'Greasemonkey' Malware Targets Firefox 370
snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."
I wish (Score:5, Funny)
Re: (Score:3, Insightful)
I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....
See? With Firefox, you wouldn't have that problem! :-)
Re:I wish (Score:4, Funny)
Now you can ask for a government bailout!
Re:I wish (Score:5, Informative)
I give out my paypal password all the time.
It's Fire98-myFun.
it will do you no good without my keyfob and it's current 6 digit number. My bank, paypal, ebay, and 2 of my credit cards use the same keyfob because they use verisign and it defeats every single one of these trojans, keyloggers, and scammers. Why they are not common place I'll never understand.
Re:I wish (Score:4, Interesting)
Interesting...I'd not heard of such and option being available for PP, eBay or banks.
What bank is that with?
Do you have links on how to set this up with PP and eB? Is it one fob that does it for them all or one for each?
Re:I wish (Score:4, Informative)
http://www.coolest-gadgets.com/20070118/paypal-security-key-fob/ [coolest-gadgets.com]
covers paypal and ebay. It's been in place over a year now. You will need to go searching online in ebay and Paypal to find the real links. I had to be logged in to find them and they are internal links.
My bank is a michigan only bank, so it'll probably not be available to you, but the whole system is verisign based so if the company uses verisigns system the same keyfob works for all of them.
Re:I wish (Score:4, Informative)
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside [paypal.com]
found a public paypal page with more info about it.
Re:I wish (Score:4, Insightful)
Can I still log in to my PayPal account if I lose or break my token, or if I don't have my mobile phone with me?
Yes. During login, we'll ask you questions to help confirm your identity. When you answer them correctly, you'll be able to log in.
Isn't the whole point of this device that you have to have it to log in? What extra security does asking some questions to confirm my identity do if I have a virus logging everything I type?
Re: (Score:3, Interesting)
well, I've been trying for a year to get Paypal to send me one, I even offered to PAY them for it. Nno go. I'm in Canada, and despite the fact that I use the same PayPal.com as all the US customers and they are constantly advertising it to me they refuse to send me one.
Re: (Score:3, Interesting)
I take back my complaint, I just tried it again and the charged me $5 CAD and said it'll be arriving in the mail shortly. I was logged in with my business account this time though, maybe that makes a difference.
Yay! I'm finally getting a PayPal RSA token. I can feel safer knowing my PayPal has equivalent security (on the authentication level anyway) as my Work VPN has had for years.
Re: (Score:3, Interesting)
You are so wrong it's not funny.
One-Time-Password devices do little to protect against man-in-the-middle, man-in-the-browser, session hijacking, or CSRF attacks.
They are useful against some sorts of attacks, but not when the attacker is already in your browser. He just has to wait for you to log in normally, then he does what he wants with your session.
This is a veiled blessing... (Score:2, Insightful)
Re: (Score:3, Insightful)
----
Note: Actually a fanboy, but a realistic one.
Gah... (Score:4, Informative)
That said, if you're done being cheeky: software is complicated. Bugs are a simple reality and inevitably lead to some kind of exploitability. But Linux and Mac (along with FF and numerous other open tools) get a bit of credit for implementing basic controls (accounts with privilege separation in the OS's) and responding quickly and proactively.
Windows is only now trying it, but their implementation is so cumbersome it's defeating it's own purpose.
Any Vista user out there that haven't already tried it there are several open source sudo [sourceforge.net] for Windows [sourceforge.net] implementations that make using non-privileged accounts more viable. I think I use Sudowin [sourceforge.net] which seemed to work the best for me, but I'm not on my home computer.
Re:This is a veiled blessing... (Score:5, Insightful)
DO-NOT "Remember Passwords" (Score:4, Informative)
Re:DO-NOT "Remember Passwords" (Score:5, Informative)
I guess the malware remenmbered those passwords itself, so not storing them in the password manager wouldn't help.
IMHO the fact that you can use plugins with Firefox means that there should be an extra security barrier inside Firefox that disallows extensions to get passwords (e.g. when accessing the password lines, it would just get the stars which are also displayed on the screen).
Re: (Score:2)
That's a really good point. How do I know that the latest update to Forecastfox isn't now ready my browsing history or passwords and uploading that information to a third party. Many addons do not need access to the web page being rendered, so I wonder why there isn't some additional layer of security there.
Re: (Score:3, Insightful)
How do I know that the latest update to Forecastfox isn't now ready my browsing history or passwords and uploading that information to a third party. Many addons do not need access to the web page being rendered, so I wonder why there isn't some additional layer of security there.
