[ISN] New Trojan poses as Firefox extension

From: InfoSec News (alerts@private)
Date: Thu Jul 27 2006 - 22:31:45 PDT


By Jeremy Kirk
IDG News Service
26 July 2006

A new password-stealing Trojan masquerading as an extension to Firefox is 
on the loose.

Called "FormSpy", it is downloaded to a computer that is already infected 
with another Trojan horse called "Downloader-AXM", according to McAfee. 
That Trojan was recently detected in e-mail spam messages. Downloader-AXM 
contacts servers to download other malicious programs to a computer 
without a user's knowledge. Once downloaded, FormSpy installs itself as a 
Firefox extension.

The program appears as the "NumberedLinks 0.9" extension, which would 
normally would allow a user to navigate links by numbers using the 
keyboard rather than a mouse. The payload is that FormSpy can transmit 
information in a Web browser to another website, which could include 
credit card numbers, passwords and electronic banking pin numbers, 
according to McAfee. FormSpy can also steal e-mail, ICQ instant messaging 
service and FTP passwords.

The targeting of Firefox is not coincidental. Microsoft's rival Internet 
Explorer browser has reigned in the ability of ActiveX controls to be 
installed without digitally-signed verification, something that will 
become standard on the forthcoming IE7. Mozilla is still without that 
protection, relying on confirmation dialogues.

All contents © IDG 2006.

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Thu Jul 27 2006 - 22:46:32 PDT