'Greasemonkey' Malware Targets Firefox

snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."

I wish

[gEvil (beta) (945888)]

I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....

Re:

[maxwell demon (590494)]

I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....

See? With Firefox, you wouldn't have that problem! :-)

Re:I wish

[Hoi Polloi (522990)]

Now you can ask for a government bailout!

Re:I wish

[Lumpy (12016)]

I give out my paypal password all the time.

It's Fire98-myFun.

it will do you no good without my keyfob and it's current 6 digit number. My bank, paypal, ebay, and 2 of my credit cards use the same keyfob because they use verisign and it defeats every single one of these trojans, keyloggers, and scammers. Why they are not common place I'll never understand.

Re:I wish

[cayenne8 (626475)]

"it will do you no good without my keyfob and it's current 6 digit number. My bank, paypal, ebay, and 2 of my credit cards use the same keyfob because they use verisign and it defeats every single one of these trojans, keyloggers, and scammers. Why they are not common place I'll never understand."

Interesting...I'd not heard of such and option being available for PP, eBay or banks.

What bank is that with?

Do you have links on how to set this up with PP and eB? Is it one fob that does it for them all or one for each?

Re:I wish

[Lumpy (12016)]

http://www.coolest-gadgets.com/20070118/paypal-security-key-fob/ [coolest-gadgets.com]

covers paypal and ebay. It's been in place over a year now. You will need to go searching online in ebay and Paypal to find the real links. I had to be logged in to find them and they are internal links.

My bank is a michigan only bank, so it'll probably not be available to you, but the whole system is verisign based so if the company uses verisigns system the same keyfob works for all of them.

Re:I wish

[Lumpy (12016)]

https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside [paypal.com]

found a public paypal page with more info about it.

Re:I wish

[spammb (1356807)]

This has to be one of the stupidest devices ever from the FAQ [kindurl.com]:

Can I still log in to my PayPal account if I lose or break my token, or if I don't have my mobile phone with me?
Yes. During login, we'll ask you questions to help confirm your identity. When you answer them correctly, you'll be able to log in.

Isn't the whole point of this device that you have to have it to log in? What extra security does asking some questions to confirm my identity do if I have a virus logging everything I type?

DO-NOT "Remember Passwords"

[Hari Kant (1124085)]

I would suggest that DO-NOT "Remember Passwords" and Login ids in any Browser where Sensitive Information will be sent ultimately.

Re:DO-NOT "Remember Passwords"

[maxwell demon (590494)]

I guess the malware remenmbered those passwords itself, so not storing them in the password manager wouldn't help.

IMHO the fact that you can use plugins with Firefox means that there should be an extra security barrier inside Firefox that disallows extensions to get passwords (e.g. when accessing the password lines, it would just get the stars which are also displayed on the screen).

Re:DO-NOT "Remember Passwords"

[clone53421 (1310749)]

Javascript is already capable of getting the value of a password field, and even if it wasn't they could just redirect the form action and get the password that way.

Try this: go to Paypal.com (any page with a password field, really), type in something arbitrary into the password field, and then paste this into the address bar:

javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password"){alert(a[i].value);i=a.length;}void(0);

Re:DO-NOT "Remember Passwords"

[girlintraining (1395911)]

I would suggest that DO-NOT "Remember Passwords" and Login ids in any Browser where Sensitive Information will be sent ultimately.,/quote>

Well, that'll stop the really stupid malware authors that sit down at your PC and copy the file that stores your passwords. But it won't stop the one who left a key logger, the other who is doing control scrapes, the guy looking over your shoulder, the in-memory debugger that waits for a POST submission and copies everything in the data struct, or the FBI (who knows about those magazines under your bed too).

If you want to offer some advice to people that'll result in a real increase in security, tell them to install NoScript, or not to download executables and run them without scanning them. Tell them to install Spybot, or AdAware, or AVG Free. But don't ask them to turn off a convenient feature because it will stop the .1% of attackers too stupid to figure out a better way of getting that information.

Good on you!

[girlintraining (1395911)]

Well, this just proves that it's easier to develop for Firefox than IE. ^_^ Of course, it's a very backhanded compliment.

Username/password combo for banks flawed.

[Vellmont (569020)]

It's just part of the mounting evidence that username/password combinations for banks is inherently flawed. "Somthing you know" can always easily be known by someone else. Bank security should (IMO) be also based on "something you have", like an ATM card.

If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.

Only if you want to be in the IT business

[joeflies (529536)]

The problem with USB keys is that you have to install a client to handle the PKCS #11 with the browser. No bank wants to get in the business of telling customers to install software (and all the help desk problems that come with it).