You don't. You are trusting solely that the developers are honest and/or that an interested third party reviews their code to ensure it does not do this. But this isn't any different than closed-source; When you install Windows, you're trusting that Microsoft hasn't trojaned their software either. Really, what people fail to understand is that all security is based on trust.
What's mind-blowing though, is that people overwhelmingly are honest.
Re:DO-NOT "Remember Passwords" (Score:5, Informative)
Javascript is already capable of getting the value of a password field, and even if it wasn't they could just redirect the form action and get the password that way.
Try this: go to Paypal.com (any page with a password field, really), type in something arbitrary into the password field, and then paste this into the address bar:
javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password"){alert(a[i].value);i=a.length;}void(0);
Re: (Score:3, Interesting)
Given that javascript can be injected into a page in various ways, and as you show it can access the contents of input fields. Would there be any milage in blocking access to the contents of password fields from javascript. Would that break many sites?
IIRC the file upload element works this way, to avpid revealing the file path to the website.
Re: (Score:2)
Um, all they'd have to do is gather the username/password from the form when you submitted it. Considering that add-ons can dynamically rewrite the HTML of the page you're on (AdBlock, for example), that wouldn't be hard. Send the login credentials to their server using Ajax before the form submits, and you'll never know it happened.
Re:DO-NOT "Remember Passwords" (Score:4, Insightful)
I would suggest that DO-NOT "Remember Passwords" and Login ids in any Browser where Sensitive Information will be sent ultimately.,/quote>
Well, that'll stop the really stupid malware authors that sit down at your PC and copy the file that stores your passwords. But it won't stop the one who left a key logger, the other who is doing control scrapes, the guy looking over your shoulder, the in-memory debugger that waits for a POST submission and copies everything in the data struct, or the FBI (who knows about those magazines under your bed too).
If you want to offer some advice to people that'll result in a real increase in security, tell them to install NoScript, or not to download executables and run them without scanning them. Tell them to install Spybot, or AdAware, or AVG Free. But don't ask them to turn off a convenient feature because it will stop the .1% of attackers too stupid to figure out a better way of getting that information.
Good on you! (Score:5, Funny)
Well, this just proves that it's easier to develop for Firefox than IE. ^_^ Of course, it's a very backhanded compliment.
Re: (Score:2)
You forgot the </snark> tag ;)
Username/password combo for banks flawed. (Score:5, Interesting)
It's just part of the mounting evidence that username/password combinations for banks is inherently flawed. "Somthing you know" can always easily be known by someone else. Bank security should (IMO) be also based on "something you have", like an ATM card.
If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.
Re: (Score:2)
That should be simple enough. Seriously, though, if a key like that were introduced, it would just be one more layer these people would have to overcome.
It's just part of the mounting evidence that username/password combinations for banks is inherently flawed. "Somthing you know" can always easily be known by someone else. Bank security should (IMO) be also based
Re: (Score:2, Informative)
Re: (Score:2, Interesting)
What if banks had to respond back with RSA code? (Score:2)
I'm not sure this is what you're referring to but in either case your post got me thinking:
Wouldn't an effective phishing defense (but not MITM) be for the RSA key fobs to have two numbers displayed instad of one, such that when you log in with the first number displayed on your fob, the bank replys with the 2nd number. If they don't match its likely a bogus site.
I'm sure there are tehcnical issues to resolve to decouple the two keys to avoid a snooper / phisher from being able to guess the banks response
Only if you want to be in the IT business (Score:3, Informative)
The problem with USB keys is that you have to install a client to handle the PKCS #11 with the browser. No bank wants to get in the business of telling customers to install software (and all the help desk problems that come with it).
OTP tokens have been the preferred method for consumer strong authentication, but only consumers in Europe have seem to taken to them. I don't really see people lining up to get the paypal OTP token.
Re: (Score:3, Insightful)
Every bank in Mexico uses OTP authentication with a small physical device that generates a random key.
When will the US catch up with the rest of the world in terms of technology? ;)
Re: (Score:3, Interesting)
Because the secret key is held on the device and is never disclosed to the outside world, you cannot copy a device without physically disassembling it and getting out the key by probing the electronics.
1: Not yet. For some devices touted as "secure", you can. Easily.
2: The key is on the banking server as well, or at least the method to generate or validate it at any given time.
Your server will be compromised.
The end user will lose the dongle.
The dongle will be cracked.
The dongle will malfunction.
Malware
new? (Score:2)
Yet another attempt at a classic type of malware designed to harvest web passwords has been detected...
There, fixed it for ya.
