back to article Tick-like banking Trojan drills into Firefox, sucks out info

A new banking Trojan is spreading in the UK and the Netherlands, Symantec warns. Neloweg operates much like its more famous cybercrime toolkit predecessor ZeuS, but with a couple of subtle twists. "Like Zeus, Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, …

COMMENTS

This topic is closed for new posts.
  1. James 51 Silver badge

    What about Opera and Opera Mini?

    See title.

    1. Anonymous Coward
      Anonymous Coward

      Re: What about the price of fish?

      Err.. you tell us?

  2. Anonymous Coward
    Anonymous Coward

    At a (wild) guess...

    ... it might be a "xulrunner extension" which acts like a dll of sorts. It's a bit like a plugin only different. Such a thing still generally sits in a file you can delete (along with the easily rebuildable and usually automatically rebuilt module indices) and then it should vanish. Unless the malware has more tricks up its sleeves.

    1. itzman

      Re: At a (wild) guess...

      http://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-4221-99

      ==>

      "This threat may be downloaded through a drive-by download, spam, targeted email, or by other malware.

      When the Trojan is executed, it may drop the following files:

      %ProgramFiles%\Mozilla Firefox\components\nsILego.xpt

      %ProgramFiles%\Mozilla Firefox\components\nsLego.js

      %ProgramFiles%\Mozilla Firefox\error.jar

      %System%\[FILE NAME].dll

      It then deletes the following file:

      %ProgramFiles%\Java\jre6\lib\deploy\jqs\ff\chrome\content\overlay.js

      ....."

  3. boltar Silver badge
    Stop

    Correction - firefox on MS's rubbish OS's

    "In the case of Firefox, the Trojan buries itself, becoming an integral component of the browser on infected machines – rather than a simple extension – a development that makes the Neloweg more stealthy than previous strains of banking malware."

    Not on my linux install it won't. The firefox binary and all its libraries binary are owned by root and don't have write permissions but are run as a local user. Good luck to some malware trying to burrow its way into that.

    1. itzman
      Linux

      Re: Correction - firefox on MS's rubbish OS's

      Indeed:

      "Systems Affected:

      Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000"

      Another blow for penguins!

      1. Mayhem

        Re: Re: Correction - firefox on MS's rubbish OS's

        And Windows 7 / Server 2008 are notable by their absence from that list, which means that MS definitely made the right changes in separating out user & administrator privileges.

        What was more interesting was the targetting of smaller browsers that licence the major engines, so it is a very carefully crafted package.

        1. Jean-Luc Silver badge
          Facepalm

          Re: Re: Re: Correction - firefox on MS's rubbish OS's

          And I wonder whether those Win 7 users are protected if they, like many genius Win 7 reviewers typically recommend, went out of their way to disable Windows UAC (pseudo-Sudo) prompting?

          Seriously, even when Microsoft does something right, some users who should know better (otherwise why be reviewing Win 7 Pro???) manage to aim solidly at their foot.

          All good for the Penguins and Fanbois in this instance, but let's face it: the bad guys are getting smarter.

    2. Piloti
      Linux

      Re: Correction - firefox on MS's rubbish OS's

      How do you do that ?

      Does that mean that everytime you open FF, you need to enter the root password ?

      I use Ubuntu, if that helps.

      P.

      1. Chemist

        Re: Re: Correction - firefox on MS's rubbish OS's

        It goes like this :

        On my system firefox-bin has permissions rwxr-xr-x and the owner is root.

        So only root can change the file but all users can execute it. Hope that helps. No password needed to run Firefox

      2. br0die
        Boffin

        @piloti

        I think what he is saying is the opposite (i.e. standard behaviour with your Ubuntu install):

        Unless you launch Firefox with "sudo firefox", ff is running with user permissions, not root, so it does not have permissions necessary to write.

    3. Mage Silver badge

      Re: Correction - firefox on MS's rubbish OS's

      You are making assumption that the user doesn't install something that carries this.

      Also it uses remote configuration, so likely needs no write access once the user has installed whatever carries it. Assuming it's really a Trojan in original SW sense of the word.

