Spyware Disguises Itself as Firefox Extension

Juha-Matti Laurio writes "The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks. It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process."

Not a vulnerability.

Note that this isn't a Firefox vulnerability.

The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

Re:Not a vulnerability.

I refuse to use this trojan until it's ported to Linux.

We have to send a message to developers that we want our apps native.

KFG

Re:Not a vulnerability.

Come on, You dont even have to be a script kiddie to write malware for Linux.

This is how it works:

First create an executable that will do bad things. It could even be a csh script. Then send emails to all and sundry like this and attach that file"

Dear Linuxuser,

This is a virus/trojan/worm/malware for Linux. It works on the honor system. Please forward the attachment to all addresses in your .mailrc first and then save it to disk, chmod +x and sudo it. Thank you.

Attachment: malware

make it open source

just send the source code in a nice tarball .

that way it's open source and people can improve it .

Re:Not a vulnerability.

csh ! What century have I entered this time.

Re:Not a vulnerability.

This is the one thing that keeps people from running Linux on their desktops! We normal users don't want to fiddle around with the commandline and stuff like that, we need a point-and-click-interface to compromise the security of our computers! Trust me, until this is fixed, Linux has no hope of ever becoming a serious competitor to Windows.

Re:Not a vulnerability.

Good point.

A friend of mine has certifications as an MCSE and a CNE. When I tell him to run "ipconfig /all" and "route print" (on his WinXP machine), the look of consternation and confusion on his face is priceless.

Re:Not a vulnerability.

A friend of mine has certifications as an MCSE and a CNE

With friends like that, who needs users?

Re:Not a vulnerability.

Not as priceless as the look on my face on reading that and noting that that clueless muppet gets paid a lot more than I do. Maybe I should get off my arse and get one of them MCSE thingies.

Re:Not a vulnerability.

It's depressing to me because I think MCSE used to mean something

It still does: Moron Confused by Sun Equipment.

Still better than Netware, which has two certification which stand for Certainly No Experience and Can't Network Anything.

Re:Not a vulnerability.

McAfee do not describe it as a Firefox exploit. They describe it as a VBS exploit originally written to target IE, i.e., a Windows exploit.

KFG

Emphasis on that.

This is an Outlook/IE "virus" who's payload is a keylogger and crap that hooks into Firefox.

This does not exploit any vulnerability in Firefox.

If your OS is not secure, no app running on it can be secured.

Re:Emphasis on that.

This is an Outlook/IE "virus" who's payload is a keylogger and crap that hooks into Firefox.

This is an user-executed email attachment with a trojan. It will happily be executed from Outlook Express, IE, Eudora and Thunderbird. McAfee mentions they've seen one version trying to exploit a three year old IE vulnerability. If you haven't patched that, well then you deserve to get nailed.

This does not exploit any vulnerability in Firefox

It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing someone is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

If your OS is not secure, no app running on it can be secured.

If your OS is being operated by a user that executes attachments from "WalMart" that read "helo, teh attcachements for yuo pleasures" then your OS is not secure.

BTW, this progression is interesting. When FF came out just installing it would make the world safe, because it was invulnerable and impervious. Now I also have to switch operating systems? And when someone finds another exploit in SSH

Re:Emphasis on that.

It is a vulnerability in that FF will happily load and execute any plugins dropped into its profile directory. The only time you are warned about installing someone is at download time. FF will never check for a signature or otherwise go "oh, a new plugin I've never seen. Hmmm, maybe I should ask the user about it?". Vulnerability.

Okay, and then the next trojan will simply add itself to the file that Firefox checks to see if the extension is new, and you're back to square one.

Firefox isn't the problem. The fact that the thing can write to the application's directory means the computer is already compromised.

Re:Emphasis on that.

That's the legitimate extension. This trojan is not it.

RE: Emphasis on that.

Actually, if you read the article more closely (and similar articles that have appeared in no shortage of other places), the malware pretends to be the numberdlinks extension. Your post implies that the actual extension is malware, and this is untrue.

Additionally, if you read the Slashdot blurb, it's explained pretty clearly there.

Basically, if you click on e-mail attachments without knowing what they are, it's your own fault if your computer becomes infested with viruses and spyware.

Re: Emphasis on that.

No. It's not.

Any extension downloaded from addons.mozilla.org has been tested, is widely used, and subject to an enormous amount of user feedback.

Now, if you download an extension from kickme.to/malware, you get what you deserve.

Re:Not a vulnerability.

Actually, I'd call it a "man in the backdoor" attack, considering what it does to you...

