back to article Firefox plug-in Trojan harvests logins

Virus writers have latched onto the popularity of Firefox with a new variant on the established practice of stealing online banking passwords. A password pinching Trojan that poses as a Firefox Plugin is doing the rounds, Romanian security firm BitDefender warns. ChromeInject-A is typically downloaded onto Windows PCs already …

COMMENTS

This topic is closed for new posts.
Silver badge

Covering All Bases and Betting the House 42 Win Win .... Every Time in Every Time Zone

"so the attack is more notable for its novelty than its potency."

It may also be a disarming/disalming stealthy sleeper successfully embedded, John. Future Mission... As Yet Unknown. :-)

A lot has happened since ... “Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.” .... http://nbfs.wordpress.com/2006/11/10/rumsfeldisms/

0
0
Coat

Back to IE then

Just pass me any coat, I have to get out of here quickly before the fanboys turn up

0
0
Coat

Is it this one?

http://www.theregister.co.uk/2008/12/03/microsoft_ooxml_html_firefox_viewer_interoperability/

Okay, okay...

0
0
Anonymous Coward

More of a PEBCAK issue then?

"typically downloaded onto Windows PCs already compromised by other strains of malware"

So, the user has to have already allowed their machine to be compromised before this can happen?

Firefox can't prevent people from being stupid.

0
0

Does not compute

"incidents of the malware are "very low", so the attack is more notable for its novelty than its potency" -

Sorry, those two concepts are not the same thing at all. This malware is in the form of a payload and relies on the PC already being infected with something else to enable it to be installed in the first place, so all that needs to happen is for bigger bot herders to include this code into their bot updates for it to affect more people instantly.

"Potency" is a measure of how much harm the malware can cause - and in this case I would say it could be substantial. It is designed to steal your actual money, and it takes advantage of popular myths that Firefox is somehow "more secure" to lull users into not taking security seriously.

It constantly irritates me that many people dismiss malware victims as being somehow "stupid". Its illuminating that many of these same observers also like to say how proud they are that they do not use anti-malware systems, as though smugness is some sort of ultimate shield.

0
0

@amanfromMars

> Covering All Bases and Betting the House 42 Win Win .... Every Time in Every Time Zone

That would be the House of Representatives, the House of Commons, the House of Windsor, &c &c.

And with those covered, next up all the Houses of Cards, the Houses of the Holy, the house-boys, &c &c.

Wicked's been there and done that, as wicked is.

0
0
Silver badge
Stop

@RMartin

Do you actually *use* Firefox? Firefox contains a built-in security mechanism when it comes to plugins. First off, plugins use a whitelist system; they will *only* be installable from locations you specify (addins.mozilla.org is included by default--but all the addins there are screened before being listed). Furthermore, if an addon isn't signed by Mozilla, it warns that the plugin is unsigned and will force you to sit it out for a few seconds to think about what you're about to do before the Install button becomes available. Indeed, a prompt to install is thrown even *when* the plugin is signed.

0
0
Silver badge

Scrolls at Dawn

"Wicked's been there and done that, as wicked is." .... By Luther Blissett Posted Thursday 4th December 2008 14:15 GMT

I'll look forward to comparing Wicked notes, Luther, there might be something missing or even something extra.

0
0
Gates Horns

Yet another...

Yet another Windows only Firefox plugin.

That sucks...

....wait, what?

0
0

Something more substantial might be required

Like the name of the malicious plugin, or what it's being punted as doing.

0
0
Thumb Down

a WINDOZE firefox trojan, but article doesn't say so.

It installs into Firefox, if you're stupid enough. But without WINDOZE, it can't even run-- the main work is done by the following file,

"%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"

And since it's trying to install into the PROGRAM directory, rather than the user's profile, VISTA provides a bit more protection than XP. But even here at the Reg, the darn article says **NOTHING** about the trojan being viable exclusively on Win32. Could you all PLEASE put this important information in articles like this ???? You go on for 5 paragraphs, and yet never say "WINDOZE".

0
0
Joke

This troyan was made for strenghtening your health

Since Flood IT teaches people to lift arse from da chair& take a walk towards the nearest ATM when a transfer is needed. Get Healthy - March!

0
0
Anonymous Coward

@Rick Stockton

> You go on for 5 paragraphs, and yet never say "WINDOZE".

While I don't read every article I don't think I've seen any writer here uses that term. They probably don't want to appear childish and unoriginal. Change the record, guys. The word plays on MS and Windows got old very quickly and cost you credibility. Why do you think peoples' eyes roll over or glaze when you gimps start on about Linux/Firefox/OpenOffice at every opportunity? Sheesh.

0
0
Anonymous Coward

Somewhat clever

for not needing any security holes to work. Even better would be to make a semi-useful plugin that also contains malicious code. It does what it claims to, so it wouldn't come under immediate suspicion.

In principle, it's a lot like codec trojans, just using a different program.

0
0

@Charles

Yes, do you?

Extensions do *not* have to be signed. Mozilla stipulates only that any updates to extensions need to be secured, and that can be done either via an SSL link or a signed cert. A quick search on the number of unsigned Firefox extensions will provide illuminating results. People use unsigned addons all the time for lots of perfectly good reasons, and the system does not prevent them from doing so - also for perfectly good reasons.

Therefore, when presented with a warning that an extension is unsigned, many people make the perfectly reasonable decision to proceed to install it anyway. In other words, established user behaviour means the warning is not a useful indicator of a possible threat.

The article makes it clear that the malware is downloaded into the extensions folder by another piece of malware all ready to run, so the issue of "you can only download from Mozilla.com" does not apply.

0
0
Anonymous Coward

time for one-time logins

this is the typical use case for services like http://kyps.net

0
0
This topic is closed for new posts.

Forums