QuoteResearchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users. The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A" sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.
Please read full article here: http://www.infoworld.com/article/08/12/04/Firefox_users_targeted_by_rare_piece_of_malware_1.html (http://www.infoworld.com/article/08/12/04/Firefox_users_targeted_by_rare_piece_of_malware_1.html)
About Trojan.PWS.ChromeInject.A : http://www.bitdefender.co.uk/NW900-uk--BitDefender-detects-novel-approach-to-stealing-web-passwords.html (http://www.bitdefender.co.uk/NW900-uk--BitDefender-detects-novel-approach-to-stealing-web-passwords.html)
Thanks for the heads up.
Recommendations:
- ONLY download add-ons (extensions) from the official Mozilla download site: https://addons.mozilla.org/en-US/firefox/
- Use NoScript: http://noscript.net/ (although if Javascript is needed for your banking site . . . )
http://www.pcworld.com/article/154931/.html?tk=rss_news
This could be a bad one...gathers banking information.
Here's a discussion topic about it at DSLReports Mozilla forum:
http://www.dslreports.com/forum/r21525320-Password-Trojan-Poses-as-Firefox-Plugin
according to CNET:
http://news.cnet.com/Trojan-piggybacks-on-Firefox/2100-7349_3-6098615.html
QuoteA new Trojan horse making the rounds has been installing itself as a Firefox extension, according to security company McAfee.
The FormSpy Trojan attacks computers that have already been infected with the Downloader-AXM Trojan, according to a security advisory McAfee issued Tuesday. Once FormSpy is executed, it installs itself as a component of the Firefox Web browser.
The FormSpy spyware then gleans sensitive information, such as credit card and bank account numbers, from the user's browser and forwards it to a malicious Web site. But this Trojan is capable of other tricks, as well, McAfee noted.
According to one source, the virus is being circulated in a email attachment that can appear as billing info from Wal-mart, and also is marketed as the Numberlinks 0.9 extension for Firefox (http://numberedlinks.mozdev.org/), taking its name from a legitimate add-on designed to make it easier for Firefox users browse the Web without a mouse.
(Topics Merged.)
This is indeed one nasty malicious script. Because it can be a drive-by download (downloaded without any interaction by the user), until the vulnerability has been addressed, consider using Internet Explorer for all online credit card purchases and banking activities.
How can we know when it's addressed? Will something be posted about it here on Lzd?
Because the infected "add-on" is neither supported nor provided by Mozilla, but rather is targeting Mozilla, it will be left to the antivirus vendors to ensure that this password stealing trojan is being detected by them.
See the following blog posts for additional information:
http://blog.mozilla.com/security/2008/12/08/malicious-firefox-plugin/
http://blog.johnath.com/2008/12/08/firefox-malware/