"so the attack is more notable for its novelty than its potency."

It may also be a disarming/disalming stealthy sleeper successfully embedded, John. Future Mission... As Yet Unknown. :-)

A lot has happened since ... “Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.” .... http://nbfs.wordpress.com/2006/11/10/rumsfeldisms/

"typically downloaded onto Windows PCs already compromised by other strains of malware"

So, the user has to have already allowed their machine to be compromised before this can happen?

Firefox can't prevent people from being stupid.

"incidents of the malware are "very low", so the attack is more notable for its novelty than its potency" -

Sorry, those two concepts are not the same thing at all. This malware is in the form of a payload and relies on the PC already being infected with something else to enable it to be installed in the first place, so all that needs to happen is for bigger bot herders to include this code into their bot updates for it to affect more people instantly.

"Potency" is a measure of how much harm the malware can cause - and in this case I would say it could be substantial. It is designed to steal your actual money, and it takes advantage of popular myths that Firefox is somehow "more secure" to lull users into not taking security seriously.

It constantly irritates me that many people dismiss malware victims as being somehow "stupid". Its illuminating that many of these same observers also like to say how proud they are that they do not use anti-malware systems, as though smugness is some sort of ultimate shield.

> Covering All Bases and Betting the House 42 Win Win .... Every Time in Every Time Zone

That would be the House of Representatives, the House of Commons, the House of Windsor, &c &c.

And with those covered, next up all the Houses of Cards, the Houses of the Holy, the house-boys, &c &c.

Wicked's been there and done that, as wicked is.

"Wicked's been there and done that, as wicked is." .... By Luther Blissett Posted Thursday 4th December 2008 14:15 GMT

I'll look forward to comparing Wicked notes, Luther, there might be something missing or even something extra.

Like the name of the malicious plugin, or what it's being punted as doing.

> You go on for 5 paragraphs, and yet never say "WINDOZE".

While I don't read every article I don't think I've seen any writer here uses that term. They probably don't want to appear childish and unoriginal. Change the record, guys. The word plays on MS and Windows got old very quickly and cost you credibility. Why do you think peoples' eyes roll over or glaze when you gimps start on about Linux/Firefox/OpenOffice at every opportunity? Sheesh.

for not needing any security holes to work. Even better would be to make a semi-useful plugin that also contains malicious code. It does what it claims to, so it wouldn't come under immediate suspicion.

In principle, it's a lot like codec trojans, just using a different program.

Yes, do you?

Extensions do *not* have to be signed. Mozilla stipulates only that any updates to extensions need to be secured, and that can be done either via an SSL link or a signed cert. A quick search on the number of unsigned Firefox extensions will provide illuminating results. People use unsigned addons all the time for lots of perfectly good reasons, and the system does not prevent them from doing so - also for perfectly good reasons.

Therefore, when presented with a warning that an extension is unsigned, many people make the perfectly reasonable decision to proceed to install it anyway. In other words, established user behaviour means the warning is not a useful indicator of a possible threat.

The article makes it clear that the malware is downloaded into the extensions folder by another piece of malware all ready to run, so the issue of "you can only download from Mozilla.com" does not apply.

this is the typical use case for services like http://kyps.net