|07-27-2006, 04:29 PM||#1 (permalink)|
MSgt USMC Ret
Join Date: Aug 2004
Location: San Diego
Anti-Virus Firms Warn of Trojan Horse Mozilla Firefox Extension
Anti-virus firms are reporting that a trojan horse that takes the form of a Mozilla Firefox extension has been spotted in the wild. The trojan, which McAfee has named FormSpy and Sophos has dubbed Troj/FireSpy-A, captures information entered into the browser, including, but not limited to, passwords and banking details, and sends them to a remote computer. The trojan comes with a Windows executable that can also record ICQ, POP3, IMAP and FTP passwords. Within Firefox, the trojan pretends to be the legitimate numberedlinks extension.
The FormSpy trojan does not use any Firefox security flaws to infect computers. Instead, it is downloaded and installed automatically by a piece of Windows malware known as Downloader-AXM, which exists solely for the purpose of surreptitiously downloading and running trojan horses. Once downloaded by Downloader-AXM, FormSpy installs itself in Firefox by directly modifying Firefox user profile files, completely bypassing the standard Firefox extension installation mechanism (and warning messages).
To get infected by FormSpy in this way, a user must already have Downloader-AXM on his or her system. First spotted earlier this week, Downloader-AXM is distributed as a Windows executable attached to a spoof email purporting to be an order confirmation message from Wal-Mart. However, McAfee says that they have also seen attempts to install FormSpy using the three-year-old VBS/Psyme exploit in Microsoft Internet Explorer.
To check for infection, Firefox users are advised to examine their list of installed extensions (accessible from the Tools menu as the Extensions item). The unexpected presence of "Numbered Links 0.9" indicates a possible infection. The McAfee virus profile of FormSpy includes more information about the files installed by the trojan. McAfee believes that the number of infections is currently low.
TechWeb has an article about FormSpy. In the report, Craig Schmugar, virus research manager at McAfee's Avert Labs, expresses concerns about the ease with which the FormSpy trojan is able to disguise itself as the legitimate numberedlinks extension and suggests that Firefox developers should address this.
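An added example, not part of the original post and not McAfee's or Mozilla's code: the extension check described above, done by reading the profile on disk instead of the Extensions window. It assumes the Firefox 1.5/2.0-era profile layout (`extensions/<id>/install.rdf`), which the post does not describe; the sample profile and its extension IDs are constructed.

```python
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
SUSPECT = ("numbered links", "0.9")  # name and version given in the post

def read_manifest(path):
    """Return (name, version) from an install.rdf, or None if it cannot be read."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    for desc in root.iter(RDF + "Description"):
        # Only the top-level manifest node counts; nested targetApplication
        # descriptions are skipped. Fields may be child elements or attributes.
        if (desc.get(RDF + "about") or desc.get("about")) == "urn:mozilla:install-manifest":
            return tuple((desc.findtext(EM + k) or desc.get(EM + k) or "").strip()
                         for k in ("name", "version"))
    return None

def scan_profile(profile_dir):
    """Return (folder, name, version, needs_review) for each extension manifest."""
    pattern = os.path.join(glob.escape(profile_dir), "extensions", "*", "install.rdf")
    rows = []
    for manifest in sorted(glob.glob(pattern)):
        folder = os.path.basename(os.path.dirname(manifest))
        info = read_manifest(manifest)
        name, version = info or ("?", "?")  # unparsable manifest: review by hand
        review = info is None or (name.lower(), version) == SUSPECT
        rows.append((folder, name, version, review))
    return rows

def build_sample_profile():
    """Constructed test data: a throwaway profile holding two made-up extensions."""
    tmpl = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            '<em:name>%s</em:name><em:version>%s</em:version><em:targetApplication>'
            '<Description/></em:targetApplication></Description></RDF>')
    profile = tempfile.mkdtemp()
    for ext_id, name, ver in (("sample-a@example.invalid", "Numbered Links", "0.9"),
                              ("sample-b@example.invalid", "Example Tool", "1.2")):
        ext_dir = os.path.join(profile, "extensions", ext_id)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "install.rdf"), "w") as f:
            f.write(tmpl % (name, ver))
    return profile
```

A flagged row only means the entry should be reviewed: the legitimate numberedlinks extension carries the same name, so the signal is its unexpected presence.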
|07-27-2006, 07:44 PM||#2 (permalink)|
Join Date: Sep 2004
Re: Anti-Virus Firms Warn of Trojan Horse Mozilla Firefox Extension
Thanks for the heads up. Done checked and seem to be clean.