Signatures don't matter here

You are talking about a situation where an executable has been run with your priveleges. It can do anything it wants to, especially in Windows where most people run as Administrators. It can disguise itself as a firefox extension, sure. But it could also modify the firefox binary, or simply install a sniffer running as a service, or format your drive, or any number of nasty things.

The only place a singature would matter in this case is when the trojan executable was run. If you are executing attached executables from an e-mail, then no amount of signature verification is going to protect you. The reality is that no technical process can exist that will prevent this kind of attack so long as users can install their own software.

Re:Not a vulnerability.

Note that this isn't a Firefox vulnerability. The trojan is opened as a Windows executable from email attachments, and writes itself into the Firefox profile's configuration directory.

While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

Of course, this presupposes that Firefox hackers can manage to get their extensions signed, and if that's possible, then the malware authors could do the same. Unless...FF gets distributed with a mozilla.org CA cert, and extensions accepted and published on the mozilla site(s) get signed with that cert, then every "legitimate" extension from the mozilla sites will be verifiable at runtime. The user could opt out of that with an "allow execution [not installation] of unsigned extensions" preference setting, but the majority of users would be protected, so long as the malware doesn't also set that preference for the user. :)

(though even that last bit could be guarded against by creating a personal key to sign the config with, and every time you make a "security relevant configuration change" to the browser's settings, you have to re-sign the file.)

Re:Not a vulnerability.

... or until the trojan makes a trivial change in FireFox's binary.

Once you're pwned, you're pwned. If you give someone free reign on your box, he can do anything to any file writeable by you.

Re:Not a vulnerability.

While true, perhaps a related problem that actually is a vulnerability is the fact that Firefox (apparently) only checks for a valid signature on the plugin at download/install time. Maybe the Firefox configuration file, or at the very least the binaries for each extension, should be cryptographically verified at runtime.

Once someone's system is compromised, they can replace or alter the FireFox binary which verifies the signatures, replace libnssckbi.so, libsoftokn3.so, whatever.

You can't win at that point. If you're storing your operating system and executables on writable media, it can never be trusted to that level. The hardware would have to cryptographically verify the boot loader on disk, which would verify the kernel, which would then be able to verify everything it executes--FireFox alone can't do it.

(Say, what was that hardware-based Trusted Computing stuff supposed to do? In addition to ramming DRM down everyone's PCI bus, wasn't there system verification too?)

MozillaZine Has More

This MozillaZine article [mozillazine.org] has lots more on the trogan horse, including instructions for spotting if you have it.

Personally...

Personally I only download FF extensions from the official site.
https://addons.mozilla.org/extensions.php?app=fire fox [mozilla.org]

Re:Personally...

In that case... Who runs an exe they receive in an email? Unless I'm expecting it, and know the sender, I certainly won't.

Education must be the answer then. I learned not to open random executables from unknown sources many years ago. People apparently click them though. Teach a man to use the internet, and he'll be safe for a day. Teach a man to know the internet and he'll be safe for a lifetime.

Re:Personally...

Teach a man to send an "internet," and he can be a senator!

http://www.youtube.com/watch?v=DClkE64nFDY [youtube.com]
Fast forward to about 2:00.

Is numberedlinks legit?

The article is not clear. If not, get it off the Moz site. If so, sux to be them.

Hmmmm

Basically, what you're saying, is I must open an EXE from a non Walmart "Walmart" email, or I have to use IE?

Nothing to see here, move along..

Break extension

In next version of Firefox, the extension will be broken anyways. Mozilla breaks extension every new release. :D

Thankfully, I'm running IE

Which makes me invulnerable to snooping for credit card numbers as all my accounts are empty and my credit rating is ruined.

What does MS say?

We claim Prior Art for The old "it's not a bug, it's a feature" ploy.
Please contact our legal department.

How does it work?

Does it install simply by browsing, or does it need to open an .exe? Or do you install it like a normal extension?
If it's #1, it's bad
If it's #2, not so bad - a simple virus
If it's #3 - hey, who install extension from non-oficial sources?

The tip of the iceberg...

People seem to be awfully dismissive of this, but it poses a real problem. Given the number of available vectors, even careful Firefox users can get struck by virus/spyware/other attacks (even OpenSHH has critical security vulnerabilities from time to time, and it is specifically designed for security). More sophisticated extension hacks aren't too far away. Given the level of extensibility offered via extensions, it sounds plausible that extensions may be delist themselves from the extension manager (a la rootkit techniques). Even if the Moz team had the foresight to prevent such a hack, it is pretty trivial to simply infect an existing extension. Simply inject your hostile javascript code into the extension files to get loaded along with the host extension. Maybe modify existing javascript that is provided in a default installation, such as the search engine plugins. Plus, you get the added benefit of cross platform compatability for your Firefox hacks.

