By Gregg Keizer, TechWeb Technology News 

An identity-stealing keylogger that disguises itself as a Firefox extension
and installs silently in the background was discovered Tuesday by security
vendor McAfee. 
According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan
horse monitors mouse movements and key presses to steal online banking or
credit card usernames and passwords, other login information, and URLs typed
into Firefox, the popular open-source browser. Another component of the
Trojan sniffs out passwords from ICQ and FTP sessions, and IMAP and POP3
traffic, said McAfee. All collected information is sent to an IP address
hard-coded into the Trojan. 

The scam starts with spam posing as a message from the billing support
department of mega-retailer Wal-Mart, said Craig Schmugar, the virus
research manager at McAfee's Avert Labs. "There's an order number in the
message, which matches the number of the attachment," said Schmugar. "When
someone opens the attachment, the Trojan downloads and installs two
components, a keylogger as well as a sniffer." As of Tuesday afternoon,
FormSpy had gained little traction. 

But it's the way that FormSpy gets onto a machine that's unique, Schmugar
said. FormSpy masquerades as a Firefox extension, or browser add-on. It
spoofs Numberedlinks 0.9, an extension that in its legitimate form lets
users navigate links with the keypad. FormSpy uses some of the actual
extension's code to put its hooks into Firefox. 

Normally, Firefox extensions, which are packaged as .xpi files on every
platform, display a confirmation dialog that the user must acknowledge
before the add-on installs. The bogus Numberedlinks, however, skips that. 

"The Trojan writes files directly to the Firefox folders without putting up
the confirmation," said Schmugar. Users who have been infected won't realize
that the bogus extension has been added to Firefox unless they call on the
Tools|Extensions command (in Firefox 2 Beta 1, Tools|Add-ons) and spot
"Numberedlinks 0.9" in the list. 
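The check described above, automated on disk, as an added example (not code from McAfee, TechWeb or the Numberedlinks project): it walks a Firefox profile's extensions directory and parses each install.rdf, the RDF manifest format used by Firefox 1.5/2-era extensions, reporting any extension whose em:id is not on an allowlist or whose directory name does not match its em:id. The profile, the allowlist and both manifests are constructed for the demo; the Numberedlinks entry only reuses the name the article mentions and its id is invented. Current Firefox versions store add-on metadata differently (manifest.json inside the .xpi and extensions.json in the profile), so the parser is specific to the era the article discusses.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespaces used by install.rdf manifests in Firefox 1.5/2-era extensions
# (assumption: the format current when the article was written).
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def _em(node, field):
    """Read em:<field>, given either as a child element or as an attribute of the Description."""
    child = node.find("{%s}%s" % (EM_NS, field))
    if child is not None and child.text:
        return child.text.strip()
    return node.get("{%s}%s" % (EM_NS, field), "").strip()


def parse_install_rdf(path):
    """Return (id, name, version) from an install.rdf, or None if no install manifest is found."""
    root = ET.parse(path).getroot()
    for desc in root.iter("{%s}Description" % RDF_NS):
        about = desc.get("about") or desc.get("{%s}about" % RDF_NS)
        if about == "urn:mozilla:install-manifest":
            return (_em(desc, "id"), _em(desc, "name"), _em(desc, "version"))
    return None


def audit_extensions(profile_dir, allowlist):
    """Walk <profile>/extensions/<id>/install.rdf and report anything not expected.

    allowlist: set of extension ids (the em:id value: a GUID or name@domain).
    An extension dropped straight into the folders, as the article describes,
    shows up here exactly as it would in Tools|Extensions."""
    findings = []
    ext_root = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_dir in sorted(os.listdir(ext_root)):
        manifest = os.path.join(ext_root, ext_dir, "install.rdf")
        if not os.path.isfile(manifest):
            continue
        parsed = parse_install_rdf(manifest)
        if parsed is None:
            findings.append({"dir": ext_dir, "id": None, "name": None,
                             "version": None, "reason": "no install manifest"})
            continue
        ext_id, name, version = parsed
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if ext_id != ext_dir:  # Firefox names the directory after em:id
            reasons.append("directory name does not match em:id")
        if reasons:
            findings.append({"dir": ext_dir, "id": ext_id, "name": name,
                             "version": version, "reason": "; ".join(reasons)})
    return findings


# Constructed manifest template (element form of the em: fields).
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>%s</em:id>
    <em:name>%s</em:name>
    <em:version>%s</em:version>
  </Description>
</RDF>
"""


def build_demo_profile():
    """Constructed sample profile (not real data): one allowlisted extension and one
    that merely carries the Numberedlinks name; both ids are invented."""
    profile = tempfile.mkdtemp(prefix="ffprofile-")
    for ext_id, name, version in [
        ("known-good@example.invalid", "Known Good Extension", "1.0"),
        ("numberedlinks@example.invalid", "Numberedlinks", "0.9"),
    ]:
        d = os.path.join(profile, "extensions", ext_id)
        os.makedirs(d)
        with open(os.path.join(d, "install.rdf"), "w") as f:
            f.write(INSTALL_RDF % (ext_id, name, version))
    return profile


def demo():
    """Run the audit over the constructed profile; only the Numberedlinks entry is reported."""
    allowlist = {"known-good@example.invalid"}
    return audit_extensions(build_demo_profile(), allowlist)


if __name__ == "__main__":
    for f in demo():
        print("%s  %s %s  (%s)" % (f["dir"], f["name"], f["version"], f["reason"]))
```

Run it against a copy of the profile taken from a machine you trust, or from a mounted image: an inventory read on the infected host is only as reliable as that host, and a name match alone does not distinguish the real Numberedlinks 0.9 from a spoof that reuses its code, so a flagged entry should be compared against a known-good copy of the extension.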

Firefox's extensions have been criticized for lax security, in particular
because they are not required to be digitally signed to vouch for their
contents. Schmugar said FormSpy's disguise argues for revisiting the topic. 

"The Trojan is using a mechanism to get its code executed when it hooks into
Firefox [spoofing an extension]," he said, "and from a security model, that
kind of functionality is all over the place." Still, "better extension
security should be considered by Mozilla," he concluded. 

Because of similar, and long-standing, threats posed by ActiveX
controls, Microsoft has made several changes to Internet Explorer, including
blocking virtually all such add-ons by default in the upcoming IE 7, to
protect users. ActiveX controls, unlike Firefox extensions, can also carry a
digital (Authenticode) signature. 

"Over time, malware writers will find a way to leverage Firefox to their
advantage," said Schmugar. 

"Quite a number" of the original spammed messages were reported to McAfee,
Schmugar said, but there had been "very little field submissions" of the
FormSpy Trojan, so for the moment the threat remained low-level. 

"In all likelihood, some of those who received the spam did run the
attachment. But how many were using Firefox, we don't know." 


Justification
Downloader-AXM has been deemed Low-Profiled due to media attention at the
following website:
<http://www.techweb.com/wire/security/191101268;jsessionid=ZSIPNB4RIMFWUQSNDLOSKH0CJUNN2JVN>

Read About It
Information about Downloader-AXM is located on VIL at:
<http://vil.nai.com/vil/content/v_140257.htm>

Detection
Downloader-AXM was first discovered on July 25, 2006 and detection will be
added to the 4815 Dat files (Release Date: July 26, 2006).

Though we consider this a low threat, an EXTRA.DAT file may be downloaded
via the McAfee AVERT Extra.dat Request Page:
<https://www.webimmune.net/extra/getextra.aspx>

If you suspect you have Downloader-AXM, please submit a sample to
<http://www.webimmune.net>

Risk Assessment Definition
For further information on the Risk Assessment and Avert Labs Recommended
Actions please see:
<http://www.mcafee.com/us/threat_center/outbreaks/virus_library/risk_assessment.html>



Mike Grant
Bytware, Inc.
775-851-2900 

http://www.bytware.com


CONFIDENTIALITY NOTICE:  This e-mail message and any attachment to this e-mail 
message contain information that may be privileged and confidential.  This 
e-mail and any attachments are intended solely for the use of the individual or 
entity named above (the recipient) and may not be forwarded to or shared with 
any third party.  If you are not the intended recipient and have received this 
e-mail in error, please notify us by return e-mail or by telephone at 
775-851-2900 and delete this message.  This notice is automatically appended to 
each e-mail message leaving Bytware, Inc.  


