Trojan Spoofs Firefox Extension, Steals IDs

By Gregg Keizer, TechWeb Technology News

An identity-stealing keylogger that disguises itself as a Firefox extension and installs silently in the background was discovered Tuesday by security vendor McAfee.

According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan horse monitors mouse movements and key presses to steal online banking or credit card usernames and passwords, other login information, and URLs typed into Firefox, the popular open-source browser. Another component of the Trojan sniffs out passwords from ICQ and FTP sessions, and IMAP and POP3 traffic, said McAfee. All collected information is sent to an IP address hard-coded into the Trojan.

The scam starts with spam posing as a message from the billing support department of mega-retailer Wal-Mart, said Craig Schmugar, the virus research manager at McAfee's Avert Labs. "There's an order number in the message, which matches the number of the attachment," said Schmugar. "When someone opens the attachment, the Trojan downloads and installs two components, a keylogger as well as a sniffer." As of Tuesday afternoon, FormSpy had gained little traction.

But it's the way that FormSpy gets onto a machine that's unique, Schmugar said. FormSpy masquerades as a Firefox extension, or browser add-on. It spoofs Numberedlinks 0.9, an extension that in its legitimate form lets users navigate links with the keypad. FormSpy uses some of the actual extension's code to put its hooks into Firefox.

Normally, Firefox extensions -- which in Windows have the .xpi file extension -- display a confirmation dialog that the user must acknowledge before the add-on installs. The bogus Numberedlinks, however, skips that.

"The Trojan writes files directly to the Firefox folders without putting up the confirmation," said Schmugar. Users who have been infected won't realize that the bogus extension has been added to Firefox unless they call on the Tools|Extensions command (in Firefox 2 Beta 1, Tools|Add-ons) and spot "Numberedlinks 0.9" in the list.

Firefox's extensions have been criticized for lax security, in particular that they're not digitally signed to vouchsafe their contents. Schmugar said FormSpy's disguise argues for revisiting the topic.

"The Trojan is using a mechanism to get its code executed when it hooks into Firefox [spoofing an extension]," he said, "and from a security model, that kind of functionality is all over the place." Still, "better extension security should be considered by Mozilla," he concluded.

Because of similar -- and long-standing -- threats posed by ActiveX controls, Microsoft has made several changes to Internet Explorer, including blocking of virtually all such add-ons by default in the upcoming IE 7, to protect users. ActiveX controls, unlike Firefox extensions, are also digitally signed.

"Over time, malware writers will find a way to leverage Firefox to their advantage," said Schmugar.

"Quite a number" of the original spammed messages were reported to McAfee, Schmugar, said, but there had been "very little field submissions" of FormSpy Trojan, so for the moment the threat remained low-level.

"In all likelihood, some of those who received the spam did run the attachment. But how many were using Firefox, we don't know."