I don't think it is really fair to call it 'new' just because you havn't reported on this particular incident yet today. It is a little misleading. Glad I could help.
Wait, I thought... (Score:2)
Re: (Score:3, Informative)
Apparently Firefox has protections so plugins can only be downloaded from addons.mozilla.org, but if they are downloaded by another program, and placed in the appropriate folder, Firefox will use them.
There are two things to know about this:
1) Another piece of malware has to be
Re: (Score:2)
This thing isn't installed via Firefox's add-on process, or even by Firefox at all. It's installed by other malware that's already infected your system. Not hard, just write a few files into Firefox's add-on directory and then edit Firefox's configuration files to register the new add-on by hand. Any competent programmer with some experience with XML processing could code that up in an afternoon.
Attack vector. (Score:2)
It is not clear whether Firefox actually has a vulnerability that allows such a drive by downloads, or if IE or other browsers with a vulnerability might allow a drive by download that attacks FireFox. Anyway if the user downloads bits from the net and executes it voluntarily, there is nothing one can do to protect s
i've said this many times (Score:4, Insightful)
and i've always been derided as a microsoft fanboy. when i think its just common sense:
the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare
you can try to make something as secure as possible, but if the incentive is high, hackers can always pay attention to security way more than you do, and find holes you did not anticipate, no matte rhow subtle
if something is full of security holes, it won't be hacked, if its market share is tiny
meanwhile if something is ironclad, it will still be hacked, if its maker share is huge. the incentive to find holes is so high, the most esoteric avenues of investigation are explored
Re:i've said this many times (Score:4, Informative)
The reason Windows is targeted is because it's model of sharing everything was so wide open to so many exploits. And don't forget the numerous buffer-overflow vulnerabilities. Top that off with the fact that it is so pervasive, and you have the deadly combination we have now.
Linux/Unix, on the other hand, was written with clear lines of delineation between the user and kernel spaces. And attention was paid to avoid buffer overflow vulnerabilities.
Not saying that there aren't exploits available in Linux and Unix... There are. It's just designed from the ground up to be more secure than Windows.
So part of what you said is correct: The pervasiveness of Windows is a major reason why it is targeted. But you can't avoid the poor security design of Windows as a cause as well.
You've been wrong many times (Score:3, Informative)
You might think it's common sense that marketshare is all that matters, but we hammered this out years ago when comparing attack rates on IIS vs Apache.
Obviously marketshare is a factor. Ease of infiltration is another factor. A more popular platform will be attacked less if the chance of success is lower, because at the end of the day going after the weaker but less popular platform can still net you more compromised systems. If you only look at desktop browsers and OSes, you might not think this is the
Re: (Score:3)
Virii isnt a word.
Secondly, the GP is right, its all about marketshare. Look at all the rooted linux servers out there. Look at all the malware for windows. At the end of the day any computer controlled by someone with admin rights and who isnt paranoid about security is a risk.
virii should be a word (Score:4, Funny)
1. it just sounds cool
2. sometimes in scrabble, you need to get rid of a lot of Is
language isn't a top down authoritarian function, its trickle up from the bottom
therefore, here in this thread, based on my authority of having none at all, i hereby announce "virii" to be a valid word in the english language
use it profusely, use it constantly, use it anywhere
and in such a way, make it a valid word
motion has passed
Re: (Score:3, Funny)
>> 1. it just sounds cool
True, it sounds more "technical" than the more mundane "viruses". But I also believe in using proper words.
>> language isn't a top down authoritarian function, its trickle up from the bottom
Yeah, I only hear that from people who can't spell. (just kidding!)
Cheers!
-dZ.
that's it... (Score:5, Funny)
Nothing new here (Score:2)
According to the description, you have to get infected with some other malware first which would then stuff this thing into Firefox's folders and hook it in by manipulating the configuration. So my first thought is that the primary risk is (yet again) Windows users. They're the ones who'll be the targets of the initial malware. Even if you're a Windows user, if you aren't already having a problem with being regularly infected by malware you aren't at great risk. And if you are currently being regularly infe
Any Platform? (Score:2)
Would this attack style apply to any Firefox platform - Linux, Mac, Windows? As I understand it, FF plugins are mostly written in Javascript. Even on more secure platforms like Mac and Linux, each user has access to his own FF plugins directory, so if any malicious code were to be executed as him, it could presumably write this "plugin" into that user's FF settings directory.
FireFox matters. (Score:3, Interesting)
Not sure whether this should be considered a compliment, but to me it indicates that FF matters. It has enough market share for criminals to target.
