New Firefox Trojan Spotted

Discussion in 'other security issues & news' started by Daveski17, Oct 11, 2010.

Thread Status:
Not open for further replies.
  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Unfortunately it only mentions what it does once the malware executes, not how it all started. I'm thinking perhaps user double clicks nudepics.exe and then it's pwnage..
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Unfortunately, this is the way it is with most reports of new scary malware.

    Your conclusion is probably the correct one!

    ----
    rich
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    What an idiot, even a Facebook page. Who's "pwned" now? As to someone double-clicking a file called "nudepics.exe", well, they kind of deserve what they get.
     
  5. tlu

    tlu Guest

    This shows again how dangerous it is to work with admin rights or with UAC disabled. (And yes, Rmus, I know that AE would also protect against it;) ) The modified file is NOT in the FF profile, admin rights are required. It's always the same story.
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    The rogue Security Tool installs to LUA/Standard user's files and without a peep from UAC.

    Same old story, yep.
     
  7. tlu

    tlu Guest

    I'm not quite sure what you are referring to. Anyway - there is user-mode malware, but admin rights would still be required to modify that FF file. Besides, I always strongly recommend implementing LUA + SRP/AppLocker = game over for any trojan, as its installation/execution is simply prohibited.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Using Pedro's scenario, it would not, because social engineering tricks would lead the user to grant administrative rights to install a video codec or "update the flash."

    That's interesting! Since it's a .js file in the FF directory, I wouldn't think admin rights would be required.

    ----
    rich
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It seems to be located in C:\Program Files\Mozilla Firefox\components\, Rich, so in normal circumstances a LUA would not be able to write there.
    And the instructions to edit that file were apparently available.
    The malware writer probably took it from here:
    Hacking Firefox to Always Auto Save Password Without Showing Notification Bar
     
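The point Pedro and tlu make is that the modified file lives under the Firefox install directory, which a standard user cannot write to. Added example (not code from the thread or from Mozilla): a small integrity check that baselines the hashes of that directory and reports any file edited in place; the path is the one quoted above, and the demo files are constructed.

```python
# Added example, not code from the thread: baseline the Firefox components
# directory and re-check it so an edit to a shipped .js file is reported.
import hashlib
import tempfile
from pathlib import Path

# Path quoted in the thread; the demo below uses a temporary directory instead.
FIREFOX_COMPONENTS = Path(r"C:\Program Files\Mozilla Firefox\components")

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(directory: Path) -> dict:
    """Map each file under directory (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(directory)): sha256_of(p)
            for p in sorted(directory.rglob("*")) if p.is_file()}

def compare(old: dict, new: dict) -> dict:
    """Report files whose hash changed, plus files added or removed."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }

def demo(workdir=None) -> dict:
    """Constructed scenario: clean directory, then one shipped .js is edited."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(Path(tmp))
    comp = workdir / "components"
    comp.mkdir(parents=True, exist_ok=True)
    (comp / "example.js").write_text("// original shipped file\n")
    (comp / "other.js").write_text("// untouched\n")
    before = baseline(comp)
    # Post-infection state: the shipped script is edited in place.
    (comp / "example.js").write_text("// edited: notification suppressed\n")
    return compare(before, baseline(comp))

if __name__ == "__main__":
    # Real use: baseline(FIREFOX_COMPONENTS) after install, re-run and compare later.
    print(demo())
```

Because a limited user cannot write there, a reported change under Program Files means something ran with admin rights, which is exactly the event worth investigating; keep the stored baseline somewhere a standard user cannot alter.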
  10. wat0114

    wat0114 Guest

    The standard account is still going to reduce the damaging effects considerably (assuming malware installs to user space), and then a firewall controlling outbound comms (yea, the kind that so many say is useless :rolleyes: ) will stop dead any keylogger-type comms from sending out. Of course a default-deny setup will render the malware useless unless, of course, the user permits it to install as admin. Sandboxie properly configured will kill it as well.
     
  11. tlu

    tlu Guest

    Yes, if you install something with admin rights you're lost.

    As already mentioned by Pedro a limited user has no write permission.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, I was thinking of people (like myself!) who install programs to a different partition.

    Those who use LUA must install in Program Files. I see this is good protection indeed!

    Thanks for the clarification.

    ----
    rich
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    OK, that explains it.

    Still, some creator/owner issues may exist when an admin user is changed to a LUA user. To be on the safe side, install your OS and create a new LUA account afterwards.
     
    Last edited: Oct 13, 2010
  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    :rolleyes:
    New holes, old holes...same old...same old...
     