Malicious Firefox Plugin

Window Snyder

Issue

A malicious piece of software masquerading as a legitimate and popular Firefox plugin is spreading.  Trojan.PWS.ChromeInject.A collects a user’s passwords from banking and other sites and forwards them to a remote server.

Impact

If a user has been tricked into installing this plugin, or had it installed through a separate vulnerability, it may compromise passwords and the user’s accounts.  This trojan is not Greasemonkey, even though it uses some of Greasemonkey’s internal IDs.

Status

To check whether your computer is infected, look for “Basic Example Plugin for Mozilla” in the Plugin list by choosing Add-ons from the Tools menu in Firefox.  Then choose Plugins. If you see this plugin, disable it.

Johnathan Nightingale blogged about it here: http://blog.johnath.com/2008/12/08/firefox-malware/

Credit

This issue was identified in the wild by BitDefender.  Their analysis is here: http://www.bitdefender.com/VIRUS-1000451-en–Trojan.PWS.ChromeInject.B.html