

'Greasemonkey' Malware Targets Firefox

CmdrTaco posted more than 5 years ago | from the oh-this-can't-end-well dept.

Security 370

snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."


370 comments

Is it also made by Micro$oft? (0, Troll)

Adolf Hitroll (562418) | more than 5 years ago | (#25990013)

Will it throw chairs at me?

Nope, but get a load of this... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25990061)

A QUAD SIZED [ebay.com] Altoid that one of my friends sent me last night.

Re:Is it also made by Micro$oft? (0)

Anonymous Coward | more than 5 years ago | (#25990503)

Will it throw chairs at me?

No, but removing Vista will.

I wish (4, Funny)

gEvil (beta) (945888) | more than 5 years ago | (#25990055)

I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....

Re:I wish (3, Insightful)

maxwell demon (590494) | more than 5 years ago | (#25990127)

I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....

See? With Firefox, you wouldn't have that problem! :-)

PC ONLY? (0)

Anonymous Coward | more than 5 years ago | (#25990087)

So... this only affects Windows?

Re:PC ONLY? (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25990137)

So... this only affects Windows?

Of course. What other OS offers such pathetic security?

Re:PC ONLY? (5, Funny)

thtrgremlin (1158085) | more than 5 years ago | (#25990165)

Virus and Malware are registered trademarks of the Microsoft corporation, so yeah, business as usual.

Re:PC ONLY? (0)

Anonymous Coward | more than 5 years ago | (#25990585)

That really IS funny.

However, as this virus is JavaScript-based and the infection vector is browsing to a malware-infested site, there's no reason why it won't work just as well on a Linux system!

Re:PC ONLY? (1)

aliquis (678370) | more than 5 years ago | (#25990317)

No? Since the plugins run on all platforms, or?

Re:PC ONLY? (5, Informative)

thtrgremlin (1158085) | more than 5 years ago | (#25990543)

Since reading the article is for losers anyway...

This [plugin] is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder

Since the computer need already be compromised... sure you can draw your own conclusion on that one :)

Re:PC ONLY? (1)

clone53421 (1310749) | more than 5 years ago | (#25990423)

PC != Windows. Unless the trojan installs via a Windows executable (which is a possible attack vector but certainly not the only possible one), the FF add-on/Javascript code will run on any platform.

Linux has less than 0.5% share, so does it matter? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25990847)

I'd say, no, it doesn't matter. Target windows. It's a big fat ugly bullseye right in the kisser.

What to do with the Money? (0, Flamebait)

toodeepforme (1370289) | more than 5 years ago | (#25990123)

Yes, but does that mean anything? I mean, unless it also documents online sites that sell vodka, are the russians honestly going to do anything with it?

only firefox? (0, Troll)

phrostie (121428) | more than 5 years ago | (#25990125)

ok, a little more information would be nice.

is this firefox only or does it affect all mozilla browsers?
Seamonkey?
Galeon?

does it affect all platforms since it's Java?

anyone know?

also (3, Interesting)

ODiV (51631) | more than 5 years ago | (#25990199)

What happens if you already have Greasemonkey? Would it stop working or does the malware work fine alongside it?

Re:only firefox? (2, Informative)

scientus (1357317) | more than 5 years ago | (#25990203)

It's JavaScript, so the end code is probably cross-platform; whether the delivery takes place on multiple platforms I do not know, but it largely depends on the delivery mechanism. As an xpi it would probably be fully cross-platform.

Mozilla vs Firefox, who friggen knows.

someone should publish the javascript, the press report was totally bull

also java != javascript

Re:only firefox? (2, Interesting)

clone53421 (1310749) | more than 5 years ago | (#25990557)

someone should publish the javascript, the press report was totally bull

Meh, even without seeing the code it's pretty easy to figure out what they most likely did. All they'd have to do is create an onSubmit that sends an Ajax request to their server with the contents of the username and password fields on the form being submitted. Considering that add-ons (AdBlock, for example) can already inject and/or remove HTML from the dynamic page, it doesn't surprise me in the least.

Then all they have to do is figure out how to deploy it – obviously the Firefox plugin repository isn't going to host their malware, so distributing it in such a way that people are fooled into installing it is going to be tricky. 'Course, if you have control of a botnet, it might be possible to instruct the zombie machines to install it without the user's knowledge (not sure how FF's add-ons are managed, so it might or might not be possible, and it'd probably have to occur while FF wasn't running).

Re:only firefox? (5, Insightful)

miknix (1047580) | more than 5 years ago | (#25990271)

Mozilla needs your permission to install plugins from unverified sources.

But since windows standard practice is to click on everything that has an OK on it, I think it doesn't matter.

Re:only firefox? (5, Insightful)

dedazo (737510) | more than 5 years ago | (#25990375)

But since users' standard practice is to click on everything that has an OK on it, I think it doesn't matter.

There, fixed that for ya.

Re:only firefox? (5, Insightful)

Brain-Fu (1274756) | more than 5 years ago | (#25990327)

from the article:
Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

This is utterly unacceptable. They should give instructions to users on how to avoid downloading this.

They listed two ways in which systems get infected. One is "by being duped into downloading it." The instructions to avoid this are easily enough translated as your standard Internet hygiene guidelines: "When websites offer browser-enhancements to you, say no," and "don't execute email attachments even if they come from trusted friends."

However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.

Re:only firefox? (5, Funny)

MrMr (219533) | more than 5 years ago | (#25990415)

The problem has been diagnosed by BitDefender, and they can sell you all the peace of mind you ask for.

Re:only firefox? (5, Interesting)

Ed Avis (5917) | more than 5 years ago | (#25990517)

The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.

Mod parent up please (0)

Anonymous Coward | more than 5 years ago | (#25990749)

Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.

So is that the "drive-by download" method mentioned in the article? If so, the means to protect yourself are:

When it happens, hit ctl-alt-delete to get your task manager up, find firefox, and kill that task. If that doesn't work, restart your computer. Either way, don't go to that site again.

These instructions aren't great, of course, but they will work.

Re:only firefox? (1)

The MAZZTer (911996) | more than 5 years ago | (#25990927)

Except a dialog box only pops up when installing addons from a trusted source. When an addon comes from an untrusted source you get the information bar, which you can ignore or close.

I'm guessing the page in the bug (it's a non existent domain) uses an endless stream of alert()s which is the issue you described but does not affect installing addons from untrusted sources.

Re:only firefox? (1)

Ed Avis (5917) | more than 5 years ago | (#25991047)

Yes, the page has been taken down since it was mentioned in the bug report. I don't know what exactly it was trying to make the user run (perhaps just a Windows executable not a Firefox extension) but it was something unpleasant.

Re:only firefox? (1)

D_Blackthorne (1412855) | more than 5 years ago | (#25991049)

The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.

If you're a moron, I guess. I see something do that, and I'm opening Task Manager and killing the entire process manually.

Re:only firefox? (1)

_Sprocket_ (42527) | more than 5 years ago | (#25990717)

However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.

It sounds like they're just playing "what-if". If you've got a malicious Firefox addon, how do you get your victims to install it? Obviously the first step is to trick them into installing it - a variation on the trojan (as named). The other way is to try and install it without user interaction. How to do that? Find an exploit in the browser, a helper application (Flash, Acrobat, Quicktime, etc.), or the OS itself to perform a generically-labeled drive-by download.

Whether any of this is actually happening or not is a big question. Actual case examples would be interesting. However, such details tend to get lost in the Corporate filter.

Re:only firefox? (1)

thtrgremlin (1158085) | more than 5 years ago | (#25991045)

There are some really fancy words they use here to blow this completely out of proportion, for example, the word 'new' is completely inappropriate. I am pretty sure 'drive-by download' means 'thoughtless download'. Or go to any number of sites that track windows bugs that are begging Microsoft to fix (since you are not allowed to fix bugs yourself) and pick any number of vulnerabilities that would enable this. It is just yet another implementation of some old exploits.

And mind you, fta, it requires that a system already be infected with other malware that will install this java into your plugins folder. Unless the delivery system is cross platform, there is no way to get this into your plugins folder. Second, if it is installed manually, there is no validation necessary because it is not using the browser for the installation. Next, more than likely because this is being done remotely, the easiest thing to do is assume one kind of standard installation, and given it is masquerading as GreaseMonkey, it is better to cover your tracks by only installing the plugin onto machines that have a straightforward, default, c-drive install of Firefox. Having manually installed plugins before via script (custom ubuntu installer), different browsers, even the Mozilla web browser and the Firefox web browser, use different names for their directories. While it could hunt for the plugin directory and figure it out, that is a bit more work than just an assume-or-fail delivery system.

Re:only firefox? (5, Funny)

Simon Brooke (45012) | more than 5 years ago | (#25990367)

does it affect all platforms since it's Java?

anyone know?

It's not Java, it's JavaScript - two very different languages linked only by a common marketing fuckwit.

Re:only firefox? (1)

77Punker (673758) | more than 5 years ago | (#25990609)

I love job interviews that involve "Your resume says Java, so you must do some Javascript since they're so similar, right?"

At that point, telling the truth becomes a very hard decision to make.

Re:only firefox? (1)

jellomizer (103300) | more than 5 years ago | (#25990617)

Well the languages have many similarities. Most of them are the same as the similarities of JavaScript and Java and C++ but still for the novice coder they look like the same language. But yes they are very different languages not related to each other.

Re:only firefox? (2, Informative)

The MAZZTer (911996) | more than 5 years ago | (#25991003)

Nowhere does it say it is Java. In fact, I don't see any Java. I see JavaScript, but that is completely unrelated to Java (if the name confuses you, take it up with Sun, their marketing department wanted to leech off of Java's success). There is only a JavaScript file and a Windows Netscape Plugin. So it probably only affects Windows.

This is a veiled blessing... (2, Insightful)

mamono (706685) | more than 5 years ago | (#25990131)

Yes, it is not good that there is malware targeting Firefox, but it shows that Firefox is on its way to be a market leader/dominator. Much like the recommendation of using antivirus on Macs, this shows that there is enough of a market penetration for Firefox that it has garnered the attention of malware writers.

Re:This is a veiled blessing... (3, Insightful)

Madball (1319269) | more than 5 years ago | (#25990411)

Yay! We're safe because mac/linux/firefox is secure by design. Oops. Yay! We're safe because no one bothers with attacks on us. Oops. Yay! We're being attacked and thus might finally be important?
----
Note: Actually a fanboy, but a realistic one.

Re:This is a veiled blessing... (5, Insightful)

thtrgremlin (1158085) | more than 5 years ago | (#25991085)

I think an important thing to note here is that this is not using a Firefox exploit. It is using existing malware to manually install a plugin into Firefox. There is no proof of concept here at all, but point taken.

I should have known it was a mistake (0)

Anonymous Coward | more than 5 years ago | (#25990153)

Never punch the Greasemonkey!

But the deal on the nuclear wessel was too good to pass up. Plus my IP address was apparently being broadcast TO THE WORLD!

DO-NOT "Remember Passwords" (4, Informative)

Hari Kant (1124085) | more than 5 years ago | (#25990173)

I would suggest that DO-NOT "Remember Passwords" and Login ids in any Browser where Sensitive Information will be sent ultimately.

Re:DO-NOT "Remember Passwords" (5, Informative)

maxwell demon (590494) | more than 5 years ago | (#25990297)

I guess the malware remembered those passwords itself, so not storing them in the password manager wouldn't help.

IMHO the fact that you can use plugins with Firefox means that there should be an extra security barrier inside Firefox that disallows extensions to get passwords (e.g. when accessing the password lines, it would just get the stars which are also displayed on the screen).

Re:DO-NOT "Remember Passwords" (1)

duplicate-nickname (87112) | more than 5 years ago | (#25990659)

That's a really good point. How do I know that the latest update to Forecastfox isn't now reading my browsing history or passwords and uploading that information to a third party? Many addons do not need access to the web page being rendered, so I wonder why there isn't some additional layer of security there.

Re:DO-NOT "Remember Passwords" (4, Informative)

clone53421 (1310749) | more than 5 years ago | (#25990715)

Javascript is already capable of getting the value of a password field, and even if it wasn't they could just redirect the form action and get the password that way.

Try this: go to Paypal.com (any page with a password field, really), type in something arbitrary into the password field, and then paste this into the address bar:

javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password"){alert(a[i].value);i=a.length;}void(0);

Re:DO-NOT "Remember Passwords" (1)

Kamokazi (1080091) | more than 5 years ago | (#25990945)

That should be an optional setting though, because many people like to use password managers, and plugins should be able to catch and manage passwords if we allow them to.

Maybe a warning dialog "XXX extension is trying to record or monitor your password? Allow or Deny?" (yes, I worded that like UAC on purpose for comedic effect)

Re:DO-NOT "Remember Passwords" (1)

clone53421 (1310749) | more than 5 years ago | (#25990589)

Um, all they'd have to do is gather the username/password from the form when you submitted it. Considering that add-ons can dynamically rewrite the HTML of the page you're on (AdBlock, for example), that wouldn't be hard. Send the login credentials to their server using Ajax before the form submits, and you'll never know it happened.

Re:DO-NOT "Remember Passwords" (3, Insightful)

girlintraining (1395911) | more than 5 years ago | (#25990635)

I would suggest that DO-NOT "Remember Passwords" and Login ids in any Browser where Sensitive Information will be sent ultimately.

Well, that'll stop the really stupid malware authors that sit down at your PC and copy the file that stores your passwords. But it won't stop the one who left a key logger, the other who is doing control scrapes, the guy looking over your shoulder, the in-memory debugger that waits for a POST submission and copies everything in the data struct, or the FBI (who knows about those magazines under your bed too).

If you want to offer some advice to people that'll result in a real increase in security, tell them to install NoScript, or not to download executables and run them without scanning them. Tell them to install Spybot, or AdAware, or AVG Free. But don't ask them to turn off a convenient feature because it will stop the .1% of attackers too stupid to figure out a better way of getting that information.

In Putin's Russia (-1, Offtopic)

MosesJones (55544) | more than 5 years ago | (#25990201)

All of your plug-ins communicate with a centrally controlled authority.

No not funny, but it is scary how the people in the world's 2nd largest nuclear power appear to be so far beyond the normal rule of law.

Re:In Putin's Russia (1, Funny)

gEvil (beta) (945888) | more than 5 years ago | (#25990245)

No not funny, but it is scary how the people in the world's 2nd largest nuclear power appear to be so far beyond the normal rule of law.

I must've missed something. When did the US slip to number 2?

Re:In Putin's Russia (1)

solafide (845228) | more than 5 years ago | (#25990287)

Russia seems to be much larger than the United States?

Username/password combo for banks flawed. (5, Interesting)

Vellmont (569020) | more than 5 years ago | (#25990243)

It's just part of the mounting evidence that username/password combinations for banks is inherently flawed. "Something you know" can always easily be known by someone else. Bank security should (IMO) be also based on "something you have", like an ATM card.

If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.

Re:Username/password combo for banks flawed. (1)

qoncept (599709) | more than 5 years ago | (#25990437)

The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.

That should be simple enough. Seriously, though, if a key like that were introduced, it would just be one more layer these people would have to overcome.

It's just part of the mounting evidence that username/password combinations for banks is inherently flawed. "Something you know" can always easily be known by someone else. Bank security should (IMO) be also based on "something you have", like an ATM card.

True that. I find it incredibly stupid that, not only is my mother's maiden name not hard to come by, but when I type it it shows up in plain text. Or if I call to get my password reset and you are sitting in the cube next to me, you know my father's middle name. And that is all you need to know to reset my password again.

Re:Username/password combo for banks flawed. (1)

maxwell demon (590494) | more than 5 years ago | (#25990627)

Seriously, though, if a key like that were introduced, it would just be one more layer these people would have to overcome.

Well, a physical device is a layer which isn't so easily overcome through the network. Provided it doesn't have any security holes of its own, of course. But then, you'd not want to just rely on a USB stick, because that one could be physically stolen. Better would be an ATM card reader with a built-in PIN keypad (so the PIN doesn't even reach the possibly compromised computer).

Re:Username/password combo for banks flawed. (2, Informative)

Elemental MrJohnson (866951) | more than 5 years ago | (#25990523)

Some banks already do this (at least in the UK). They send out a card reader that you use for a challenge/response when you put your bank card and PIN in. It's only required for making payments to new people, so you can view your balance and make payments to people or organisations you've made at least one payment to before. It's not perfect but it goes some way towards improving security. More here [natwest.com]

Re:Username/password combo for banks flawed. (2, Interesting)

the 99th penguin (1453) | more than 5 years ago | (#25990559)

Seems to vary from country to country, in some (like Sweden I believe, UK banks seem to have more of a PRNG device, at least that's what Barclays gave me) all banks provide a Challenge-Response system for logging into your account, similar to the RSA fob I am sure many here have used for secure logon.

Re:Username/password combo for banks flawed. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25990563)

If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.

Yeah, but I'd love to access my bank information from linux, thanks.

What if banks had to respond back with RSA code? (1)

Jumperalex (185007) | more than 5 years ago | (#25990575)

I'm not sure this is what you're referring to but in either case your post got me thinking:

Wouldn't an effective phishing defense (but not MITM) be for the RSA key fobs to have two numbers displayed instead of one, such that when you log in with the first number displayed on your fob, the bank replies with the 2nd number. If they don't match it's likely a bogus site.

I'm sure there are technical issues to resolve to decouple the two keys to avoid a snooper / phisher from being able to guess the bank's response etc etc. But in general, if we believe it is improved security to prove I am who I say I am, then could it work the other direction as well? I also realize that for the bank's part it isn't something they have but still something they know, but still at least it is something they know that changes such that a phisher won't know it [shrug]. I also get the feeling it might be more robust for the bank to provide a code first but the bank would still first need to know who you are (simple username I guess) to present the code specific to your FOB, then you can feel confident that you are talking to your bank before you send out your code.

And perhaps this would help with a MITM attack since they might have to get the bank's response right as well [shrug].
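The two-number fob scheme sketched above, worked through as an added example (not code from the article or from any bank): both sides hold a shared fob secret, the user sends the first HMAC-based code, and the bank must answer with the second, which a phishing site lacking the secret cannot produce. The secret, the `user`/`bank` role labels, the 30-second step and the `Bank`/`PhishingSite` classes are all constructed for illustration; as the post itself notes, a site that relays the exchange to the real bank in real time is not caught by this check.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed sample secret shared by one customer's fob and the bank
# (in practice a per-customer random key loaded into the fob at enrolment).
SAMPLE_SECRET = b"example-fob-secret-not-real-0001"
STEP_SECONDS = 30


def hotp(secret: bytes, label: bytes, step: int, digits: int = 6) -> str:
    """HMAC-based one-time code with RFC 4226 style dynamic truncation.
    The role label is mixed into the message so that the code the user
    types and the code the bank must echo are different values."""
    msg = label + struct.pack(">Q", step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def current_step(now: Optional[float] = None) -> int:
    """Time step that fob and bank both derive from their own clocks."""
    return int((time.time() if now is None else now) // STEP_SECONDS)


def fob_display(secret: bytes, step: int) -> Tuple[str, str]:
    """The two numbers on the fob: one to type in, one the bank must reply with."""
    return hotp(secret, b"user", step), hotp(secret, b"bank", step)


class Bank:
    """Bank side: verify the user's code, then prove itself with the bank code."""

    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}

    def enrol(self, username: str, secret: bytes) -> None:
        self.secrets[username] = secret

    def login(self, username: str, user_code: str, step: int,
              window: int = 1) -> Optional[str]:
        secret = self.secrets.get(username)
        if secret is None:
            return None
        # Tolerate a little clock drift between the fob and the server.
        for s in range(step - window, step + window + 1):
            if hmac.compare_digest(hotp(secret, b"user", s), user_code):
                return hotp(secret, b"bank", s)
        return None  # user code did not verify


class PhishingSite:
    """A look-alike site that never received the fob secret; it can only guess."""

    def login(self, username: str, user_code: str, step: int) -> Optional[str]:
        return hotp(b"attacker-guess", b"bank", step)


def client_login(site, username: str, secret: bytes, step: int) -> str:
    """Customer side: send the first fob number, compare the reply to the second."""
    user_code, expected_bank_code = fob_display(secret, step)
    reply = site.login(username, user_code, step)
    if reply is None:
        return "rejected by site"
    if hmac.compare_digest(reply, expected_bank_code):
        return "authenticated: site proved it knows the fob secret"
    return "site failed to prove it is the bank"


if __name__ == "__main__":
    bank = Bank()
    bank.enrol("alice", SAMPLE_SECRET)
    step = current_step()
    print("real bank:", client_login(bank, "alice", SAMPLE_SECRET, step))
    print("phisher:  ", client_login(PhishingSite(), "alice", SAMPLE_SECRET, step))
```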

Re:Username/password combo for banks flawed. (1)

saintsfan (1171797) | more than 5 years ago | (#25990621)

Some banks do hardware authentication (USB key or RSA solution), especially for commercial banking/payment services. It just hasn't been rolled out to many retail customers. Considering many banks don't provide wire transfer services over the web to regular retail customers, it may not be necessary in all cases (although online statements might facilitate fraud). But IMO, it isn't practical or even feasible to make anything "impossible" to copy/replicate or get around in some manner, but obviously more secure is better for this.

Re:Username/password combo for banks flawed. (1)

vally_manea (911530) | more than 5 years ago | (#25990665)

Actually my bank has that and I guess almost all the banks in my country have something similar - they call it a DigiPass and basically it's a small electronic device where each time you want access to the Home Bank you enter a PIN and it returns a one-time password.

Re:Username/password combo for banks flawed. (1)

thrillseeker (518224) | more than 5 years ago | (#25990971)

It doesn't seem to me to be so hard that a bank couldn't autocall/autotext your cellphone and ask you to verify a transaction.

Re:Username/password combo for banks flawed. (0)

Anonymous Coward | more than 5 years ago | (#25990787)

Hardware/ checks do not prevent MITM attacks.

Two factor authentication is better: Bank sends you a text message on your cellphone and you type it back to bank. Better yet, have a live human being do this and use.

But all this security talk is very silly:

Online fraud will flourish because banks are making out like gangbusters on "card not present" transactions. If they make 20 million / year due to "card not present" transactions, but lose 5 million / year to fraud, there is no reason at all to curb online fraud.

Moreover, most ID theft is no big deal, banks will cover you. Fraud is an acceptable risk designed into the system.

Re:Username/password combo for banks flawed. (1)

sexconker (1179573) | more than 5 years ago | (#25990893)

"The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it."

And the banking site should be implemented in a such a way that hackers can't hack it.

And the car should be implemented in such a way that it won't break.

Re:Username/password combo for banks flawed. (1)

Technician (215283) | more than 5 years ago | (#25990947)

Bank security should (IMO) be also based on "something you have", like an ATM card.

I was thinking along the lines more like an IP range. If I could register and lock all transactions to the Comcast domain IP range, then most of these out of country attacks would fail.

The ability to register 2 domain IP ranges would be nice, so those who shop on break at work for faster connections could do it.

Only if you want to be in the IT business (3, Informative)

joeflies (529536) | more than 5 years ago | (#25990999)

The problem with USB keys is that you have to install a client to handle the PKCS #11 with the browser. No bank wants to get in the business of telling customers to install software (and all the help desk problems that come with it).

OTP tokens have been the preferred method for consumer strong authentication, but only consumers in Europe seem to have taken to them. I don't really see people lining up to get the paypal OTP token.

Re:Username/password combo for banks flawed. (1)

Ephemeriis (315124) | more than 5 years ago | (#25991033)

It's just part of the mounting evidence that username/password combinations for banks is inherently flawed. "Something you know" can always easily be known by someone else. Bank security should (IMO) be also based on "something you have", like an ATM card.

If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.

It is certainly do-able.

Software manufacturers have been using dongles of various types for years now. I've got a couple clients with software installed that requires a USB dongle to be plugged into their PC in order to run. Shouldn't be too hard to do something like that for your banking site.

Or how about the VPN keychain fob things? Folks have been using those RSA keychain fobs to secure VPN logins for ages... Even Blizzard is using them now [blizzard.com]. Why not use them to log in to your bank's website?

Actually Blizzard got this right (1)

Shivetya (243324) | more than 5 years ago | (#25991061)

You register an authenticator with your account and every time you go to log on you have to key in the number the authenticator shows you.

Much easier than anything needing to be plugged in, and as such it can work with any device that could access the login page.

NoScript FTW (0)

BearGrylls (1388063) | more than 5 years ago | (#25990347)

If you use Firefox along with NoScript [noscript.net] you are protected from this kind of attack and many others. I highly recommend Firefox users look into this.

Re:NoScript FTW (4, Funny)

kalirion (728907) | more than 5 years ago | (#25990681)

Like you never "Temporarily allow myweirdpornvideos.com".

Re:NoScript FTW (2, Funny)

Anonymous Coward | more than 5 years ago | (#25991109)

You should register that domain name. It appears to be free at the moment.

Re:NoScript FTW (0)

Anonymous Coward | more than 5 years ago | (#25990775)

You are also protected from effective use of most sites

new? (1)

thtrgremlin (1158085) | more than 5 years ago | (#25990377)

Yet another attempt at a classic type of malware designed to harvest web passwords has been detected...

There, fixed it for ya.

I don't think it is really fair to call it 'new' just because you haven't reported on this particular incident yet today. It is a little misleading. Glad I could help.

Is this what is causing the script to fail? (0)

Anonymous Coward | more than 5 years ago | (#25990513)

I have been having problems only with slashdot using firefox, on multiple machines with ubuntu. Is this the bug that is causing the script to hang?

Wait, I thought... (1)

Thelasko (1196535) | more than 5 years ago | (#25990601)

Firefox was written so all addons had to come from addons.mozilla.org. How is such a drive by download even possible?

Re:Wait, I thought... (2, Informative)

Thelasko (1196535) | more than 5 years ago | (#25990743)

Here's the important part:

is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder. Once installed it gets to work every time Firefox is started.

Apparently Firefox has protections so plugins can only be downloaded from addons.mozilla.org, but if they are downloaded by another program, and placed in the appropriate folder, Firefox will use them.

There are two things to know about this:
1) Another piece of malware has to be present on the machine for this to happen.
2) There is a "feature" in Firefox that allows it to run any program in the plugin folder.

Yeah, there's a bug in Firefox, but it's not the root cause.

Re:Wait, I thought... (1)

Todd Knarr (15451) | more than 5 years ago | (#25990769)

This thing isn't installed via Firefox's add-on process, or even by Firefox at all. It's installed by other malware that's already infected your system. Not hard, just write a few files into Firefox's add-on directory and then edit Firefox's configuration files to register the new add-on by hand. Any competent programmer with some experience with XML processing could code that up in an afternoon.
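Thelasko's quote above describes the add-on being dropped into a Firefox folder by other malware, and this post describes the same thing from the implementer's side: files written into the add-on directory and the configuration edited by hand. From the defender's side, that leaves an auditable trail. Below is an added example (not code from the article, the trojan write-up, or Firefox itself) that walks a legacy Firefox profile's `extensions/` directory and reports entries an add-on manager install would not normally produce: a folder whose name does not match the `em:id` declared in its `install.rdf`, a folder with no manifest at all, a "proxy file" (a plain file named after an extension id whose content is a path to code elsewhere on disk), and a manifest whose display name claims a well-known add-on while carrying some other id. The `KNOWN_IDS` map and every extension id in the sample profile are constructed placeholders; the sample profile itself is built in a temp directory so the script runs offline.

```python
"""Audit a Firefox profile's extensions directory for hand-registered add-ons.

Legacy (Firefox 2/3-era) extensions live in <profile>/extensions/<id>/ with
an install.rdf manifest, or as a "proxy file" named <id> whose content is a
path to a directory elsewhere on disk.  This walks that layout and reports
anything an add-on manager install would not normally produce.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

# Hypothetical map of add-on display name -> expected id.  The value is a
# placeholder; fill it in from the vendor's own manifest before real use.
KNOWN_IDS = {"Greasemonkey": "{PLACEHOLDER-GREASEMONKEY-ID}"}


def parse_install_rdf(path):
    """Return (id, name) declared in an install.rdf, or (None, None) if unreadable."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None, None
    desc = root.find(RDF + "Description")
    if desc is None:
        return None, None
    # em:id / em:name may be child elements or attributes on Description.
    ext_id = desc.findtext(EM + "id") or desc.get(EM + "id")
    name = desc.findtext(EM + "name") or desc.get(EM + "name")
    return (ext_id.strip() if ext_id else None, name.strip() if name else None)


def audit_extensions(profile_dir, known_ids=KNOWN_IDS):
    """Return one finding dict per entry in <profile>/extensions, sorted by name."""
    ext_dir = os.path.join(profile_dir, "extensions")
    findings = []
    if not os.path.isdir(ext_dir):
        return findings
    for entry in sorted(os.listdir(ext_dir)):
        full = os.path.join(ext_dir, entry)
        flags = []
        ext_id = name = None
        if os.path.isfile(full):
            # Proxy file: its content is a path, so the code lives outside the profile.
            with open(full, encoding="utf-8", errors="replace") as fh:
                target = fh.read().strip()
            flags.append("proxy file loads code from %s" % target)
            ext_id = entry
        else:
            manifest = os.path.join(full, "install.rdf")
            if not os.path.isfile(manifest):
                flags.append("no install.rdf manifest")
            else:
                ext_id, name = parse_install_rdf(manifest)
                if ext_id is None:
                    flags.append("manifest has no em:id")
                elif ext_id != entry:
                    flags.append("folder name %r differs from declared id" % entry)
                expected = known_ids.get(name or "")
                if expected and expected != ext_id:
                    flags.append("name %r claims a known add-on but id differs" % name)
        findings.append({"entry": entry, "id": ext_id, "name": name, "flags": flags})
    return findings


def build_sample_profile():
    """Construct a throwaway profile with one clean and two suspicious entries."""
    profile = tempfile.mkdtemp(prefix="ffprofile-")
    ext_dir = os.path.join(profile, "extensions")
    os.makedirs(ext_dir)
    manifest = ("<?xml version='1.0'?>"
                "<RDF xmlns='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
                "xmlns:em='http://www.mozilla.org/2004/em-rdf#'>"
                "<Description about='urn:mozilla:install-manifest'>"
                "<em:id>%s</em:id><em:name>%s</em:name></Description></RDF>")
    # 1) consistent: folder name equals the declared id (constructed id)
    good = "sample@example.test"
    os.makedirs(os.path.join(ext_dir, good))
    with open(os.path.join(ext_dir, good, "install.rdf"), "w") as fh:
        fh.write(manifest % (good, "Sample Add-on"))
    # 2) hand-dropped folder whose manifest claims "Greasemonkey" under another id
    os.makedirs(os.path.join(ext_dir, "greasemonkey"))
    with open(os.path.join(ext_dir, "greasemonkey", "install.rdf"), "w") as fh:
        fh.write(manifest % ("{0000-CONSTRUCTED}", "Greasemonkey"))
    # 3) proxy file pointing at a (constructed) path outside the profile
    with open(os.path.join(ext_dir, "pointer@example.test"), "w") as fh:
        fh.write(os.path.join(tempfile.gettempdir(), "somewhere-else"))
    return profile


if __name__ == "__main__":
    for f in audit_extensions(build_sample_profile()):
        status = "; ".join(f["flags"]) or "ok"
        print("%-24s %-28s %s" % (f["entry"], f["id"], status))
```

Run it against a real profile by calling `audit_extensions("/path/to/profile")`; anything with a non-empty `flags` list is worth comparing against what the add-on manager itself lists, since an entry Firefox loads but the manager did not install is exactly the pattern the posts above describe.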

Re:Wait, I thought... (1)

DavidTC (10147) | more than 5 years ago | (#25991009)

I don't think this is normally installed in that manner. I'm suspecting this is installed via some Windows vulnerability.

Finally... (0)

Anonymous Coward | more than 5 years ago | (#25990631)

I would think it is FAR easier to write malware for Firefox than IE since Firefox has a huge community of mod-installers.

Take that Firefox fanboys, now shut the hell up and realize you're vulnerable too.

"but it's open source - that means it's secure"

Attack vector. (1)

140Mandak262Jamuna (970587) | more than 5 years ago | (#25990655)

Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

It is not clear whether Firefox actually has a vulnerability that allows such drive-by downloads, or if IE or other browsers with a vulnerability might allow a drive-by download that attacks Firefox. Anyway, if the user downloads bits from the net and executes them voluntarily, there is nothing one can do to protect against such an activity.

Where is the "add-ons" you speak of? (0)

Anonymous Coward | more than 5 years ago | (#25990673)

What is an "add-ons" folder? I don't see one in my Firefox directory. You mean the extensions folder? Or the plugins folder? Or the modules folder?

i've said this many times (3, Insightful)

circletimessquare (444983) | more than 5 years ago | (#25990689)

and i've always been derided as a microsoft fanboy. when i think it's just common sense:

the amount of hacks and viruses and malware on an os/browser has absolutely nothing to do with anything other than market share

you can try to make something as secure as possible, but if the incentive is high, hackers can always pay attention to security way more than you do, and find holes you did not anticipate, no matter how subtle

if something is full of security holes, it won't be hacked, if its market share is tiny

meanwhile if something is ironclad, it will still be hacked, if its market share is huge. the incentive to find holes is so high, the most esoteric avenues of investigation are explored

Re:i've said this many times (1)

drunkennewfiemidget (712572) | more than 5 years ago | (#25991083)

What you're failing to notice, however, is that the proliferation of these virii and trojans would be slowed by the fact that the majority of bugs and spyware and crap out there now is obviously written by people without much talent. Actually make it difficult for them to break into things, and you certainly won't see the issue eradicated, but you will see it go down. Significantly.

Nothing new here (1)

Todd Knarr (15451) | more than 5 years ago | (#25990693)

According to the description, you have to get infected with some other malware first which would then stuff this thing into Firefox's folders and hook it in by manipulating the configuration. So my first thought is that the primary risk is (yet again) Windows users. They're the ones who'll be the targets of the initial malware. Even if you're a Windows user, if you aren't already having a problem with being regularly infected by malware you aren't at great risk. And if you are currently being regularly infected with malware, one more probably isn't your biggest problem. So a lot of sound and fury, signifying nothing we didn't already know and presenting no risk we haven't had for years.

Re:Nothing new here (1)

Burz (138833) | more than 5 years ago | (#25990919)

...or you have to press the "Install" button in the add-on dialog while you're at an untrusted site.

The article is a bit vague, but ultimately this is just a Trojan.

To the smart people... (0)

Anonymous Coward | more than 5 years ago | (#25990731)

Anyone have an actual link to something on how to see if you are infected and how to correct it????

Any Platform? (1)

tedhiltonhead (654502) | more than 5 years ago | (#25990849)

Would this attack style apply to any Firefox platform - Linux, Mac, Windows? As I understand it, FF plugins are mostly written in Javascript. Even on more secure platforms like Mac and Linux, each user has access to his own FF plugins directory, so if any malicious code were to be executed as him, it could presumably write this "plugin" into that user's FF settings directory.

FireFox matters. (2, Interesting)

wvmarle (1070040) | more than 5 years ago | (#25990973)

Not sure whether this should be considered a compliment, but to me it indicates that FF matters. It has enough market share for criminals to target.

Unfortunately not many details on this exploit: is it really an exploit in FF (for the drive-by download)? Or is it more like a trojan (for the download duping)?

How does this install? (1)

The MAZZTer (911996) | more than 5 years ago | (#25991021)

That is the important part. I am betting it doesn't happen through any flaw in Firefox (sounds like maybe a downloadable executable which looks for and then infects Firefox), but the article doesn't say.