This is the proverbial shot across the bow. Perhaps it's time for crytographically signed extensions? It may not protect from someone explicitly installing a hostile extension, but it may prevent the self-installation of this kind of software from succeeding.

that's it, I'm switching to Internet Explorer

I've had it. That's it, I'm switching to Internet Explorer. You can play with your crappy browser but I'm done with it.

Crapshoot

Ok, so you get the virus in an email... what if you don't have Firefox? Blasphemy, I know. More importanly, if you do have Firefox, are you necessarily going to be running Outlook to catch this bug in the first place?

Spyware Disguised as an MSIE Extension

It could have been worse, like spyware disguised as a Microsoft Internet Explorer extension. That's sort of like Nixon wearing a Nixon mask.

RTFA

Again with people jumping to conclusions. The trojan is loaded when you open an .exe attached to an e-mail from "Wal-mart". Lesson to be learned: never open random .exe attachments. Ever. Problem solved.

For those of you screaming that "numberedlinks" should be removed from the mozilla site, that wouldn't fix the problem. The original extension is perfectly safe and NOT a trojan. This one is just spoofing it by installing itself with the same name.

A little more careful reading and some common sense go a long way

Firefox is horribly vulnerable; I have proof.

On a machine which I maintain for my SO and children, M$ XP Pro is installed. The default browser is FireFox, which I have managed to convince my SO and children to use.

My daughter (with a limited user account, no less) viewed a malicious advertising banner while logged into MySpace.com. I'm quite sure she clicked "yes" to running a WMF exploit.

She has a limited account. End of story, you say? Nope, read on . . .

My wife logged in a couple days later. A popup baloon warned her that the machine was infested and she should "click here to fix the problem". Well, she installed AntiVirusGolden v3.3 (from her not-so-limited user account). Who can blame her? I wouldn't have fallen for it (I already had CA's EZ-Antivirus installed and more or less trusted it), but it looked like a valid course of action to her, so the next thing I knew there were nearly a dozen payloads whanging around the rusty innards of my SO's computer - some acquired on the spot, others dropped there during the following week, I'm sure.

That machine now runs Linux (like the rest of my home network). I'd like to thank the wonderful malware authors at AntivirusGolden for giving me the leverage I needed to convince my SO to give up on Windows and use a somewhat more securable OS.

Oh, but I'll continue to use Firefox, now that I've closed that horrible WMF exploit that it has! You'd think the Firefox development team would know better than to trust end-users with the option to execute WMF's. Hmmph!

*(The above is intentionally sardonic; but the basic facts are true)*

Suckers...

Every time I install a "NEW!" Firefox extension made "JUST FOR ME!", I get a free iPod.
Haha, suckers. ;)

FireFox site is down

The Mozilla [mozilla.com] site has been down all day too.

Clarification

The numberedlinks on mozdev [mozdev.org] is legitimate and "trojan"-free. As others have said, you have to open the attachment in an e-mail for the evil one to work.

AFAIK, as long as you get your attachments from the Get More Extensions [mozilla.org] link (which most people that I know do), then you should be safe.

Any Firefox updates released ?

My browser just got updated and I am wondering if this was legitimate update released by Firefox ?

numbered links, different extension

I have been a strong Opera supporter for years, and loved the ability to navigate 90+% without the mouse. I started using Firfefox in the last 6 months for it's developer tools. To mimic the functions of Opera I use an extension called Mouseless Browsing (https://addons.mozilla.org/firefox/879/) which has been very nice.

Looking at the big picture!

Forget the debate on FF vs IE and WinXX vs *nix - otherwise known as the 'My dad is bigger than your dad!' department. The issue is that an exploit, however it arrived on the machine, is targeting Firefox. All those smug 'it can't happen to me because I use xxxx version of yyyy product/os' should see this as the beginning of an onslaught on all *nix and open source projects in general. Yes, I realise this exploit was specifically on Windows but you are missing the big picture. That being an open source project went from a minor player to a major competitor and so became a big target. You may feel safe in your (insert *nix here) OS but the end of that house of cards is in sight. 'But I know what is secure and what is not, and my system is harded against such stuff!', I hear you cry. Well, if you realise that more and more people are running *nix based desktops and most of those new users have and need only basic 'Clue' on how to run their browser and wordprocessor then we are looking at an ever expanding problem. How long will it be before everyday users are downloading distros with Spyware built right into the kernel? 'But, I know how check a distro is genuine!!!', I hear you cry again. And again I say what about your average user - do they know instinctively how to check hashes on everything they download? No they do not! Mark this date in your calender - the end of OS smugness is in site.

