested. It is also important not to rely on seemingly trustworthy 'From:' address fields, since these are easy to forge. When in doubt, confirm the legitimacy of the email with the purported sender in another way, such as by telephone. Further tips for safe handling of email are provided at heisec Emailcheck.



I'm a huge Firefox supporter, ever since Netscape became a clunky, over-bloated piece of crap (all versions following 4.71) -- Firefox offers a LOT more than Internet Explorer, and is open source! Check it out yourself at http://www.mozilla.com/firefox/

As you can read here, writing a browser extension is not rocket science, and there have been hundreds, if not thousands of virus/worm/spyware style extensions for Microsoft's Internet Explorer. You always need to be careful of what software you allow to run on your computer when you have "administrator" level access. This goes for Macintosh and UNIX systems as well (although this sort of thing is currently not as common -- yet.)

Know which "browser extensions" you are running at all times. Under Firefox, click on TOOLS then EXTENSIONS to see this information (the average user should have NONE in there!) -- for Internet Explorer, it's a bit more difficult. They're called Add-Ons, and you can see them from: Tools -> Internet Options -> Programs -> Manage Add-Ons. Several of the Internet Explorer Add-Ons are REQUIRED for proper web browsing, so use your brain to determine which ones can safely be "disabled" or removed.

(Firefox Extensions image ganked from here -- Thanks!)
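
The "know which extensions you are running" check can also be scripted. The following is an added example, not part of the original post or of any McAfee or Mozilla tooling: it flags extensions that look like they were written into the profile rather than installed through the browser, as the article describes. It assumes the add-on registry of current Firefox versions (`extensions.json` in the profile directory, with the fields `foreignInstall`, `signedState`, `sourceURI` and `location`); the Firefox of the article's time stored this data differently, and the sample records are constructed.

```python
import json
from pathlib import Path

SIGNED = 2  # assumption: signedState >= 2 means the add-on carries a valid signature

def load_registry(profile_dir):
    """Read the add-on registry from a Firefox profile directory."""
    path = Path(profile_dir) / "extensions.json"
    return json.loads(path.read_text(encoding="utf-8"))

def audit_extensions(registry):
    """Return (name, id, reasons) for every extension that deserves a manual look."""
    flagged = []
    for addon in registry.get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        reasons = []
        if addon.get("foreignInstall"):
            reasons.append("placed in the profile by another program")
        state = addon.get("signedState")
        if state is None or state < SIGNED:
            reasons.append("no valid signature")
        # Built-in add-ons legitimately have no download source; user-profile ones should.
        if addon.get("location") == "app-profile" and not addon.get("sourceURI"):
            reasons.append("no recorded download source")
        if reasons:
            name = (addon.get("defaultLocale") or {}).get("name", "?")
            flagged.append((name, addon.get("id"), reasons))
    return flagged

# Constructed sample registry: one store-installed add-on, one built-in add-on,
# and one record shaped like an extension dropped in by an external program.
SAMPLE = {"addons": [
    {"id": "store-addon@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Store Addon"}, "foreignInstall": False,
     "signedState": 2, "location": "app-profile",
     "sourceURI": "https://addons.example.invalid/store-addon.xpi"},
    {"id": "builtin@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Built-in"}, "foreignInstall": False,
     "signedState": 3, "location": "app-system-defaults", "sourceURI": None},
    {"id": "placeholder@example.invalid", "type": "extension",
     "defaultLocale": {"name": "numberedlinks"}, "foreignInstall": True,
     "signedState": 0, "location": "app-profile", "sourceURI": None},
]}

if __name__ == "__main__":
    for name, addon_id, reasons in audit_extensions(SAMPLE):
        print(f"{name} ({addon_id}): {'; '.join(reasons)}")
```

To run it against a real profile, pass the result of `load_registry()` to `audit_extensions()` instead of `SAMPLE`. A familiar name proves nothing, since the Trojan in the article borrowed the name of a legitimate extension.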