Unfortunately not many details on this exploit: is it really an exploit in FF (for the drive-by download)? Or is it more like a trojan (for the download duping)?
malware targets Windows .. (Score:4, Informative)
SYMPTOMS: Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
TECHNICAL DESCRIPTION: It drops an executable file (which is a Firefox 3 plugin)
Does that mean it's Windows only ?
Re: (Score:3, Interesting)
Oh good I'm safe then, it's firefox 3 plugin - won't work in my Firefox 1.5.x. Another good reason not to upgrade - securtiy is worse in the new version.
Fightback? (Score:3)
Can we now blitz the collecting server with millions of bogus account records? Enough to make it not worthwhile trying them to find the good ones?
SITE-MODS: Please edit Subject Line -- W32 only (Score:3, Informative)
Fix (Score:5, Funny)
You can download a fix for it here [microsoft.com].
Wow, the summary is correct. (Score:3, Insightful)
This is not an exploit, this is a payload like a rootkit that targets Firefox... after your computer has already been compromised.
I would be surprised if there ISN'T a similar payload targeting IE delivered by the same malware.
Would have been nice (Score:3, Insightful)
if they had identified the server that it tried to contact, either by hostname or IP address, so that those with the capability to do so, could block connectivity to it from their network(s) and/or customers. ISP's could add a simple ACL to a router, home users might put a 127.0.0.1 entry in /etc/hosts, etc.
Of course one thing they completely left out was if this 'plugin' ran only on Windows Firefox or if other platforms were susceptible as well.
And quite frankly, if that host was providing some legitimate service that doing this ended up blocking, well, oh fucking well. Keep the thieves off your network and you can avoid that type of problem.
Another option of course, (for individuals and private/company networks, but probably not so for commercial ISP's) would be to just null-route the entirety of Russia (using blackholes.us), and then selective override individual address spaces as and if needed.
LIST OF BANKS; seems to be windoze-only (Score:4, Informative)
Re: (Score:2)
I'd presume anything that supports Mozilla add-ons would be affected. But that is just a guess.
also (Score:4, Interesting)
What happens if you already have Greasemonkey? Would it stop working or does the malware work fine alongside it?
Re: (Score:2, Informative)
its javascript so the end code is probably cross-platform, weather the delivery takes place on multiple platforms i do not know but largely depends on the delivery mechanism, as a xpi it would probably be fully cross-platform.
mozila vs firefox, who friggen knows
someone should publish the javascript, the press report was totally bull
also java != javascript
Re: (Score:3, Interesting)
someone should publish the javascript, the press report was totally bull
Meh, even without seeing the code it's pretty easy to figure out what they most likely did. All they'd have to do is create an onSubmit that sends an Ajax request to their server with the contents of the username and password fields on the form being submitted. Considering that add-ons (AdBlock, for example) can already inject and/or remove HTML from the dynamic page, it doesn't surprise me in the least.
Then all they have to do is figure out how to deploy it – obviously the Firefox plugin repository i
Re:only firefox? (Score:5, Insightful)
Mozilla needs your permission to install plugins from unverified sources.
But since windows standard practice is to click on everything that has an OK on it, I think it doesn't matter.
Re:only firefox? (Score:5, Insightful)
There, fixed that for ya.
Re: (Score:3, Insightful)
But since users' standard practice, as trained by M$ security theatre over many years, is to click on everything that has an OK on it, I think it doesn't matter.
There, fixed that for ya.
---
Don't be a programmer-bureaucrat; someone who substitutes marketing buzzwords and software bloat for verifiable improvements.
Re: (Score:3, Interesting)
I've had quite a few issues with Ubuntu because of my years of using windows. I'm used to hitting Enter rather than clicking for the default actions. Especially the overwrite file dialogs which default to 'no' in windows and 'yes' in ubuntu
Re:only firefox? (Score:5, Insightful)
from the article:
Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.
This is utterly unacceptable. They should give instructions to users on how to avoid downloading this.
They listed two ways in which systems get infected. One is "by being duped into downloading it." The instructions to avoid this are easily enough translated as your standard Internet hygien guidelines: "When websites offer browser-enhancements to you, say no," and "don't execute email attachments even if they come from trusted friends."
However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.
Re:only firefox? (Score:5, Funny)
Re:only firefox? (Score:5, Interesting)
The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314 [mozilla.org]. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.
Re:only firefox? (Score:5, Informative)
I ran into this when I visited a site that another admin got the Antivirus 2008 trojan from. Of course I'm on Ubuntu so I was pretty sure simply visiting the site wouldn't cause any problems. I kept getting prompted to install it so I just found out what link it kept calling and just modified my hosts file to point it to localhost and then I got out of it like I should.
