The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Firefox users targeted by rare piece of malware

    Discussion in 'Windows OS and Software' started by grasshopper, Dec 5, 2008.

  1. grasshopper

    grasshopper Notebook Consultant

    http://www.infoworld.com/article/08/12/04/Firefox_users_targeted_by_rare_piece_of_malware_1.html

    Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

    The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A" sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

    The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

    Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.

    Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

    When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

    BitDefender has updated its products to detect it, and other vendors will likely follow suit quickly, Canja said. Users could avoid it by only downloading signed, verified software, but that's a measure that restricts the usability of a PC, he said.

    The malware is not present in Mozilla's repository of add-ons, Canja said. Mozilla had taken steps to ensure that its official site hosting add-ons -- also called extensions -- are free from malware.

    In May, Mozilla acknowledged that the Vietnamese language pack for Firefox contained a bit of unwanted code. Although widely reported as a virus, the language actually contained a line of HTML code that would cause users to view unwanted advertisements.

    Mozilla now scans new add-ons for malware. However, those scans will only detect known threats, and there was no signature in the security software Mozilla was using at the time that could detect the code.

    Mozilla said the code probably ended up in the language pack after the PC of its developer became infected. More than 16,000 people downloaded the language pack, but only about 1,000 people regularly use it.

    After the incident, Mozilla said it would scan add-ons in its repository when antivirus signatures were updated.
     
  2. qhn

    qhn Notebook User

    This ^^^^^^^^ can affect any user, any browser, at any time. Surf safely and sensibly, no matter what browser one uses.

    cheers ...
     
  3. Silas Awaketh

    Silas Awaketh Notebook Deity

    Except, no other browser has an extension called "Greasemonkey".
     
  4. TheArnski

    TheArnski Notebook Evangelist

    hmmmmm interesting...

    Do you think they are only targeting banking accounts?

    I know this has no relation to gaming, but yesterday, my WoW account was mysteriously hacked into. I took the appropriate measures, changed my password, emailed Blizz, sent an ingame ticket, ran virus scanners, etc.

    I take extreme care when clicking on outside links and I only go on websites I know have been tested, tried, and true. I also haven't downloaded anything of recent.

    but thanks for this useful info! When I get home, I'm going to check all our computers for that "greasemonkey" extension and run virus/malware scanners one more time.
     
  5. Shaythong

    Shaythong Notebook Evangelist

    So if I'm using Greasemonkey for the Download Youtube Videos as MP4 option, I'm in danger?
     
  6. Silas Awaketh

    Silas Awaketh Notebook Deity

    Maybe. No better time to try out the latest stable build of Opera (9.62).
     
  7. ArmageddonAsh

    ArmageddonAsh Mangekyo Sharingan

    I'm running an AVG virus scan, then I'm going to follow this by running Windows Defender.
     
  8. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    If you have GreaseMonkey you are most likely OK; the danger would be if you do not have GreaseMonkey installed yet it shows up in the list of installed add-on extensions.

    This malware apparently tries to hide itself by pretending to be GreaseMonkey.

    Another good reason to run NoScript.
    And regardless of which browser(s) you do use, take steps to secure the browser(s).
     
  9. acruxksa

    acruxksa Notebook Consultant

    Scary one here. I would point out that some banks have very good authentication measures in place that help prevent this. I use BofA and when I want to log in on a new computer they text a pin number to my cellphone and I have to enter this as well as complete the other standard security questions. With PayPal and WoW I have security keys, meaning that my password (or at least a portion of it) is different every time. I highly recommend anyone who uses online banking frequently look into these additional security measures. I've had the PayPal security key for about a year now and am very happy with the extra security it offers. My WoW account was hacked last year and frozen; I regained control and changed my password, but still didn't feel very safe. When they began offering a security key I ordered one immediately. The best system by far is BofA's text messaging system to your phone. It's simple and effective.

    Both of these options (the security key and text message) mean that the hacker would have to have your password AND the security key or your cellphone. It's possible, but not very likely. There are ways around this, but it requires the hacker enter more information and makes it a little harder than simply entering a password.
     
  10. ArmageddonAsh

    ArmageddonAsh Mangekyo Sharingan

    I don't have GreaseMonkey installed. How do I check if this malware is on my computer? Running AVG as we speak, which has already found one danger. I use PayPal. How do I keep my details and everything safe? Of course I don't tell anyone the password and I never use remember password, but what else can I do to keep things safe?
     
  11. acruxksa

    acruxksa Notebook Consultant

    Get the PayPal security key. When I signed up for it, it was a beta test, but I don't know if it's still in beta or not. Basically you pay shipping (5 or 6$) and they send you a small key that generates a different 6 digit number every 30 seconds. This key is registered on their server and it knows what number should appear, so when you log in, you enter your password followed by the 6 digit number that's generated on the security key. Since eBay bought out PayPal, the security key also works for eBay. WoW's security key is nearly identical.
     
  12. ArmageddonAsh

    ArmageddonAsh Mangekyo Sharingan

    Any other way? As I don't use PayPal very often. Is that 6$ a month?
     
  13. acruxksa

    acruxksa Notebook Consultant

    You only pay once for the key. No cost after that. It could be a little more expensive now, but basically PayPal gave me the key for free and I just had to pay for shipping. No monthly costs involved.

    I guess it's actually 5$. Here's the link.

    https://www.paypal.com/cgi-bin/webs...iven/securitycenter/PayPalSecurityKey-outside

    It looks like they've got the mobile SMS authentication now also, so you could set that up at no charge if you can receive text messages on your cellphone. I HIGHLY recommend anyone who has the option of using these extra measures take advantage of them.
     
  14. THAANSA3

    THAANSA3 Exit Stage Left

    Actually, I'm wondering the same thing. Can anyone help me out?
     
  15. Silas Awaketh

    Silas Awaketh Notebook Deity

    Does Greasemonkey show up in your list of little Firefox plugins? If yes, then you've got this malware, if not, then you're ok.

    One of the biggest reasons not to use Firefox IMVHO, is plugins. It leaves the browser open to attacks. Opera has everything you need built in.
     
  16. Leon

    Leon Notebook Deity

    Wow. Will this affect us Chrome users? :)
     
  17. ArmageddonAsh

    ArmageddonAsh Mangekyo Sharingan

    Ah, it seems I don't have it then. I've never used Opera, might have to have a look at it.
     
  18. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    If you installed GreaseMonkey yourself it will be there legitimately. If you did not install GreaseMonkey yet it shows up in your list of installed Firefox add-on extensions, then that is a problem.
    Not in my opinion or experience; Opera is missing quite a bit. Still, I do have Opera and Firefox both installed currently.
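
The check described in the posts above (an add-on you never installed showing up in the list), as an added example that is not part of the original thread. It assumes the `extensions.json` inventory kept in a current Firefox profile, which postdates this 2008 discussion; the sample data, the add-on IDs and the `audit_addons` helper are constructed for illustration.

```python
import json

# Locations used for add-ons that ship with the browser itself.
SHIPPED_LOCATIONS = {"app-builtin", "app-system-defaults"}

# Constructed sample in the shape of a profile's extensions.json.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "noscript@example.invalid",
     "defaultLocale": {"name": "NoScript"},
     "location": "app-profile", "active": True, "foreignInstall": False},
    {"id": "dropped-by-installer@example.invalid",
     "defaultLocale": {"name": "Greasemonkey"},
     "location": "app-profile", "active": True, "foreignInstall": True},
    {"id": "shipped@example.invalid",
     "defaultLocale": {"name": "Bundled component"},
     "location": "app-builtin", "active": True, "foreignInstall": False},
]})


def audit_addons(extensions_json, baseline):
    """Compare the profile's add-on inventory with what the user installed.

    baseline maps add-on ID -> name for every add-on the user knowingly
    installed. Returns one finding per add-on that needs a closer look.
    """
    known_names = {name.casefold() for name in baseline.values()}
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("location") in SHIPPED_LOCATIONS:
            continue  # part of the browser, not a user add-on
        addon_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        reasons = []
        if addon_id not in baseline:
            reasons.append("not installed by user")
            # Same display name as a known add-on but a different ID:
            # the list would look normal to someone who has the real one.
            if name.casefold() in known_names:
                reasons.append("reuses name of an installed add-on")
        if addon.get("foreignInstall"):
            reasons.append("sideloaded from outside the browser")
        if reasons:
            findings.append({"id": addon_id, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    mine = {"noscript@example.invalid": "NoScript"}
    for finding in audit_addons(SAMPLE_EXTENSIONS_JSON, mine):
        print(finding["name"], finding["id"], "; ".join(finding["reasons"]))
```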
     
  19. grasshopper

    grasshopper Notebook Consultant

    True. I'm still using Firefox. I don't download any extensions.
     
  20. Deathwinger

    Deathwinger Notebook Virtuoso

    Opera is horrible with formatting some pages. Sometimes all I see is gibberish and a bunch of symbols for some forums.

    Thanks, but I'll take my chances with Firefox.
     
  21. Baserk

    Baserk Notebook user

    Bullcrap post by Baserk.

    Apologies towards Silas.
     
  22. THAANSA3

    THAANSA3 Exit Stage Left

    Thank you both. It would appear that I'm in the clear. Thanks again.
     
  23. Ayle

    Ayle Trailblazer

    Or NoScript
     
  24. Silas Awaketh

    Silas Awaketh Notebook Deity

    Did you even read the post(s) to which I replied? :rolleyes: Let me post them here again.

    To these quotes, I replied this, taking into account they DO NOT have the Greaseretard or whatever plugin installed just like they said -
    I take it you haven't installed the comprehend-it-for-me plugin?
     
  25. Silas Awaketh

    Silas Awaketh Notebook Deity

    Yeah, I know. The user(s) to whom I replied do not have Greasedonkey installed, as they told us in their posts.
     
  26. Aeris

    Aeris Otherworldly

    Ah!, a malware targeted against Firefox... really awful. :(

    The smell of phishing is in the air, I feel sorry for whoever gets infected by this piece of "exotic" malware.

    I just checked my 'Mozilla Firefox' folder for the malware and I did not find anything suspicious or any of the files listed in the BitDefender Entry, phew, anyway, I guess I will put the Mozilla Firefox on-watch in Comodo's Defense+, just in case.

    Anyway, safe surfing, guys.

    P.S.: My take on checking if you have this malware is checking for the files in the 'Mozilla Firefox' folder found in either \Program Files (XP / Vista 32-Bit) or \Program Files (x86) (XP / Vista 64-Bit), the files' names are in the BitTorrent Report found in this thread:

    Be safe.
     
  27. Baserk

    Baserk Notebook user

    Silas, I've been too hasty in my response indeed.
    My bad, I f****d up.

    I'll google for the comprehend plug-in, :eek:
    My apologies...
     
  28. Manic Penguins

    Manic Penguins [+[ ]=]

    I assume this affects Minefield and Shiretoko as well, as they are pretty much Firefox.
     
  29. Matt

    Matt Notebook Deity

    Both are Firefox. They could be affected.

    I'm sure Mozilla will release a security patch soon. Just hang tight.
     
  30. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    Since it is a rogue that masquerades as a Firefox add-on extension but is not really an add-on extension itself, it may or may not be caught by the existing Firefox security. Nevertheless, it is generally a good idea to have that setting active.
     


  31. Matt

    Matt Notebook Deity

    It certainly is. I don't know why that is even an option.
     
  32. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    There is an informative article on this here that states that GreaseMonkey is not involved in any way
     
  33. Silas Awaketh

    Silas Awaketh Notebook Deity

    Yes, we know it's Firefox which is the main culprit.
     
  34. st0nedpenguin

    st0nedpenguin Notebook Evangelist

    Could you be banging your Opera drum any louder in this thread?

    Simple fact: This attack could also have targeted Opera instead of Firefox, every browser suffers from vulnerabilities, the difference is that Firefox actually has a userbase big enough to be worthwhile attacking.

    Enjoy your terrible browser though, I'll stick to Firefox + NoScript.
     
  35. Shyster1

    Shyster1 Notebook Nobel Laureate

    Hee, hee! I'll bet the IE aficionados are enjoying just sitting back on the sidelines watching the anti-IE crowd tear itself to pieces.
     
  36. st0nedpenguin

    st0nedpenguin Notebook Evangelist

    They need something to be happy about occasionally. :p
     
  37. Silas Awaketh

    Silas Awaketh Notebook Deity

    Yes.

    *DUM DUM DUM, ANOTHER ONE BITES THE DUST!* :D

    Simpler fact: It'd be very difficult, probably impossible, because Opera is complete in itself, and it doesn't rely on 20,000,000 plugins to help browse the net, any of which can be targeted.

    Do tell when the next plugin becomes a liability! :)
     
  38. st0nedpenguin

    st0nedpenguin Notebook Evangelist

  39. Silas Awaketh

    Silas Awaketh Notebook Deity

    Opera 9.23? :rolleyes:
     
  40. Manic Penguins

    Manic Penguins [+[ ]=]

    You're very naive if you believe a program, like Opera, is untouchable.

    Why would hackers target a crappy, rarely used browser like Opera?
     
  41. qhn

    qhn Notebook User

  42. Silas Awaketh

    Silas Awaketh Notebook Deity

    What I meant was, with millions of "FF's" plugins, it's easier for the hackers to attack it. They'd just target a plugin and then target "FF" via it. It'd be impossible for them to tear into Opera using this technique because Opera doesn't need any plugins to operate.
     
  43. qhn

    qhn Notebook User

    Bottom line - any browser is susceptible to attack, one way or another. Surf safely and enjoy your preferred browser!

    cheers ...
     
  44. Silas Awaketh

    Silas Awaketh Notebook Deity

    More like -
    :p

    I never said Opera is unbreakable, just that not by this technique (the "download omg-omg-fast-internetz plugin" and then be hacked)!
     
  45. qhn

    qhn Notebook User

    NO one in this thread so far mentioned anything about an "omg-omg-fast-internetz plugin" ... you are the first!

    Anyway, this is why FF is requiring all add-ons to be conformed and signature-proofed to close out backdoors!

    cheers ...
     
  46. grasshopper

    grasshopper Notebook Consultant

    I'm using the bare-bones Firefox with no additional plug-ins. No problems here. Works fine.
     
  47. st0nedpenguin

    st0nedpenguin Notebook Evangelist

    And therefore has many more ways to attack it since by default it's doing a lot more than Firefox.

    Anyone stupid enough to download and install every Firefox plugin they see is stupid enough to be tricked into clicking a suspicious link.

    Of course anyone with any sense whatsoever runs Firefox with NoScript and wouldn't have been hit by this malware anyway.

    And for the record, I'm running a whopping two Firefox addons here.
     
  48. grasshopper

    grasshopper Notebook Consultant

    And judging by his logic, OS X is better than Windows because Windows is targeted more by attacks... But, which OS is he using?
     
  49. Silas Awaketh

    Silas Awaketh Notebook Deity

    Lunix.


    .
     
  50. grasshopper

    grasshopper Notebook Consultant

    Looks like you're using Vista 64.
     