What about Opera and Opera Mini?
See title.
A new banking Trojan is spreading in the UK and the Netherlands, Symantec warns. Neloweg operates much like its more famous cybercrime toolkit predecessor ZeuS, but with a couple of subtle twists. "Like Zeus, Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, …
... it might be a "xulrunner extension" which acts like a dll of sorts. It's a bit like a plugin only different. Such a thing still generally sits in a file you can delete (along with the easily rebuildable and usually automatically rebuilt module indices) and then it should vanish. Unless the malware has more tricks up its sleeve.
http://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-4221-99
==>
"This threat may be downloaded through a drive-by download, spam, targeted email, or by other malware.
When the Trojan is executed, it may drop the following files:
%ProgramFiles%\Mozilla Firefox\components\nsILego.xpt
%ProgramFiles%\Mozilla Firefox\components\nsLego.js
%ProgramFiles%\Mozilla Firefox\error.jar
%System%\[FILE NAME].dll
It then deletes the following file:
%ProgramFiles%\Java\jre6\lib\deploy\jqs\ff\chrome\content\overlay.js
....."
"In the case of Firefox, the Trojan buries itself, becoming an integral component of the browser on infected machines – rather than a simple extension – a development that makes the Neloweg more stealthy than previous strains of banking malware."
Not on my Linux install it won't. The Firefox binary and all its library binaries are owned by root and don't have write permissions but are run as a local user. Good luck to some malware trying to burrow its way into that.
And Windows 7 / Server 2008 are notable by their absence from that list, which means that MS definitely made the right changes in separating out user & administrator privileges.
What was more interesting was the targeting of smaller browsers that license the major engines, so it is a very carefully crafted package.
And I wonder whether those Win 7 users are protected if they, like many genius Win 7 reviewers typically recommend, went out of their way to disable Windows UAC (pseudo-Sudo) prompting?
Seriously, even when Microsoft does something right, some users who should know better (otherwise why be reviewing Win 7 Pro???) manage to aim solidly at their foot.
All good for the Penguins and Fanbois in this instance, but let's face it: the bad guys are getting smarter.
You are making the assumption that the user doesn't install something that carries this.
Also it uses remote configuration, so likely needs no write access once the user has installed whatever carries it. Assuming it's really a Trojan in original SW sense of the word.
The example paths for the stuff dropped were the OS ones, presumably equivalent to /usr/lib/firefox-10.0.2/components/ and similar on my Linux box, and they would need root/sudo to write there.
Also the Symantec text says it is executed, and also changes the registry, so presumably is Windows-specific.
However, it could as a user program write to the likes of /home/paul/.mozilla/firefox/{random}.default/extensions/{more random}/components but the question is would it be executed? Could it be downloaded with execute permissions, or be a script that Firefox is (incorrectly) running?
I can see how that would be the case for an extension, which could (I assume) be installed per-user without admin privileges.
For a browser component though? Are those installable at a per-user level at all? Seems like that should be something requiring root privileges. Just curious...
An article with zero useful information. It would have been nice to know:
* How does a machine become infected? Visit a malicious site? Or what?
* How does the trojan get installed? Does the user have to agree to run a program? What permissions does the trojan require (ordinary user? root?)
* What operating systems are affected?
* What do you do to protect yourself?
All the article does is to tell us the sky is falling in. Well thanks.
Cheers
Peter
Why having challenge/response security is very important with online banking.
One of the banks which got involved in all this is the Rabobank in the Netherlands. That is, they got mentioned in the Dutch newspapers, but it was immediately stated that the same problems applied to others (ING for example).
However; Rabo generates a challenge based on the amount you're transferring. That challenge is then used to create (one or more) response value(s) which are then used to authorize the transfer. In other words: if you pay careful attention to what you're signing off to then you /will/ notice that something is going wrong.
Another issue to keep in mind: this is also a good reason to keep all your important software located on your C (Windows system drive), esp. when using Vista or Windows 7. For example; as can be read on the URL shown in the article; one of the locations this trojan tries to attack is %Program Files%\Mozilla Firefox\ (adding stuff like error.jar, components\nsLego.js, etc).
However; accessing %Program Files% on your system partition will require a raised environment (administrative access). On my Windows 7 this would trigger a password prompt, on others it would trigger a UAC confirmation. Either way; you would get alerted as to what is going on.
So my suggestion is; even if you have 2 partitions (system & data, a common way for Windows computers to be set up) then always try to install important software onto C and the rest onto other locations.
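A simplified model of the amount-bound challenge/response the comment above describes; this is an added, constructed example, not Rabobank's actual protocol or code. It assumes a reader that signs the bank's challenge together with the amount the user types into it, and shows the bank rejecting a transfer whose amount was altered in the browser after the user signed.

```python
"""Constructed model of transaction-bound challenge/response signing."""
import hashlib
import hmac
import secrets


def reader_response(token_secret: bytes, challenge: str, amount_cents: int) -> str:
    """The user's reader signs the challenge together with the amount the
    user types into it, so the response is only valid for that amount."""
    msg = f"{challenge}|{amount_cents}".encode()
    return hmac.new(token_secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self):
        self.tokens = {}   # user -> token secret shared at enrolment
        self.pending = {}  # challenge -> (user, amount the bank will execute)

    def enrol(self, user: str, token_secret: bytes) -> None:
        self.tokens[user] = token_secret

    def start_transfer(self, user: str, amount_cents: int) -> str:
        """Receives the amount as sent by the browser, which a
        man-in-the-browser Trojan may already have altered."""
        challenge = secrets.token_hex(4)
        self.pending[challenge] = (user, amount_cents)
        return challenge

    def confirm_transfer(self, challenge: str, response: str) -> bool:
        """Accept only if the response covers the amount the bank is about
        to execute, not merely the challenge string."""
        user, amount_cents = self.pending.pop(challenge)
        expected = reader_response(self.tokens[user], challenge, amount_cents)
        return hmac.compare_digest(expected, response)


def run_transfer(bank: Bank, user: str, token_secret: bytes,
                 intended_cents: int, submitted_cents: int) -> bool:
    """intended_cents: what the user meant to pay and types into the reader.
    submitted_cents: what the browser sent the bank (equal when untampered)."""
    challenge = bank.start_transfer(user, submitted_cents)
    response = reader_response(token_secret, challenge, intended_cents)
    return bank.confirm_transfer(challenge, response)


def demo():
    bank = Bank()
    secret = secrets.token_bytes(16)
    bank.enrol("alice", secret)
    honest = run_transfer(bank, "alice", secret, 1250, 1250)      # accepted
    tampered = run_transfer(bank, "alice", secret, 1250, 999900)  # rejected
    return honest, tampered
```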
%Program Files% is simply a variable that contains the path to your Program Files folder. It does not matter on which partition you have configured that folder to reside. The folder will have the same permissions regardless of where it is located.
Even if you chose to install programs in a custom folder there is no reason why it could not be given the same ACL.
Non-useful advice. I have machines that don't even have a C: drive.
This is a MICROSOFT PROBLEM affecting several browsers, especially including INTERNET EXPLORER (ie: IE) and also Chrome/Chromium, as well as Firefox...
But, in typical reporting for diners at the Redmond lunch wagon, the blaring headline ONLY targets Firefox, for a MICROSOFT WINDOWS PROBLEM...
I bet you also tell how Bill Gates is pushing raising the price of Gas/Petrol for the saviour of the economy, Obama... NOT
The headline targets Firefox because it's the worst offender. And like most malware, it's not an OS or application problem, it's a user problem. If you're stupid enough to install every bit of malware that asks you politely, then you deserve to get your banking details stolen. I... don't even know why I'm responding to this. Slow day at work, I guess. Next time don't tie it back into your political views and you won't be such an obvious troll. And don't use caps lock so much. And spell a majority of your words correctly. And oh my god I should have been an English teacher just so I could fail kids like you over and over again.
I apologize. I detected, in the article, specific mention that the problem was MICROSOFT software (only identified after the headline... so, you may have missed it).
And, no, I avoid using software, as pitiful as you have described...
I use No Windows malware. Dumped it years ago. I am moving into much more secure software, run by groups not selling or outright giving away personal info to the 'government ins' for political paybacks.
I usually avoid Microsoft hot-heads... could not resist, this time.
The black-hats still consider Windows/etc. easy pickings...
Not as bad as what Redmond does to you, but, easy
Well, there is also an easy MS solution for it. MSIE has the 'InPrivate mode' which basically tells it not to load nor activate any extensions and it won't store any internet data (cookies, temporary files, etc.).
Bottom line; if you use this mode to do online banking then trojans like these stand no chance because they don't get activated in the first place.
Yes, it would be nice if the header would always tell what OS is affected like "Trojan drills into Firefox for Windows" or "Trojan drills into Firefox for Linux" and so on.
Over the years Microsoft has managed to paint viruses and trojans etc. as an "act of god" where Microsoft is totally innocent and so blamelessly keen and able to run to our rescue fast as hell.
And, of course, I forgot to mention the illusion that Ballmer has started to throw chairs in the face of the "act of god" and Gates has left the golf course in a hurry shouting about trusted computing and temporarily leaving all the starving children to moot this "act of god" for our benefit.