It comprises a keylogger and a sniffer

Jul 26, 2006 11:05 GMT

McAfee has warned of a keylogger Trojan, FormSpy, that poses as a Firefox extension in order to install itself on vulnerable machines. Once a system is compromised, FormSpy stays resident in the background and records mouse movements and key presses. That data can expose identity-sensitive information: confidential banking and credit card details, account information, usernames and passwords.

"Websites were found to be linking to the FormSpy website hosted at IP address 81.95.xx.xx and installing FormSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers. VBS/Psyme can be detected proactively in Internet Explorer (IE) with VirusScan ScriptScan (VSE8.0i feature) enabled; whilst FormSpy can be detected proactively using the latest DATs and engine. This is a detection for a malware that was discovered in the wild on July 24, 2005 (PST). Its installer was proactively detected as New Malware.ag (now Downloader-AXM). It is installed as a Mozilla/Firefox component extension and will forward data submitted in the web browser to a malicious website," warns McAfee.

According to McAfee, FormSpy's main executable, in addition to registering Mozilla event listeners, also sniffs ICQ, FTP, IMAP and POP3 traffic for passwords.

McAfee's Avert Labs describes the attack as starting with a spam message purporting to come from Wal-Mart's billing department, carrying a malicious attachment. When the attachment is opened, the Downloader-AXM Trojan installs FormSpy's keylogger and sniffer components. FormSpy masquerades as Numberedlinks 0.9, a legitimate Firefox extension (an ".xpi" package), to pass as an ordinary browser add-on.

"The Trojan writes files directly to the Firefox folders without putting up the confirmation," said Craig Schmugar, the virus research manager at McAfee's Avert Labs. "The Trojan is using a mechanism to get its code executed when it hooks into Firefox. And from a security model, that kind of functionality is all over the place."
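The install mechanism described above (an extension dropped straight into the profile's Firefox folders, borrowing a legitimate add-on's name) suggests a simple host-side audit. The following is an added example, not McAfee's detection logic or any Mozilla code: it walks a profile's extensions directory, parses each install.rdf manifest, and compares what it finds against a baseline of extensions the user actually installed, flagging unknown ids, a known name reused under a different id, directories with no manifest at all, and extensions shipping native components. The profile layout (extensions/<id>/install.rdf, as Firefox 1.5 and 2.0 used), the baseline, the extension ids and the sample profile are all constructed for the demo.

```python
"""Audit a Firefox-1.x/2.x-style profile for extensions dropped in outside
the normal install flow.  Added example; not McAfee's or Mozilla's code.
Assumptions (constructed for the demo): extensions live under
<profile>/extensions/<extension id>/install.rdf, and the defender keeps a
baseline of extension id -> name that the user really installed."""
import os
import tempfile
import xml.etree.ElementTree as ET

EM_NS = "http://www.mozilla.org/2004/em-rdf#"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Hypothetical baseline: ids are made up for the example.
SAMPLE_BASELINE = {"numberedlinks@example.invalid": "NumberedLinks"}


def parse_install_rdf(path):
    """Return (id, name, version) from an install.rdf manifest."""
    root = ET.parse(path).getroot()

    def text(tag):
        el = root.find(f".//{{{EM_NS}}}{tag}")
        return el.text.strip() if el is not None and el.text else None

    return text("id"), text("name"), text("version")


def audit_extensions(profile_dir, baseline):
    """Return a list of (extension directory name, finding) tuples."""
    findings = []
    ext_root = os.path.join(profile_dir, "extensions")
    for entry in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, entry)
        manifest = os.path.join(ext_dir, "install.rdf")
        if not os.path.isfile(manifest):
            findings.append((entry, "no install.rdf: not a normally installed extension"))
            continue
        ext_id, name, version = parse_install_rdf(manifest)
        # Firefox 1.5-2.0 names the extension directory after its em:id.
        if ext_id != entry:
            findings.append((entry, f"directory name does not match em:id {ext_id!r}"))
        if ext_id not in baseline:
            findings.append((entry, f"unknown extension id {ext_id!r} ({name} {version})"))
        elif baseline[ext_id] != name:
            findings.append((entry, f"id {ext_id!r} now claims name {name!r}, "
                                    f"baseline says {baseline[ext_id]!r}"))
        # A baseline name reused under a different id: the spoofing pattern above.
        spoofed = [bid for bid, bname in baseline.items() if bname == name and bid != ext_id]
        if spoofed:
            findings.append((entry, f"name {name!r} spoofs baseline extension {spoofed[0]!r}"))
        # Native XPCOM components are how an extension hooks into the browser itself.
        comp_dir = os.path.join(ext_dir, "components")
        if os.path.isdir(comp_dir):
            bins = [f for f in os.listdir(comp_dir) if f.lower().endswith((".dll", ".so", ".dylib"))]
            if bins:
                findings.append((entry, f"ships native components: {bins}"))
    return findings


INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="{rdf}" xmlns:em="{em}">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>
    <em:name>{name}</em:name>
    <em:version>{version}</em:version>
  </Description>
</RDF>
"""


def build_sample_profile():
    """Construct a throwaway profile: one legitimate extension, one that copies
    its name under a different id and ships a native component, and one bare
    directory with no manifest.  All ids and file names are made up."""
    profile = tempfile.mkdtemp(prefix="ffprofile-")
    ext_root = os.path.join(profile, "extensions")

    def add(ext_id, name, version, native=False):
        d = os.path.join(ext_root, ext_id)
        os.makedirs(d)
        with open(os.path.join(d, "install.rdf"), "w") as f:
            f.write(INSTALL_RDF.format(rdf=RDF_NS, em=EM_NS, id=ext_id, name=name, version=version))
        if native:
            os.makedirs(os.path.join(d, "components"))
            open(os.path.join(d, "components", "formspy.dll"), "wb").close()

    add("numberedlinks@example.invalid", "NumberedLinks", "0.9")
    add("formspy@example.invalid", "NumberedLinks", "0.9", native=True)
    os.makedirs(os.path.join(ext_root, "helper"))  # dropped in, no manifest
    return profile


if __name__ == "__main__":
    for entry, finding in audit_extensions(build_sample_profile(), SAMPLE_BASELINE):
        print(f"{entry}: {finding}")
```

The baseline is the important part: without a record of what the user consented to install, an auditor can only look for structural oddities (missing manifest, native components), which a careful attacker can avoid. The spoof check deliberately keys on the human-readable name rather than the id, since that is what a user glancing at the add-ons list would see.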