New Firefox Trojan Spotted

Read about it here.

 

Unfortunately it only mentions what it does once the malware executes, not how it all started. I'm thinking perhaps user double clicks nudepics.exe and then it's pwnage..

 

Unfortunately, this is the way it is with most reports of new scary malware.

Your conclusion is probably the correct one!

----
rich

 

What an idiot, even a Facebook page. Who's "pwned" now? As to someone double-clicking a file called "nudepics.exe", well, they kind of deserve what they get.

 

This shows again how dangerous it is to work with admin rights or with UAC disabled. (And yes, Rmus, I know that AE would also protect against it ) The modified file is NOT in the FF profile, admin rights are required. It's always the same story.

 

The rogue Security Tool installs to LUA/Standard user's files and without a peep from UAC.

Same old story, yep.

 

I'm not quite sure what you are referring to. Anyway - there is user-mode malware but admin rights would still be required to modify that FF file. Besides, I always strongly recommend to implement LUA + SRP/Applocker = game over for any trojan as its installation/execution is simply prohibited.

 

Using Pedro's scenario, it would not, because social engineering tricks would lead the user to grant administrative rights to install a video codec or "update the flash."

That's interesting! Since it's a .js file in the FF directory, I wouldn't think admin rights would be required.

----
rich

 

It seems to be located in C:\Program Files\Mozilla Firefox\components\ Rich, so in normal circumstances, a LUA would not be able to write there.
And the instructions to edit that file were apparently available.
The malware writer probably took it from here:

Hacking Firefox to Always Auto Save Password Without Showing Notification Bar

 

The standard account is still going to reduce the damaging effects considerably (assuming malware installs to user space), and then a firewall controlling outbound comms (yea, the kind that so many say is useless ) will stop dead any keylogger-type comms from sending out. Of course a default-deny setup will render the malware useless unless, of course, the user permits it to install as admin. Sandboxie properly configured will kill it as well.

 

Yes, if you install something with admin rights you're lost.

As already mentioned by Pedro a limited user has no write permission.

 

OK, I was thinking of people (like myself!) who install programs to a different partition.

Those who use LUA must install in Program Files. I see this is good protection indeed!

thanks for the clarification.

----
rich

 

OK, that explains it.

Still some creator/owner issues may exist when and admin user is changed to a LUA user. To be on the safe side, install your OS and create a new LUA account afterwards

 

New holes, old holes...same old...same old...