Injects advertisements into Google search results

Aug 29, 2009 09:56 GMT

Security researchers warn of a new piece of malware that functions as an extension for the Mozilla Firefox browser. The rogue add-on intercepts Google search queries and injects advertisements into the results.

The new attack has been reported by analysts from antivirus vendor Trend Micro and seems to be motivated by illegal monetary gain through an advertising scheme. The threat combines techniques previously employed by different families of malware.

For a start, it comes in the form of a Firefox extension, which is rather uncommon. A similar computer trojan running as a Firefox extension, which was used to monitor user sessions and capture online banking credentials for over 100 financial institutions, was discovered back in December 2008.

Dubbed Trojan.PWS.ChromeInject by BitDefender researchers, that malicious extension was deployed without the users' consent by other malware already present on the infected computers. In comparison, this new Firefox threat, which Trend Micro calls TSPY_EBOD.A, uses social engineering to trick users into installing it.

The extension is being offered on various forums via JavaScript as an Adobe Flash Player update. Once installed, it appears in the Add-ons Management window under the Extensions tab as "Adobe Flash Player 0.2." It is worth noting that the real Flash Player add-on for Firefox is actually a plug-in, which is listed under the Plugins tab as "Shockwave Flash [version number]."
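The naming mismatch described above can be checked mechanically. The following is an added example, not code from Trend Micro or from this article: it reads legacy `install.rdf` manifests and flags any extension whose display name imitates the Flash plug-in. It assumes the Firefox 3-era layout of unpacked extensions under `extensions/<id>/install.rdf`; the function names and the sample IDs are constructed for illustration.

```python
import os, re, tempfile
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
# Flash ships as a plug-in, so an *extension* carrying its name is suspect.
PLUGIN_NAME = re.compile(r"\b(adobe|shockwave)\s+flash\b", re.I)

def read_manifest(path):
    """Return (id, name, version) from a legacy install.rdf, or None."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    for desc in root.iter(RDF + "Description"):
        if "urn:mozilla:install-manifest" in (desc.get("about"), desc.get(RDF + "about")):
            # em:* properties appear as attributes or as child elements.
            return tuple((desc.get(EM + k) or desc.findtext(EM + k) or "").strip()
                         for k in ("id", "name", "version"))
    return None

def find_masquerading_extensions(extensions_dir):
    """List unpacked extensions whose display name imitates the Flash plug-in."""
    manifests = (read_manifest(os.path.join(extensions_dir, e, "install.rdf"))
                 for e in sorted(os.listdir(extensions_dir)))
    return [m for m in manifests if m and PLUGIN_NAME.search(m[1])]

# Constructed sample manifests; the IDs are placeholders, not real indicators.
SAMPLE = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
          'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
          '<Description about="urn:mozilla:install-manifest"%s>%s</Description></RDF>')
SAMPLES = {
    "fake-flash@example.invalid": SAMPLE % ("",
        "<em:id>fake-flash@example.invalid</em:id>"
        "<em:name>Adobe Flash Player</em:name><em:version>0.2</em:version>"),
    "downloader@example.invalid": SAMPLE % (
        ' em:id="downloader@example.invalid" em:name="FlashGrab" em:version="1.0"', ""),
}

def demo():
    """Write the constructed samples to a temporary extensions dir and scan it."""
    with tempfile.TemporaryDirectory() as ext_dir:
        for ext_id, manifest in SAMPLES.items():
            os.makedirs(os.path.join(ext_dir, ext_id))
            with open(os.path.join(ext_dir, ext_id, "install.rdf"), "w") as fh:
                fh.write(manifest)
        return find_masquerading_extensions(ext_dir)

if __name__ == "__main__":
    print(demo())
```

To scan a real profile, pass its `extensions` directory to `find_masquerading_extensions`; extensions that merely contain the word "Flash" in their name, like the constructed "FlashGrab" sample, are not flagged.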

This new piece of malware is actually a click fraud trojan, which injects ads into Google search-result pages. When these ads are clicked, the trojan's authors receive a small fee from the advertising network supplying them. Back in July, we reported on a similar trojan, which hijacked queries performed through the default search boxes in Internet Explorer and Firefox and routed them through a custom Google search widget.

Trend Micro analysts note that the rogue extension also monitors and intercepts all Google searches performed with Firefox and uploads the captured data to a remote server. This is probably done in order to establish search trends for the victims and subsequently serve them ads that they are more likely to click on.

"We have seen a lot of malware target Internet Explorer in the past. This is probably one of the reasons why a huge number of users are opting to use alternative browsers such as Firefox, Chrome, Safari, and Opera instead. Though this used to be considered a safe computing practice before, it seems it no longer is with the proliferation of malware targetting [sic.] the most popular alternative Internet browser - Firefox," Jonathan Leopando, technical communications specialist at Trend, concludes.