Login And Password Stealing Trojan Masquerades As Firefox Plug-in

A password stealing Trojan that poses as a Firefox Plugin is doing the rounds, according to Romanian security firm BitDefender. ChromeInject-A is typically downloaded onto Windows PCs already compromised by other malware.
It drops an executable file (which is a Firefox 3 add-on) and a JavaScript file (detected by Bitdefender as Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively. It filters the URLs within the Mozilla Firefox browser and whenever encounter the specific addresses opened in the Firefox browser it captures the login credentials. It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox’s chrome environment.
The backdoor code looks for data exchanged between a compromised machine and a list of pre-programmed banking sites in Europe, Australia and the US. Harvested login credentials are captured and subsequently posted to a server located in Russia.
BitDefender reports that incidents of the malware are “very low”, so the attack is more notable for its novelty than its potency. Malware that capitalises on the popularity of Firefox is rare, but not unprecedented.

No comments: