Trojan Spoofs Firefox Extension, Steals IDs

Discussion in 'other security issues & news' started by ronjor, Jul 25, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    Article
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So use Opera!
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    But this basically means that there is a serious flaw in the extensions security model, correct? I mean how the heck can a site install an extension without a popup getting displayed? o_O
    I also think that FF should encourage people to only download extensions form their site, I suppose they have checked out all the extensions to see if they do not contain any malicious stuff or anything.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    So to get infected, you need to:
    Open a bogus mail.
    Open a bogus attachment.
    Install an extension and not worry that you install an extension that was downloaded NOT from the official site, but if you open strange mails and attachments, you definitely would not bother about something as inconsequential as the validity of the source.
    Wow, that's quite a lot stupidity needed.
    Mrk
     
  5. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Id switch tomorrow if only roboform was compatible with it.
    ellison
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It was not needed in that case. It installed without user intevention.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan

    It is same as drive by download I think.
    Even rootkits can be installed just by visiting a malicious site without any intervention, i remember ur thread.
     
  8. dog

    dog Guest

    aigle re-read the article ... you need to excute the email attachment. ;)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Always u get something and at the same time u loose some.
    Opera as a form filling option that is too premature.
    I have added "open in FF" button to my opera, so if I need something like this, I just open FF at that time via opera but Opera is main browser.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Sorry I thought it was not the case. Infact I had read it in hurry!
    thanks for correction.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    HI Dog I meant this.

    "Normally, Firefox extensions -- which in Windows have the .xpi file extension -- display a confirmation dialog that the user must acknowledge before the add-on installs. The bogus Numberedlinks, however, skips that."
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    So what? It writes directly to the Firefox directory, IF YOU DOWNLOAD IT AND EXECUTE it. This is a completely different thing from drive-by-download.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Agree.
     
  14. A1SteakSauce

    A1SteakSauce Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    88
    Wow... And I thought you had to click "Install" to put an extension on Firefox. I like Firefox more than Opera because it is open source but if Firefox wasn't open source I would ditch it for Opera right away.
     
  15. dog

    dog Guest

    I'd guess it bypass the whole install routine because the excutable is dropping the package in the firefox doc/user folder ... I doubt FF needs to be open, nor is it required to run thru the regular install routine. Like already stated ... you need to be gullible to fall for this (ie. running an exe attachment).
     
  16. A1SteakSauce

    A1SteakSauce Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    88
    Ah... I see now. So it puts itself in the extensions folder. OK. That clears that up.
     
  17. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    I think this makes the security model pretty weak!
     
  18. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Agreed, it seems highly unlikely that anyone will actually get this trojan into their system unless they really want to have it in there for some reason.
     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    "The security model"!?!? :rolleyes:

    Once you have executed the trojan on your machine it can do whatever it wants. Even if Firefox required that the extensions had been digitally signed to work, the trojan could have patched the Firefox executable so that the signature always matches anyway. It's ridiculous to think this is a Firefox flaw.
     
  20. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I have to agree with TNT. If you choose to run an exe, it can freely replace any legimate file with a copy of itself, and you are dead unless you have some sort of system for checking legimate files (not just exes) like windows file protectiono_O (assuming it doesn't just work around it).

    With a bit more work, the attacker could have just replace the whole firefox.exe file with a trojanised copy, but that would be less stealthy then adding an extension.

    Still I suppose the same 'trick' can work with IE, to install BHOs,activex controls and whatnot right?
     
  21. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    Actually, there is every reason to consider this a Firefox flaw. Firefox employs a plugin architecture that can (obviously) be abused. While I agree that it takes manual action to have the trojan installer run in the first place, what it then does is to exploit an identified weakness in Firefox.

    I wonder, if the same technique was used to install an ActiveX control in IE, whether you would rush to claim it was not an IE flaw. I suspect not.
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    You double-click on an installer. It installs. What has this got to do with Firefox? ActiveX install THROUGH IE / Explorer. This Trojan installs from your MAIL ATTACHMENT. For that matter, this trojan can change your desktop, change your theme or change your favorites. Once you execute a file of your computer ...
    It did not install THROUGH Firefox while you were browsing a site in Firefox. It did not download itself and install itself by visiting a site. That's why it has nothing to do with Firefox.
    As to what can be abused - what cannot be abused when the user is stupid enough to open a strange mail & run a strange .exe attachment. Like asking what bullet-proof vest is good enough for someone: who picks a gun off the street and checks if it's loaded by aiming the barrel into his eye socket and pulling the trigger.
    Placing the "extension" is a nice way of diverting the attention to the presence of the trojan from the obvious locations like startup or such. Nothing more. It could also have been an add-on to your favorite p2p or a widget for Opera.
    Mrk
     
  23. dog

    dog Guest

    - 2 OT posts removed -
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No, there isn't.

    How? By running a trojan?
    What weakness? If a malware is running on a computer with the privileges to write to a directory, it can do ANYTHING it wants with the files in that directory. What would you do to prevent this? Execute plugins only if they're "trusted"? The malware could then replace the executable so that it runs plugins even if they're not trusted. That's not a security flaw in a program, it's a basic filesystem permission concept: if a trojan can write to a directory, there is nothing that prevents it from exploiting the programs in it. This applies to every program in existence, not just to Firefox.
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Exactly.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.