Here's a timely reminder to always be wary of public terminals, because we have another executable that forces Firefox to store logins locally while removing any notifications to the end-user:
Hitting the "Enable" button alters "nsLoginManagerPrompter.js", replacing some bits of code and adding others like the Trojan-PWS-Nslog file from October did. At this point, the unwary user will log in without any "Do you want Firefox to remember this password" prompt and go about their merry business. The moment they leave, all the attacker has to do is access the same PC, go into Tools / Options / Saved Passwords and retrieve whatever has been stored there from the list of sites, usernames and passwords.
Unlike Trojan-PWS-Nslog, the executable we tested doesn't appear to send the logins elsewhere - it's a local threat only, which is better than nothing I suppose. If a public terminal seems a little insecure or you didn't see a "save this password" prompt from Firefox, it might be a good idea to check if your logins have been stored. In all likelihood, the terminal just has the "save passwords" feature disabled, but better safe than sorry.
Detection rates on VirusTotal at the moment are quite low - 8/43 - and we detect this as Backdoor.Win32.FFGrab.A.
Thanks to Adam Thomas and Francesco for additional research.
Christopher Boyd