MozillaZine

FormSpy - Spyware program hooks into Mozilla Firefox

old Harry Waldron
Moderator
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Posted July 25th, 2006, 1:32 pm

Sharing a rare and low-risk security warning for the Firefox environment (Windows only). This new threat can be avoided easily by users avoiding spam email and attachments, plus keeping AV protection updated :)

FormSpy (aka FireSpy) is a new spyware program designed to integrate into the Mozilla browser environment. It is being spread by spam email spoofed to appear as a billing issue from Walmart. It was launched on July 24th. The attachment contains a downloader malware agent that can install FormSpy as a Firefox plugin.

FormSpy - Spyware program hooks into Mozilla Firefox
http://www.avertlabs.com/research/blog/?p=62
http://vil.nai.com/vil/content/v_140256.htm

Upon execution, it registers Mozilla event listeners to the malware and sends information submitted by the victim in the web browser to a malicious website. This information can include, but is not limited to, credit card numbers, passwords, e-banking pin numbers etc. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.


FireSpy - Sophos Writeup
http://www.sophos.com/security/analyses ... espya.html

Troj/FireSpy-A will then attempt to register the dropped component as a Firefox plugin and begin monitoring the user's browsing habits, stealing information including monitoring and logging information from Web forms.



----- EMAIL TO AVOID -----

Downloader-AXM - Massively spammed on 07/24/2006
http://vil.nai.com/vil/content/v_140257.htm

From: billing support [mailto:info@walmart.com]

Subject: Your order information WC2905036

Message: Dear Sir/Madam, Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file.

Attachment: wc2905036.exe

John Liebson
 
Posts: 6529
Joined: July 29th, 2003, 1:09 pm

Posted July 25th, 2006, 2:25 pm

Hmm, I think that is what I got in a file supposedly from Dell (customercare@dell.com), sent from Brazil:

"Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file."

I did not, of course, open the attachment, having not bothered to place an unknown order from an unknown "company" in Brazil. The attachment was a .zip file, an odd way to send a receipt.

[EDIT] Finally got around to scanning the zip file, which was reported as containing backdoor-bac, a three-year-old trojan. Almost as if the sender was trying to copy the new email threat, but did not know how to do so "properly."

old Harry Waldron
Moderator
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Posted July 26th, 2006, 5:14 am

Hi John -- Yes, the spammers are reusing the "WC2905036 email" messages for a wide range of trojan horse attacks. Best practices are always your friend whether you're using more secure browsers, OS environments, etc ...

Here's another example from the latest version of HAXDOOR (one of the most popular and worst of the Windows rootkit type attacks).

http://myitforum.com/cs2/blogs/hwaldron ... 22509.aspx

It seems like the bad guys would at least change the order # when they launch another mass spam mailing attack ;)

Lost User 143714
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Posted July 26th, 2006, 11:26 am

James,
The AvertLabs piece seems to contain confusing information. In one sentence, it reads: "Upon successful execution, FormSpy hooks mouse and keyboard events in the Mozilla Firefox web browser", yet a few sentences later it reads: "FormSpy writes and modifies Mozilla configuration files directly which bypasses this confirmation process." On the one hand it sounds like FormSpy affects existing installed extensions, while on the other it looks like it affects only new ones...

nrthomas
 
Posts: 1988
Joined: February 9th, 2003, 3:25 pm

Posted July 26th, 2006, 11:31 am

rieber, I don't see anything wrong with those two statements. What this Trojan appears to do is write files directly into <appdir>\extensions and <profile>\extensions, bypassing the usual extensions install dialog. Those files then hook mouse and keyboard events in Firefox.
Nick Thomas - Mozilla Release Engineer

Lost User 143714
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Posted July 26th, 2006, 11:40 am

I agree. Thanks...

Robert S.

 
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Posted July 26th, 2006, 12:42 pm

Does it actually install into the extensions directory or the chrome directory? If it is the extensions directory we could probably blocklist it. Otherwise it is no different than if a zip writer wrote over one of the app files in a jar or installed into chrome using an xpi with install.js or just by placing it there along with a chrome.manifest.

VanillaMozilla
 
Posts: 13808
Joined: November 7th, 2005, 11:26 am

Posted July 26th, 2006, 1:05 pm

I think one problem with evil plugins or extensions is that because they run under Fx, they can bypass an outbound firewall, whereas if they ran independently, they would be caught by the firewall. Is this not correct?

corrosionfactor
 
Posts: 1
Joined: July 26th, 2006, 3:33 pm

Posted July 26th, 2006, 4:07 pm

It installs itself as "Signature" under extensions. Yes, I fell for it - just after placing an order with Amazon, the email arrived and like a dummy I opened it. Fortunately, E-Trust Firewall blocked the 13876273.exe file from sending information and Computer Associates helped me remove the trojan.

You know you have it if a large portion of the bottom part of Firefox is blank, with a beige color under the taskbar.

Uninstall Signature and the browser works again.

IceDogg
 
Posts: 657
Joined: July 24th, 2004, 11:26 am

Posted July 26th, 2006, 4:19 pm

Maybe if a new extension has been added since the last time Firefox was run it should popup a dialog that asks if this is an intentional action (listing the extensions added). Or at least a warning of sorts. What are thoughts on that?

It would still allow for easily adding extensions by dropping their folder info into the extensions directory but yet still have a check to make sure it was intended and not a malware action. But then I guess the file that tracks that could just as easily be modified? Just thinking out loud here. I know that it's better not to execute files of an untrusted nature, but I was just wondering if this could be done. Just to add another layer of protection so to speak.

Edit: left out a word.
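Nick Thomas's reply above describes the mechanism (files written straight into the extensions directories, skipping the install dialog) and IceDogg's post asks whether Firefox could notice an extension that appeared since the last run. The script below is an added example, not code from the thread or from Mozilla: it snapshots a profile's extensions directory, fingerprints each entry, and reports anything added, removed or modified since a stored baseline. The profile layout, the placeholder id `{known-ext-id}` and the baseline file name are constructed for the demo; the folder name "Signature" is the one reported in the thread.

```python
"""Baseline check for a Firefox profile's extensions directory (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint_dir(path: Path) -> str:
    """SHA-256 over the relative path and contents of every file under one extension folder."""
    h = hashlib.sha256()
    for f in sorted(p for p in path.rglob("*") if p.is_file()):
        h.update(str(f.relative_to(path)).encode("utf-8"))
        h.update(b"\0")
        h.update(f.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def snapshot(extensions_dir: Path) -> dict:
    """Map each entry (unpacked folder or .xpi file) of an extensions directory to a fingerprint."""
    snap = {}
    for entry in sorted(extensions_dir.iterdir()):
        if entry.is_dir():
            snap[entry.name] = fingerprint_dir(entry)
        elif entry.is_file():
            snap[entry.name] = hashlib.sha256(entry.read_bytes()).hexdigest()
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Report names that appeared, vanished or changed since the baseline was taken."""
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "modified": sorted(n for n in known & now if baseline[n] != current[n]),
    }


def check_profile(extensions_dir: Path, baseline_file: Path) -> dict:
    """Compare the directory with the stored baseline, then record the new state.

    Keep the baseline outside the profile (and read-only or signed if possible):
    anything that can write into the profile could also rewrite a baseline kept
    beside it, which is exactly the weakness IceDogg raises.
    """
    current = snapshot(extensions_dir)
    if baseline_file.exists():
        baseline = json.loads(baseline_file.read_text())
    else:
        baseline = current  # first run: nothing to compare against yet
    result = compare(baseline, current)
    baseline_file.write_text(json.dumps(current, indent=2, sort_keys=True))
    return result


def demo() -> dict:
    """Constructed profile: one known extension, then a folder named "Signature" appears silently."""
    tmp = Path(tempfile.mkdtemp())
    ext = tmp / "extensions"
    known = ext / "{known-ext-id}"  # constructed placeholder extension id
    known.mkdir(parents=True)
    (known / "install.rdf").write_text("<RDF/>")
    baseline = tmp / "extensions-baseline.json"  # would live outside the profile in real use
    first = check_profile(ext, baseline)  # establishes the baseline, reports nothing
    dropped = ext / "Signature"  # the folder name a poster in this thread reported
    dropped.mkdir()
    (dropped / "chrome.manifest").write_text("content signature chrome/\n")
    second = check_profile(ext, baseline)  # now flags "Signature" as added
    return {"first": first, "second": second}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real profile by calling `check_profile(Path(profile) / "extensions", baseline_path)` from a scheduled task before the browser starts; a non-empty "added" list is the moment to ask the user whether the install was intended, and "modified" catches the case the AvertLabs quote describes, where existing files are edited in place rather than a new folder dropped.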

Jus
 
Posts: 485
Joined: August 12th, 2004, 11:37 am

Posted July 26th, 2006, 8:59 pm

IceDogg wrote: Maybe if a new extension has been added since the last time Firefox was run it should popup a dialog that asks if this is an intentional action (listing the extensions added). Or at least a warning of sorts. What are thoughts on that?

The install extensions dialogue will pop up, right, if you drop xpis into the profile's extension folder?

Robert S.

 
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Posted July 26th, 2006, 10:41 pm

IceDogg wrote: Maybe if a new extension has been added since the last time Firefox was run it should popup a dialog that asks if this is an intentional action (listing the extensions added). Or at least a warning of sorts. What are thoughts on that?

They could just install it any number of ways since it is installed by an executable that is downloaded and then launched... there are just too many ways to get around measures like this after it is running on the OS and the best bet is anti-virus software for these types of attacks.
Last edited by Robert S. on July 27th, 2006, 1:00 am, edited 1 time in total.

paulfox
 
Posts: 1510
Joined: May 8th, 2004, 1:38 pm

Posted July 26th, 2006, 11:24 pm

I just added this to my GMail filters (standalone); make a new filter listing under "contains," and "has attachment" - set to "delete."
GMail provides both; Yahoo and others may or may not, but at least incorporate the wording:

Matches: WC2905036 has:attachment
Do this: Skip Inbox, Delete it

as always, thank you Harry.

ADDENDUM:
It comes to my attention from a site I use that apparently "Pay attention on attached file" is used often in these messages, regarding updating information on the supposed "attachment." So, amend your filter to read this (I suppose AS WELL AS having A/V up to date, but if you don't click on "wrong things" AV won't be necessary!)

(WC2905036 OR Pay attention on attached file)

Remember to check "has attachment" if given that option (GMail does). You're less likely to accidentally click on something if it's already in spam.
Last edited by paulfox on July 27th, 2006, 2:54 pm, edited 2 times in total.
PentiumIII/W2K, Toshiba AMD laptop/Vista. FX 3 on both.
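paulfox's filter is a mail-provider rule, so the example below re-creates its logic in Python: "WC2905036 OR Pay attention on attached file" matched against subject and body, combined with "has attachment", plus a list of attachment names with executable or archive extensions, which the thread singles out (the .exe lure and John Liebson's .zip). This is an added example, not something from the thread or from GMail; the three sample messages are constructed for the demo (the spoofed sender address and subject are the ones quoted in the first post), and the list of risky suffixes is an assumption.

```python
"""Offline re-creation of the thread's mail filter (added example)."""
from email import message_from_string
from email.message import Message

# Phrases from the thread, matched case-insensitively against subject and body text.
PHRASES = ("wc2905036", "pay attention on attached file")
# Attachment suffixes worth reporting on their own; this list is an assumption of the example.
RISKY_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".zip")


def attachment_names(msg: Message) -> list:
    """Collect the filename of every leaf MIME part that is marked as, or shaped like, an attachment."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            names.append(part.get_filename() or "unnamed")
    return names


def searchable_text(msg: Message) -> str:
    """Subject plus every inline text/plain body, lower-cased for phrase matching."""
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            text += "\n" + payload.decode(part.get_content_charset() or "utf-8", "replace")
    return text.lower()


def classify(raw: str) -> dict:
    """Apply the rule: phrase match AND has attachment -> delete; also list risky attachment names."""
    msg = message_from_string(raw)
    names = attachment_names(msg)
    phrase_hit = any(p in searchable_text(msg) for p in PHRASES)
    return {
        "phrase": phrase_hit,
        "has_attachment": bool(names),
        "risky_attachments": [n for n in names if n.lower().endswith(RISKY_SUFFIXES)],
        "delete": phrase_hit and bool(names),
    }


# Constructed sample: the lure described in the thread, with a placeholder in place of the binary.
SPAM = """From: billing support <info@walmart.com>
To: victim@example.invalid
Subject: Your order information WC2905036
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain; charset="us-ascii"

Dear Sir/Madam, Thank you for shopping with our internet shop. Your order,
WC2905036, has been received. Summary of your order you can see in the
attachment file.
--demo-boundary
Content-Type: application/octet-stream; name="wc2905036.exe"
Content-Disposition: attachment; filename="wc2905036.exe"
Content-Transfer-Encoding: 7bit

placeholder-bytes-not-a-real-binary
--demo-boundary--
"""

# Constructed sample: legitimate mail with a harmless attachment and no lure phrase.
BENIGN = """From: teammate@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain; charset="us-ascii"

Notes from today's call are attached.
--demo-boundary
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

1. Review the new filter rules.
--demo-boundary--
"""

# Constructed sample: a colleague quoting the lure text, with no attachment, so it must survive.
QUOTED = """From: colleague@example.invalid
Subject: Heads up about the WC2905036 spam
Content-Type: text/plain; charset="us-ascii"

The fake order mail says "Pay attention on attached file". Do not open it.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("benign", BENIGN), ("quoted", QUOTED)):
        print(label, classify(raw))
```

The "has attachment" half of the rule is what keeps the QUOTED message (a warning that merely repeats the phrase) out of the bin, which is the point paulfox makes about ticking that box; the risky-suffix list is a separate signal that would catch the .zip variant John Liebson received even though its body text differed.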

greenknight

 
Posts: 6182
Joined: December 13th, 2004, 2:28 am
Location: In the shadow of Mount St. Helens

Posted July 27th, 2006, 4:32 am

ZDNet chose to headline a story about this "Trojan Piggybacks on Firefox", leading some to think the Trojan comes with Firefox or Firefox updates. Just what we needed. :-X
Win 10 Home x64, Linux Mint 19.1 MATE x64, AMD A8 5600K APU 3.6 GHz (3.9 Turbo), AMD Radeon HD 7560D (integrated graphics). G.Skill Ares DDR3-2400 (running at 1866) 8GB, Firefox 72.0.2, Developer Edition 73.0b9(Win only), Nightly 74.0a1x64 (Win), Nightly 74.0a1 (Linux AMD64) .

IceDogg
 
Posts: 657
Joined: July 24th, 2004, 11:26 am

Posted July 27th, 2006, 10:23 am

Thanks Robert S, I was afraid that was the case.
