Password stealing malware masquerades as Firefox add-on

Malware researchers at BitDefender are reporting on a newly discovered piece of malware (Trojan.PWS.ChromeInject.B) which, once dropped into Firefox's add-ons directory, runs as an add-on and attempts to steal login credentials for a predefined list of over a hundred E-banking sites. Once captured, the credentials are forwarded to a free web space hosting provider in Russia. Earlier this year a more severe incident took place, when the Vietnamese Language Pack hosted on Mozilla's official add-ons list was found to be infected with malware.

"It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by BitDefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively. It filters the URLs within the Mozilla Firefox browser and whenever it encounters the following addresses opened in the Firefox browser it captures the login credentials. It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox's chrome environment."

Despite the novel delivery approach, the malware would have had a far bigger impact had it been released several years ago, when E-banking authentication was still in its infancy and simple keylogging was enough to hijack a session. The Trojan will indeed obtain the login credentials, but credentials alone are no longer sufficient for a successful compromise of a bank account. In comparison, the techniques used by sophisticated crimeware like Zeus, Sinowal and Wsnpoem undermine the majority of two-factor authentication mechanisms used by E-banking providers: once you start doing E-banking from a compromised environment, nothing is really what it seems to be anymore.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

35 comments
  • I am still curious about ISPs.

    Why is there a route from my ISP to the infamous Russian domain. How trivially easy would it be for TWC here in San Antonio to simply delete the ability for any packet to arrive at said domain. They know where it is, the exact IP range, and adding extra IP addresses where packets end up at this big bit bucket in the sky (/dev/null on some gateway) astounds me.

    It isn't rocket surgery, it could eliminate the profit motive and decimate the malware revenue stream in literally days, wiping it out.

    Come on TWC, take a chance, use one of your engineers and $128 in labor and simply remove these nasty IP addresses from being accessible.

    TripleII
    • Folks would lose their Russian porn

      and that would lose the ISP some customers.
      Michael Kelly
      • No, there is a specific domain.

        Not going to post it. It is not used for p0rn, it is 100% used for Russian hacking. You do post a valid point though, there are other sites that should be blacklisted that could actually be semi-legit (hacked or cracked) over there.

        I still say though that any ISP could gain 100 fold if they introduced a policy and made it public that they were going to block, and add new blocks to specific known cracker domains.

        TripleII
    • Net Neutrality

      Your ISP provides you an internet connection. If they begin to dictate where you can go because it's "Bad for you" or "against the law" then they suddenly become responsible for ANYTHING you do on the web. Which means if they do that and you go somewhere else and download child porn the ISP then becomes responsible. Net Neutrality protects that but it also puts restrictions on what they can do. They can limit types of traffic but cannot block it. They can block incoming traffic but not outbound.

      It's a legal issue. Sure, it would be nice. But it's better for all of us if we don't start down that road.
      LiquidLearner
      • Net Neutrality...

        I agree and disagree!

        ISPs have no business blocking anything! The federal government either. (Except possibly real terrorist groups, not political comment they don't like).

        Blocking an IP or domain is the right of an individual or private company, period.

        I block all network activity to various domains from Brazil, Africa, Russia, China, etc. all the time!

        I will block access to MY computer from whomever whenever as I wish!

        That action taken on my behalf without my tacit approval or input by ISP's or the state, is plain old tyranny and must be resisted vigorously!
        RS9
    • RE: I am still curious about ISPs

      TripleII,

      Unfortunately, you have to be the one to "stop them cold". As pointed out by another commenter, it is not a good thing for ISPs to get into the "filtering" business. We pay them to transmit data to and from our computers.

      That being said, I suggest that you do what I have done: get a firewall and use it. I have gone to a site, called IPDeny, http://www.ipdeny.com/ipblocks/ downloaded the varied country IP address block, and manually added them to my firewall. Not the best solution, and not the easiest one, but at least it is under MY control.

      FYI, I started with the CN zone, and then progressed to the RU zone.
      fatman65535
      • I think there could be consensus.

        There are famous and well-known pure malicious domains out there. For my own use, I am not concerned, it is the millions out there who use a computer as a benign appliance. I am not talking about wholesale filtering, however, there are specific IPs and subnets that are world known nothing but malice. I believe a concerted effort by, for example, all ISPs could bring these networks to their knees in days.

        Just as an example, web hack dot ru from here.
        http://www.robtex.com/dns/web-hack.ru.html

        filter it out, DDOS and probably 50% of all malware infected computers are useless, since the IPs are coded into the malware.

        I'd love to head up oversight on something like this, because it doesn't exist. There is nothing, ever, good that came out of those 3 domain sites. Not only that, part of the filter can be notification to computer owners they are hacked.

        TripleII
    • opendns.com

      OpenDNS works great. I've got those sites, and quite a few others, blocked. Both at work, and at home, trying to get to those sites gets you a notice from OpenDNS that the site has been blocked by the admin of the network.

      Really tweaked some cookies around here when people could no longer waste countless paid hours at myspace, too.
      Dr. John
  • Cut them off from the world

    How long would these sites last if we told the hosting country that we would no longer accept Internet traffic from them due to security risks to our citizens?
    Carrion
    • All it takes is will, of which there is none.

      ISPs don't care, and won't take any steps to simply cut them off for fear of anyone complaining.

      TripleII
      • ...

        Please do a bit more research before making these kind of statements.
        LiquidLearner
        • What research?

          They can do this easily, not one single ISP is doing anything to prevent malicious traffic or website access. It takes a concerted effort to force an ISP to enforce their own "terms of service", in one case, I had to threaten a lawsuit to get a bot in Arkansas brought down. They don't care, so long as everyone pays their bill.

          They can and probably do already know every one of the 40% of Windows computers compromised in their network, spewing Vi@gra emails and performing DDOS attacks and do NOTHING about it.

          What are you talking about?

          TripleII
          • It's Not a matter of research

            at least for the ISPs...it's a matter of consumer education. I don't want my ISP controlling my internet access when that's what *I* should be doing.
            Tyr.Anasazi@...
  • It's been thought of, it's been done, but ...

    re: "Cut them off from the world"

    It is not really effective. With today's networks and remote hosting options, it is quite easy to move an illegal operation around the world in minutes. If you start killing off connectivity to certain providers in Russia, the bad guys just move their stuff to China, Finland, Bulgaria, Brazil, or anywhere else in the world (including the US) that has access and cheap or free hosting.

    I can get a free email account in 75 different countries in a couple of minutes. I can put up a minimal web server for almost nothing. I can spread a sophisticated spoof site over multiple hosts and ISPs to avoid detection. Just as the Internet provides huge possibilities for good, it also provides bountiful resources for the bad guys.

    One more thing. In the coming recession/depression things are going to get worse, not better. Hosting companies and ISPs are going to have less resources to police their own operations, and they are going to have powerful incentives (money) to look the other way when illicit activities are taking place.

    Illegal but profitable endeavors ALWAYS thrive when times are hard. Often with the complicity and cooperation of otherwise respectable companies and citizens, who are just looking for any way to make ends meet.
    terry flores
  • Just how does this work?

    Do you have to install the add-on or does it automatically download itself (like a drive-by download) to the plugins folder?
    In other words, is any user interaction needed?

    EDIT:
    Never mind, got it.
    http://www.infoworld.com/article/08/12/04/Firefox_users_targeted_by_rare_piece_of_malware_1.html

    "Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

    When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox."
    balaknair
  • RE: Password stealing malware masquerades as Firefox add-on

    To me this article is useless. It does not tell an end user how to even see if they have this on their machine. It's like telling me I won a million dollars but leaves it at that. What is the point of the article?
    Vquest55@...
    • Ditto! [NT]

      .
      RS9
    • Not useless

      First of all you need to have an antivirus for your protection and preferably you should do a scan with bitdefender as they have discovered it and they surely have the definitions up to date.

      Second, if you had looked at BitDefender's encyclopedia you would have known:

      [pre]Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
      "%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"
      files in the Mozilla Firefox's plugins and chrome folders.[/pre]
      tolique
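A quick check for the files listed above, as an added example written for this page (it is not BitDefender's or Mozilla's code): it looks for the two paths tolique quotes from the BitDefender encyclopedia, which are the plugin-and-chrome-script pair the article describes, and also lists any other .dll in plugins/ or loose .js under chrome/chrome/content/ for review, with a SHA-256 of each file so a hit can be submitted to a vendor. The `make_sample_install` helper, the "review" category and the assumption that a stock Firefox 3 keeps its own chrome in .jar files are this example's own and not something the page states.

```python
"""Scan a Firefox install directory for the files BitDefender associates with
Trojan.PWS.ChromeInject.A/B.  This is an added example written for this page,
not BitDefender's or Mozilla's code.  Only the two relative indicator paths
come from the BitDefender entry quoted above; the extra sweep, the hashing
and the sample layout builder are this example's own design.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator paths relative to the Firefox install root, as quoted on the page.
KNOWN_INDICATORS = (
    Path("plugins") / "npbasic.dll",
    Path("chrome") / "chrome" / "content" / "browser.js",
)

# Directories the Trojan writes into, and the extensions worth listing there.
# Assumption: a stock Firefox 3 keeps its own chrome in .jar files, so a loose
# .js under chrome/chrome/content is unusual; plugins/ legitimately holds
# third-party .dll files, so those are only flagged for review, not as hits.
SWEEP_DIRS = {
    Path("plugins"): (".dll",),
    Path("chrome") / "chrome" / "content": (".js",),
}

# Used by make_sample_install(): the stock Firefox 3 default plugin, which
# should be reported as "review", not as an indicator.
SAMPLE_STOCK_PLUGIN = Path("plugins") / "npnul32.dll"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large DLLs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_firefox_dir(install_root) -> list:
    """Return one finding per file of interest under install_root.

    Each finding is {"path": str, "reason": str, "sha256": str}, where reason
    is "known-indicator" for an exact match to KNOWN_INDICATORS and "review"
    for any other .dll in plugins/ or .js in chrome/chrome/content/.  An empty
    list means neither the indicators nor anything to review was found.
    """
    root = Path(install_root)
    findings, seen = [], set()

    for rel in KNOWN_INDICATORS:
        path = root / rel
        if path.is_file():
            findings.append({"path": str(rel), "reason": "known-indicator",
                             "sha256": sha256_of(path)})
            seen.add(rel)

    for rel_dir, exts in SWEEP_DIRS.items():
        directory = root / rel_dir
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            rel = rel_dir / entry.name
            if entry.is_file() and entry.suffix.lower() in exts and rel not in seen:
                findings.append({"path": str(rel), "reason": "review",
                                 "sha256": sha256_of(entry)})
    return findings


def make_sample_install(infected: bool = True) -> Path:
    """Build a constructed Firefox-like tree in a temp dir for testing.

    The file contents are placeholders, not real malware.  With infected=True
    the tree contains both indicator files plus the stock default plugin;
    with infected=False it contains only the stock plugin.
    """
    root = Path(tempfile.mkdtemp(prefix="ff-sample-"))
    (root / SAMPLE_STOCK_PLUGIN).parent.mkdir(parents=True, exist_ok=True)
    (root / SAMPLE_STOCK_PLUGIN).write_bytes(b"MZ placeholder: stock default plugin")
    if infected:
        for rel in KNOWN_INDICATORS:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"placeholder content for " + rel.name.encode())
    return root


def default_install_root() -> Path:
    """Windows default location; %ProgramFiles% falls back to C:\\Program Files."""
    return Path(os.environ.get("ProgramFiles", r"C:\Program Files")) / "Mozilla Firefox"


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_install_root()
    results = scan_firefox_dir(target)
    for f in results:
        print(f"{f['reason']:16} {f['path']}  sha256={f['sha256']}")
    if not results:
        print(f"no indicators found under {target}")
```

Run it with no arguments on a Windows box to scan the default install, or pass another install directory as the first argument. A "review" entry is not a verdict: third-party plugins such as Flash legitimately live in plugins/, so compare the listed hashes against what your vendor or the file's publisher expects before acting. Conversely, an empty result only says these particular file names are absent, which is all the encyclopedia entry gives you to go on.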
  • WHICH Add-on IS it?...

    Either the title to this article is misleading as Hades or the article is not complete or BOTH!!! grrr!!!

    Now, [b][u]EXACTLY[/u] *HOW*[/b] is this virus spread??? [b][u]EXACTLY[/u] *WHAT*[/b] is the NAME of the Add-on that is referred to in the title of this article?????

    Without that information this "article" is simply yellow journalism at its finest!!!!!
    btljooz
    • Careful!

      ZDnet is getting really aggressive about strong opinions!

      If you stray too far from "PC" speech, you're BLOCKED!

      Don't you know your post "looks" nasty?
      RS9