New Trojan poses as Firefox extension
Mozilla users under attack.
By Jeremy Kirk, IDG News Service | Published: 16:07, 26 July 2006
A new password-stealing Trojan masquerading as an extension to Firefox is on the loose.
Called "FormSpy", it is downloaded to a computer that is already infected with another Trojan horse called "Downloader-AXM", according to McAfee. That Trojan was recently detected in e-mail spam messages. Downloader-AXM contacts servers to download other malicious programs to a computer without a user's knowledge. Once downloaded, FormSpy installs itself as a Firefox extension.
The program appears as the "NumberedLinks 0.9" extension, which would normally would allow a user to navigate links by numbers using the keyboard rather than a mouse. The payload is that FormSpy can transmit information in a Web browser to another website, which could include credit card numbers, passwords and electronic banking pin numbers, according to McAfee. FormSpy can also steal e-mail, ICQ instant messaging service and FTP passwords.
The targeting of Firefox is not coincidental. Microsoft’s rival Internet Explorer browser has reigned in the ability of ActiveX controls to be installed without digitally-signed verification, something that will become standard on the forthcoming IE7. Mozilla is still without that protection, relying on confirmation dialogues.