
'Greasemonkey' Malware Targets Firefox

snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."
  • by Hari Kant ( 1124085 ) on Thursday December 04, 2008 @12:35PM (#25990173)
    I would suggest that you DO NOT "Remember Passwords" and login IDs in any browser where sensitive information will ultimately be sent.
  • Re:only firefox? (Score:2, Informative)

    by scientus ( 1357317 ) <instigatorirc&gmail,com> on Thursday December 04, 2008 @12:36PM (#25990203)

    It's JavaScript, so the end code is probably cross-platform. Whether the delivery takes place on multiple platforms I do not know, but that largely depends on the delivery mechanism; as an XPI it would probably be fully cross-platform.

    Mozilla vs. Firefox, who friggin' knows.

    Someone should publish the JavaScript; the press report was totally bull.

    Also, Java != JavaScript.

  • by maxwell demon ( 590494 ) on Thursday December 04, 2008 @12:41PM (#25990297) Journal

    I guess the malware remembered those passwords itself, so not storing them in the password manager wouldn't help.

    IMHO the fact that you can use plugins with Firefox means that there should be an extra security barrier inside Firefox that disallows extensions to get passwords (e.g. when accessing the password lines, it would just get the stars which are also displayed on the screen).

  • by Elemental MrJohnson ( 866951 ) on Thursday December 04, 2008 @12:53PM (#25990523)
    Some banks already do this (at least in the UK). They send out a card reader that you use for a challenge/response when you put your bank card and PIN in. It's only required for making payments to new people, so you can view your balance and make payments to people or organisations you've made at least one payment to before. It's not perfect, but it goes some way towards improving security. More here [natwest.com]
  • Re:PC ONLY? (Score:5, Informative)

    by thtrgremlin ( 1158085 ) on Thursday December 04, 2008 @12:53PM (#25990543) Journal
    Since reading the article is for losers anyway...

    This [plugin] is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder

    Since the computer need already be compromised... sure you can draw your own conclusion on that one :)

  • Re:only firefox? (Score:5, Informative)

    by Rudisaurus ( 675580 ) on Thursday December 04, 2008 @01:02PM (#25990675)
    More details here [bitdefender.com]
  • by clone53421 ( 1310749 ) on Thursday December 04, 2008 @01:04PM (#25990715) Journal

    JavaScript is already capable of getting the value of a password field, and even if it wasn't, they could just redirect the form action and get the password that way.

    Try this: go to Paypal.com (any page with a password field, really), type in something arbitrary into the password field, and then paste this into the address bar:

    javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password"){alert(a[i].value);i=a.length;}void(0);

  • by Thelasko ( 1196535 ) on Thursday December 04, 2008 @01:06PM (#25990743) Journal
    Here's the important part:

    is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder. Once installed it gets to work every time Firefox is started.

    Apparently Firefox has protections so plugins can only be downloaded from addons.mozilla.org, but if they are downloaded by another program, and placed in the appropriate folder, Firefox will use them.

    There are two things to know about this:
    1) Another piece of malware has to be present on the machine for this to happen.
    2) There is a "feature" in Firefox that allows it to run any program in the plugin folder.

    Yeah, there's a bug in Firefox, but it's not the root cause.

  • by joeflies ( 529536 ) on Thursday December 04, 2008 @01:23PM (#25990999)

    The problem with USB keys is that you have to install a client to handle the PKCS #11 with the browser. No bank wants to get in the business of telling customers to install software (and all the help desk problems that come with it).

    OTP tokens have been the preferred method for consumer strong authentication, but only consumers in Europe seem to have taken to them. I don't really see people lining up to get the PayPal OTP token.

  • Re:only firefox? (Score:3, Informative)

    by The MAZZTer ( 911996 ) <megazzt&gmail,com> on Thursday December 04, 2008 @01:23PM (#25991003) Homepage
    Nowhere does it say it is Java. In fact, I don't see any Java. I see JavaScript, but that is completely unrelated to Java (if the name confuses you, take it up with Sun, their marketing department wanted to leech off of Java's success). There is only a JavaScript file and a Windows Netscape Plugin. So it probably only affects Windows.
  • by rs232 ( 849320 ) on Thursday December 04, 2008 @01:31PM (#25991137)
    "This latest e-threat - called Trojan.PWS.ChromeInject.A - is intended to be delivered onto a compromised computer [bitdefender.co.uk] system by other malware"

    SYMPTOMS: Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"

    TECHNICAL DESCRIPTION: It drops an executable file (which is a Firefox 3 plugin)

    Does that mean it's Windows only ?
  • by Scuff ( 59882 ) on Thursday December 04, 2008 @01:33PM (#25991179)
    You can detect it by looking for the following 2 files:

    "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
    "%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"

    Theoretically, closing Firefox and deleting those might remove it. The recommendation is to run anti-virus software, which is a good idea since the rest of the article indicates this is usually added to already compromised machines. Locations of the files may vary by OS, but they should still be in the Firefox plugins and chrome theme directories.
  • by gavron ( 1300111 ) on Thursday December 04, 2008 @01:34PM (#25991201)
    It doesn't "target Firefox", it targets "Firefox on Windows 32 systems" This does not affect Linux, Mac, or other systems. Ehud
  • by Sounder40 ( 243087 ) * on Thursday December 04, 2008 @01:43PM (#25991345)

    The reason Windows is targeted is because its model of sharing everything was so wide open to so many exploits. And don't forget the numerous buffer-overflow vulnerabilities. Top that off with the fact that it is so pervasive, and you have the deadly combination we have now.

    Linux/Unix, on the other hand, was written with clear lines of delineation between the user and kernel spaces. And attention was paid to avoid buffer overflow vulnerabilities.

    Not saying that there aren't exploits available in Linux and Unix... There are. It's just designed from the ground up to be more secure than Windows.

    So part of what you said is correct: The pervasiveness of Windows is a major reason why it is targeted. But you can't avoid the poor security design of Windows as a cause as well.

  • Re:only firefox? (Score:5, Informative)

    by Vancorps ( 746090 ) on Thursday December 04, 2008 @01:46PM (#25991403)

    I ran into this when I visited a site that another admin got the Antivirus 2008 trojan from. Of course I'm on Ubuntu so I was pretty sure simply visiting the site wouldn't cause any problems. I kept getting prompted to install it so I just found out what link it kept calling and just modified my hosts file to point it to localhost and then I got out of it like I should.

    Pretty devious exploit though.

  • Re:PC ONLY? (Score:5, Informative)

    by drachenstern ( 160456 ) <drachenstern@gmail.com> on Thursday December 04, 2008 @01:58PM (#25991587) Journal

    But I thought the sequence usually went like this:

    1. Install Firefox
    2. Install noScript
    3. ???
    4. Don't get infected by js vector based viruses.
    5. Get flamed on /. for pedantic usage of noScript to designate a particular add-on to Firefox, and for not using the general designation of either FX3 or FF3...

    No, but really. If you have noScript, as most everyone I know using Fx does, then how do you get infected by a virus that uses js as an attack vector...

    Guess I'll keep reading the thread and see if the answer arises.

  • Re:PC ONLY? (Score:4, Informative)

    by thtrgremlin ( 1158085 ) on Thursday December 04, 2008 @02:18PM (#25991889) Journal
    It is written in JavaScript, but the delivery system is Windows only. This malware also does not use its own delivery system. (Don't worry, you would have to read the article to know that, and we all know reading the article is for losers.)
  • Gah... (Score:4, Informative)

    by msimm ( 580077 ) on Thursday December 04, 2008 @02:19PM (#25991923) Homepage
    Read.article. Most of your 'insightful' comment applies to Windows and piggy-backing on a Windows exploit. The other OS's you mention (ie: not Windows) would be exploited by ignoring the FF warning dialog about installing untrusted add-ons and installing it anyway (not so much an exploit).

    That said, if you're done being cheeky: software is complicated. Bugs are a simple reality and inevitably lead to some kind of exploitability. But Linux and Mac (along with FF and numerous other open tools) get a bit of credit for implementing basic controls (accounts with privilege separation in the OS's) and responding quickly and proactively.

    Windows is only now trying it, but their implementation is so cumbersome it's defeating its own purpose.

    Any Vista users out there who haven't already tried it: there are several open source sudo [sourceforge.net] for Windows [sourceforge.net] implementations that make using non-privileged accounts more viable. I think I use Sudowin [sourceforge.net], which seemed to work the best for me, but I'm not on my home computer.
  • Re:I wish (Score:5, Informative)

    by Lumpy ( 12016 ) on Thursday December 04, 2008 @02:39PM (#25992241) Homepage

    I give out my paypal password all the time.

    It's Fire98-myFun.

    It will do you no good without my keyfob and its current 6-digit number. My bank, PayPal, eBay, and 2 of my credit cards use the same keyfob because they use VeriSign, and it defeats every single one of these trojans, keyloggers, and scammers. Why they are not commonplace I'll never understand.

  • Re:I wish (Score:4, Informative)

    by Lumpy ( 12016 ) on Thursday December 04, 2008 @02:56PM (#25992509) Homepage

    http://www.coolest-gadgets.com/20070118/paypal-security-key-fob/ [coolest-gadgets.com]

    covers paypal and ebay. It's been in place over a year now. You will need to go searching online in ebay and Paypal to find the real links. I had to be logged in to find them and they are internal links.

    My bank is a Michigan-only bank, so it'll probably not be available to you, but the whole system is VeriSign based, so if the company uses VeriSign's system the same keyfob works for all of them.

  • by clone53421 ( 1310749 ) on Thursday December 04, 2008 @03:20PM (#25992893) Journal

    Can I put on my 'told you so' t-shirt now?

    No, you can't. The trojan doesn't attack the password list file, it scrapes the login credentials from forms of sites when you visit them.

    Anyway, are you aware of any way of obtaining username/password information from the "woefully unprotected" password list? I'm not saying a way doesn't exist, but I don't know of any.

  • Re:Mozilla? (Score:3, Informative)

    by clone53421 ( 1310749 ) on Thursday December 04, 2008 @03:23PM (#25992951) Journal

    The malware calls itself "Greasemonkey" to avoid detection, but it's completely unrelated to the real Greasemonkey add-on.

    Same as all the "spyware removal" or "antivirus" tools that are really adware/trojans... it's just to get it on your machine and prevent you from trying to delete it...

  • by rickst29 ( 553930 ) on Thursday December 04, 2008 @04:26PM (#25993807)
    "Trojan.PWS.ChromeInject.B" is definitely only effective in Windows, because it installs and executes these files:

    "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
    "%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"

    browser.js calls the DLL file, which can't run in Linux, etc., unless you're running a WINDOZE Firefox via CrossOver (which would be insanely stupid). Also, since it's installed into the program directory (rather than the user's profile), Vista will almost certainly make you click for "administrator confirmation" before writing the files. (I don't know for sure, because I don't have Vista.)

    When I enter the URL for http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.A.html# [bitdefender.com], the page content is identical to the version for "Trojan.PWS.ChromeInject.B" (even the given name is "Trojan.PWS.ChromeInject.B"; either they overwrote the ChromeInject.A page by accident, or ChromeInject.A isn't spreading in the wild AND has nearly identical characteristics, perhaps differing only in file sizes). BitDefender provides the following list of banks on their page for this version, http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html [bitdefender.com]:

    "It filters the URLs within the Mozilla Firefox browser and whenever encounter the following addresses opened in the Firefox browser it captures the login credentials."
akbank.com caixasabadell.net credem.it areasegura.banif.es banca.cajaen.es openbank.es poste.it banesto.es carnet.cajarioja.es gruposantander.es intelvia.cajamurcia.es net.kutxa.net bancopastor.es bancamarch.es caixamanlleu.es elmonte.es ibercajadirecto.com bancopopular.es bancogallego.es bancajaproximaempresas.com caixa*.es caja*.es ccm.es bancoherrero.com bankoa.es bbvanetoffice.com bgnetplus.com bv-i.bancodevalencia.es clavenet.net fibancmediolanum.es sabadellatlantico.com arquia.es banking.*.de westpac.com.au adelaidebank.com.au pncs.com.au nationet.com online.hbs.net.au www.qccu.com.au boq.com.au banksa.com anz.com suncorpmetway.com.au quiubi.it cariparma.it bancaintesa.it popso.it fmbcc.bcc.it secservizi.it bancamediolanum.it csebanking.it fineco.it gbw2.it gruppocarige.it in-biz.it isideonline.it iwbank.it bancaeuro.it bancagenerali.it bcp.it unibanking.it uno-e.com unipolbanca.it carifvg.com cariparo.it carisbo.it islamic-bank.com banking.first-direct.com natwestibanking.com itibank.co.uk co-operativebank.co.uk lloydstsb.co.uk mybankoffshore.alil.co.im abbeynational.co.uk mybusinessbank.co.uk barclays.com online.co.uk my.if.com anbusiness.com hsbc.co anbusiness.com co-operativebankonline.co.uk halifax-online.co.uk ibank.cahoot.com smile.co.uk caterallenonline.co.uk tdcanadatrust.com schwab.com wachovia.com bankofamerica kfhonline.com wamu.com wellsfargo.com procreditbank.bg chase.com 53.com citizensbankonline.com e-gold.com paypal.com usbank.com suntrust.com banquepopulaire.fr onlinebanking.nationalcity.com
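The watch-list quoted above mixes plain domains, bare names ("bankofamerica", "hsbc.co") and shell-style wildcards ("caixa*.es", "banking.*.de"). The example below, added here and not taken from BitDefender or from any poster, turns such a list into a matcher and runs it over a few constructed proxy-log lines, which is both a way to understand the trojan's target selection and a starting point for a hunting rule. The matching semantics are an assumption, because the write-up does not state them: a case-insensitive substring match against the hostname, with '*' standing for any run of characters other than '/'. Only a subset of the list is embedded.

```javascript
// Constructed subset of the quoted watch-list (not the full set).
const WATCHLIST = [
  "paypal.com", "bankofamerica", "hsbc.co", "caixa*.es",
  "banking.*.de", "lloydstsb.co.uk", "e-gold.com",
];

// Escape regex metacharacters in each literal piece, then join the pieces
// with the wildcard translation. The result is deliberately unanchored to
// reproduce substring semantics.
function patternToRegex(pattern) {
  const escaped = pattern
    .split("*")
    .map((piece) => piece.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join("[^/]*");
  return new RegExp(escaped, "i");
}

const COMPILED = WATCHLIST.map((pattern) => ({ pattern, re: patternToRegex(pattern) }));

// Hostname of a URL string, or null when the input does not parse as a URL.
function hostnameOf(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

// First watch-list entry whose pattern matches the URL's hostname, or null.
function matchWatchlist(url) {
  const host = hostnameOf(url);
  if (host === null) return null;
  const hit = COMPILED.find((c) => c.re.test(host));
  return hit ? hit.pattern : null;
}

// Constructed proxy-style log lines: "<timestamp> <client> <method> <url>".
const SAMPLE_LOG = [
  "2008-12-04T12:35:00Z 10.0.0.7 GET https://www.paypal.com/cgi-bin/webscr",
  "2008-12-04T12:36:10Z 10.0.0.7 GET http://www.example.com/index.html",
  "2008-12-04T12:37:42Z 10.0.0.9 POST https://banking.postbank.de/login",
  "2008-12-04T12:38:05Z 10.0.0.9 GET https://www.hsbc.co.uk/",
  "2008-12-04T12:39:11Z 10.0.0.4 GET https://caixagalicia.es/",
  "2008-12-04T12:40:00Z 10.0.0.4 GET not a url at all",
];

// Returns [{client, url, pattern}] for every line whose URL is on the list.
// Malformed lines and unparsable URLs are skipped rather than matched.
function huntLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const fields = line.split(" ");
    if (fields.length < 4) continue;
    const [, client, , url] = fields;
    const pattern = matchWatchlist(url);
    if (pattern !== null) hits.push({ client, url, pattern });
  }
  return hits;
}

// Stand-alone run.
for (const h of huntLogLines(SAMPLE_LOG)) {
  console.log(`${h.client} -> ${h.url}  (matched "${h.pattern}")`);
}
```

Two caveats if this is reused as a detection rule rather than a model of the trojan. Substring matching over-matches: "paypal.com" also hits paypal.com.evil.example, and an entry like "online.co.uk" from the quoted list would fire on any host containing it, so a real rule should anchor on the registrable domain. And the list shows what the malware filters on, not where it exfiltrates to; the thread only says the collected credentials go to a server in Russia, so this matcher says nothing about the outbound side.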
  • by Chris Burke ( 6130 ) on Thursday December 04, 2008 @04:55PM (#25994233) Homepage

    You might think it's common sense that marketshare is all that matters, but we hammered this out years ago when comparing attack rates on IIS vs Apache.

    Obviously marketshare is a factor. Ease of infiltration is another factor. A more popular platform will be attacked less if the chance of success is lower, because at the end of the day going after the weaker but less popular platform can still net you more compromised systems. If you only look at desktop browsers and OSes, you might not think this is the case, but that's only because right now the most popular program and the most vulnerable program are the same, and that the up-and-coming browser can only claim to be better than the most popular one on security issues, not actually good.

    In any case, common sense should not be telling you that the security of the program doesn't affect the number of hacks and viruses. Making the reasonable assumption that all code contains some number of bugs does not in any way imply that they are equally prevalent or equally easy to find in any given program, or that the time to discover the bugs is always the same and dependent only on desire. Exploring esoteric avenues of investigation because the incentive is so high does not guarantee a timely result. If it takes substantial time and effort to find an exploit, which is then fixed, requiring another substantial effort to find another exploit, then it may not be in the hacker's interest to go after this target versus a lower profile one where exploits can be found faster and more frequently in spite of bug fixes.

    Put succinctly: "the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare" is trivially wrong, at its simplest you could say that the number of hacks and viruses is related to (marketshare * vulnerability).