I'm a moron

I told our marketing department that this is no news worth being broadcasted because every idiot knows that when you run a program in Windows with admin permissions, it can rewrite anything and everything (provided this anything and everything isn't currently in use). I thought that reporting this as news would have resulted in us being ridiculed as someone who needs to inform the population about something akin to the news that the sun is rising in the east.

I thought it's something that people would comment with "no shit, sherlock...", at best. If they are gentle with us.

Boy was I wrong. Here I go and waste our chance to make it to /.

firefox -safe-mode &

i always run firefox in safe-mode. i know that extensions cannot be loaded, but the only important firefox extensions i used to use are now replaced by web proxies. for example, i used to use livehttpheaders, tamperdata, and modifyheaders. with burp, suru, webscarab, and xss-proxy, these extensions lack the significance they once had. for people that are heavy into extensions and themes, maybe you should first ask yourself why, and then weigh the benefits versus the drawbacks.

i also change a few settings in options->content and about:config to prevent javascript from doing anything but the basics. since i'm always bouncing back between windows xp, linux, freebsd, and mac os x - it's nice to be able to acheive such consistency and still know what my baseline for browser security posture is.

there is worse spyware out there these days anyways. see: http://theinvisiblethings.blogspot.com/2006/06/int roducing-blue-pill.html [blogspot.com]

Exploit or not exploit

Firefox can be used to do harm. Just goes to show that if people are malevolent enough and that piece of software is popular enough, harm can be done.

Seems a good opportunity to improve extensions?

Make it so that only stuff installed via firefox itself will run? Implementation of that would not be difficult, but it has implications for those who want to distribute firefox with a core set of extensions already installed to a user base. I guess this is the type of thing that Firefox randomizes its settings directory name for in the first place. Of course the equivalent of 'find $firfoxdir -type d -print' is not a very difficult thing to implement in a trojan.

WalMart and Firefox extensions?

I don't know why anyone would believe that WalMart sent them an extension for Firefox in the first place. To me, that would raise a red flag.

Funny thing... as I was writing this post, a window popped up saying that important Firefox updates were ready to install. Kinda made me hesitate :)

New.net quicksearch also does this

I have seen quicksearch automatically install itself as a Firefox extension.

Yay for low-barrier unsigned extensions

Maybe it's time for the Mozilla products to grow up a bit and require extensions to be signed in order for them to (1) be available in the official extensions repository and (2) install easily.

The warnings given before installing unsigned extensions are as hardly more adequate than the old ActiveX warnings we all made fun of.

Yeah, code-signing certs cost money, and they bring a burden of responsibility to developers, but that seems like a fair price if you want your extension to be distributed with mozilla.com's blessing and install with two clicks and no really nasty warning.

Where does it send the data?

Does anyone know the IP to which it sends the information? THIS sounds like a job for Your Hosts File!

A better security model is needed.

Right now the security model for Unix and Windows goes like this: either the user is the administrator and can change anything or he is not an administrator and can only access his own files. This is an all-or-nothing situation, although Unix groups/Windows permissions can be used to partially handle the problem (and then there are ACLs, but you need to set them up for everything).

Here is another proposal for O/S designers: ring protection. Just like an 80x86 CPU, each application runs within a ring. Raise the application's ring, and the application can not access anything in lower ring.

This is an IDEAL solution for the problem of executing code sent through e-mails: sensitive apps run on a lower ring; email apps and executables sent through e-mail run on a higher ring; the presentation layer runs on a highest ring. Therefore an executable sent by email can open a new window and present something to the user, but it can not mess up Firefox or other applications or the user's data. Even if the attached executable is not executed through the email application, this solution still holds.

Good news for OSS

It shows that Firefox is popular enough to attract the specific attention of virus/trojan writers.

Seriously.

Re:FUD

That's for marking your post that is pure FUD as FUD with the title.

The trojan is being distributed through spam emails. It has zero to do with Internet Explorer.

Someone please mod this troll to oblivion.

Re:FUD

What you don't seem to realize is that IE isn't embedded in 3rd party email clients like Thunderbird and Eudora, but the attachment will still hammer Firefix when you run it, just as it will in Outlook.

Re:and?

(response from Lynx user) *cough* ActiveX *cough* *snigger*

Re:Why is mozdev.org still...

It disguises itself as numberedlinks. If that guy does get a bad rep it'll be because of lazy people like you who cannot be bothered to read an article on mozdev before starting a witch burning.

Re:Why is mozdev.org still...

Hate to break it to you but ALL software is potentially bad. You have to decide how much you trust it based on who wrote it, whether that's verifiable, your own inspection of the source, whatever. In the case of F/OSS you do at least have to option of inspecting the source. You have no such luxury with non-free software, in which case you simply have to decide how much you trust the publisher.