December 4th, 2008

Password stealing malware masquerades as Firefox add-on

Posted by Dancho Danchev @ 7:05 am

Categories: Anti Virus, Botnets, Browsers, Hackers, Malware, Passwords, Spyware and Adware

Tags: Security, Cyberthreats, Firefox, Password Stealing Malware, E-banking, Dancho Danchev

Malware researchers at BitDefender are reporting on a newly discovered malware (Trojan.PWS.ChromeInject.B) that when once dropped in Firefox’s add-ons directory starts operating as such, and attempts to steal accounting data from a predefined list of over a hundred E-banking sites. Once the accounting data is obtained, it’s forwarded to a free web space hosting provider in Russia. Earlier this year, a more severe incident took place when the Vietnamese Language Pack hosted at Mozilla’s official list was infected with malware.

“It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively. It filters the URLs within the Mozilla Firefox browser and whenever encounter the following addresses opened in the Firefox browser it captures the login credentials. It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox’s chrome environment.”

Despite the novel approach used, the malware would have made a huge impact if it were released several years ago when E-banking authentication was still in its infancy since plain simple keylogging is one part of the session hijacking tactics used. And while they will indeed obtain the accounting data, this is no longer sufficient for a successful compromise of a bank account. In comparison, the techniques used by sophisticated crimeware like Zeus, Sinowal and Wsnpoem undermine the majority of two-factor authentication mechanisms used by E-banking providers, since once you start doing E-banking from a compromised environment nothing’s really what it seems to be anymore.