Oct 7, 2010 16:24 GMT

Security researchers from antivirus vendor Webroot have identified an information-stealing trojan that modifies a Firefox file so that the browser is forced to store passwords automatically.

The threat is detected by Webroot as Trojan-PWS-Nslogm and is capable of stealing usernames and passwords stored by both Internet Explorer and Firefox browsers.

By default, whenever Firefox detects that login credentials are submitted through a Web form, it offers to remember them for future use.

When this happens, the user is presented with several options, which include "Remember", "Never for This Site" and "Not Now". If they choose "Remember", the browser stores the username and password in a local database.

Since it's easier to steal credentials from this database than to inject code into the browser process and grab them as they are submitted, the author of this trojan thought it would make more sense to have Firefox remember all passwords without asking users for confirmation.

To achieve this, he created a routine to patch the nsLoginManagerPrompter.js file in the Firefox installation by adding new code and commenting out some existing lines.

"The Trojan then scrapes information from the registry, from the so-called Protected Storage area used by IE to store passwords, and from Firefox’s own password storage, and tries to pass the stolen information onward, once per minute," Andrew Brandt, a malware researcher at Webroot, explains.

The password stealer installs itself in the c:\windows\system32 folder as a file called Kernel.exe. The captured data is sent to a command and control server via a deprecated ActiveX control called msinet.ocx.

The trojan appears to have been created with a keylogger generator available for free on the Internet. The researchers learned this after the author left his name and email address in the code and they were able to track down the website where he posted the tool.

Mr. Brandt notes that, after cleaning the threat, the easiest and safest way to restore the modified nsLoginManagerPrompter.js file is to reinstall Firefox on top of the current installation. This will also preserve existing settings.
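To check whether a component file such as nsLoginManagerPrompter.js was altered in the way described above (lines commented out, new code added), it can be compared against a copy taken from a clean install of the same Firefox version. The following is an added example, not code from Webroot or Mozilla; the sample file contents and the function names in them are constructed for illustration and are not Firefox's real code.

```python
import difflib
import hashlib

# Constructed sample contents (hypothetical function names, NOT Firefox's real code).
REFERENCE = """function onFormSubmit(login) {
    showRememberPrompt(login);
}
"""
TAMPERED = """function onFormSubmit(login) {
    // showRememberPrompt(login);
    storeWithoutAsking(login);
}
"""

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def uncommented(line):
    """Return the code behind a '//' comment, or None if the line is not one."""
    s = line.strip()
    return s[2:].strip() if s.startswith("//") else None

def audit(reference, installed):
    """Compare an installed component with a clean reference copy."""
    report = {"modified": False, "commented_out": [], "added": [], "removed": []}
    if sha256_hex(reference) == sha256_hex(installed):
        return report  # byte-identical: nothing to review
    report["modified"] = True
    ref, cur = reference.splitlines(), installed.splitlines()
    ref_code = {l.strip() for l in ref if l.strip()}
    ops = difflib.SequenceMatcher(a=ref, b=cur, autojunk=False).get_opcodes()
    for tag, i1, i2, j1, j2 in ops:
        if tag == "equal":
            continue
        disabled = set()
        for line in cur[j1:j2]:
            body = uncommented(line)
            if body is not None and body in ref_code:
                report["commented_out"].append(body)  # original line disabled
                disabled.add(body)
            elif line.strip():
                report["added"].append(line.strip())  # code not in the reference
        for line in ref[i1:i2]:
            if line.strip() and line.strip() not in disabled:
                report["removed"].append(line.strip())
    return report

if __name__ == "__main__":
    print(audit(REFERENCE, TAMPERED))
```

In practice the two strings would be read from the installed file and from the reference copy; any non-empty `commented_out` or `added` list in a browser component is worth investigating.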