The first malware directly targeting Mozilla's browser has been discovered

Dec 5, 2008 09:28 GMT

Researchers from the anti-virus vendor BitDefender have come across an innovative piece of malware that hides itself and functions as a Firefox extension. The malicious add-on is a trojan that monitors user activity on numerous banking sites and steals the login credentials.

In order to fly under the radar, this trojan, identified by BitDefender as Trojan.PWS.ChromeInject, registers itself to the browser as “Greasemonkey.” Greasemonkey is actually the name of an advanced and legit Firefox extension that allows users to modify the appearance and rendering of visited web pages, through local JavaScript files.

The malware consists of a DLL file called npbasic.dll, which is dropped into the Firefox plugins directory, and a JavaScript file, browser.js, that sits in the chrome folder. Finding these two files on a computer in the respective locations is an indication of an infection with this trojan. Fortunately, this malicious piece of software does not feature self-replication and is not available in Mozilla's official add-ons repository. Instead, it is downloaded and installed by other malware.
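An added example, not from BitDefender or the original article: a check for the two file indicators described above, with case-insensitive matching so it also works on a Windows disk image mounted on Linux. It assumes both folders are subdirectories named plugins and chrome under a Firefox directory supplied by the caller; the function names, verdict labels and sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators named in the article: file name -> Firefox subdirectory (layout is an assumption).
INDICATORS = {"npbasic.dll": "plugins", "browser.js": "chrome"}


def find_child(parent, name):
    """Case-insensitive lookup of one directory entry; None if absent."""
    if parent is None or not parent.is_dir():
        return None
    return next((e for e in parent.iterdir() if e.name.lower() == name.lower()), None)


def check_firefox_dir(root: Path) -> dict:
    """Report which of the two indicator files exist under one Firefox directory."""
    hits = {}
    for filename, subdir in INDICATORS.items():
        found = find_child(find_child(root, subdir), filename)
        if found is not None and found.is_file():
            # SHA-256 is recorded for triage and vendor submission, not for matching.
            hits[filename] = hashlib.sha256(found.read_bytes()).hexdigest()
    # Both files is the condition the article describes; one alone needs manual review.
    verdict = "both-present" if len(hits) == len(INDICATORS) else "partial" if hits else "clean"
    return {"root": str(root), "verdict": verdict, "files": hits}


def build_sample_tree(base: Path) -> dict:
    """Constructed sample directories with dummy file contents (not real malware)."""
    infected, partial, clean = base / "infected", base / "partial", base / "clean"
    (infected / "Plugins").mkdir(parents=True)
    (infected / "chrome").mkdir()
    (infected / "Plugins" / "NPBASIC.DLL").write_bytes(b"dummy")
    (infected / "chrome" / "browser.js").write_bytes(b"dummy")
    (partial / "chrome").mkdir(parents=True)
    (partial / "chrome" / "browser.js").write_bytes(b"dummy")
    (clean / "plugins").mkdir(parents=True)
    return {"infected": infected, "partial": partial, "clean": clean}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, root in build_sample_tree(Path(tmp)).items():
            print(name, check_firefox_dir(root))
```

File names alone are weak indicators, so a hit is a reason to hash the files and scan them with an updated anti-virus product rather than a confirmed detection.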

BitDefender has assigned a “very high” damage level to this threat, mainly because it filters over 100 banking websites. The likes of US Bank, PayPal, Bank of America, and E-Gold are on the list, along with tens of banks from the UK, Spain, Italy, Germany, Australia, France, and even one from the Isle of Man. The trojan forwards the collected data to a server located in Russia.

This new type of attack comes after a November in which Firefox's market share reached the 20% mark for the first time in the browser's history. Many professionals estimate that this number will increase even more with the release of Firefox 3.1, which will bring unprecedented JavaScript performance. This could mean other similar threats might be taking off, with malware authors trying to benefit from the increasing popularity of Firefox and the general belief among users that it's safer than Internet Explorer.

Signatures for the detection of the ChromeInject trojan are likely to be released by the other antivirus vendors as well, so keeping your security solution updated is very important, as Viorel Canja, head of BitDefender anti-virus lab, points out. “In order to stay safe, home computer users are advised to install effective Internet Security protection and make sure they are updated regularly, to ward off these attempts,” says Mr. Canja.

If this technique of running malware as a Firefox plugin takes off, it will be interesting to see Mozilla's response. Perhaps providing an option that restricts the installation of add-ons to the browser interface only would be a way to mitigate this new type of attack.