Password stealing malware masquerades as Firefox add-on
Does this apply to Linux as well as Windows?
Re: Password stealing malware masquerades as Firefox add-on
Flash wrote:
    Does this apply to Linux as well as Windows?

I would assume that since this malware is Firefox centric, it would affect Linux installs running Firefox just as it would Windows. Key: make sure you know what add-on you're using in FF and use only those that are needed to complete the task you must carry out.
- urban soul
- Posts: 273
- Joined: Wed 05 Mar 2008, 17:03
- Location: "Killing a nerd is not as much fun as it sounds" B.Simpson
- Contact:
Re: Password stealing malware masquerades as Firefox add-on
Flash wrote:
    Does this apply to Linux as well as Windows?

Answer: yes.
It logs the outgoing traffic to banking sites and logs the keys you pressed on your computer keyboard in a quite intelligent way.
- 37fleetwood
- Posts: 403
- Joined: Fri 10 Aug 2007, 03:25
- urban soul
You know that you have it, because you - the user - have to download and install it. There is currently no known way to install FF plug-ins without user interaction. Uninstalling it removes everything according to http://www.heise.de.
Solution: only download FF plug-ins from mozilla.org. They try to keep their site clean. MD5sum is also available.
BUT: Don't forget to read the user comments; Torrent searchbars are MALWARE (steal your private data) - and they can be found on mozilla.org. Also, for half a day (grumble) the keylogger was available on mozilla.org, too. (They promised to check the plugins in future for these routines. But it is very easy to obscure the code).
Generally I consider mozilla.org a clean site run by very experienced admins.
Urban
- urban soul
Verrry useful, indeed.
...sorry, couldn't find any useful English documents.
http://www.heise.de/newsticker/Trojaner ... ung/119969 (ger.)
"Please let bitdefender do the job to clean your computer, your Out house and your granny."
Edit: -> that (or something very similar) is the advertisement text they throw at unsettled users. What a mockery!!
Last edited by urban soul on Wed 10 Dec 2008, 22:45, edited 1 time in total.
- 37fleetwood
urban soul wrote:
    You know that you have it, because you - the user - have to download and install it. There is currently no known way to install FF plug-ins without user interaction. Uninstalling it removes everything according to http://www.heise.de.
    Solution: only download FF plug-ins from mozilla.org. They try to keep their site clean. MD5sum is also available.
    BUT: Don't forget to read the user comments; Torrent searchbars are MALWARE (steal your private data) - and they can be found on mozilla.org. Also, for half a day (grumble) the keylogger was available on mozilla.org, too. (They promised to check the plugins in future for these routines. But it is very easy to obscure the code).
    Generally I consider mozilla.org a clean site run by very experienced admins.
    Urban

Sorry if my question offended you, I just thought it was unlikely that anyone would download a plug-in called "banking info stealer", though you never know. What I meant is: is it known what the name of the plug-in/s are that have this issue?

I read your referenced site and the add-on is a fake version of Greasemonkey.

thanks
Scott
Thanks!
Scott 8)
I'm a PC... Without Windows
At least one variant of this trojan identifies itself as Greasemonkey, a popular FF extension used to inject your own javascript into sites to improve functionality.
http://www.privacydigest.com/2008/12/04 ... romeinject
BitDefender says that it installs some javascript and a dll file. If it is actually a dll and not just a file with a .dll extension to hide its true purpose, I don't think that Linux would be affected. I mean, we can't use dll files, can we? Unfortunately, the BitDefender site seems to be the only one with actual information, everyone else just quotes them or gives a link to them.
BitDefender also says:
    Trojan-Spy:W32/Banker.IVX, Win32/Inject.NBT trojan, Troj/Bancos-BEX, TR/Drop.Small.abw

Notice the reference to Win32. It seems that the javascript part uses something in the dll file that is not cross platform (or BitDefender is misrepresenting things). I think that we may have dodged the bullet here. Still, this should be a strong reminder that we are not invulnerable.
Remember: CONSTANT VIGILANCE!
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
- urban soul
Scott,
no offence here. It is the BitDefender site that bothered me. They try to withhold information about the malware in order to sell their software. This is UNTRUSTWORTHY style. Never trust anti-virus or anti-spyware companies anyway. (The ideal persons with the required knowledge are former malware authors).
On topic: yet another way to spread a FF plugin is to drop an install script + payload. So, next time FF is restarted the plugin is being installed. This is most likely a windoze scenario and would not apply to linux users today (because linux is unattractive to the authors).
I recommend using NoScript! All of these tricks require JavaScript at one or the other stage.
Urban
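A defender-side check for the scenario urban soul describes (an add-on dropped into the profile so it is picked up at the next restart), added here as an example that is not from this thread or from Mozilla: it lists the add-ons present in a Firefox profile that are not on an allowlist you maintain yourself. The profile layout (extensions/<id> as a directory or <id>.xpi), the allowlist format and the sample IDs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the contents of a Firefox
# profile's extensions/ directory against an allowlist of add-on IDs you
# knowingly installed, so anything that appeared without you shows up
# before you trust it. Assumed layout: <profile>/extensions/<id> as a
# directory or <id>.xpi; allowlist is one add-on ID per line.

# Print the IDs found in the profile that are not on the allowlist.
# Returns 0 when every add-on is known, 1 when at least one is not.
audit_extensions() {
    profile="$1"
    allowlist="$2"
    unknown=0
    for entry in "$profile"/extensions/*; do
        [ -e "$entry" ] || continue          # empty dir: the glob stays literal
        id=$(basename "$entry" .xpi)         # strip .xpi; directories unchanged
        if ! grep -qxF -- "$id" "$allowlist"; then
            echo "$id"
            unknown=1
        fi
    done
    return "$unknown"
}

# Constructed sample data for a stand-alone run (made-up IDs, not real add-ons):
# one add-on you installed yourself and one .xpi that was dropped in.
make_sample_profile() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/extensions/known-addon@example.com"
    : > "$sample_dir/extensions/dropped-addon@example.com.xpi"
    echo "$sample_dir"
}

make_sample_allowlist() {
    sample_file=$(mktemp)
    echo "known-addon@example.com" > "$sample_file"
    echo "$sample_file"
}

# Demo on the constructed profile; on a real system point it at
# ~/.mozilla/firefox/<profile>/ and your own allowlist file instead.
demo_profile=$(make_sample_profile)
demo_list=$(make_sample_allowlist)
audit_extensions "$demo_profile" "$demo_list" || echo "unexpected add-on(s) listed above"
rm -rf "$demo_profile" "$demo_list"
```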
SirDuncan wrote:
    At least one variant of this trojan identifies itself as Greasemonkey, a popular FF extension used to inject your own javascript into sites to improve functionality.
    http://www.privacydigest.com/2008/12/04 ... romeinject
    BitDefender says that it installs some javascript and a dll file. If it is actually a dll and not just a file with a .dll extension to hide its true purpose, I don't think that Linux would be affected. I mean, we can't use dll files, can we? Unfortunately, the BitDefender site seems to be the only one with actual information, everyone else just quotes them or gives a link to them.
    BitDefender also says:
        Trojan-Spy:W32/Banker.IVX, Win32/Inject.NBT trojan, Troj/Bancos-BEX, TR/Drop.Small.abw
    Notice the reference to Win32. It seems that the javascript part uses something in the dll file that is not cross platform (or BitDefender is misrepresenting things). I think that we may have dodged the bullet here. Still, this should be a strong reminder that we are not invulnerable.
    Remember: CONSTANT VIGILANCE!

Ha, the funny thing is that you can add javascript to any site anywhere, just by adding javascript:<code> in any site.