Anti-Virus Firms Warn of Trojan Horse Mozilla Firefox Extension

Status
Not open for further replies.

LegendKiller

Anti-virus firms are reporting that a trojan horse that takes the form of a Mozilla Firefox extension has been spotted in the wild. The trojan, which McAfee has named FormSpy and Sophos has dubbed Troj/FireSpy-A, captures information entered into the browser, including, but not limited to, passwords and banking details, and sends them to a remote computer. The trojan comes with a Windows executable that can also record ICQ, POP3, IMAP and FTP passwords. Within Firefox, the trojan pretends to be the legitimate numberedlinks extension.

The FormSpy trojan does not use any Firefox security flaws to infect computers. Instead, it is downloaded and installed automatically by a piece of Windows malware known as Downloader-AXM, which exists solely for the purpose of surreptitiously downloading and running trojan horses. Once downloaded by Downloader-AXM, FormSpy installs itself in Firefox by directly modifying Firefox user profile files, completely bypassing the standard Firefox extension installation mechanism (and warning messages).

To get infected by FormSpy in this way, a user must already have Downloader-AXM on his or her system. First spotted earlier this week, Downloader-AXM is distributed as a Windows executable attached to a spoof email purporting to be an order confirmation message from Wal-Mart. However, McAfee says that they have also seen attempts to install FormSpy using the three-year-old VBS/Psyme exploit in Microsoft Internet Explorer.

To check for infection, Firefox users are advised to examine their list of installed extensions (accessible from the Tools menu as the Extensions item). The unexpected presence of "Numbered Links 0.9" indicates a possible infection. The McAfee virus profile of FormSpy includes more information about the files installed by the trojan. McAfee believes that the number of infections is currently low.

TechWeb has an article about FormSpy. In the report, Craig Schmugar, virus research manager at McAfee's Avert Labs, expresses concerns about the ease with which the FormSpy trojan is able to disguise itself as the legitimate numberedlinks extension and suggests that Firefox developers should address this.
Source: Mozillazine
 