Trojan overrides Firefox password-saving behavior

A curious new information-stealing Trojan that patches a core Firefox file in order to override the browser’s behavior has been discovered by Webroot researchers.

Every Firefox user has seen at least once the following offer pop up when signing into an online service:


Savvy users know that letting the browser remember passwords is a bad idea, because password-stealing Trojans can usually extract them easily from the browser’s password storage area, so they change their browser’s settings to make it not “remember” passwords by default.

But this Trojan changes the nsLoginManagerPrompter.js file that dictates this behavior: it adds a few lines of code and invalidates a few more, so that when a user who has not made the above-mentioned settings changes logs into a Web site, the browser automatically stores the passwords without ever showing the aforementioned query.

“The keylogging Trojan copies itself to the system32 directory with the filename Kernel.exe; drops and registers an old, benign, deprecated ActiveX control called the Microsoft Internet Transfer Control DLL, or msinet.ocx, which it uses to communicate with its command and control server; then it creates a new user account (username: Maestro) on the infected system,” points out one of the researchers.

From then on, it is easy for the Trojan to collect the saved passwords and try to send them to the C&C server. But what is especially interesting about this Trojan is that it is “signed” – embedded in its code is the following string:


After a brief search, the researcher tied the e-mail address to one Salar “Salixem” Zeynali, an Iranian malware author who writes it for fun. He doesn’t actually sell the keylogger in question, but he offers a tool for creating them on a message board for free.

Webroot researchers say that it is possible to detect the Trojan (which they called Trojan-PWS-Nslog) easily, but that no AV can restore the modified Firefox file. For that, you will have to install Firefox once again, preferably over the one you already have installed, so that the patched file simply gets overwritten and you don’t lose your bookmarks and add-ons.
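A way to check whether browser script files such as nsLoginManagerPrompter.js have been altered is to hash them against a clean reference copy. The sketch below is an added example, not code from Webroot or the original article; it assumes you have unpacked a freshly downloaded installer of the same Firefox version into a reference directory, and the `components` folder layout, `other.js` and the file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_install(installed: Path, reference: Path, pattern: str = "*.js") -> dict:
    """Compare every file matching `pattern` in the clean `reference` tree with
    the file at the same relative path under `installed`.
    Returns {relative_path: "modified" | "missing"}; unchanged files are omitted.
    Files that exist only under `installed` are ignored on purpose."""
    findings = {}
    for ref_file in sorted(reference.rglob(pattern)):
        rel = ref_file.relative_to(reference)
        target = installed / rel
        if not target.is_file():
            findings[rel.as_posix()] = "missing"
        elif sha256_file(target) != sha256_file(ref_file):
            findings[rel.as_posix()] = "modified"
    return findings


def demo() -> dict:
    # Constructed sample trees: a clean reference copy and a tampered install.
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference", "components")
        inst = Path(tmp, "installed", "components")
        ref.mkdir(parents=True)
        inst.mkdir(parents=True)
        (ref / "nsLoginManagerPrompter.js").write_text("// prompt logic\n")
        (inst / "nsLoginManagerPrompter.js").write_text("// prompt logic\n// added lines\n")
        (ref / "other.js").write_text("// unchanged\n")
        (inst / "other.js").write_text("// unchanged\n")
        return compare_install(inst.parent, ref.parent)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A "modified" result for a file the user never edited is the cue to reinstall over the existing installation, as described above.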

http://www.net-security.org/malware_news.php?id=1490&utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29


Posted October 13, 2010 by axxerainc in Uncategorized