Pretty devious exploit though.
Re: (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Comment removed (Score:4, Interesting)
Re:only firefox? (Score:5, Informative)
Re: (Score:2)
However, I want more detail about this "drive-by download" bit. There is a hole in my browser that will make it automatically download this addon, without prompting me? Give me a link. Give me the details. What versions have the hole? Has it been patched? Is there something I can do (other than "browse nothing") that will prevent this hole from being exploited? People need these details.
It sounds like they're just playing "what-if". If you've got a malicious Firefox addon, how do you get your victims to install it? Obviously the first step is to trick them in to installing it - a variation on the trojan (as named). The other way is to try and install it without user interaction. How to do that? Find an exploit in the browser, a helper application (Flash, Acrobat, Quicktime, etc.), or the OS itself to perform a generically-labled drive-by download.
Whether any of this is actually happen
Re:only firefox? (Score:5, Funny)
does it affect all platforms since it's Java?
anyone know?
It's not Java, it's JavaScript - two very different languages linked only by a common marketing fuckwit.
Re: (Score:2)
I love job interviews that involve "Your resume says Java, so you must do some Javascript since they're so similar, right?"
At that point, telling the truth becomes a very hard decision to make.
Re: (Score:2)
Well the languages have many similarities. Most of them are the same as the similarities of JavaScript and Java and C++ but still for the novice coder they look like the same language. But yes they are very different languages not related to each other.
Re: (Score:3, Informative)
Re:PC ONLY? (Score:5, Funny)
Re: (Score:2)
Viruses and Malware are features, not bugs!
Re:PC ONLY? (Score:5, Informative)
But I thought the sequence usually went like this:
1. Install Firefox /. for pedantic usage of noScript to designate a particular add-on to Firefox, and for not using the general designation of either FX3 or FF3...
2. Install noScript
3. ???
4. Don't get infected by js vector based viruses.
5. Get flamed on
No, but really. If you have noScript, as most everyone I know using Fx does, then how do you get infected by a virus that uses js as an attack vector...
Guess I'll keep reading the thread and see if the answer arises.
Re:PC ONLY? (Score:4, Informative)
Re: (Score:2)
No? Since the plugins run on all platforms, or?
Re:PC ONLY? (Score:5, Informative)
This [plugin] is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder
Since the computer need already be compromised... sure you can draw your own conclusion on that one :)
Re:PC ONLY? (Score:5, Funny)
spelling "losers" correctly is for losers too.
Re: (Score:3, Funny)
Re: (Score:2)
PC != Windows. Unless the trojan installs via a Windows executable (which is a possible attack vector but certainly not the only possible one), the FF add-on/Javascript code will run on any platform.
Re: (Score:3, Funny)
Since I haven't yet RTFA, I can't comment with any authority (as if I ever do), but if it's a javascript exploit, then I suppose it could affect any platform. My credit union's online banking portal only allows me to use Internet Explorer, so I can't even get to my bank account through Firefox or Opera or SWIron (which I prefer to Chrome). Oh the irony! Here's one instance where IE is a safer alternative to FF!
Re:PC ONLY? (Score:5, Funny)
Re:Linux has less than 0.5% share, so does it matt (Score:5, Funny)
Linux has 0.8% market share!
Though that's counting me and my beard of unusual size, so take it as you wish.
Re:Linux has less than 0.5% share, so does it matt (Score:5, Funny)
Linux has 0.8% market share!
Though that's counting me and my beard of unusual size, so take it as you wish.
Stallman, is that you?
Re:Linux has less than 0.5% share, so does it matt (Score:5, Funny)
No, he would have said GNU/Linux.
Re: (Score:2)
Pluguns control YOU!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Russia seems to be the largest country in the world.
Re: (Score:2)
If I promise to spend it all on fine Russian vodka, can I have all your money?
Re:NoScript FTW (Score:5, Funny)
Like you never "Temporarily allow myweirdpornvideos.com".
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Can I put on my 'told you so' t-shirt now?
No, you can't. The trojan doesn't attack the password list file, it scrapes the login credentials from forms of sites when you visit them.
Anyway, are you aware of any way of obtaining username/password information from the "woefully unprotected" password list? I'm not saying a way doesn't exist, but I don't know of any.
Re: (Score:3, Informative)
The malware calls itself "Greasemonkey" to avoid detection, but it's completely unrelated to the real Greasemonkey add-on.
Same as all the "spyware removal" or "antivirus" tools that are really adware/trojans... it's just to get it on your machine and prevent you from trying to delete it...