Trojan Spoofs Firefox Extension, Steals IDs

Then to get rid of it since it would be in the extension folder would you just have to manually delete the file from the folder? I'm sorry if this is jsut a dumb idea. I'm not very computer smart.

 

This article from mozillaZine explains what you have to do to get this on your system and it's quite a lot of work.

http://www.mozillazine.org

Lamehand

 

No you don't. It can infect your machine if you haven't patched IE against the VBS/Psyme vulnerability (which is unlikely to be a problem for anyone on here) as a Drive By installation as mentioned by previous posters earlier in this thread.

There seams to be a lot of hostility to this story (not referring to any individual but just to some responses I have read around the net) and I suspect it indicates that some people have a huge emotional attachment to Firefox. I would like to see a trust certificate model in Firefox with checks against a banned list of extensions on loading an extension to make this sort of disruption more difficult. Hence my comment about the "security model".

This "extension" is interesting as it uses an old exploit to knobble a browser that users are often very trusting of. I for one do all my financial transactions in Firefox and not in IE and I suspect I am not alone in this (for those whose banks don't use ActiveX).

Fairy

 

Hello,

You need to do at least 2 deliberate steps to get infected.

To some of your points:

1. .... haven't patched IE ... - says everything.

2. Hostility - trying to present Firefox as a security liability just so the "experts" can say "Firefox is as vulnerable as IE" or "it has had as many vulnerabilities as IE" or "this only ever happened in IE but can also happen in Firefox" truly sincerely piss me off.

Such statements are:

Inaccurate
intented to monger fear
Aggressive marketing

Firefox does not need certificate against a user being a moron. As to certificates, for 600 dollars, ANYONE can buy a certificate.

For that matter, the exploit could just invisibly patched Firefox executable. And then what? You would still be infected and not even know it.

As to Firefox vulnerabilities, people only talk, "experts" only talk. I want one demonstration with screenshots or even a movie showing how you get hit by a drive-by-download in Firefox. No one has ever even remotely hinted at such a demonstration. Something like:

Here, I go to this site:
screenshot

I move my mouse cursor about:
screenshot

I exit the site and I'm infected:
screenshot

Here are the infections (HJT, startup etc):
screenshots

Once someone shows me a live example of Firefox actually doing something bad, I'll stop being annoyed by stupid stories.

Mrk

 

I haven't said "Firefox is as vulnerable as IE" or any of your other quotes and neither have the experts that you refer to. I really don't understand the anger/hostility being expressed here. Nobody is insulting peoples mothers here! All that has happened is that a couple of peices of malware have collaborated to produce a nasty that targets Firefox (via IE). Many users seam to be in denial and don't want to have any bad publicity about their browser even when the publicity is factual.

The unsigned Extensions in Firefox remain a weakness. It doesn't make it a bad browser (it's my browser of choice). However this is a sign that Firefox is now a target for malware authors and that the community is reacting in a "head in the sand" manner.

Fairy

 

This trojan could have targeted Firefox no matter the extensions being signed or not, that's the point. If you let it overwrite files in the Firefox directory, it can do whatever it wants with the executable or dlls, so the fact that it created an extension to do its evil deed is completely irrelevant. It could have done ANYTHING.

Other than that, there is "signed" ActiveX malware (look up for the Carima trojan-dialers for an example).

I'm all for "signed" extensions, but this trojan's method nothing to do with a Firefox "vulnerability". All a signature does for an extension is verifying that the extension has not been tampered with after it was put on the distributing site. All it does is tell you that the distributing site was not compromised, but it doesn't verify that it's not malware, nor absolutely it makes Firefox "uncorruptable" by trojans.

 

Indeed. It is a fact that for some time now, more vulnerabilities have been discovered in FF than in IE. Sure, that doesn't make it a 'bad' browser - it is good for a number of reasons, as is IE (irrespective of certain people being completely unable to accept this). Then again, you can't argue with zealots, because only they are 'right', only they know the 'facts'. Of course, that is wrong, and all but the zealots know that.

 

If you have to be using an unpatched vulnerable version of IE to get hit with a drive by download (whose payload then delivers into a FF directory), then that is a drive by download caused by a vulnerability in IE not FF.

Signed extensions sound good, but they should be free. Otherwise, it will stifle creativity in the extension community.
And it seems that signed extensions wouldn't really protect you from this type of attack vector (executing an attachment). User education about not running email attacments would do the most good here.

 

"Zealots"? Don't make me laugh. I do not even think Firefox implements an acceptable security model for a complex application like a modern web browser, that's why I always run it sandboxed.

What you fail to understand is a basic security concept, as in "a trojan can replace any file it has permissions to write to". To claim an application is vulnerable because a trojan that already got complete access to the system can write to its binaries is laughable. Simple as that.

It is utterly, completely obvious that if Firefox used signed extensions the malware authors would have modeled the trojan to target Firefox on something else (you think compromising it's "signature verification" routines couldn't have been done? Why?). To claim that Firefox is vulnerable because it can be compromised by a trojan running already on the system is like saying an application is vulnerable because I can go and delete it. It's absolute nonsense.

 

Hello,
Like I said 655 times till now: Please someone show me how you get infected through Firefox - by a drive-by-download thingie. Could someone please demonstrate this and shatter my bubble? Please, someone create a short article with 4-5 screenies, showing this procedure - you visit a site, you get infected. Could someone please convince me that I'm wrong?
Mrk

 

Later development I think. But again this is a IE flaw, not a firefox flaw. Using that vulnerability, it can pretty much target anyway it wants anyway and do anything it wants anyway. It doesn't have to use firefox.

Altough I agree with you that this sometimes happens, this is not the case here.

We are talking about a method of infection that depends on user error (choosing to run the attachment yourself) and/or vulnerabilities in another product (in IE to be exact!) after which the malware can do as it pleases.

It's fairly unique in that it choose to target firefox, but it can easily attack any other target. Given that the problem stems not from firefox vulnerabilities, there isn't much firefox can do.

This unfortunately doesn't help much not against the type of attack we are talking about. I can't see why the malware added cannot be signed , after all anyone can write an extension and sign it.

That's assuming the trojan doesn't just directly patch the exe and dlls to bypass the signature checking.