OTP tokens have been the preferred method for consumer strong authentication, but only consumers in Europe have seem to taken to them. I don't really see people lining up to get the paypal OTP token.

i've said this many times

[circletimessquare (444983)]

and i've always been derided as a microsoft fanboy. when i think its just common sense:

the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare

you can try to make something as secure as possible, but if the incentive is high, hackers can always pay attention to security way more than you do, and find holes you did not anticipate, no matte rhow subtle

if something is full of security holes, it won't be hacked, if its market share is tiny

meanwhile if something is ironclad, it will still be hacked, if its maker share is huge. the incentive to find holes is so high, the most esoteric avenues of investigation are explored

Re:i've said this many times

[Sounder40 (243087)]

The reason Windows is targeted is because it's model of sharing everything was so wide open to so many exploits. And don't forget the numerous buffer-overflow vulnerabilities. Top that off with the fact that it is so pervasive, and you have the deadly combination we have now.

Linux/Unix, on the other hand, was written with clear lines of delineation between the user and kernel spaces. And attention was paid to avoid buffer overflow vulnerabilities.

Not saying that there aren't exploits available in Linux and Unix... There are. It's just designed from the ground up to be more secure than Windows.

So part of what you said is correct: The pervasiveness of Windows is a major reason why it is targeted. But you can't avoid the poor security design of Windows as a cause as well.

virii should be a word

[circletimessquare (444983)]

1. it just sounds cool
2. sometimes in scrabble, you need to get rid of a lot of Is

language isn't a top down authoritarian function, its trickle up from the bottom

therefore, here in this thread, based on my authority of having none at all, i hereby announce "virii" to be a valid word in the english language

use it profusely, use it constantly, use it anywhere

and in such a way, make it a valid word

motion has passed

that's it...

[xiao_haozi (668360)]

That's it....I'm switching to IE!

FireFox matters.

[wvmarle (1070040)]

Not sure whether this should be considered a compliment, but to me it indicates that FF matters. It has enough market share for criminals to target.

Unfortunately not many details on this exploit: is it really an exploit in FF (for the drive-by download)? Or is it more like a trojan (for the download duping)?

malware targets Windows ..

[rs232 (849320)]

"This latest e-threat - called Trojan.PWS.ChromeInject.A - is intended to be delivered onto a compromised computer [bitdefender.co.uk] system by other malware"

SYMPTOMS: Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"

TECHNICAL DESCRIPTION: It drops an executable file (which is a Firefox 3 plugin)

Does that mean it's Windows only ?

Fix

[Frankie70 (803801)]

You can download a fix for it here [microsoft.com].

LIST OF BANKS; seems to be windoze-only

[rickst29 (553930)]

"Trojan.PWS.ChromeInject.B" is definitely only effective in Windows, because it installs and executes these files: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll" "%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js" browser.js calls the The dll file, which can't run in Linux, etc. unless you're running a WINDOZE Firefox via crossover (which would be insanely stupid). Also, since it's installed into the program directory (rather than the user's profile), VISTA will almost certainly make you click for "administrator confirmation" before writing the files. (I don't know for sure, because I don't have VISTA.) - - - - - When I enter the URL for http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.A.html# [bitdefender.com], the page content is identical the version for "Trojan.PWS.CHromeInject.B" (even the given name is "Trojan.PWS.ChromeInject.B", they even over-wrote the ChromeInject.A page by accident or, ChromeInject.A isn't spreading in the wild AND has nearly identical characteristcs, perhaps differing only in file sizes.) BitDefender provides the following list of banks their page for this version, http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html [bitdefender.com]: It filters the URLs within the Mozilla Firefox browser and whenever encounter the following addresses opened in the Firefox browser it captures the login credentials. akbank.com caixasabadell.net credem.it areasegura.banif.es banca.cajaen.es openbank.es poste.it banesto.es carnet.cajarioja.es gruposantander.es intelvia.cajamurcia.es net.kutxa.net bancopastor.es bancamarch.es caixamanlleu.es elmonte.es ibercajadirecto.com bancopopular.es bancogallego.es bancajaproximaempresas.com caixa*.es caja*.es ccm.es bancoherrero.com bankoa.es bbvanetoffice.com bgnetplus.com bv-i.bancodevalencia.es clavenet.net fibancmediolanum.es sabadellatlantico.com arquia.es banking.*.de westpac.com.au adelaidebank.com.au pncs.com.au nationet.com online.hbs.net.au www.qccu.com.au boq.com.au banksa.com anz.com suncorpmetway.com.au quiubi.it cariparma.it bancaintesa.it popso.it fmbcc.bcc.it secservizi.it bancamediolanum.it csebanking.it fineco.it gbw2.it gruppocarige.it in-biz.it isideonline.it iwbank.it bancaeuro.it bancagenerali.it bcp.it unibanking.it uno-e.com unipolbanca.it carifvg.com cariparo.it carisbo.it islamic-bank.com banking.first-direct.com natwestibanking.com itibank.co.uk co-operativebank.co.uk lloydstsb.co.uk mybankoffshore.alil.co.im abbeynational.co.uk mybusinessbank.co.uk barclays.com online.co.uk my.if.com anbusiness.com hsbc.co anbusiness.com co-operativebankonline.co.uk halifax-online.co.uk ibank.cahoot.com smile.co.uk caterallenonline.co.uk tdcanadatrust.com schwab.com wachovia.com bankofamerica kfhonline.com wamu.com wellsfargo.com procreditbank.bg chase.com 53.com citizensbankonline.com e-gold.com paypal.com usbank.com suntrust.com banquepopulaire.fr onlinebanking.nationalcity.com

