'Greasemonkey' Malware Targets Firefox

Posted by CmdrTaco on Thu Dec 04, 2008 12:25 PM
from the oh-this-can't-end-well dept.
snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."
This discussion has been archived. No new comments can be posted.
  • I wish (Score:5, Funny)

    by gEvil (beta) (945888) on Thursday December 04 2008, @12:29PM (#25990055)
    I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....
  • by girlintraining (1395911) on Thursday December 04 2008, @12:35PM (#25990179)

    Well, this just proves that it's easier to develop for Firefox than IE. ^_^ Of course, it's a very backhanded compliment.

  • by Vellmont (569020) on Thursday December 04 2008, @12:38PM (#25990243)

    It's just part of the mounting evidence that username/password combinations for banks are inherently flawed. "Something you know" can always easily be known by someone else. Bank security should (IMO) be also based on "something you have", like an ATM card.

    If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.

  • by xiao_haozi (668360) on Thursday December 04 2008, @01:03PM (#25990691) Homepage
    That's it....I'm switching to IE!
  • Fix (Score:5, Funny)

    by Frankie70 (803801) on Thursday December 04 2008, @02:00PM (#25991617)

    You can download a fix for it here [microsoft.com].

    • Re:only firefox? (Score:5, Insightful)

      by miknix (1047580) on Thursday December 04 2008, @12:39PM (#25990271)

      Mozilla needs your permission to install plugins from unverified sources.

      But since Windows standard practice is to click on everything that has an OK on it, I think it doesn't matter.

    • Re:only firefox? (Score:5, Insightful)

      by Brain-Fu (1274756) on Thursday December 04 2008, @12:43PM (#25990327) Homepage Journal

      from the article:
      Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

      This is utterly unacceptable. They should give instructions to users on how to avoid downloading this.

      They listed two ways in which systems get infected. One is "by being duped into downloading it." The instructions to avoid this are easily enough translated as your standard Internet hygiene guidelines: "When websites offer browser-enhancements to you, say no," and "don't execute email attachments even if they come from trusted friends."

      However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.

      • by MrMr (219533) on Thursday December 04 2008, @12:47PM (#25990415)
        The problem has been diagnosed by BitDefender, and they can sell you all the peace of mind you ask for.
      • Re:only firefox? (Score:5, Interesting)

        by Ed Avis (5917) <ed@membled.com> on Thursday December 04 2008, @12:53PM (#25990517) Homepage

        The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.

        • Re:only firefox? (Score:5, Informative)

          by Vancorps (746090) on Thursday December 04 2008, @01:46PM (#25991403)

          I ran into this when I visited a site that another admin got the Antivirus 2008 trojan from. Of course I'm on Ubuntu so I was pretty sure simply visiting the site wouldn't cause any problems. I kept getting prompted to install it so I just found out what link it kept calling and just modified my hosts file to point it to localhost and then I got out of it like I should.

          Pretty devious exploit though.

          • Re:only firefox? (Score:5, Insightful)

            by hairyfeet (841228) <bassbeast1968@@@gmail...com> on Thursday December 04 2008, @02:21PM (#25991953)

            Bingo, I have seen malware in both Firefox and IE installed using the "endless loop" dialog box that the previous poster pointed out on Bugzilla (BTW, how freakin sad is it that the bug is from pre-1.0 and is still there?). Here is how I saw it work, by using a test box I keep for bug testing and removal practice. I found the bug by going through the user's history and going where he went.

            Here is how it works. You get Mr. Stupid Horny Guy to look at some topsites, you know the ones, a bunch of hot babe thumbnails that take them to yet more topsites. After a few minutes he will hit a site with a dialog box that says something like "You won a free hour in our hot babe video vault! Simply click yes to download the player and watch your hot videos full screen!" but thanks to the bug if he hits cancel it simply throws another dialog box in his face until he hits yes. If Mr Stupid Horny Guy even knows about ctrl/alt/del (which many don't) they will find the PC slow to a crawl whenever they try to launch it. So for Mr Stupid Horny Guy the choices come down to A=yank the plug out of the back, or B=click yes. So you can guess which of those 2 gets chosen more often.

            I just wish Mozilla would put a cancel button automatically on all dialog boxes that would just kill all scripts on a page. It would probably cut way down on the drive by downloads, at least the ones I have come across.

      • Re:only firefox? (Score:5, Informative)

        by Rudisaurus (675580) on Thursday December 04 2008, @01:02PM (#25990675)
        More details here [bitdefender.com]
    • by Simon Brooke (45012) <stillyet@googlemail.com> on Thursday December 04 2008, @12:45PM (#25990367) Homepage Journal

      does it affect all platforms since it's Java?

      anyone know?

      It's not Java, it's JavaScript - two very different languages linked only by a common marketing fuckwit.

    • by maxwell demon (590494) on Thursday December 04 2008, @12:41PM (#25990297) Journal

      I guess the malware remembered those passwords itself, so not storing them in the password manager wouldn't help.

      IMHO the fact that you can use plugins with Firefox means that there should be an extra security barrier inside Firefox that disallows extensions to get passwords (e.g. when accessing the password lines, it would just get the stars which are also displayed on the screen).

      • by clone53421 (1310749) on Thursday December 04 2008, @01:04PM (#25990715) Journal

        Javascript is already capable of getting the value of a password field, and even if it wasn't they could just redirect the form action and get the password that way.

        Try this: go to Paypal.com (any page with a password field, really), type in something arbitrary into the password field, and then paste this into the address bar:

        javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password"){alert(a[i].value);i=a.length;}void(0);
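
The form-action redirect mentioned in the comment above can be checked for from the page side. The following is an added example, not part of any poster's comment: `auditPasswordForms`, the `bank.example` and `collector.example` hosts and the sample document are all constructed for illustration.

```javascript
// Added example: audit login forms for an unexpected submit target.
// `doc` needs a `forms` list shaped like document.forms; in a browser
// console, call auditPasswordForms(document, location.href).
function auditPasswordForms(doc, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const form of Array.from(doc.forms)) {
    const hasPassword = Array.from(form.elements || [])
      .some((el) => el.type === "password");
    if (!hasPassword) continue; // only forms that carry a password matter here

    // An empty action posts back to the page; relative actions resolve against it.
    let target;
    try {
      target = new URL(form.action || pageUrl, pageUrl);
    } catch (e) {
      findings.push({ form: form.id || "(no id)", target: String(form.action),
                      reasons: ["unparseable-action"] });
      continue;
    }
    const reasons = [];
    if (target.origin !== page.origin) reasons.push("cross-origin");
    if (target.protocol !== "https:") reasons.push("not-https");
    if (reasons.length > 0) {
      findings.push({ form: form.id || "(no id)", target: target.href, reasons });
    }
  }
  return findings;
}

// Constructed sample: a search form, an intact login form, and a login form
// whose action has been rewritten to another host over plain HTTP.
const SAMPLE_PAGE = "https://bank.example/login";
const SAMPLE_DOC = {
  forms: [
    { id: "search", action: "/search", elements: [{ type: "text" }] },
    { id: "login", action: "/session",
      elements: [{ type: "text" }, { type: "password" }] },
    { id: "login-tampered", action: "http://collector.example/p",
      elements: [{ type: "password" }] },
  ],
};

console.log(auditPasswordForms(SAMPLE_DOC, SAMPLE_PAGE));
```

The audit runs in page context, so it catches a rewritten form action but not code that reads the field's value directly, which is the case the bookmarklet above demonstrates.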