Firefox Malware – ChromeInject – the honeymoon is over

After a few reports in the press around a new Malware that specifically targets Firefox users, we thought we have a more detailed look at this piece of malware.

In general, it only targets Firefox users. This fact will disturb many users that “escaped” Internet Explorer and switched over to Firefox for security reasons. It is long known that Firefox has with the XUL Interface and the Plugins a mechanism that is very similar to Internet Explorer’s BHO (Browser Helper Objects). In fact, the browser plugin is essentially just a DLL that can contain whatever content – including malicious one.

When we installed this component, the first interesting thing was that it will install itself silently without any user interaction or user notification. This is a bit disturbing as normally the Firefox User Design is quite well-thought through.

What this malware then does is as follows:

  • It has a pre-compiled list of hostnames that it watches for. If the user goes to any of these websites, the malware will load the malicious DLL and inject HTML into the current Firefox page.
  • This additional code will then steal any information they want, including username and passwords and other identity related information.
  • The sample we analyzed affected 103 financial institutions worldwide, including 10 financial institutions in Australia.

Technical Details

After the malware is installed, it is actually visible as a plugin, however it has the innocent name “Basic Example Plugin for Mozilla”

It hooks into the XUL engine and “watches” the internet traffic for the URL’s it is interested and injects then HTML code.

Overall this malware is not anywhere as sophisticated as the top-class trojans like silentbanker, Sinowal, …, however it gets the job done. A few things are worth mentioning as they are quite unique:

  • The malicious component (DLL) will only be loaded if the user goes to any of the URL’s the malware watches. This means that e.g. when you start Firefox, the system and all components are fine and the malware actually is not active in memory.
  • Only when the user enters one of the affected financial institutions website, the malicious DLL is loaded.

How to check whether you are infected?

You can check whether you are infected by openin your Firefox Browser and clickin on the Tools-Menu and select “Add-ons”. Then select the last tab called “Plugins” and make sure that you do not have a plugin called “Basic Example Plugin for Mozilla – npbasic”.

If you see this, you can disable the plugin by clicking on “disable”.

All TrustDefender users are protected by default from this attack.

9 thoughts on “Firefox Malware – ChromeInject – the honeymoon is over”

  1. Hello !!! ;)
    My name is Piter Kokoniz. Just want to tell, that I like your blog very much!
    And want to ask you: what was the reasson for you to start this blog?
    Sorry for my bad english:)
    Your Piter

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>