Re:PC ONLY?

[thtrgremlin (1158085)]

Virus and Malware are registered trademarks of the Microsoft corporation, so yeah, business as usual.

Re:PC ONLY?

[drachenstern (160456)]

But I thought the sequence usually went like this:

1. Install Firefox
2. Install noScript
3. ???
4. Don't get infected by js vector based viruses.
5. Get flamed on /. for pedantic usage of noScript to designate a particular add-on to Firefox, and for not using the general designation of either FX3 or FF3...

No, but really. If you have noScript, as most everyone I know using Fx does, then how do you get infected by a virus that uses js as an attack vector...

Guess I'll keep reading the thread and see if the answer arises.

Re:PC ONLY?

[thtrgremlin (1158085)]

It is written in Java script, but the delivery system is windows only. This malware also does not use its own delivery system. (don't worry, you would have to read the article to know that and we all know reading the article is for losers)

Re:PC ONLY?

[Intron (870560)]

It's javascript in firefox, so the malware writers could have made it platform-independent with a little bit more work. But did they? NO! Yet another example of ignoring the Linux platform.

Re:PC ONLY?

[thtrgremlin (1158085)]

Since reading the article is for loosers anyway...

This [plugin] is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder

Since the computer need already be compromised... sure you can draw your own conclusion on that one :)

Re:PC ONLY?

[by Anonymous Coward]

spelling "losers" correctly is for losers too.

Re:Linux has less than 0.5% share, so does it matt

[dhasenan (758719)]

Linux has 0.8% market share!

Though that's counting me and my beard of unusual size, so take it as you wish.

Re:Linux has less than 0.5% share, so does it matt

[russlar (1122455)]

Linux has 0.8% market share!

Though that's counting me and my beard of unusual size, so take it as you wish.

Stallman, is that you?

Re:Linux has less than 0.5% share, so does it matt

[Whalou (721698)]

Linux has 0.8% market share!

Though that's counting me and my beard of unusual size, so take it as you wish.

Stallman, is that you?

No, he would have said GNU/Linux.

also

[ODiV (51631)]

What happens if you already have Greasemonkey? Would it stop working or does the malware work fine alongside it?

Re:only firefox?

[miknix (1047580)]

Mozilla needs your permission to install plugins from unverified sources.

But since windows standard practice is to click on everything that has an OK on it, I think it doesn't matter.

Re:only firefox?

[dedazo (737510)]

But since users' standard practice is to click on everything that has an OK on it, I think it doesn't matter.

There, fixed that for ya.

Re:only firefox?

[Brain-Fu (1274756)]

from the article:
Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

This is utterly unacceptable. They should give instructions to users on how to avoid downloading this.

They listed two ways in which systems get infected. One is "by being duped into downloading it." The instructions to avoid this are easily enough translated as your standard Internet hygien guidelines: "When websites offer browser-enhancements to you, say no," and "don't execute email attachments even if they come from trusted friends."

However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.

Re:only firefox?

[MrMr (219533)]

The problem has been diagnosed by BitDefender, and they can sell you all the peace of mind you ask for.

Re:only firefox?

[Ed Avis (5917)]

The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.

Re:only firefox?

[Vancorps (746090)]

I ran into this when I visited a site that another admin got the Antivirus 2008 trojan from. Of course I'm on Ubuntu so I was pretty sure simply visiting the site wouldn't cause any problems. I kept getting prompted to install it so I just found out what link it kept calling and just modified my hosts file to point it to localhost and then I got out of it like I should.

Pretty devious exploit though.

Re:only firefox?

[hairyfeet (841228)]

Bingo, I have seen malware in both Firefox and IE installed using the "endless loop" dialog box that the previous poster pointed out on Bugzilla(BTW, how freakin sad is it that the bug is from pre-1.0 and is still there?). Here is how I saw it work, by using a test box i keep for bug testing and removal practice. I found the bug by going through the users history and going where he went.

