Anti-Virus Firms Warn of Trojan Horse Mozilla Firefox Extension

USMCRET6391 · 07-27-2006, 04:29 PM

Anti-virus firms are reporting that a trojan horse that takes the form of a Mozilla Firefox extension has been spotted in the wild. The trojan, which McAfee has named FormSpy and Sophos has dubbed Troj/FireSpy-A, captures information entered into the browser, including, but not limited to, passwords and banking details, and sends them to a remote computer. The trojan comes with a Windows executable that can also record ICQ, POP3, IMAP and FTP passwords. Within Firefox, the trojan pretends to be the legitimate numberedlinks extension.

The FormSpy trojan does not use any Firefox security flaws to infect computers. Instead, it is downloaded and installed automatically by a piece of Windows malware known as Downloader-AXM, which exists solely for the purpose of surreptitiously downloading and running trojan horses. Once downloaded by Downloader-AXM, FormSpy installs itself in Firefox by directly modifying Firefox user profile files, completely bypassing the standard Firefox extension installation mechanism (and warning messages).

To get infected by FormSpy in this way, a user must already have Downloader-AXM on his or her system. First spotted earlier this week, Downloader-AXM is distributed as a Windows executable attached to a spoof email purporting to be a order confirmation message from Wal-Mart. However, McAfee says that they have also seen attempts to install FormSpy using the three-year-old VBS/Psyme exploit in Microsoft Internet Explorer.

To check for infection, Firefox users are advised to examine their list of installed extensions (accessible from the Tools menu as the Extensions item). The unexpected presence of "Numbered Links 0.9" indicates a possible infection. The McAfee virus profile of FormSpy includes more information about the files installed by the trojan. McAfee believes that the number of infections is currently low.

TechWeb has an article about FormSpy. In the report, Craig Schmugar, virus research manager at McAfee's Avert Labs, expresses concerns about the ease with which the FormSpy trojan is able to disguise itself as the legitimate numberedlinks extension and suggests that Firefox developers should address this.

Grimmy · 07-27-2006, 07:44 PM

Thanks for the heads up. Done checked and seem to be clean.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Is Firefox still safer than IE?	USMCRET6391	Technology and Computers	0	05-13-2005 08:04 AM
IT pros: What's wrong with Firefox isn't Firefox's fault	USMCRET6391	Technology and Computers	0	04-15-2005 12:42 AM
The History of Mozilla Firefox: From Phoenix, to Firebird, to Firefox	USMCRET6391	Technology and Computers	0	04-04-2005 09:05 AM
Celebrity Viruses	Navy6064	The Fouled Anchor	8	04-01-2005 08:21 PM

New To The Site?	Need Information?
Introduce yourself in Roll Call Enjoy the benefits of Membership Review rules on the site Create your own Blog!	Help add Military Facts and Research to the site Get access to the Private Clubs

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)