    4. Antony Riley
      Thumb Down

      Re: Correction - firefox on MS's rubbish OS's

      No, it installs in ~/.mozilla, which means no matter your operating system you are still very much vulnerable.

      1. Paul Crawford Silver badge

        @Antony Riley

        The example paths for the stuff dropped were the OS ones, presumably equivalent to /usr/lib/firefox-10.0.2/components/ and similar on my Linux box, and they would need root/sudo to write there.

        Also the symantic text says it is executed, and also changes the registry, so presumably is Windows-specific.

        However, it could as a user program write to the likes of /home/paul/.mozilla/firefox/{random}.default/extensions/{more random}/components but the question is would it be executed? Could it be downloaded with execute permissions, or be a script that Firefox is (incorrectly) running?

      2. Paul RND*1000

        Re: Re: Correction - firefox on MS's rubbish OS's

        I can see how that would be the case for an extension, which could (I assume) be installed per-user without admin privileges.

        For a browser component though? Are those installable at a per-user level at all? Seems like that should be something requiring root privileges. Just curious...

    5. Chemist

      Re: Correction - firefox on MS's rubbish OS's

      @boltar

      Don't know who's downvoting you but they are wrong

      1. Anonymous Coward
        Anonymous Coward

        Re: Correction - firefox on MS's rubbish OSes

        Downvoting because he used an apostrophe to create a plural.

  4. Mage Silver badge

    Missing info

    How is it caught?

    Installing a stupid toolbar?

    A "trojan" suggests that something is installed by the user that has this in it.

    1. Bonce

      Re: Missing info

      And how is it cured?

  5. peredur
    FAIL

    And it is spread, how, exactly?

    An article with zero useful information. It would have been nice to know:

    * How does a machine become infected? Visit a malicious site? Or what?

    * How does the trojan get installed? Does the user have to agree to run a program? What permissions does the trojan require (ordinary user? root?)

    * What operating systems are affected?

    * What do you do to protect yourself?

    All the article does is to tell us the sky if falling in. Well thanks.

    Cheers

    Peter

    1. diodesign (Written by Reg staff) Silver badge

      Re: And it is spread, how, exactly?

      Mostly valid points - I've added an extra line and a link. To protect against infection or to remove it, consult your favourite AV brand.

      C.

      1. peredur

        Re: Re: And it is spread, how, exactly?

        Thank you.

        From what you say ("It tricks Windows users") and from the link (all Windows-specific stuff), it seems as though my Ubuntu install is not under any immediate threat.

        Cheers

        Peter

  6. Anonymous Coward
    Anonymous Coward

    internet banking

    utter madness.

    1. Anonymous Coward
      Anonymous Coward

      So you're the man in the queue

      Trying to pay £100 in half crowns into your account?

    2. Maty

      Re: internet banking

      Internet banking: sometimes it makes sense.

      Here in Canada, my bank is a half-kilometer down a twisty ice covered road - that is, the bank is 10km away and 1/2km lower down the mountain.

      Driving there every time I want to do some basic banking would be utter madness.

  7. Anonymous Coward
    Anonymous Coward

    Cue Firefox version 40...

    Though they're probably added the initial fix in version 30 at my time of writing ;)

  8. Anonymous Coward
    Anonymous Coward

    This is the reason...

    Why having a challenge/response security is very important with online banking.

    One of the banks which got involved into all this is the Rabobank in the Netherlands. That is; they got mentioned in the Dutch newspapers, but it was immediately stated that the same problems applied to others (ING for example).

    However; Rabo generates a challenge based on the amount you're transferring. That challenge is then used to create (one or more) response value(s) which are then used to authorize the transfer. In other words: if you pay careful attention to what you're signing off to then you /will/ notice that something is going wrong.

    Another issue to keep in mind: this is also a good reason to keep all your important software located on your C (Windows system drive), esp. when using Vista or Windows 7. For example; as can be read on the URL shown in the article; one of the locations this trojan tries to attack is %Program Files%\Mozilla FireFox\ (adding stuff like error.jar, components\nsLego.js, etc).

    However; accessing %Program Files% on your system partition will require a raised environment (administrative access). On my Windows 7 this would trigger a password prompt, on others it would trigger an UAC confirmation. Either way; you would get alerted as to what is going on.

