
FireFox Users Targeted By Rare Piece Of Malware.


23 replies to this topic

#1 DSTM

DSTM

    "Bleepin' Aussie Addict"


  • Members
  • 2,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SYDNEY-AUSTRALIA
  • Local time:12:22 PM

Posted 05 December 2008 - 07:01 AM

Firefox Users Targeted by Rare Piece of Malware (PC World)
Posted on Thu Dec 4, 2008 6:51PM EST

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A," sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.

Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said.

When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

BitDefender has updated its products to detect it, and other vendors will likely follow suit quickly, Canja said. Users could avoid it by only downloading signed, verified software, but that's a measure that restricts the usability of a PC, he said.

Source LINK.

















#2 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern Ohio
  • Local time:09:22 PM

Posted 20 December 2008 - 09:46 AM

Thank you Aussie for the info.

#3 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:10:22 PM

Posted 20 December 2008 - 11:23 AM

Thanks for the info!

I don't use the Greasemonkey add-on, so I should immediately know if my computer is under attack if there is a Greasemonkey add-on installed.

#4 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,260 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:07:22 PM

Posted 20 December 2008 - 04:57 PM

Any word on whether this is platform independent or Windows only?

#5 tork

tork

  • Members
  • 718 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:here
  • Local time:10:22 PM

Posted 21 December 2008 - 10:09 AM

More information on BitDefender's findings on both Trojan.PWS.ChromeInject.B and Trojan.PWS.ChromeInject.A

It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by BitDefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.

It filters the URLs within the Mozilla Firefox browser and whenever it encounters the following addresses opened in the Firefox browser, it captures the login credentials....


continues with a list of addresses here: http://www.bitdefender.com/VIRUS-1000451-e...meInject.B.html
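
A defender-side way to notice the file drops described in the BitDefender excerpt above, added here as an example (it is not part of the original post and not BitDefender's tooling): snapshot the `plugins` and `chrome` folders under the Firefox installation directory and compare later snapshots against that baseline. The folder layout and every file name in the demo are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Folders named in the excerpt above, relative to the Firefox installation
# directory (assumed layout for this example).
WATCHED = ("plugins", "chrome")

def snapshot(firefox_dir):
    """Map 'folder/relative/path' -> SHA-256 for every file in the watched folders."""
    root = Path(firefox_dir)
    result = {}
    for folder in WATCHED:
        base = root / folder
        if not base.is_dir():
            continue  # a missing folder simply contributes no entries
        for path in sorted(base.rglob("*")):
            if path.is_file():
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                result[path.relative_to(root).as_posix()] = digest
    return result

def compare(baseline, current):
    """Return the files added, modified or removed since the baseline snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed directory tree standing in for a Firefox install (made-up names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "chrome").mkdir()
        (root / "plugins" / "npexample.dll").write_bytes(b"known plugin")
        (root / "chrome" / "browser.jar").write_bytes(b"original chrome")
        baseline = snapshot(root)
        # Simulate the change described above: one new file in each folder.
        (root / "plugins" / "unexpected.dll").write_bytes(b"new binary")
        (root / "chrome" / "unexpected.js").write_bytes(b"new script")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Take the baseline right after a clean install or a trusted update; any later "added" entry in either folder that you did not install yourself is worth a scan.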

#6 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:10:22 PM

Posted 21 December 2008 - 10:32 AM

How do we know if we got infected?

#7 tork

tork

  • Members
  • 718 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:here
  • Local time:10:22 PM

Posted 21 December 2008 - 10:47 AM

You could run BitDefender's online free scanner:
http://www.bitdefender.com/

BitDefender online scanner FAQs: http://kb.bitdefender.com/KB162-en--BitDef...canner-FAQ.html

#8 tork

tork

  • Members
  • 718 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:here
  • Local time:10:22 PM

Posted 21 December 2008 - 10:47 AM

Off topic question here: I double posted by accident - I'm missing how I can delete my own post or is that not possible?

Edited by tork, 21 December 2008 - 10:51 AM.


#9 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:10:22 PM

Posted 21 December 2008 - 10:59 AM

Do I have to if AntiVir can also detect the malware?

AntiVir name: TR/Drop.Small.abw

#10 tork

tork

  • Members
  • 718 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:here
  • Local time:10:22 PM

Posted 21 December 2008 - 11:33 AM

Up to you, JMO, but I'm a believer in getting second opinions - especially if your bank is one of the addresses listed - better to know now than too late

#11 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SW Louisiana
  • Local time:08:22 PM

Posted 21 December 2008 - 12:29 PM

Off topic question here: I double posted by accident - I'm missing how I can delete my own post or is that not possible?

Not Possible. :thumbsup:
Only Mods, and above, can delete posts.
If you feel a post needs to be removed, PM a Mod as to why, and a link to the post in question.
A link to a specific post can be found, at the top right of the post.
Post #XX, where #XX, is the link to the post.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#12 tork

tork

  • Members
  • 718 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:here
  • Local time:10:22 PM

Posted 21 December 2008 - 12:59 PM

tg1911,

Thank you for the information

tork

#13 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SW Louisiana
  • Local time:08:22 PM

Posted 21 December 2008 - 01:38 PM

You're quite welcome, tork.

#14 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,260 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:07:22 PM

Posted 21 December 2008 - 03:16 PM

Any word on whether this is platform independent or Windows only?

From what I've been able to gather, it's a Win32-specific threat. No one's really come out and said that explicitly, but no one is reporting infections under *nix or MacOS.

#15 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:10:22 PM

Posted 21 December 2008 - 03:44 PM

:thumbsup: You answered your own question. Another reason why non-Windows systems are better.