Here is how it works. You get Mr. Stupid Horny Guy to look at some topsites, you know the ones, a bunch of hot babe thumbnails that take them to yet more topsites. After a few minutes he will hit a site with a dialog box that says something like "You won a free hour in our hot babe video vault! Simply click yes to download the player and watch your hot videos full screen!" but thanks to the bug if he hits cancel it simply throws another dialog box in his face until he hits yes. If Mr Stupid Horny Guy even knows about ctrl/alt/del (which many don't) they will find the PC slow to a crawl whenever they try to launch it. So for Mr Stupid Horny Guy the choices come down to A=yank the plug out of the back, or B=click yes. So you can guess which of those 2 gets chosen more often.

I just wish Mozilla would put a cancel button automatically on all dialog boxes that would just kill all scripts on a page. It would probably cut way down on the drive by downloads, at least the ones I have come across.

Re:only firefox?

[hairyfeet (841228)]

I do use Noscript on all my machines, but for my customers it really is a "nuke it from orbit" solution which causes more problems than it solves. What we need for Noscript is a "average Windows user" setting which would whitelist Youtube and the other popular video sites, along with a "horny guy" setting that would add Porntube, Redporn,etc. Because I have tried to teach my Windows customers about whitelisting but sadly it turns into another Vista style "always click allow" which kills the whole point. Perhaps a simpler dialog box interface for Noscript than the current one? Maybe one that would detect .flv,.swf,rmb,etc and have a simple "click if you want to play the video" button?

Re:only firefox?

[Rudisaurus (675580)]

More details here [bitdefender.com]

Re:only firefox?

[Simon Brooke (45012)]

does it affect all platforms since it's Java?

anyone know?

It's not Java, it's JavaScript - two very different languages linked only by a common marketing fuckwit.

Re:

[The MAZZTer (911996)]

Nowhere does it say it is Java. In fact, I don't see any Java. I see JavaScript, but that is completely unrelated to Java (if the name confuses you, take it up with Sun, their marketing department wanted to leech off of Java's success). There is only a JavaScript file and a Windows Netscape Plugin. So it probably only affects Windows.

Re:

[clone53421 (1310749)]

someone should publish the javascript, the press report was totally bull

Meh, even without seeing the code it's pretty easy to figure out what they most likely did. All they'd have to do is create an onSubmit that sends an Ajax request to their server with the contents of the username and password fields on the form being submitted. Considering that add-ons (AdBlock, for example) can already inject and/or remove HTML from the dynamic page, it doesn't surprise me in the least.

Then all they have to do is figure out how to deploy it – obviously the Firefox plugin repository i

Re:

[Madball (1319269)]

Yay! We're safe because mac/linux/firefox is secure by design. Oops. Yay! We're safe because no one bothers with attacks on us. Oops. Yay! We're being attacked and thus might finally be important?
----
Note: Actually a fanboy, but a realistic one.

Gah...

[msimm (580077)]

Read.article. Most of your 'insightful' comment applies to Windows and piggy-backing on a Windows exploit. The other OS's you mention (ie: not Windows) would be exploited by ignoring the FF warning dialog about installing untrusted add-ons and installing it anyway (not so much an exploit).

That said, if you're done being cheeky: software is complicated. Bugs are a simple reality and inevitably lead to some kind of exploitability. But Linux and Mac (along with FF and numerous other open tools) get a bit of credit for implementing basic controls (accounts with privilege separation in the OS's) and responding quickly and proactively.

Windows is only now trying it, but their implementation is so cumbersome it's defeating it's own purpose.

Any Vista user out there that haven't already tried it there are several open source sudo [sourceforge.net] for Windows [sourceforge.net] implementations that make using non-privileged accounts more viable. I think I use Sudowin [sourceforge.net] which seemed to work the best for me, but I'm not on my home computer.

Re:This is a veiled blessing...

[thtrgremlin (1158085)]

I think an important thing to note here is that this is not using a Firefox exploit. It is using existing malware to manually install a plugin into Firefox. There is no proof of concept here at all, but point taken.

Re:NoScript FTW

[kalirion (728907)]

Like you never "Temporarily allow myweirdpornvideos.com".

Re:

[Thelasko (1196535)]

Here's the important part:

is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder. Once installed it gets to work every time Firefox is started.

Apparently Firefox has protections so plugins can only be downloaded from addons.mozilla.org, but if they are downloaded by another program, and placed in the appropriate folder, Firefox will use them.

There are two things to know about this:
1) Another piece of malware has to be