    So my suggestion is; even if you have 2 partitions (system & data, a common way for Windows computers to be setup) then always try to install important software onto C and the rest onto other locations.

    1. SYNTAX__ERROR
      Thumb Down

      Re: This is the reason...

      %Program Files% is simply a variable that contains the path to your Program Files folder. It does not matter on which partition you have configured that folder to reside. The folder will have the same permissions regardless of where it is located.

      Even if you chose to install programs in a custom folder there is no reason why it could not be given the same ACL.

      Non-useful advice. I have machines that don't even have a C: drive.

  9. the old rang
    Thumb Down

    This is a MICROSOFT PROBLEM

    This is a MICROSOFT PROBLEM Affecting several browsers, especially including INTERNET EXPLORE (ie: IE) and also, Chrome/Chromium, as well as Firefox...

    But, in typical reporting for diners at the Redmond lunch wagon, the blaring headline ONLY targets Firefox, for a MICROSOFT WINDOWS PROBLEM...

    I bet you also tell how Bill Gates is pushing raising the price of Gas/Petrol for the saviour of the economy, Obama... NOT

    1. Bjorg
      Trollface

      Re: This is a MICROSOFT PROBLEM

      The headline targets Firefox because it's the worst offender. And like most malware, it's not an OS or application problem, it's a user problem. If you're stupid enough to install every bit of malware that asks you politely, then you deserve to get your banking details stolen. I... don't even know why I'm responding to this. Slow day at work, I guess. Next time don't tie it back into your political views and you won't be such an obvious troll. And don't use caps lock so much. And spell a majority of your words correctly. And oh my god I should have been an English teacher just so I could fail kids like you over and over again.

      1. the old rang
        Happy

        Re: Re: This is a MICROSOFT PROBLEM

        I apologize. I detected, in the article, specific mention that the problem was MICROSOFT software (only identified after the headline... so, you may have missed it.

        And, no, I avoid using software, as pitiful as you have described...

        I use No Windows malware. Dumped it years ago. I am moving into much more secure software, run by groups not selling or outright giving away personal info to the 'government ins' for political paybacks.

        I usually avoid Microsoft hot-heads... could not resist, this time.

        The black-hats still consider Windows/etc. easy pickings`.....

        Not as bad as what Redmond does to you, but, easy

    2. Anonymous Coward
      Windows

      Re: This is a MICROSOFT PROBLEM

      Well, there is also an easy MS solution for it. MSIE has the 'InPrivate mode' which basically tells it not to load nor activate any extensions and it won't store any internet data (cookies, temporary files, etc.).

      Bottom line; if you use this mode to do online banking then trojans like these stand no chance because they don't get activated in the first place.

      1. the old rang

        Re: Re: This is a MICROSOFT PROBLEM

        I see it is imitating Firefox again (and google, sort of)

        I gave you a thumbs up for using your head and giving sound advice.

        I still no longer use Microsoft, malware.

  10. Anonymous Coward
    Anonymous Coward

    Windows trojan drills into multiple browsers on Windows only platform

    Windows only and you need to enter the ADMIN password to get it to run.

  11. Lars Silver badge
    Coat

    Trojan drills into Firefox

    Yes, it would be nice if the header would always tell what OS is affected like "Trojan drills into Firefox for Windows" or "Trojan drills into Firefox for Linux" and so on.

    Over the years Microsoft has managed to paint viruses and trojans etc. as an "act of god" where Microsoft is totally innocent and so blamelessly keen and able to run to our rescue fast as hell.

    1. Lars Silver badge
      Coat

      Re: Trojan drills into Firefox

      And, of course, I forgot to mention the illusion that Ballmer has started to throw chairs in the face of the "act of god" and Gates has left the golf court in a hurry shouting about trusted computing and temporally leaving all the starving children to moot this "act of god" for our benefit.

  12. T J
    WTF?

    There are people who still use Windows?

    What are they, Amish or Menonite or something?

    1. boond0x
      Coffee/keyboard

      Re: There are people who still use Windows?

      Yes, except that they belong to the special, exclusive sect called "almost every major corporation in existence today."

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019