[nasional_list] [ppiindia] Password-Stealing Trojan Disguised as Firefox Extension
- From: "Ambon" <sea@xxxxxxxxxx>
- To: <"Undisclosed-Recipient:;"@freelists.org>
- Date: Thu, 27 Jul 2006 16:59:41 +0200
** Forum Nasional Indonesia PPI India Mailing List **
** To join the National Mailing List, visit:
** Mailing list site: http://groups.yahoo.com/group/ppiindia/ **
** For domestic and overseas scholarships (undergraduate, master's, doctoral
and post-doctoral), visit
http://informasi-beasiswa.blogspot.com **
http://blog.washingtonpost.com/securityfix/2006/07/passwordstealing_trojan_disgui.html?referrer=email
Password-Stealing Trojan Disguised as Firefox Extension
A spam e-mail making its rounds with a file attachment disguised as an
"extension" or add-on for the Mozilla Firefox browser is actually a Trojan
horse program, which allows attackers to install programs that intercept Web
traffic from a victim's computer and monitor what he or she types, such as
passwords and other login information.
According to analysis from McAfee AVERT, the spoofed message is designed to
look like it came from the Wal-Mart billing support department. It includes an
order number in the body of the e-mail and the same order number as the name of
the attachment. If a Windows user clicks on the attachment, it will lead to the
installation of a malicious program that steals passwords and monitors the
victim's network activity (unless he or she has taken our advice to avoid using
their computer under the all-powerful "administrator" account).
Once installed, this malware is disguised as the Numberlinks 0.9 extension for
Firefox, taking its name from a legitimate add-on designed to make it easier
for Firefox users to browse the Web without a mouse. Firefox extensions normally
prompt the user to install them, but this one silently patches the user's
browser without giving any notice. The next time the victim restarts the
browser, the spying program -- which McAfee has dubbed "FormSpy" -- will start
up automatically.
Mozilla has taken heat from security experts in the past about neglecting to
digitally "sign" third-party extensions so that users have some assurance that
Mozilla has vetted the developer's work. And no doubt, this attack will
embolden critics to say, "See, we told you so." But Dan Veditz, a security
developer at Mozilla, said no amount of digital signing would prevent an attack
like this one, as it relies not on the browser's default installer (whose
installation files end in ".xpi") but on the user opening an executable program
file (".exe") that is handled by the Windows operating system.
Before Mozilla released Firefox 1.5.0.2, attackers were using a similar method
to slip the "MyWebSearch Toolbar" onto users' Firefox browsers. With version
1.5.0.2, Mozilla added code that simply removed the toolbar installation files.
Veditz said Mozilla could similarly remove this attack avenue from future
versions of Firefox, but added that the bad guys could simply tweak a few
things to get around it.
"This attack was perhaps a little too easy, but the reality is that once
someone has launched an installer on their system, ultimately it becomes an
arms race between how much effort we want to put in and what the attackers are
willing to do" to circumvent it, Veditz said.
Security Fix has warned readers many times in the past, but it bears repeating
often: Do not open e-mail attachments that arrive in messages you weren't
expecting. Even if they appear to come from someone you know, it's a good idea
to reply and await a response, just to make sure the e-mail's "From" address
was not faked by the attackers.
Finally, scan any attachments with up-to-date anti-virus software before
opening them: Because of the inherent difficulties of virus detection, there
will always be things that can't be blocked, but this kind of safeguard is
still a very good habit for Windows users to get into. If you don't have
anti-virus tools installed or you want to get a diagnosis from more than one
anti-virus product, submit the suspect file for a free scan at Virustotal.
Incidentally, Mozilla is expected today to release a new version of Firefox,
1.5.0.5, that includes about a dozen security updates as well as
stability fixes. Security Fix will have more info on that update shortly after
its release.