Tuesday, March 31, 2009

Firefox Attacks Sharpen Bite

Via eWeek (Security Watch) -

Security researchers are highlighting a more powerful breed of attack that is specifically targeting users of the open source Mozilla Firefox web browser.

Long touted for its improved security over rival browsers including Microsoft IE, Firefox has been mined for dozens of vulnerabilities over the last few years, but the application hasn't ever faced the same level of attacks as Explorer.

However, experts are charting the emergence of a new, sophisticated breed of Firefox threat that packs a significantly more potent punch than its predecessors.

Posting to the Webroot Threat Blog, longtime security researcher Andrew Brandt describes several newly discovered pieces of badware in circulation that he cites as "raising the bar" for Firefox attacks.

"In the past few weeks, we've seen malware writers up the ante in their bets against Firefox. Two new spies came across the transom in the past week, and easily managed to load themselves into a freshly installed copy of Firefox 3.0.7. I should note that this isn't due to any problem or negligence on Mozilla's part; once you execute malicious code on your PC, any application is vulnerable. Firefox just happens to be a big target," Brandt notes.

The first piece of malware Brandt points to is a malicious plugin that appears to be a new variant of a known spyware attack, DNSChanger. Framed as a browser hijacking ploy, the installer drops a DLL payload into the Firefox components folder, and then runs in the background from then on.

The threat, also ID'd as "Firesox," then injects ads or modified results when it detects certain search query strings sent to engines including Google, Yahoo, MSN, Altavista, Teoma, Ask and Pricegrabber, Brandt reports.

"In the past, we saw DNSChanger used to help fraudulent advertising affiliates boost their numbers, and to direct unsuspecting users to rogue antimalware tools by generating bogus results. It remains to be seen whether this new variant will be as prolific as the old version," he writes.

The second attack highlighted in the researcher's blog post is a piece of adware that only installs correctly with Firefox versions 3.x or later. Parceled together with other programs and a too-long-to-read EULA, the threat, dubbed Foxicle, appears after users attempt to opt out of another adware toolbar, Mirar.

Whether they agree to keep Mirar or end up saddled with Foxicle, users unlucky enough to stumble onto the programs appear destined to stare at some unwanted ads when they're browsing.

In both cases, the attacks represent a new generation of Firefox threats in their ability to cloak themselves from discovery, Brandt contends.

"Neither Firesox, the DNSChanger clone, nor Foxicle put an obvious entry in Firefox's plugins dialog that signals their presence. While not widely distributed, I suspect we'll be seeing more of them," he said.
